🔒 Security at Pastes.io
At Pastes.io, we take security seriously and implement measures to protect user data and maintain platform integrity.
🛡️ Security Measures
- 🔐 Cloudflare Protection: We use Cloudflare to mitigate DDoS attacks and secure our infrastructure.
- 🗝️ Secure Data Handling: Pastes can be encrypted and password-protected for user privacy.
- 📜 Expiring Pastes: Users can set expiration times for pastes, reducing the risk of outdated or unwanted data exposure.
- 🛑 Abuse Prevention: We monitor for spam, phishing, and malware to maintain a safe environment.
🐞 Reporting Security Vulnerabilities
If you discover a security vulnerability on Pastes.io, we encourage responsible disclosure.
📧 Report via Email: [email protected]
🔍 Report via HackerOne: https://hackerone.com/pastesio
💡 Note: We are a small company and currently unable to offer monetary rewards for security reports. However, we greatly appreciate your help in keeping our platform secure!
📌 Scope
Our current scope includes:
- *.pastes.io (all subdomains)
- We also welcome reports for domains that may be associated with us but are not listed.
✅ In-Scope Vulnerabilities
We are particularly interested in reports related to:
- 🚀 Remote Code Execution (RCE)
- 🔓 Cross-site Scripting (XSS)
- 🛡️ Cross-site Request Forgery (CSRF)
- 📂 Server-Side Request Forgery (SSRF)
- 📊 SQL Injection
- 📄 XML External Entity (XXE) Attacks
- 🔑 Access Control Issues (IDOR, Privilege Escalation, etc.)
- 🛠️ Exposed Admin Panels without strong protection
- 📂 Directory Traversal Issues
- 🔍 Local File Disclosure (LFD)
- 🔒 User Data Leaks (Sensitive Information Disclosure)
- 🚨 Known vulnerabilities in unpatched third-party software
🚫 Out-of-Scope Issues
- 🔍 Information leakage that cannot be used for direct attacks
- 🔐 Missing security headers that do not lead to a direct vulnerability
- 📉 SPF/DMARC issues in non-email domains
- 📡 Social engineering & physical attacks
- 📊 Reports from automated scanners/tools
- 🌐 Distributed Denial of Service (DDoS) attacks
- 🕵️‍♂️ Attacks requiring MITM or physical device access
- 🛑 Login/logout/low-impact CSRF
- 🔍 Content spoofing & missing cookie flags
- ⚡ SSL/TLS best practices
- 🔄 Clickjacking/UI redressing
- 💻 Flash-based vulnerabilities
- 📩 Spam, email/SMS flooding
- ⏳ 0-day vulnerabilities less than 30/60/90 days after patch release
- 🛠️ Third-party products outside of Pastes.io control
🔐 Security is our priority. Thank you for helping us keep Pastes.io safe!