Report a Security Vulnerability

If you find a vulnerability in an OpenResty Inc. product, please read the OpenResty Inc. Vulnerability Disclosure Policy before reporting it (refer to the form below).

OpenResty Inc.'s Vulnerability Disclosure Policy

Before reporting any vulnerabilities, we encourage you to read this disclosure policy thoroughly and follow it.

Effective disclosure of security vulnerabilities, according to OpenResty Inc., needs mutual trust, respect, transparency, and the common good between OpenResty Inc. and Security Researchers. Together, we ensure the security and privacy of OpenResty Inc. users, products, and services.

When you find a vulnerability

• Please submit a detailed report that includes step-by-step instructions for reproducing the vulnerability.
• Until the issue is rectified, avoid revealing the vulnerability to the public or to any third parties.
• Make a good-faith attempt to avoid infringing OpenResty Inc. customer data privacy. If at all feasible, test with your own accounts.
• Never destroy or tamper with OpenResty Inc. client data that isn't yours.
• Following the tests, clean up. If your vulnerability necessitates leaving malicious entries or files on an OpenResty Inc. property, please erase or hide them once the vulnerability has been demonstrated.

What we'll do

• We will review your report as soon as possible.
• If we can't reproduce the problem, we'll contact you for more information.

Scope

In scope' vulnerabilities must be original, previously unreported, and not already discovered by internal procedures.

When you find a vulnerability

• OpenResty Plus: plus.openresty.com(.cn)
• OpenResty Edge: *.trialadmin.openresty.com
• OpenResty XRay: *.xray.openresty.com(.cn)

Reports of non-exploitable vulnerabilities, or reports indicating that our services do not fully align with 'best practice' (e.g. missing security headers) are not in scope.

What to Expect

We will respond to your report within 5 working days after you submit it, and we will try to triage it within 10 working days. If you've registered for an account on OpenResty, we'll keep you updated on our progress throughout the process.

Safe Harbor

All vulnerability research should be

• Authorized in accordance with the Computer Fraud and Abuse Act (CFAA).
• Exempt from the Digital Millennium Copyright Act (DMCA)
• Lawful

Notifying OpenResty Inc. of a Security Vulnerability

Please report any vulnerabilities you find in an OpenResty Inc. product using the Report Form. In your report, please provide the following information:

In your report, please provide the following information

• A full description of the issue, including the product's name
• The nature of the security issue
• Your contact information