Report a Security Vulnerability

If you find a vulnerability in an OpenResty Inc. product, please read the OpenResty Inc. Vulnerability Disclosure Policy before reporting it (refer to the form below).

OpenResty Inc.'s Vulnerability Disclosure Policy

Before reporting any vulnerabilities, we encourage you to read this disclosure policy thoroughly and follow it.

Effective disclosure of security vulnerabilities, according to OpenResty Inc., needs mutual trust, respect, transparency, and the common good between OpenResty Inc. and Security Researchers. Together, we ensure the security and privacy of OpenResty Inc. users, products, and services.

When you find a vulnerability

What we'll do


In scope' vulnerabilities must be original, previously unreported, and not already discovered by internal procedures.

When you find a vulnerability

Reports of non-exploitable vulnerabilities, or reports indicating that our services do not fully align with 'best practice' (e.g. missing security headers) are not in scope.

What to Expect

We will respond to your report within 5 working days after you submit it, and we will try to triage it within 10 working days. If you've registered for an account on OpenResty, we'll keep you updated on our progress throughout the process.

Safe Harbor

All vulnerability research should be

Notifying OpenResty Inc. of a Security Vulnerability

Please report any vulnerabilities you find in an OpenResty Inc. product using the Report Form. In your report, please provide the following information:

In your report, please provide the following information