Responsible Disclosure

Resend is committed to keeping customer data safe and secure.
We value any input from the community to help us detect vulnerabilities.

How to report an issue

Due to limitations of our team size, we are temporarily pausing new reports.

What we expect from you

  • Do not execute a Denial of Service (DoS) attack.
  • Do not run any automated tools against our servers.
  • Do not access or modify data that does not belong to you.
  • Do not publicly share the vulnerability details.

What you can expect from us

  • We will perform our own risk assessment for every reported vulnerability.
  • If your report is not eligible, we will let you know.
  • If your report is valid, we will prioritize the issue and inform you once it's fixed.
  • We will let you decide whether you want to be publicly acknowledged or not.

In scope

  • https://resend.com
  • https://api.resend.com

Out of scope

  • Automated scanning
  • Social engineering
  • Password brute force
  • Clickjacking on pages with no sensitive actions
  • Missing security headers (unless you can prove exploitability)
  • Security issues only reproducible under highly unlikely conditions (using outdated or exotic web browsers, operating systems, or insecure internet connections)

Bounty

We will offer a reward that can range from being mentioned in the Hall of Fame to receiving a monetary amount, depending on the severity of the security issue and the quality of your report.

Please note that the reward is contingent upon the security issue being both serious and previously unidentified by Resend.