
Report a Security Issue

Researching and reporting potential security vulnerabilities in the Fastly services

Fastly cares deeply about the security of both our network and our customers, and actively supports the larger security community. Fastly is committed to independent security research and responsible disclosure.

The following guidelines apply to researching and reporting potential security vulnerabilities in our network.

Security evaluations must:

  • Be performed only on the following *.fastly.com domains: https://www.fastly.com, https://legacy-app.fastly.com, https://manage.fastly.com, and https://docs.fastly.com
  • Not be performed on any other Fastly domains, including *.fastly.net
  • Not be performed on any non-Fastly domain
  • Not compromise the availability of Fastly’s services
  • Not compromise the security or privacy of Fastly’s customers or the data on Fastly’s network
  • Use non-destructive and non-disruptive testing
  • Not involve social engineering or evaluation of physical security controls

Findings of security evaluations must be reported by creating a support ticket with the subject, "Potential Security Vulnerability." The support ticket must provide as much detail as is known, including:

  • Valid contact information for the reporter
  • A description of the location and nature of the vulnerability
  • Detailed steps to reproduce the vulnerability
  • A short description of the vulnerability’s potential security impact

In addition:

  • Screenshots or videos are always helpful
  • Messages can optionally be encrypted to our PGP public key

Fastly response to reports of security evaluations

Fastly will:

  • Endeavor to acknowledge initial security evaluation reports within two business days
  • Prioritize the reproduction and then confirmation of any reported vulnerability
  • For any confirmed vulnerability, promptly identify a reasonable timeline for patching and public disclosure
  • Send a Fastly t-shirt to the initial reporter of a confirmed and patched vulnerability as a thank you for their hard work (only one shirt per reporter, but we welcome ongoing submissions)
  • Not pursue legal action against any reporter who complies with all of the guidelines for performing and reporting security evaluations, and who also cooperates fully with Fastly’s reasonable requests for assistance in reproducing a vulnerability

Please note that security tests or research which interfere with or disrupt the integrity or performance of the Services violate our acceptable use policy. You must respond immediately to any communications from Fastly regarding your work to help ensure your activities do not adversely affect other customers or the Fastly network.