Reporting a security vulnerability
Protecting the clients of Anchorage Digital is our top priority, and we welcome the contributions of independent security professionals to assist us in our goal. If you believe that you have found a security vulnerability, please report it via email to security@anchorage.com.
Reports may be submitted anonymously. We may not respond to every report. For all other inquiries unrelated to security vulnerabilities, please contact us via our contact form.
For particularly sensitive information, please make initial contact through the method above, and we will work with you to establish a secure channel of communication. By submitting a vulnerability, you acknowledge that you have no expectation of payment related to your submission.
What is a Security Vulnerability?
A security vulnerability is a defect in a system, protocol, or service which can be exploited to cause unintended negative effects to the users of that system. These effects may include disclosure of information, alteration or destruction of data, or unavailability of the service itself. For examples of vulnerabilities, please refer to resources such as the OWASP Top 10.
Responsible Disclosure
Anchorage Digital is committed to protecting our clients. As such, we are committed to the principles of coordinated disclosure. If you intend to disclose your findings publicly, we ask that you coordinate with us in advance, so that we may remediate any issues prior to their public release.
How to Report
In order to help us triage and investigate submissions, we recommend that your reports to security@anchorage.com contain:
- The location of the vulnerability (URI, IP address, application)
- A summary of the vulnerability and perceived impact
- A detailed description of the steps needed to reproduce or exhibit the vulnerability
- How the vulnerability was identified
Proof of concept scripts or screenshots are helpful, but not required.