Responsible Disclosure of Security Vulnerabilities

If you've discovered a security concern, please email us at Please be succinct: the mailbox is attended by security engineers and a short proof-of-concept link is more valuable than a video explaining the consequences of an XSS bug.

Please note, we do not offer financial compensation for your report.

Rules for investigating vulnerabilities

  • When investigating a vulnerability, please only ever target your own accounts. Never attempt to access anyone else's data and do not engage in any activity that would be disruptive or damaging to your fellow users or to Doorkeeper.
  • Don’t use scanners or automated tools to find vulnerabilities. They’re noisy and we may suspend your Doorkeeper account and ban your IP address.
  • Don’t perform any attack that could harm the reliability/integrity of our services or data. DDoS/spam attacks are not allowed.
  • Don’t publicly disclose any vulnerabilities you find before we have resolved them.

What does not qualify for listing?

  • Bugs that have already been submitted by another user, that we are already aware of, or that have been classified as ineligible.
  • Insecure cookie settings for non-sensitive cookies.
  • Scripting or other automation and brute forcing of intended functionality.
  • Our support sites, and
  • Attacks that require access to the victim's browser (e.g. by using the same computer as the victim).
  • Disclosure of public information and information that does not present significant risk.
  • Bugs in content/services that are not owned/operated by Doorkeeper.
  • Vulnerabilities that Doorkeeper determines to be an accepted risk.

Thanks for working with us!

Thank you for helping keep Doorkeeper secure. We really appreciate your help.

We especially appreciate the help from the following individuals who have worked with us to resolve flaws securely.

If you're someone who has helped us in the past and we've neglected to list you, we apologize. Please let us know.