fyr.io

Vulnerability Reports

From a defense perspective, information security is tough to get right. Even when everything has been done correctly, vulnerabilities exist in software and hardware that you either have no knowledge of or are unable to resolve for some reason.

In theory (and so far, in practice) nothing is ever 100% secure. A defender has limited time to find and fix every issue, whereas an attacker has unlimited time to find and exploit just one.

If I have found an issue with a system you are responsible for...

I have not done so maliciously, and I don't want anything for it (unless you participate in or otherwise offer a bug bounty, of course!) with one exception: I want the problem to be resolved. I may also like to write about it, as per responsible disclosure, but if you do not wish for this to happen, please tell me. I will always attempt to make contact first, several times, before publishing anything. Normally this will be a minimum of 90 days after first contact, though if the issue is judged to be very severe and I don't hear anything back from you, this 90-day delay may be reduced. I'll let you know, though.

If you have found an issue on this site...

Want to dig about? Or have you happened across something interesting? The only rules are "don't leak/share personal data" (including information about the issue) and "try not to take anything offline"; otherwise anything on the fyr.io domain (including any and all subdomains, except for the blackbox.fyr.io subdomain) is open. Note that this site is hosted on a shared VPS, so try not to be too loud with any brute-forcing or automated scans. Rate limiting is appreciated 🙂

Whether it's full-blown RCE, minor information disclosure or something that I just haven't bothered to update, feel free to get in touch and let me know! I can't pay, but if you're the first person to report the issue (as of 2022-09-15) I'll add your name/alias/handle/etc. along with any suitable links (social media profiles, personal sites, etc.) to the Hall of Fame below. It's not much, but it's something 🙂

Email me at this domain, but put "security" before the @ symbol. (Please note: it can take me a while to get to these issues, sorry!)

Hall of Fame

These fine people have reported a valid, unfixed-at-the-time-of-report bug, vulnerability, misconfiguration or other technical issue on this site:

Old WordPress site

2023
2022
2021

We can't fix every security issue out there, but if we can fix just one it makes everyone that little bit safer.