Keeping our customers safe is a huge responsibility, and our highest priority. We pledge to deal with any security reports quickly, responsibly, and with the utmost care.
For Researchers: Reporting Security Issues
If you've discovered a security issue in Duo's product, services, or website, send your report directly to firstname.lastname@example.org — our PGP key is here.
How we'll handle it:
- Within 24 hours, we'll acknowledge your report and let you know how to track its status.
- We'll determine how it affects our products, working closely with you to ensure we fully understand the issue.
- Once the issue is resolved, we'll post a security update along with thanks and credit for the discovery.
- We will not publicly disclose your report until our investigation is complete, and then only once we've agreed on its resolution.
When sending your report, please include as much of the following information as possible:
- Type of issue (e.g. SQL injection, cross-site scripting, command execution)
- Affected component(s) and version(s)
- Proof-of-concept and/or steps to reproduce the issue
- Impact of the issue
- Any additional, pertinent information
For Customers: Our Response
After we receive a security report, we work swiftly and diligently to determine its scope, impact, and solution. Once we've developed a fix, or have identified a workaround, we will disseminate this information to affected customers, in accordance with our Support Policy.
Thank You For Working With Us
We've been on both sides of this as vendors and security researchers ourselves, and appreciate the talent and effort it takes to improve security. We will publicly acknowledge every researcher and company that goes out of their way to work with us to find, fix, and disclose security flaws.