We take security seriously. If you discover a security vulnerability in the ApertoDNS Protocol specification or reference implementation, please report it responsibly.

• Email: security@apertodns.com
• GitHub: Security Advisories
• Security.txt: https://www.apertodns.com/.well-known/security.txt

For sensitive reports, please encrypt your message using our PGP key:

• Key: https://www.apertodns.com/.well-known/pgp-key.txt
• Keyserver: keys.openpgp.org
• Fingerprint: A65E 8CE4 5488 EEB9 5795 7B8E F7DB 6A1B 1CAA B9C0

1. Description of the vulnerability
2. Steps to reproduce the issue
3. Potential impact assessment
4. Suggested fix (if any)

While we don't have a formal bug bounty program, we recognize security researchers:

• Credit in release notes and security advisories
• Hall of Fame listing on our website
• Swag and merchandise for significant findings

• TLS 1.2 minimum required
• TLS 1.3 recommended
• Valid, publicly-trusted certificates
• HSTS enabled with minimum 1-year max-age
• Certificate Transparency required

• Tokens must be cryptographically random (minimum 192 bits entropy)
• Token storage uses bcrypt (cost 12+) or Argon2id
• Basic Auth only for legacy DynDNS2 endpoint
• Bearer tokens for all modern endpoints

{provider}_{environment}_{random}

- provider: Provider identifier (lowercase, 3-20 chars, alphanumeric + hyphens)
- environment: "live" or "test"
- random: 32 chars base64url (192 bits)

Examples:
- apertodns_live_7Hqj3kL9mNpR2sT5vWxY8zA1bC4dE6fG (ApertoDNS)
- desec_live_xK9mNpR2sT5vWxY8zA1bC4dE6fG7Hqj3 (deSEC)
- duckdns_test_zA1bC4dE6fG7Hqj3kL9mNpR2sT5vWxY8 (DuckDNS)

All endpoints implement rate limiting to prevent abuse:

Hostname:

• Maximum 253 characters
• Each label 1-63 characters
• Alphanumeric and hyphens only
• No leading/trailing hyphens in labels

IP Address:

• Must be valid IPv4 or IPv6
• Must be globally routable (see Section 10 of protocol spec)
• 15 IPv4 ranges rejected per RFC 6890
• 9 IPv6 ranges rejected per RFC 6890

TTL:

• Integer between 60 and 86400

1. HTTPS only - Webhook URLs must use TLS
2. SSRF protection - URLs must not resolve to private IP ranges
3. Signature verification - HMAC-SHA256 with timestamp
4. Replay protection - 5-minute timestamp window
5. Timeout - Maximum 10 seconds per delivery

const crypto = require('crypto');

function verifySignature(payload, signature, secret, timestamp) {
  const now = Math.floor(Date.now() / 1000);
  if (Math.abs(now - timestamp) > 300) {
    return false;
  }

  const signedPayload = `${timestamp}.${payload}`;
  const expected = 'sha256=' + crypto
    .createHmac('sha256', secret)
    .update(signedPayload)
    .digest('hex');

  return crypto.timingSafeEqual(
    Buffer.from(signature),
    Buffer.from(expected)
  );
}

• Passwords in plaintext
• Full tokens in logs
• Geolocation data
• Browser fingerprints
• Tracking cookies
• Behavioral analytics

{
  "timestamp": "2025-01-01T12:00:00.000Z",
  "request_id": "req_xxx",
  "method": "POST",
  "path": "/.well-known/apertodns/v1/update",
  "token_id": "tok_xxx",
  "token_hint": "apertodns_live_xxxx...xxxx",
  "response_status": 200,
  "response_time_ms": 45
}

All responses include:

Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
Content-Security-Policy: default-src 'none'; frame-ancestors 'none'
Referrer-Policy: no-referrer
Cache-Control: no-store, no-cache, must-revalidate, private

1. Network: TLS, HSTS, certificate pinning optional
2. Application: Input validation, rate limiting, auth checks
3. Data: Encryption at rest, minimal logging
4. Monitoring: Anomaly detection, alerting

• Data export (Article 20)
• Account deletion (Article 17)
• Minimal data collection
• Transparent privacy policy

• OWASP Top 10 addressed
• CWE/SANS Top 25 considered
• Regular security audits

Security Team: security@apertodns.com

General Support: support@apertodns.com

Website: https://apertodns.com

Last Updated: 2026-01-22

Author: Andrea Ferro support@apertodns.com