As a company founded by security researchers, Duo Security is passionate about ensuring that our interactions with security researchers are positive and respectful. We treat each report we receive with the utmost seriousness while we evaluate the potential impact that it could have for our customers across the various products & services we offer.
During this process, Duo Security will communicate as promptly as we’re able until completion of our investigation and any necessary remediation. We thank you for your time & expertise to improve the security of our company and customers.
To ensure a great experience with Duo Security, we ask that researchers follow these simple rules of engagement to limit the potential that company and/or customer data may be at risk:
If you are ever unclear on how far your testing should go, please reach out to the Duo Security PSIRT to coordinate testing with us. We can often validate your suspicions in simple ways that can reduce the chance of harm occurring to our services & customers.
While many of the security reports Duo Security receives are of a useful nature, we do want to specify that a number of report types are not of interest at this time. This list is not all inclusive, but may save researchers time sending us reports that we will ultimately reply back to stating that we will not be taking action. We appreciate you reviewing this list before a submission.
The most responsive way to reach out to Duo Security with a potential product or service security issue is by emailing us at firstname.lastname@example.org. This goes directly to our Product Security Incident Response Team (PSIRT) and will ensure a smooth communication process. We welcome you to encrypt communications to us through the use of our GPG key and will reciprocate if we deem the contents of further emails to need assurances of confidentiality.
For an Online Service Security Issue…
For a Packaged Software Security Issue…
For ALL Security Issues, Please Also Include…
Duo Security will provide an initial acknowledgement of your security report within 24 hours under normal circumstances once our PSIRT receives it. At this time, we will likely follow up with additional questions to ensure we fully understand the report and its potential impact. Following our initial acknowledgement, Duo Security will make every effort to keep reporters aware of the progress on analysis, verification, and any required remediation steps along the way.
If a reported issue has been validated, Duo Security will provide a public acknowledgement in relevant release notes, any Product Security Advisory (PSA) we may release, or blog posts that reference the issue. Duo Security does not operate a bug bounty program at this time, but may choose to reward reporters of issues in some cases, at our discretion.
Once a security report has been triaged, additional steps may take place internal to Duo Security to remediate a concern that may extend many weeks or months if the severity is low enough. In these cases, we will let you know that we plan to fix our issue, but will be unable to guarantee a timeline in those cases due to the nature of remediation prioritization.
We appreciate the opportunity to coordinate disclosure with you for any planned blog posts, conference presentations, or other situations that you may discuss your findings. Duo Security ourselves are researchers and publish details on how we manage this process with others in our Disclosure Policy.