jsDelivr is used by thousands of websites around the world and they all rely on malware-free and reliable file delivery.
We take the security of our CDN very seriously and want to ensure our service is bulletproof.

Scope

Except from static file delivery we also have a dynamic /g/ functionality which can combine on the fly multiple files and output them to the user. Documentation __

Tests on /g/ itself can be done on the server http://staging.jsdelivr.net/ __.
(Note: the root domain redirects to www.jsdelivr.com __which is out of scope. You need to provide a path to test it)
It is not used in production but it is clone of the actual server and can be used for penetration tests.

HTTPS or other vulnerabilities can be tested on cdn.jsdelivr.net as long as they don't pose a real threat to live users.

We expect vulnerability reports for any server or service owned or used by jsDelivr, including DNS, CDN providers, load balancing algorithm, VPS, installed software and anything else that can be used in a harmful way.

Our website www.jsdelivr.com __is out of scope for these tests as it does not contain any user information and it is completely isolated from the CDN infrastructure.