🔒 Security at pastes.io

At pastes.io, we take security seriously and implement measures to protect user data and maintain platform integrity.

🛡️ Security Measures

  • 🔐 Cloudflare Protection: We use Cloudflare to mitigate DDoS attacks and secure our infrastructure.
  • 🗝️ Secure Data Handling: Pastes can be encrypted and password-protected for user privacy.
  • 📜 Expiring Pastes: Users can set expiration times for pastes, reducing the risk of outdated or unwanted data exposure.
  • 🛑 Abuse Prevention: We monitor for spam, phishing, and malware to maintain a safe environment.

🐞 Reporting Security Vulnerabilities

If you discover a security vulnerability on pastes.io, we encourage responsible disclosure.

📧 Report via Email: support@pastes.io

💡 Note: We are a small company and currently unable to offer monetary rewards for security reports. However, we greatly appreciate your help in keeping our platform secure!

📌 Scope

Our current scope includes:

  • *.pastes.io (all subdomains)
  • We also welcome reports for domains that may be associated with us but are not listed.

✅ In-Scope Vulnerabilities

We are particularly interested in reports related to:

  • 🚀 Remote Code Execution (RCE)
  • 🔓 Cross-site Scripting (XSS)
  • 🛡️ Cross-site Request Forgery (CSRF)
  • 📂 Server-Side Request Forgery (SSRF)
  • 📊 SQL Injection
  • 📄 XML External Entity (XXE) Attacks
  • 🔑 Access Control Issues (IDOR, Privilege Escalation, etc.)
  • 🛠️ Exposed Admin Panels without strong protection
  • 📂 Directory Traversal Issues
  • 🔍 Local File Disclosure (LFD)
  • 🔒 User Data Leaks (Sensitive Information Disclosure)
  • 🚨 Known vulnerabilities in unpatched third-party software

🚫 Out-of-Scope Issues

  • 🔍 Information leakage that cannot be used for direct attacks
  • 🔐 Missing security headers that do not lead to a direct vulnerability
  • 📉 SPF/DMARC issues in non-email domains
  • 📡 Social engineering & physical attacks
  • 📊 Reports from automated scanners/tools
  • 🌐 Distributed Denial of Service (DDoS) attacks
  • 🕵️‍♂️ Attacks requiring MITM or physical device access
  • 🛑 Login/logout/low-impact CSRF
  • 🔍 Content spoofing & missing cookie flags
  • ⚡ SSL/TLS best practices
  • 🔄 Clickjacking/UI redressing
  • 💻 Flash-based vulnerabilities
  • 📩 Spam, email/SMS flooding
  • ⏳ Recently disclosed 0-day vulnerabilities (fewer than 30/60/90 days after a patch is released)
  • 🛠️ Third-party products outside of pastes.io control

🔐 Security is our priority. Thank you for helping us keep pastes.io safe!