We welcome security reports, and will list public reports (with acknowledgements) on our sites. We don't run a bug bounty program, though we may supply merch to acknowledge useful reports.
Reporting addresses
For issues in our commercial Canary product, kindly see https://canary.tools/.well-known/security.txt for our reporting address and keys.
For issues in our Thinkst domain, kindly see https://thinkst.com/.well-known/security.txt for our reporting address and keys.
For our Open Source projects, please use GitHub's reporting tool (quick links: Canarytokens and OpenCanary).
Domain Scope
Domains that can be positively tied to Thinkst.
Testing Scope
Volumetric Denial-of-Service reports (or similar resource exhaustion attacks) are not typically accepted.
Testing Limits
Should you find a security issue that gives you access to Thinkst's customers' data or Thinkst company data, promptly stop your testing and report the issue to us. Continuing to access that data moves your actions out of the safe harbour of security testing.