If you believe you've found a security issue in the AnonAddy product or service, I encourage you to notify me. I welcome working with you to resolve the issue promptly. Thanks in advance!
- Let me know as soon as possible upon discovery of a potential security issue, and I'll make every effort to quickly resolve the issue.
- Provide me with a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party. I may publicly disclose the issue before resolving it, if appropriate.
- Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of the service. Only interact with accounts you own or with explicit permission of the account holder.
- If you would like to encrypt your report, please use the PGP key with fingerprint
5FCAFD8A67D2A783CFF4D0E31AC6D923E6FB4EF7(available on the openpgp.org keyserver).
To report a vulnerability please send an email to contact@anonaddy.com, you can use the PGP key above if you wish to encrypt it.
- Security issues in any current release of AnonAddy. This includes the web application, browser extension, and landing page. Source code is available at https://github.com/anonaddy.
The following bug classes are out-of scope:
- Bugs that are already reported on any of AnonAddy's issue trackers (https://github.com/anonaddy), or that I already know of.
- Attacks requiring physical access to a user's device.
- Self-XSS
- Issues related to software or protocols not under AnonAddy's control
- Vulnerabilities in outdated versions of AnonAddy
- Missing security best practices that do not directly lead to a vulnerability
- Issues that do not have any impact on the general public
While researching, I'd like to ask you to refrain from:
- Denial of service
- Spamming
- Social engineering (including phishing) of AnonAddy emails
- Any physical attempts against AnonAddy property or data centers
Thank you for helping keep AnonAddy and its users safe!