As a company founded by security researchers, Duo Security is passionate about ensuring that our interactions with security researchers are positive and respectful. We treat each report we receive with the utmost seriousness while we evaluate the potential impact that it could have for our customers across the various products & services we offer.
During this process, Duo Security will communicate as promptly as we’re able until completion of our investigation and any necessary remediation. We thank you for your time & expertise to improve the security of our company and customers.
Rules of Engagement
To ensure a great experience with Duo Security, we ask that researchers follow these simple rules of engagement to limit the potential that company and/or customer data may be at risk:
- Do not exploit identified vulnerabilities in a manner that risks the confidentiality, integrity, and/or availability of any resources not explicitly owned by you during testing processes.
- Do not use your findings to phish, spam, social engineer, or otherwise defraud any customers or Duo Security employees during the course of testing to gain more access.
- Do not try to physically access Duo Security properties, attempt to social engineer employees, or otherwise try to discover risk beyond digital means against Duo Security.
- Do not perform denial of services (DoS) or distributed denial of service (DDoS) attacks against any Duo Security resource to prove an impact for a suspected security issue.
If you are ever unclear on how far your testing should go, please reach out to the Duo Security PSIRT to coordinate testing with us. We can often validate your suspicions in simple ways that can reduce the chance of harm occurring to our services & customers.
How to Report Security Issues to Duo
The most responsive way to reach out to Duo Security with a potential product or service security issue is by emailing us at email@example.com. This goes directly to our Product Security Incident Response Team (PSIRT) and will ensure a smooth communication process. We welcome you to encrypt communications to us through the use of our GPG key and will reciprocate if we deem the contents of further emails to need assurances of confidentiality.
What You Should Include in Your Report
For an Online Service Security Issue…
- The date & time when you initially discovered the issue
- The URL(s) where you found the security issue to be applicable
- All relevant headers & parameters used to demonstrate the risk against the service
- Your operating system and browser, with version number, used for all testing
For a Packaged Software Security Issue…
- The name of the Duo Security software you were testing & version number
- The operating system, platform, or other relevant environment details
- As relevant, the configuration file for the software with any secrets redacted
For ALL Security Issues, Please Also Include…
- A description of the type of issue (e.g. Remote Code Execution, Cross-Site Scripting)
- Your perspective of the impact, criticality of the finding, and any abuse cases
- Sample code (i.e. proof-of-concept) and/or tool used to generate an exploit payload
- The best contact information for the finder of the issue (e.g. email, phone)
- Any pre-planned disclosure timeline if you are planning to publish the findings
- Any information you may have accidentally accessed during testing without permission
How Duo Security Will Respond
Duo Security will provide an initial acknowledgement of your security report within 24 hours under normal circumstances once our PSIRT receives it. At this time, we will likely follow up with additional questions to ensure we fully understand the report and its potential impact Following our initial acknowledgement, Duo Security will make every effort to keep reporters aware of the progress on analysis, verification, and any required remediation steps along the way.
If a reported issue has been validated, Duo Security will provide a public acknowledgement in relevant release notes, any Product Security Advisory (PSA) we may release, or blog posts that reference the issue. Duo Security does not operate a bug bounty program at this time, but may choose to reward reporters of issues in some cases, at our discretion.
Once a security report has been triaged, additional steps may take place internal to Duo Security to remediate a concern that may extend many weeks or months if the severity is low enough. In these cases, we will let you know that we plan to fix our issue, but will be unable to guarantee a timeline in those cases due to the nature of remediation prioritization.
We appreciate the opportunity to coordinate disclosure with you for any planned blog posts, conference presentations, or other situations that you may discuss your findings. Duo Security ourselves are researchers and publish details on how we manage this process with others in our Disclosure Policy.