Responsible Disclosure

Security is a top priority for us at Primer and we work hard to make sure our systems are secure, but we’re human and might miss something. To help keep our users safe, we want to collaborate with external Security Researchers and Bug Hunters.

Here are our guidelines for reporting vulnerabilities, and what you can expect from us if you do.

All reports can be sent to security@primer.io. If you would like to encrypt your mail (we suggest you do if it contains personal information), please find our PGP key at the bottom of this page.

Do’s

✅ Send reports even if you’re not certain about the vulnerability. Better safe than sorry!

✅ Make sure the report is in well-written English.

✅ Include any evidence or proof-of-concepts that might help us reproduce and diagnose the vulnerability faster.

✅ Minimise harm to production systems, and tell us early! If you notice degradation to the performance of the system you’re testing, please pause and let us know!

Don’ts

❌ Don’t attempt to social-engineer Primer employees or our users.

❌ Don’t exploit a vulnerability to gain access to data or modify systems in ways that might affect our users.

❌ Don’t post anything on blogs or social media until we’ve been able to triage and repair the vulnerability. Our goal is to minimize any harm to our users, but we’re happy for you to make your work public—only after the fact and once we’ve given you the go-ahead.

❌ Don’t attempt attacks or submit reports for vulnerabilities within the following categories:

  • Social engineering against Primer employees or users

  • Missing security best practices such as HSTS, cookie Secure/HttpOnly flags, DNSSEC, or insecure SSL/TLS configurations (unless a realistic attack can be demonstrated)

  • Public knowledge (non-zeroday) CVEs

  • Intentional open redirects (e.g. standard OAuth flows)

  • Missing CAPTCHA, weak validation (including password policies), or CSRF on forms that allow anonymous submission

  • Tabnabbing, clickjacking, self-XSS (unless a realistic attack can be demonstrated) or attacks that require victims to take steps to become vulnerable

Our Part

We take submissions seriously, and we’ll let you know when we: begin investigation of your submission, reach a conclusion, and deploy fixes.

Here are the timelines you can expect:

  • Initial acknowledgement and response: 3 business days

  • Confirmation (and expected date of fix deployment): 5 business days

In return for following these guidelines, we offer the following:

✅ Safe harbour: we will not take legal or punitive action against you, including for accidental damage to our systems during testing.

✅ Privacy and Confidentiality: we don’t take this lightly, and will never disclose or publicise any information without your explicit consent.

✅ Recognition via the Hall-of-Fame hosted at https://primer.io/security/famous.txt.

Thanks for keeping an eye out. Happy hunting!

Key ID: 3BFC42E548A5A06657452A42BA0C6B013C259DC9

Public Key:

-----BEGIN PGP PUBLIC KEY BLOCK-----
[armored key body not present in this copy of the page]
=jmrb
-----END PGP PUBLIC KEY BLOCK-----

© Primer 2022