Windscribe

Vulnerability Disclosure Policy




Introduction

We're committed to writing flawless, bug-free code; however, as any software engineer will understand, this is not possible in most circumstances. This is why this Vulnerability Disclosure Program exists. The following document outlines our program guidelines, what you should test, and what kinds of tests you should avoid. It also explains how to report issues and the rewards for doing so.

Guidelines

The rules are simple:

- Notify us as soon as possible after you discover a real or potential security issue.
- Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction or manipulation of data.
- Only use exploits to the extent necessary to confirm a vulnerability's presence.
- Provide us a reasonable amount of time to resolve the issue before you disclose it publicly.
- Do not submit a high volume of low-quality reports.

Scope

The scope of this program includes the following:

- Website - windscribe.com
- API - api.windscribe.com
- VPN endpoints
- Windows app
- macOS app
- Android app
- iOS app
- Chrome extension
- Firefox extension

Things to Avoid

While bug hunting, please avoid the following:

- DDoSing our infrastructure
- Brute forcing
- Social engineering
- Exfiltrating large amounts of data

Our Response

After submitting a report, you can expect to hear from us within 48 hrs, but usually a lot less. We will attempt to replicate the issue and deploy a fix as soon as possible. In most cases this will happen pretty quickly, but in cases of application-level vulnerabilities that require an update, it may take longer.

Bug Bounty

If your report is verified and deemed to be an issue, you are eligible for compensation for your efforts. The actual amount depends solely on the severity of the issue as determined by us. Historically, we've paid out anywhere between $100 and $5000 for disclosed vulnerabilities.

Reporting

To disclose an issue, please email us at hello (AT) windscribe.com. You can find our PGP key here. Please be as descriptive as possible and provide exact steps to reproduce the problem.




