Two months ago, we started working with HackerOne to set up a security
bug bounty program for our products, because we believe that no
technology is perfect and that working with skilled security researchers
across the globe is crucial in identifying weaknesses.
This bug bounty program is currently invitation-only, though we plan to
make it public very soon. Meanwhile, if you know highly skilled security
researchers interested in looking for issues in our DNS-related
software, written in C++, you can ask them to contact me so that I can
invite them into the program.
The scope of this program covers security issues in:
* PowerDNS Authoritative Server
* PowerDNS Recursive Server
Please note that our websites and infrastructure are in no way part of
this program, and are explicitly out of scope.
Besides our respect and attribution, PowerDNS may provide rewards to
eligible reporters of qualifying vulnerabilities. Rewards include:
* PowerDNS-Branded Clothing (T-Shirts, Polo Shirts, Hoodies).
* Minimum reward of $100 USD for vulnerabilities we consider to be
serious but of low impact, up to a maximum of $5000 USD for the most
PowerDNS will determine in its discretion whether a reward should be
granted and the amount of the reward. In particular, we may choose to pay
higher rewards for severe vulnerabilities or lower rewards for
vulnerabilities that are considered less severe.
A more complete policy is available at HackerOne once you are invited to
our program. Please read it carefully and respect it.