We welcome security reports about our products and systems, and will list public reports (with acknowledgements) on our sites. We don't run a bug bounty program, though we may supply merch to acknowledge useful reports.
How to report an issue to us
If you are a customer, please raise your report through our Support channel (support@canary.tools).
If you are not a customer:
- For our Canarytokens and OpenCanary Open Source projects, please use GitHub's security reporting tool (quick links: Canarytokens, and OpenCanary).
- For any other issues, including in our commercial Canary product or in our infrastructure, send an email to security@thinkst.com. Emails sent there may optionally be GPG-encrypted with this key.
If you have a deadline for public disclosure, please let us know.
In your report, please include all the details you think we need to validate the issue, and provide a mechanism by which we may contact you for follow-up details. A working email address suffices for this.
Scope
We accept reports for the following products:
- Thinkst Canary (all platforms as well as the management Console and any related infrastructure)
- Canarytokens.org
- OpenCanary
- Citation
- Domains that can be positively tied to Thinkst
We welcome reports such as remote code execution vulnerabilities in Canary or OpenCanary, Cross-site Scripting issues in Canarytokens.org or Citation, cross-tenant data leakage in Canary, and issues in the infrastructure that supports our services.
We will not issue CVEs (or fixes) for out-of-date or end-of-life software, for volumetric Denial-of-Service (or similar resource exhaustion) attacks, for software not written by us, or for issues that are only reachable through local access to our devices.
We may differ with you on whether the reported issue constitutes a security vulnerability in our view. When we differ, we will endeavour to explain our reasoning.
What to expect from us
We intend to provide an initial response to reporters within three business days. We may ask for additional details or clarifications, and we may ask for assistance in testing proposed fixes.
Thinkst is a CNA and can assign CVEs for our own products; we will do so if the security report is validated. We aim to reach that determination within seven business days of the initial report. If a CVE has been assigned for one of our commercial products, we will publish an advisory at https://canary.tools/security-advisories. Our Open Source projects have security pages on GitHub.
If the software does not fall within our scope, we will redirect the reporter to an appropriate CNA. If the report cannot be validated, we will generally request additional information.
We will abide by embargoes for non-public issues; where an embargo has been broken or there is evidence of abuse, we reserve the right to release fixes before the embargo date.
We will credit reporters who report bugs to us through the process described in this policy in our advisories and CVE assignments.
Safe harbour
Should you find a security issue that gives you access to Thinkst's customers' data or to Thinkst company data, you must promptly stop your testing and report the issue to us. Continuing to access that data moves your actions outside the safe harbour of security testing.