Fastly cares deeply about the security of both our network and our customers, and actively supports the larger security community. Fastly is committed to independent security research and responsible disclosure.
The following guidelines apply to researching and reporting potential security vulnerabilities in our network.
Security evaluations must:
Be performed only on the following *.fastly.com domains: https://www.fastly.com, https://manage.fastly.com, https://docs.fastly.com
Not be performed on any other Fastly domains, including *.fastly.net
Not be performed on any non-Fastly domain
Not compromise the availability of Fastly’s services
Not compromise the security or privacy of Fastly’s customers or the data on Fastly’s network
Use non-destructive and non-disruptive testing
Not involve social engineering or evaluation of physical security controls
Findings of security evaluations must be reported by creating a submission through the following form. The submission must provide as much detail as is known, including:
Valid contact information for the reporter
A description of the location and nature of the vulnerability
Detailed steps to reproduce the vulnerability
A short description of the vulnerability’s potential security impact
In addition:
Screenshots or videos are always helpful
Messages can optionally be encrypted to our PGP public key
Submitting security issues through the embedded HackerOne form is the fastest way to get issues reviewed and triaged. If you are unable to submit issues using this form, please send your report via email to security@fastly.com with the subject line [Vulnerability Report] and a meaningful report title.
Fastly will:
Endeavor to acknowledge initial security evaluation reports within two business days
Prioritize the reproduction and then confirmation of any reported vulnerability
For any confirmed vulnerability, promptly identify a reasonable timeline for patching and public disclosure
Send a Fastly t-shirt to the initial reporter of a confirmed and patched vulnerability as a thank you for their hard work (only one shirt per reporter, but we welcome ongoing submissions)
Not pursue legal action against any reporter who complies with all of the guidelines for performing and reporting security evaluations, and who also cooperates fully with Fastly’s reasonable requests for assistance in reproducing a vulnerability
Please note that security tests or research which interfere with or disrupt the integrity or performance of the Services violate our acceptable use policy. You must respond immediately to any communications from Fastly regarding your work to help ensure your activities do not adversely affect other customers or the Fastly network.