Security

Responsible Disclosure & Security Practices

Found a security vulnerability?

[email protected]

We respond to security reports within 24-48 hours

Responsible Disclosure Policy

We take security seriously and appreciate the efforts of security researchers who help us maintain a secure platform. We are committed to working with the security community to verify and respond to legitimate vulnerability reports.

How to Report a Vulnerability

Primary Contact:

Email: [email protected]

Please use PGP encryption for sensitive reports (key below)

What to Include in Your Report

  • Description: Clear description of the vulnerability
  • Impact: Potential impact and severity assessment
  • Steps to Reproduce: Detailed steps to reproduce the issue
  • Proof of Concept: PoC code or screenshots (if applicable)
  • Affected Components: URLs, endpoints, or features affected
  • Your Contact Info: Email and name for acknowledgment
  • CVE ID: If already assigned

Our Commitment to Researchers

Prompt Response

Initial acknowledgment within 24-48 hours

No Legal Action

We will not pursue legal action for good faith research

Public Recognition

Credit in our security hall of fame (with permission)

Transparent Communication

Regular updates on remediation progress

Response Timeline

24-48 Hours

Initial Acknowledgment

We confirm receipt of your report and assign a tracking ID

5-7 Days

Validation & Triage

We validate the vulnerability and assess severity (CVSS score)

30-90 Days

Remediation

We develop and deploy a fix (timeline depends on severity)

After Fix

Disclosure

Coordinated disclosure after patch deployment (90-day default)

Note: Critical vulnerabilities receive priority treatment with faster response times.

Recognition & Rewards

While we don't currently offer a formal bug bounty program with monetary rewards, we deeply appreciate security researchers' contributions.

What We Offer

  • Public Recognition: Listed in our Security Hall of Fame (with your permission)
  • Swag: DNSLookup.pro merchandise for significant findings
  • Professional Reference: LinkedIn endorsement or reference letter
  • CVE Credit: Attribution in CVE if vulnerability is assigned a CVE ID

Future Plans: We are evaluating the possibility of launching a paid bug bounty program. Stay tuned for updates.

Scope

In Scope

  • dnslookup.pro (main website)
  • All subdomains under *.dnslookup.pro
  • Public API endpoints
  • Client-side applications and tools

Out of Scope

  • Third-party services (Cloudflare, Google Analytics, etc.)
  • Social engineering attacks against our staff
  • Physical attacks on infrastructure
  • Denial of Service (DoS/DDoS) attacks

Safe Harbor

We consider security research conducted in good faith to be:

  • Authorized under the Computer Fraud and Abuse Act (CFAA) and similar laws
  • Exempt from restrictions in our Terms of Service
  • Lawful and not subject to legal action by DNSLookup.pro

Good Faith Research Means:

  • Making every effort to avoid privacy violations, data destruction, and service interruption
  • Interacting only with accounts you own or have explicit permission to access
  • Not exploiting vulnerabilities beyond what is necessary to demonstrate the issue
  • Keeping vulnerabilities confidential until we've addressed them
  • Not accessing, modifying, or deleting other users' data

PGP Encryption

For sensitive vulnerability reports, please use our PGP public key:

-----BEGIN PGP PUBLIC KEY BLOCK-----

[Your PGP Public Key Here]

Key ID: 0xABCDEF123456
Fingerprint: ABCD EFGH 1234 5678 90AB CDEF 1234 5678 90AB CDEF

-----END PGP PUBLIC KEY BLOCK-----

Note: Replace with actual PGP key. You can generate one at OpenPGP.org

Our Security Practices

Encryption

  • HTTPS everywhere (TLS 1.3)
  • HSTS with preloading
  • Encrypted data at rest
  • End-to-end encryption for sensitive data
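
The "HSTS with preloading" item above is a claim a researcher can verify from the response headers alone. The following Python checker is an added example (not DNSLookup.pro's own code) that parses a Strict-Transport-Security header value and reports why it would fail the public preload-list requirements: a max-age of at least one year (31536000 seconds), plus the includeSubDomains and preload directives. The sample header values are constructed for the demonstration; the preload list additionally requires an HTTPS redirect and a valid certificate, which this header-only check does not cover.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Minimum max-age the HSTS preload list accepts: one year in seconds.
MIN_PRELOAD_MAX_AGE = 31536000


@dataclass
class HstsCheck:
    """Result of inspecting one Strict-Transport-Security header value."""
    max_age: Optional[int]
    include_subdomains: bool
    preload: bool
    problems: List[str] = field(default_factory=list)

    @property
    def preload_eligible(self) -> bool:
        # Header-level eligibility only; redirect and certificate checks are separate.
        return not self.problems


def parse_hsts(header_value: str) -> HstsCheck:
    """Parse an STS header value (RFC 6797 syntax) and collect preload problems."""
    max_age: Optional[int] = None
    include_subdomains = False
    preload = False
    problems: List[str] = []
    seen = set()

    for raw in header_value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()          # directive names are case-insensitive
        value = value.strip().strip('"')     # max-age may be a quoted-string

        # RFC 6797 requires each directive to appear at most once.
        if name in seen:
            problems.append(f"duplicate directive: {name}")
            continue
        seen.add(name)

        if name == "max-age":
            if re.fullmatch(r"\d+", value):
                max_age = int(value)
            else:
                problems.append(f"max-age is not a non-negative integer: {value!r}")
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
        # Unknown directives are ignored, as the RFC instructs user agents to do.

    if max_age is None:
        problems.append("max-age directive missing")
    elif max_age < MIN_PRELOAD_MAX_AGE:
        problems.append(
            f"max-age {max_age} is below the preload minimum of {MIN_PRELOAD_MAX_AGE}"
        )
    if not include_subdomains:
        problems.append("includeSubDomains directive missing")
    if not preload:
        problems.append("preload directive missing")

    return HstsCheck(max_age, include_subdomains, preload, problems)


if __name__ == "__main__":
    # Constructed sample header values, not captured from any real site.
    samples = {
        "preload-ready": "max-age=63072000; includeSubDomains; preload",
        "short-lived":   "max-age=300",
        "no-preload":    "max-age=31536000; includeSubDomains",
    }
    for label, value in samples.items():
        result = parse_hsts(value)
        status = "eligible" if result.preload_eligible else "NOT eligible"
        print(f"{label}: {status}")
        for problem in result.problems:
            print(f"  - {problem}")
```

Run it against the real header by pasting the value of the Strict-Transport-Security response header into `parse_hsts`; an empty header, a short max-age, or a missing directive each show up as a separate problem so the gap can be reported precisely.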

Access Control

  • Multi-factor authentication (MFA)
  • Role-based access control (RBAC)
  • Least privilege principle
  • Regular access reviews

Infrastructure

  • DDoS protection (Cloudflare)
  • Web Application Firewall (WAF)
  • Regular security patching
  • Isolated environments

Monitoring

  • 24/7 security monitoring
  • Intrusion detection systems (IDS)
  • Audit logging and alerting
  • Regular security audits

Summary: We use HTTPS, HSTS, and regular security reviews. Report issues at [email protected]

Security Hall of Fame

We thank the following security researchers for responsibly disclosing vulnerabilities:

No entries yet. Be the first!

Researchers are listed with their permission only. If you prefer to remain anonymous, let us know.

Security Contact Information

  • Email: [email protected]
  • Response Time: 24-48 hours for initial acknowledgment
  • Encryption: PGP key available above for sensitive reports
  • Alternative Contact: [email protected] for abuse reports

© 2025 DNS Lookup. All rights reserved. Proudly Hosted on MonoVM VPS Hosting

If you believe a tool is being misused, report it at [email protected]