Substack Vulnerability Disclosure Policy
We take the security of our systems seriously, and we value the security community. The disclosure of vulnerabilities helps us ensure the security and privacy of our users.
Guidelines
We require that all researchers:
- Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction of data during security testing.
- Perform research only within the scope set out below.
- Use the identified communication channels to report vulnerability information to us.
- Keep information about any vulnerabilities you’ve discovered confidential between yourself and Substack until we’ve had 90 days to resolve the issue.
If you follow these guidelines when reporting an issue to us, we commit to:
- Recognize your contribution on our Security Researcher Hall of Fame, if you are the first to report the issue and we make a code or configuration change based on the issue. Note that we don’t offer any monetary compensation at this time.
- Work with you to understand and resolve the issue quickly (including an initial confirmation of your report within 72 hours of submission).
- Not pursue or support any legal action related to your research.
In Scope
- substack.com
- reader.substack.com
- Substack's iOS app
Out of scope
Any services hosted by 3rd party providers and services are excluded from scope. Any web apps or surface areas meant for employees of Substack are also excluded from scope.
In the interest of the safety of our users, staff, the Internet at large and you as a security researcher, the following test types are excluded from scope:- Findings from physical testing such as office access (e.g. open doors, tailgating)
- Findings derived primarily from social engineering (e.g. phishing, vishing)
- Findings from applications or systems not listed in the ‘Scope’ section
- UI and UX bugs and spelling mistakes
- Network level Denial of Service (DoS/DDoS) vulnerabilities
Things we do not want to receive:
- Personally identifiable information (PII)
- Credit card holder data
Reporting a security vulnerability
If you believe you’ve found a security vulnerability in one of our products or platforms please send it to us by emailing [email protected]. Please include the following details with your report:
- Description of the location and potential impact of the vulnerability.
- A detailed description of the steps required to reproduce the vulnerability (POC scripts, screenshots, and compressed screen captures are all helpful).
- Your name/handle and a link for recognition in our Hall of Fame.
If you’d like to encrypt the information, please use our PGP key.
KeyID: 4ED9E010
Key Type: RSA
Key Size: 4096/4096
UserID: Substack Security <[email protected]>
Fingerprint: 0A22 F8A8 0456 2638 DD74 BA94 2D86 525E 4ED9 E010
Key Type: RSA
Key Size: 4096/4096
UserID: Substack Security <[email protected]>
Fingerprint: 0A22 F8A8 0456 2638 DD74 BA94 2D86 525E 4ED9 E010
-----BEGIN PGP PUBLIC KEY BLOCK----- mQINBGJ+eQUBEACf8m0LBYAxLiz+fzisFtBw43e1Lll/UyFnl02a9Rx9hWtqu+wS aM0+xp5oEyqBJMiG//Gu09aAhP4W7hC0RFdyq0JrT+Lhbo+Z0+oYt4WawKo7mPeq S2T8O/83AcJ7gX7W7NHeW/iCQyTUN8hlFiDLq+HLOwPWa2bnGx5Vusl/oO7i4gUT q7f6LfFUzPwoOe4Mm9ZzWsZ2VnABhvLY94y+DKWebcpvPdOXkXKebhyhpXEfcaob e1T4Vi6Rm95DcJvGD0X6csIF56OaCx3ie6FGI9Wsc7C6w1xaO/NM/eRdYho/mf3f 22+BGC1ovLX4bRLKvFk3YDBNDpFRRbsvwKOBnGJodPTe874Ngd717RpuT6EDDQJJ km9cUg8avsNGblPck6XNKG2j4Oynl81MLodU53aviqZFaFMefE1Z9ID/wrn2GZt6 psuAjhsDcx4SNMlRLdAJayRZtElKUhkj00WUNbm5tst08Gu4livHoeHdzhLgX6Mg uxORd2CIuN1g2+IVRXh9hxXzn47FyeFfQgcIGTAcrHDqbhb+5YYnCnoWG6v/Isc2 qQSBjz+XwqiQLM6s17JM4PyIauN3GI8pmJv92C/TZZfPo7j4sW9agpdk6OVNLdWo Hzzi38mZd5O8f87Z2uq3FwqOYfZuIxAtD2+zr/tzKlInA2mYwbL+Cy5bcQARAQAB tCxTdWJzdGFjayBTZWN1cml0eSA8c2VjdXJpdHlAc3Vic3RhY2tpbmMuY29tPokC TgQTAQgAOBYhBAoi+KgEViY43XS6lC2GUl5O2eAQBQJifnkFAhsDBQsJCAcCBhUK CQgLAgQWAgMBAh4BAheAAAoJEC2GUl5O2eAQfDQP+wSrbC0ZYmU1eQCrn5xPGV61 /sl1hxIKzTWlYxrX0nc0VT6X+mnojZrYY3F29r29AnQ5+Pl6PAHH3PAAL5NxtPX/ mAJN1StYcDza7p4qyO/bUv/2GrQ9K3Ozbsaef0JRT56txjBA67whsIPmc/Zy5/Ll 00S1kVyJDeeOFjPOOuCLPvS5QL+BMw5fi9iwIySB7DfVpC7Ic6g5yX9u14eAylyV gHR/MRiscLLXnCmp+1w8j2Abih18IZqEqPJcIubPt8OXYnDnc4ptw3Zd6c8Fegfr 2t+4mzc3YVbsmWfQ7x4w/hTLVjVu3k1ICWM0f0KO0oKCuRYfmdzDB1NS9HjNoFfM mUAFO1ZA4kI/oRc7Ycbfu0Sqe6wnk3kwEzwYfl4IMkXXj29NRgF4IAO9GMg11G3O +CeH8jsYYIxDfVeJ5yjRZuQO0385iHaPxCuI7lMUkSgnE5KPZRD7BlBgDF0kjiGq D+fChobEtjaTx/23kUiEzMZrI+oT4O1YlNIKTLA26CTgG2lYub9CJaSgEukXXjvr fzyg21jY0zJZxnkXre157EXqN3af9dIcyXa9TgILwaTrEOGSdYlwU+yWjVBoKPnA XC+wJ1YaO1c/rlwPxKREmL0pCsVbxKLYVOeS9p1y24yZQz8OwWPdaIywelQNfWVS 77PvF22r3yPGeVcOigxfuQINBGJ+eQUBEAC02f0oVdWTUiSyH6/ZfpiFsyiXwQxx lqX7Wh3QHernTzGksUQMsIo+Yogt3bU9qcnrHXJlu9cvH9QC0I3rw8yUaxHIWPPF raH8sGHov6cx7DFzuFHpFIUJ000nofp5BKEy6e9Gs8XCQtdYoTkdCmOXXEzS2FGK MlDEWbBVWcormn9vJwgv7ygIKMQEqqOpblx7NztpP0OxULjSquRjllqLTmETf6zX 7E+K46ekkIm/VxInRY242vJHeK9Mh1BDmfB0M7odOX3m/Yf+u8IufBzh841ZCPfL aBfUfKCLAQcIfc1CGHQIzSewgStmCXDnsM7w00ri3k7cdqZQTCUGQevgT0MXBhpd Y1KSPa/wnsiHNhKuN23xZSCBZVWuyAYfsr5Wu3ok/vsJ084Luyd4VKkHYmUho1MO GaOVcUKF7ZGVIeHr/Iuvwby9NewEfM/0IkyHbgnBNgH2TflhSboJ78hVU8SWglpo AGHcmbW0lhnuupFTRrJ9eV3wS6BZMS21x/JgPkV/i38S/Z1bZbXhJaUEOc6BzuTx Jg8BBnYGWMSsNpt+0JKyLg6DNTqL3AjNXzO4Qj7VtHND/ddmJrcfnJuBOYO4WcU2 qg2tauN4ShWdXZ7wZdLfvUzBIXnUiiWINet6jmv5sD65SktKZLCjrp5PlIi/PD1K cQeDGWB+16eudwARAQABiQI2BBgBCAAgFiEECiL4qARWJjjddLqULYZSXk7Z4BAF AmJ+eQUCGwwACgkQLYZSXk7Z4BAgKw/+O4ccxwSMztnVhZj4jTFrAK4RcXUlagJ2 emJyYyJD/sODuaiqrsRbTOuVHiISQdRiPXpFhLmb956Cq4+WiP0AqPP3+Hrzh+gH K214QfeXrWe1EeMiNb8td3d4Ml83OE0G3pqnS8z94sQ7FQeOc+WdsO2CMeNkCMRA LlIsvsj92PAZ5wnrrRENdxbAupEVYNsdnQXQDSJ/49YIYqID9gsBJTBFE1SHD7QS Uu9vCukEshgu/JW0LyLFRaSMgVGtT0g01f1RawjqTG4jFLJmUdYBfr93WURgGODK y/iffVIZ4gawXGYcQZfFqJWukV+U5DJcXKKjOPyCd6ihwPbIrMFDT84FU33OaEsI RpHASjUcniJ9AIdjtulev4pD9sjNz8jLFkocpjqDsqUVZJxJMc3oLgEnuCLuMS/L hT948eMX98JC4w1s8dgQYYy2N8SqFpTqQRiqcEIRt2hFcwtilWN+cky7eCd1yDJb ximYjLCraTA8627nojoDVH//WoOZXAdI9MXhTY4m22dYlqqhf5Mt20vaIM7fGhXl og9N0ZXmrMhUsVLqGDxz/6nplAlk1xCOcDj2N18y4Lm/DE54hW3Iar+QtpQ6lk66 s7fXI6C4EZBtCIycgEMo1lrUAGSUswxVCjrwiY1faZ3m1hD1FO2A+yzvFg3s2bwv XHkqnaHf8kY= =0q1C -----END PGP PUBLIC KEY BLOCK-----
