2015-07-20
2019-12-25
Reward: 50 $

Keybase

No technology is perfect, and Keybase believes that working with skilled security researchers across the globe is crucial in identifying weaknesses in any technology. If you believe you've found a security issue in our product or service, we encourage you to notify us. We welcome working with you to resolve the issue promptly.

Disclosure Policy

  • Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.
  • Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third party.
  • Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.

Bounty Program

To show our appreciation of responsible security researchers, Keybase offers a monetary bounty for reports of qualifying security vulnerabilities. Reward amounts will vary based upon the severity of the reported vulnerability, and eligibility is at our sole discretion.

The Keybase API is documented at keybase.io/docs/api/1.0.

Keybase code is located at github.com/keybase.

Non-Qualifying Vulnerabilities

Depending on their impact, not all reported issues may qualify for a monetary reward.

Please refrain from accessing private information (so use test accounts), performing actions that may negatively affect Keybase users (spam, denial of service), or sending reports from automated tools without verifying them.

The following issues are outside the scope of our vulnerability rewards program (either ineligible or false positives):

  • Reports from automated tools or scans
  • Attacks requiring physical access to a user's device
  • Password and account recovery policies, such as reset link expiration or password complexity
  • Missing security headers which do not lead directly to a vulnerability
  • Clickjacking on static websites
  • Content spoofing / text injection
  • Denial of service attacks caused only by a large volume of requests
  • Use of a known-vulnerable library (without evidence of exploitability)
  • Issues related to software or protocols not under Keybase control
  • Reports of spam
  • Vulnerabilities affecting users of outdated or unpatched browsers and platforms
  • Social engineering of staff or contractors
  • Any physical attempts against Keybase property or data centers
  • Concerns about DKIM/DMARC/DNSSEC and SPF records
  • Reports of server crashes. Yes, sometimes our server crashes. Yes, there are usually stack frames involved. Yes, there are pathnames in the stacktraces. We are not concerned, though we are happy to fix the crasher if you'd like to help out.
  • Rate-limiting brute-force attacks against login.
  • Low-impact CSRF attacks

Code Of Conduct

If you want to help us out, we greatly appreciate it. Be advised that for the purposes of the engagement, you are working for us. When someone works for a company, that company usually compensates the person as a combination of: (1) how much they contribute to the company's products; and (2) how pleasant they are to work with. If you choose to act like a 5-year-old, it's within our rights to compensate you like one. In practice, what this means is: (a) no nagging; (b) no repeatedly asking us for updates; (c) no whining. Please be pleasant to work with, and we'll be pleasant in return.

Thank you for helping keep Keybase and our users safe!


This program, crawled on 2015-07-20, is sorted as bounty.
