Substack Vulnerability Disclosure Policy
We take the security of our systems seriously, and we value the security community. The disclosure of vulnerabilities helps us ensure the security and privacy of our users.
Guidelines

We require that all researchers:

  • Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction of data during security testing.
  • Perform research only within the scope set out below.
  • Use the identified communication channels to report vulnerability information to us.
  • Keep information about any vulnerabilities you’ve discovered confidential between yourself and Substack until we’ve had 90 days to resolve the issue.

If you follow these guidelines when reporting an issue to us, we commit to:

  • Recognize your contribution on our Security Researcher Hall of Fame, if you are the first to report the issue and we make a code or configuration change based on the issue. Note that we don’t offer any monetary compensation at this time.
  • Work with you to understand and resolve the issue quickly (including an initial confirmation of your report within 72 hours of submission).
  • Not pursue or support any legal action related to your research.
In Scope
  • substack.com
  • reader.substack.com
  • Substack's iOS app
Out of scope

Any services hosted by 3rd party providers and services are excluded from scope. Any web apps or surface areas meant for employees of Substack are also excluded from scope.

In the interest of the safety of our users, staff, the Internet at large and you as a security researcher, the following test types are excluded from scope:
  • Findings from physical testing such as office access (e.g. open doors, tailgating)
  • Findings derived primarily from social engineering (e.g. phishing, vishing)
  • Findings from applications or systems not listed in the ‘Scope’ section
  • UI and UX bugs and spelling mistakes
  • Network level Denial of Service (DoS/DDoS) vulnerabilities

Things we do not want to receive:

  • Personally identifiable information (PII)
  • Credit card holder data
Reporting a security vulnerability

If you believe you’ve found a security vulnerability in one of our products or platforms please send it to us by emailing security@substackinc.com. Please include the following details with your report:

  • Description of the location and potential impact of the vulnerability.
  • A detailed description of the steps required to reproduce the vulnerability (POC scripts, screenshots, and compressed screen captures are all helpful).
  • Your name/handle and a link for recognition in our Hall of Fame.

If you’d like to encrypt the information, please use our PGP key.

KeyID: 4ED9E010
Key Type: RSA
Key Size: 4096/4096
UserID: Substack Security <security@substackinc.com>
Fingerprint: 0A22 F8A8 0456 2638 DD74 BA94 2D86 525E 4ED9 E010
-----BEGIN PGP PUBLIC KEY BLOCK-----

mQINBGJ+eQUBEACf8m0LBYAxLiz+fzisFtBw43e1Lll/UyFnl02a9Rx9hWtqu+wS
aM0+xp5oEyqBJMiG//Gu09aAhP4W7hC0RFdyq0JrT+Lhbo+Z0+oYt4WawKo7mPeq
S2T8O/83AcJ7gX7W7NHeW/iCQyTUN8hlFiDLq+HLOwPWa2bnGx5Vusl/oO7i4gUT
q7f6LfFUzPwoOe4Mm9ZzWsZ2VnABhvLY94y+DKWebcpvPdOXkXKebhyhpXEfcaob
e1T4Vi6Rm95DcJvGD0X6csIF56OaCx3ie6FGI9Wsc7C6w1xaO/NM/eRdYho/mf3f
22+BGC1ovLX4bRLKvFk3YDBNDpFRRbsvwKOBnGJodPTe874Ngd717RpuT6EDDQJJ
km9cUg8avsNGblPck6XNKG2j4Oynl81MLodU53aviqZFaFMefE1Z9ID/wrn2GZt6
psuAjhsDcx4SNMlRLdAJayRZtElKUhkj00WUNbm5tst08Gu4livHoeHdzhLgX6Mg
uxORd2CIuN1g2+IVRXh9hxXzn47FyeFfQgcIGTAcrHDqbhb+5YYnCnoWG6v/Isc2
qQSBjz+XwqiQLM6s17JM4PyIauN3GI8pmJv92C/TZZfPo7j4sW9agpdk6OVNLdWo
Hzzi38mZd5O8f87Z2uq3FwqOYfZuIxAtD2+zr/tzKlInA2mYwbL+Cy5bcQARAQAB
tCxTdWJzdGFjayBTZWN1cml0eSA8c2VjdXJpdHlAc3Vic3RhY2tpbmMuY29tPokC
TgQTAQgAOBYhBAoi+KgEViY43XS6lC2GUl5O2eAQBQJifnkFAhsDBQsJCAcCBhUK
CQgLAgQWAgMBAh4BAheAAAoJEC2GUl5O2eAQfDQP+wSrbC0ZYmU1eQCrn5xPGV61
/sl1hxIKzTWlYxrX0nc0VT6X+mnojZrYY3F29r29AnQ5+Pl6PAHH3PAAL5NxtPX/
mAJN1StYcDza7p4qyO/bUv/2GrQ9K3Ozbsaef0JRT56txjBA67whsIPmc/Zy5/Ll
00S1kVyJDeeOFjPOOuCLPvS5QL+BMw5fi9iwIySB7DfVpC7Ic6g5yX9u14eAylyV
gHR/MRiscLLXnCmp+1w8j2Abih18IZqEqPJcIubPt8OXYnDnc4ptw3Zd6c8Fegfr
2t+4mzc3YVbsmWfQ7x4w/hTLVjVu3k1ICWM0f0KO0oKCuRYfmdzDB1NS9HjNoFfM
mUAFO1ZA4kI/oRc7Ycbfu0Sqe6wnk3kwEzwYfl4IMkXXj29NRgF4IAO9GMg11G3O
+CeH8jsYYIxDfVeJ5yjRZuQO0385iHaPxCuI7lMUkSgnE5KPZRD7BlBgDF0kjiGq
D+fChobEtjaTx/23kUiEzMZrI+oT4O1YlNIKTLA26CTgG2lYub9CJaSgEukXXjvr
fzyg21jY0zJZxnkXre157EXqN3af9dIcyXa9TgILwaTrEOGSdYlwU+yWjVBoKPnA
XC+wJ1YaO1c/rlwPxKREmL0pCsVbxKLYVOeS9p1y24yZQz8OwWPdaIywelQNfWVS
77PvF22r3yPGeVcOigxfuQINBGJ+eQUBEAC02f0oVdWTUiSyH6/ZfpiFsyiXwQxx
lqX7Wh3QHernTzGksUQMsIo+Yogt3bU9qcnrHXJlu9cvH9QC0I3rw8yUaxHIWPPF
raH8sGHov6cx7DFzuFHpFIUJ000nofp5BKEy6e9Gs8XCQtdYoTkdCmOXXEzS2FGK
MlDEWbBVWcormn9vJwgv7ygIKMQEqqOpblx7NztpP0OxULjSquRjllqLTmETf6zX
7E+K46ekkIm/VxInRY242vJHeK9Mh1BDmfB0M7odOX3m/Yf+u8IufBzh841ZCPfL
aBfUfKCLAQcIfc1CGHQIzSewgStmCXDnsM7w00ri3k7cdqZQTCUGQevgT0MXBhpd
Y1KSPa/wnsiHNhKuN23xZSCBZVWuyAYfsr5Wu3ok/vsJ084Luyd4VKkHYmUho1MO
GaOVcUKF7ZGVIeHr/Iuvwby9NewEfM/0IkyHbgnBNgH2TflhSboJ78hVU8SWglpo
AGHcmbW0lhnuupFTRrJ9eV3wS6BZMS21x/JgPkV/i38S/Z1bZbXhJaUEOc6BzuTx
Jg8BBnYGWMSsNpt+0JKyLg6DNTqL3AjNXzO4Qj7VtHND/ddmJrcfnJuBOYO4WcU2
qg2tauN4ShWdXZ7wZdLfvUzBIXnUiiWINet6jmv5sD65SktKZLCjrp5PlIi/PD1K
cQeDGWB+16eudwARAQABiQI2BBgBCAAgFiEECiL4qARWJjjddLqULYZSXk7Z4BAF
AmJ+eQUCGwwACgkQLYZSXk7Z4BAgKw/+O4ccxwSMztnVhZj4jTFrAK4RcXUlagJ2
emJyYyJD/sODuaiqrsRbTOuVHiISQdRiPXpFhLmb956Cq4+WiP0AqPP3+Hrzh+gH
K214QfeXrWe1EeMiNb8td3d4Ml83OE0G3pqnS8z94sQ7FQeOc+WdsO2CMeNkCMRA
LlIsvsj92PAZ5wnrrRENdxbAupEVYNsdnQXQDSJ/49YIYqID9gsBJTBFE1SHD7QS
Uu9vCukEshgu/JW0LyLFRaSMgVGtT0g01f1RawjqTG4jFLJmUdYBfr93WURgGODK
y/iffVIZ4gawXGYcQZfFqJWukV+U5DJcXKKjOPyCd6ihwPbIrMFDT84FU33OaEsI
RpHASjUcniJ9AIdjtulev4pD9sjNz8jLFkocpjqDsqUVZJxJMc3oLgEnuCLuMS/L
hT948eMX98JC4w1s8dgQYYy2N8SqFpTqQRiqcEIRt2hFcwtilWN+cky7eCd1yDJb
ximYjLCraTA8627nojoDVH//WoOZXAdI9MXhTY4m22dYlqqhf5Mt20vaIM7fGhXl
og9N0ZXmrMhUsVLqGDxz/6nplAlk1xCOcDj2N18y4Lm/DE54hW3Iar+QtpQ6lk66
s7fXI6C4EZBtCIycgEMo1lrUAGSUswxVCjrwiY1faZ3m1hD1FO2A+yzvFg3s2bwv
XHkqnaHf8kY=
=0q1C
-----END PGP PUBLIC KEY BLOCK-----