Responsible Disclosure Policy

In addition to the security testing we regularly conduct internally and hire third-parties to conduct for us, we occasionally have people report possible vulnerabilities.

This page outlines our procedures for those reports.

If you've discovered a security vulnerability, please do not share it publicly. Instead, we ask that you report it directly to us by emailing security [at] geocod.io and encrypt the message if necessary. Geocodio's PGP key can be found at https://www.geocod.io/pgp-key.txt.

Rules for you

• Avoid data deletion, unauthorized data access, and service disruption while testing the vulnerability you found.
• Do no attempt to access or modify data that does not belong to you.
• Do not execute, or attempt to execute, a Denial of Service (DoS) attack.
• Do not run any automated tools against our servers without prior permission.
• Kindly do not publicly share the issue details until we confirm that the vulnerability has been fixed.
• Do not attempt to blackmail us or try to sell us your security report. When in doubt, contact us at security@geocod.io.

Rules for us

• We will not pursue any legal action against you if you obey the rules above.
• We will reply to all correctly submitted reports and we will work with you on fixing the issue.
• We will perform our own risk assessment for every reported vulnerability.
• If your report is not eligible, we will let you know the reason why.
• We will let you decide whether you want to be publicly acknowledged for your report.

Hall of Fame

We're extremely grateful to the following people who have helped us improve the security of Geocodio.

• Het Mehta
• Durgesh Patil
• Kunal Mhaske
• Rishabh Lalchand Pardeshi
• Gaurang Maheta
• Harinder Singh (S1N6H)
• Rutvik Kalkumbe
• Debprasad Banerjee
• Mohamed Usman
• Milan Jain
• Suprit Pandurangi
• Md Asif Hossain
• Yash Devkate (rootxyash)
• Madhurendra Kumar
• Ori Levi
• Vaishnavi Lalchand Pardeshi
• Gaurang Maheta

No Bounty

• We do not offer cash compensation for security reports at this time.

What does not qualify?

• Vulnerabilities to timing and DOS attacks.

• Vulnerabilities that have been previously reported by another user.

• Known vulnerabilities in the components of our technological stack reported within 48 hours since their public reveal.

• Security issues only reproducible under highly unlikely conditions (including but not limited to: using outdated or exotic web browsers, operating systems, or insecure internet connections).

• Security issues that rely on social engineering, spam, or physical security testing.

• Bugs or functionality that prove that a tested email address exists in our database as well as the theoretical ability to brute-force such functionality.

• Vulnerabilities that we determine to be an accepted risk, including but not limited to:

  • Ability to sign up and use our services without confirming an email address.
  • Lack of CAPTCHAs on forms.
  • Lack of use of hardfail (-all) on SPF records.
  • Lack of a reject record in DMARC.