Security
Responsible Disclosure & Security Practices
Found a security vulnerability?
security@dnslookup.proWe respond to security reports within 24-48 hours
Responsible Disclosure Policy
We take security seriously and appreciate the efforts of security researchers who help us maintain a secure platform. We are committed to working with the security community to verify and respond to legitimate vulnerability reports.
How to Report a Vulnerability
Primary Contact:
Email: security@dnslookup.pro
Please use PGP encryption for sensitive reports (key below)
What to Include in Your Report
- Description: Clear description of the vulnerability
- Impact: Potential impact and severity assessment
- Steps to Reproduce: Detailed steps to reproduce the issue
- Proof of Concept: PoC code or screenshots (if applicable)
- Affected Components: URLs, endpoints, or features affected
- Your Contact Info: Email and name for acknowledgment
- CVE ID: If already assigned
Our Commitment to Researchers
Prompt Response
Initial acknowledgment within 24-48 hours
No Legal Action
We will not pursue legal action for good faith research
Public Recognition
Credit in our security hall of fame (with permission)
Transparent Communication
Regular updates on remediation progress
Response Timeline
Initial Acknowledgment
We confirm receipt of your report and assign a tracking ID
Validation & Triage
We validate the vulnerability and assess severity (CVSS score)
Remediation
We develop and deploy a fix (timeline depends on severity)
Disclosure
Coordinated disclosure after patch deployment (90-day default)
Note: Critical vulnerabilities receive priority treatment with faster response times.
Recognition & Rewards
While we don't currently offer a formal bug bounty program with monetary rewards, we deeply appreciate security researchers' contributions.
What We Offer
- Public Recognition: Listed in our Security Hall of Fame (with your permission)
- Swag: DNSLookup.pro merchandise for significant findings
- Professional Reference: LinkedIn endorsement or reference letter
- CVE Credit: Attribution in CVE if vulnerability is assigned a CVE ID
Future Plans: We are evaluating the possibility of launching a paid bug bounty program. Stay tuned for updates.
Scope
In Scope
- dnslookup.pro (main website)
- All subdomains under *.dnslookup.pro
- Public API endpoints
- Client-side applications and tools
Out of Scope
- Third-party services (Cloudflare, Google Analytics, etc.)
- Social engineering attacks against our staff
- Physical attacks on infrastructure
- Denial of Service (DoS/DDoS) attacks
Safe Harbor
We consider security research conducted in good faith to be:
- Authorized under the Computer Fraud and Abuse Act (CFAA) and similar laws
- Exempt from restrictions in our Terms of Service
- Lawful and not subject to legal action by DNSLookup.pro
Good Faith Research Means:
- Make every effort to avoid privacy violations, data destruction, and service interruption
- Only interact with accounts you own or have explicit permission to access
- Do not exploit vulnerabilities beyond what is necessary to demonstrate the issue
- Keep vulnerabilities confidential until we've addressed them
- Do not access, modify, or delete other users' data
PGP Encryption
For sensitive vulnerability reports, please use our PGP public key:
-----BEGIN PGP PUBLIC KEY BLOCK-----
[Your PGP Public Key Here]
Key ID: 0xABCDEF123456
Fingerprint: ABCD EFGH 1234 5678 90AB CDEF 1234 5678 90AB CDEF
-----END PGP PUBLIC KEY BLOCK-----
Note: Replace with actual PGP key. You can generate one at OpenPGP.org
Our Security Practices
Encryption
- HTTPS everywhere (TLS 1.3)
- HSTS with preloading
- Encrypted data at rest
- End-to-end encryption for sensitive data
Access Control
- Multi-factor authentication (MFA)
- Role-based access control (RBAC)
- Least privilege principle
- Regular access reviews
Infrastructure
- DDoS protection (Cloudflare)
- Web Application Firewall (WAF)
- Regular security patching
- Isolated environments
Monitoring
- 24/7 security monitoring
- Intrusion detection systems (IDS)
- Audit logging and alerting
- Regular security audits
Summary: We use HTTPS, HSTS, and regular security reviews. Report issues at security@dnslookup.pro
Security Hall of Fame
We thank the following security researchers for responsibly disclosing vulnerabilities:
No entries yet. Be the first!
Researchers are listed with their permission only. If you prefer to remain anonymous, let us know.
Security Contact Information
- Email: security@dnslookup.pro
- Response Time: 24-48 hours for initial acknowledgment
- Encryption: PGP key available above for sensitive reports
- Alternative Contact: abuse@dnslookup.pro for abuse reports