We require that all researchers:
If you follow these guidelines when reporting an issue to us, we commit to:
Any services hosted by 3rd party providers and services are excluded from scope. Any web apps or surface areas meant for employees of Substack are also excluded from scope.
In the interest of the safety of our users, staff, the Internet at large and you as a security researcher, the following test types are excluded from scope:Things we do not want to receive:
If you believe you’ve found a security vulnerability in one of our products or platforms please send it to us by emailing security@substackinc.com. Please include the following details with your report:
If you’d like to encrypt the information, please use our PGP key.
-----BEGIN PGP PUBLIC KEY BLOCK----- mQINBGJ+eQUBEACf8m0LBYAxLiz+fzisFtBw43e1Lll/UyFnl02a9Rx9hWtqu+wS aM0+xp5oEyqBJMiG//Gu09aAhP4W7hC0RFdyq0JrT+Lhbo+Z0+oYt4WawKo7mPeq S2T8O/83AcJ7gX7W7NHeW/iCQyTUN8hlFiDLq+HLOwPWa2bnGx5Vusl/oO7i4gUT q7f6LfFUzPwoOe4Mm9ZzWsZ2VnABhvLY94y+DKWebcpvPdOXkXKebhyhpXEfcaob e1T4Vi6Rm95DcJvGD0X6csIF56OaCx3ie6FGI9Wsc7C6w1xaO/NM/eRdYho/mf3f 22+BGC1ovLX4bRLKvFk3YDBNDpFRRbsvwKOBnGJodPTe874Ngd717RpuT6EDDQJJ km9cUg8avsNGblPck6XNKG2j4Oynl81MLodU53aviqZFaFMefE1Z9ID/wrn2GZt6 psuAjhsDcx4SNMlRLdAJayRZtElKUhkj00WUNbm5tst08Gu4livHoeHdzhLgX6Mg uxORd2CIuN1g2+IVRXh9hxXzn47FyeFfQgcIGTAcrHDqbhb+5YYnCnoWG6v/Isc2 qQSBjz+XwqiQLM6s17JM4PyIauN3GI8pmJv92C/TZZfPo7j4sW9agpdk6OVNLdWo Hzzi38mZd5O8f87Z2uq3FwqOYfZuIxAtD2+zr/tzKlInA2mYwbL+Cy5bcQARAQAB tCxTdWJzdGFjayBTZWN1cml0eSA8c2VjdXJpdHlAc3Vic3RhY2tpbmMuY29tPokC TgQTAQgAOBYhBAoi+KgEViY43XS6lC2GUl5O2eAQBQJifnkFAhsDBQsJCAcCBhUK CQgLAgQWAgMBAh4BAheAAAoJEC2GUl5O2eAQfDQP+wSrbC0ZYmU1eQCrn5xPGV61 /sl1hxIKzTWlYxrX0nc0VT6X+mnojZrYY3F29r29AnQ5+Pl6PAHH3PAAL5NxtPX/ mAJN1StYcDza7p4qyO/bUv/2GrQ9K3Ozbsaef0JRT56txjBA67whsIPmc/Zy5/Ll 00S1kVyJDeeOFjPOOuCLPvS5QL+BMw5fi9iwIySB7DfVpC7Ic6g5yX9u14eAylyV gHR/MRiscLLXnCmp+1w8j2Abih18IZqEqPJcIubPt8OXYnDnc4ptw3Zd6c8Fegfr 2t+4mzc3YVbsmWfQ7x4w/hTLVjVu3k1ICWM0f0KO0oKCuRYfmdzDB1NS9HjNoFfM mUAFO1ZA4kI/oRc7Ycbfu0Sqe6wnk3kwEzwYfl4IMkXXj29NRgF4IAO9GMg11G3O +CeH8jsYYIxDfVeJ5yjRZuQO0385iHaPxCuI7lMUkSgnE5KPZRD7BlBgDF0kjiGq D+fChobEtjaTx/23kUiEzMZrI+oT4O1YlNIKTLA26CTgG2lYub9CJaSgEukXXjvr fzyg21jY0zJZxnkXre157EXqN3af9dIcyXa9TgILwaTrEOGSdYlwU+yWjVBoKPnA XC+wJ1YaO1c/rlwPxKREmL0pCsVbxKLYVOeS9p1y24yZQz8OwWPdaIywelQNfWVS 77PvF22r3yPGeVcOigxfuQINBGJ+eQUBEAC02f0oVdWTUiSyH6/ZfpiFsyiXwQxx lqX7Wh3QHernTzGksUQMsIo+Yogt3bU9qcnrHXJlu9cvH9QC0I3rw8yUaxHIWPPF raH8sGHov6cx7DFzuFHpFIUJ000nofp5BKEy6e9Gs8XCQtdYoTkdCmOXXEzS2FGK MlDEWbBVWcormn9vJwgv7ygIKMQEqqOpblx7NztpP0OxULjSquRjllqLTmETf6zX 7E+K46ekkIm/VxInRY242vJHeK9Mh1BDmfB0M7odOX3m/Yf+u8IufBzh841ZCPfL aBfUfKCLAQcIfc1CGHQIzSewgStmCXDnsM7w00ri3k7cdqZQTCUGQevgT0MXBhpd Y1KSPa/wnsiHNhKuN23xZSCBZVWuyAYfsr5Wu3ok/vsJ084Luyd4VKkHYmUho1MO GaOVcUKF7ZGVIeHr/Iuvwby9NewEfM/0IkyHbgnBNgH2TflhSboJ78hVU8SWglpo AGHcmbW0lhnuupFTRrJ9eV3wS6BZMS21x/JgPkV/i38S/Z1bZbXhJaUEOc6BzuTx Jg8BBnYGWMSsNpt+0JKyLg6DNTqL3AjNXzO4Qj7VtHND/ddmJrcfnJuBOYO4WcU2 qg2tauN4ShWdXZ7wZdLfvUzBIXnUiiWINet6jmv5sD65SktKZLCjrp5PlIi/PD1K cQeDGWB+16eudwARAQABiQI2BBgBCAAgFiEECiL4qARWJjjddLqULYZSXk7Z4BAF AmJ+eQUCGwwACgkQLYZSXk7Z4BAgKw/+O4ccxwSMztnVhZj4jTFrAK4RcXUlagJ2 emJyYyJD/sODuaiqrsRbTOuVHiISQdRiPXpFhLmb956Cq4+WiP0AqPP3+Hrzh+gH K214QfeXrWe1EeMiNb8td3d4Ml83OE0G3pqnS8z94sQ7FQeOc+WdsO2CMeNkCMRA LlIsvsj92PAZ5wnrrRENdxbAupEVYNsdnQXQDSJ/49YIYqID9gsBJTBFE1SHD7QS Uu9vCukEshgu/JW0LyLFRaSMgVGtT0g01f1RawjqTG4jFLJmUdYBfr93WURgGODK y/iffVIZ4gawXGYcQZfFqJWukV+U5DJcXKKjOPyCd6ihwPbIrMFDT84FU33OaEsI RpHASjUcniJ9AIdjtulev4pD9sjNz8jLFkocpjqDsqUVZJxJMc3oLgEnuCLuMS/L hT948eMX98JC4w1s8dgQYYy2N8SqFpTqQRiqcEIRt2hFcwtilWN+cky7eCd1yDJb ximYjLCraTA8627nojoDVH//WoOZXAdI9MXhTY4m22dYlqqhf5Mt20vaIM7fGhXl og9N0ZXmrMhUsVLqGDxz/6nplAlk1xCOcDj2N18y4Lm/DE54hW3Iar+QtpQ6lk66 s7fXI6C4EZBtCIycgEMo1lrUAGSUswxVCjrwiY1faZ3m1hD1FO2A+yzvFg3s2bwv XHkqnaHf8kY= =0q1C -----END PGP PUBLIC KEY BLOCK-----