Fastly cares deeply about the security of both our network and our customers, and actively supports the larger security community. Fastly is committed to independent security research and responsible disclosure.
The following guidelines apply to researching and reporting potential security vulnerabilities in our network.
Security evaluations must:
- Not be performed on any other Fastly domains, including *.fastly.net
- Not be performed on any non-Fastly domain
- Not compromise the availability of Fastly’s services
- Not compromise the security or privacy of Fastly’s customers or the data on Fastly’s network
- Use non-destructive and non-disruptive testing
- Not involve social engineering or evaluation of physical security controls
Findings of security evaluations must be reported by creating a submission to the following form. The submission must provide as much detail as is known, including:
- Valid contact information for the reporter
- A description of the location and nature of the vulnerability
- Detailed steps to reproduce the vulnerability
- A short description of the vulnerability’s potential security impact
- Screenshots or videos are always helpful
Messages can optionally be encrypted to our PGP public key
Fastly will:
- Endeavor to acknowledge initial security evaluation reports within two business days
- Prioritize the reproduction and then confirmation of any reported vulnerability
- For any confirmed vulnerability, promptly identify a reasonable timeline for patching and public disclosure
- Send a Fastly t-shirt to the initial reporter of a confirmed and patched vulnerability as a thank you for their hard work (only one shirt per reporter, but we welcome ongoing submissions)
- Not pursue legal action against any reporter who complies with all of the guidelines for performing and reporting security evaluations, and who also cooperates fully with Fastly’s reasonable requests for assistance in reproducing a vulnerability
Please note that security tests or research which interfere with or disrupt the integrity or performance of the Services violate our acceptable use policy. You must respond immediately to any communications from Fastly regarding your work to help ensure your activities do not adversely affect other customers or the Fastly network.