PowerDNS consists of recursive, authoritative and dnsdist components and provides a open-source DNS solution with extended security capabilities such as parental control, malware filtering, automated attack mitigation, subscriber communications and long-term query logging. It is one of the backbone components to provide a fast and reliable internet experience for subscribers and IoT devices.
No technology is perfect, and PowerDNS believes that working with skilled security researchers across the globe is crucial in identifying weaknesses in any technology. If you believe you've found a security issue in our products, we encourage you to notify us. We welcome working with you to resolve the issue promptly.
Please note that our websites and infrastructures are in no way part of this program, and are explicitly out of scope.
We are interested in security issues in the following products:
When reporting a vulnerability in one of the aforementioned products, please check that it exists in currently supported versions.
Our documentation hub at https://doc.powerdns.com/ __contains background information about installation and operation of all relevant components. It's a valuable source of information for deployment, configuration, attack surface and research.
You can find pre-built packages of PowerDNS components at https://repo.powerdns.com/ __. Most functionality, testing and debugging requires direct access to a PowerDNS system, please set up such a system for your research. We expect that you're using up to date versions of our software and related services, hardened configurations as well as a set of strong credentials.
You can get access to our source-code at https://github.com/PowerDNS/pdns __, but please do not report any potential security issue to the public bug tracker.
Besides our respect and attribution, PowerDNS may provide rewards to eligible
qualifying vulnerabilities. Rewards include:
PowerDNS will determine at its discretion whether a reward should be granted
amount of the reward. In particular we may choose to pay higher rewards for severe
vulnerabilities or lower rewards for vulnerabilities that are considered less severe. This is not a
contest or competition.
While researching, we'd like to ask you to refrain from:
Thank you for helping keep PowerDNS and our users safe!
Contact us if you want more information.