Introduction to PowerDNS and program rules

PowerDNS consists of recursive, authoritative and dnsdist components and provides a open-source DNS solution with extended security capabilities such as parental control, malware filtering, automated attack mitigation, subscriber communications and long-term query logging. It is one of the backbone components to provide a fast and reliable internet experience for subscribers and IoT devices.

No technology is perfect, and PowerDNS believes that working with skilled security researchers across the globe is crucial in identifying weaknesses in any technology. If you believe you've found a security issue in our products, we encourage you to notify us. We welcome working with you to resolve the issue promptly.

Scope

Please note that our websites and infrastructures are in no way part of this program, and are explicitly out of scope.

We are interested in security issues in the following products:

• PowerDNS Authoritative Server
• PowerDNS Recursive Server
• dnsdist

When reporting a vulnerability in one of the aforementioned products, please check that it exists in currently supported versions.

How to research

Documentation

Our documentation hub at https://doc.powerdns.com/ __contains background information about installation and operation of all relevant components. It's a valuable source of information for deployment, configuration, attack surface and research.

Software packages

You can find pre-built packages of PowerDNS components at https://repo.powerdns.com/ __. Most functionality, testing and debugging requires direct access to a PowerDNS system, please set up such a system for your research. We expect that you're using up to date versions of our software and related services, hardened configurations as well as a set of strong credentials.

Source-code

You can get access to our source-code at https://github.com/PowerDNS/pdns __, but please do not report any potential security issue to the public bug tracker.

Disclosure Policy

• Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.
• Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party.
• Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.

Rewards

Besides our respect and attribution, PowerDNS may provide rewards to eligible reporters of
qualifying vulnerabilities. Rewards include:

• PowerDNS-Branded Clothing (T-Shirts, Polo Shirts, Hoodies).
• Minimum reward of $100 for vulnerabilities we consider to be serious but of low-impact, up to a maximum of $5000 for the most severe vulnerabilities.

PowerDNS will determine at its discretion whether a reward should be granted and the
amount of the reward. In particular we may choose to pay higher rewards for severe
vulnerabilities or lower rewards for vulnerabilities that are considered less severe. This is not a
contest or competition.

Exclusions

While researching, we'd like to ask you to refrain from:

• Denial of service
• Spamming
• Legacy and unsupported versions of PowerDNS
• Social engineering (including phishing) of PowerDNS staff or contractors
• Any physical attempts against PowerDNS property or data centers
• Purposely weakening the default configuration of our components
• Vulnerabilities of third-party software which is not shipped by PowerDNS
• Editing our public wiki on GitHub. Yes, we know it's a public wiki that any GitHub user can edit.

Thank you for helping keep PowerDNS and our users safe!