WAPlus Vulnerability Disclosure Policy

1. Introduction

WAPlus is committed to ensuring data security by protecting information from unwarranted disclosure. This policy gives security researchers guidelines for conducting vulnerability discovery activities and explains how to report discovered vulnerabilities. It describes which systems and types of activities are covered, how to send vulnerability reports, and how long we ask you to wait before publicly announcing discovered vulnerabilities.

2. Security Statement

Dear user, thank you for choosing waplus.io. We understand that data security and privacy protection are crucial for you and your business. In this statement, we will briefly introduce the browsing security and tool data security measures on our website to ensure that your information is well protected.

I. Browsing Security

To ensure your safety while browsing waplus.io, we have adopted SSL encryption technology. By encrypting your data, SSL ensures that your data is not stolen or tampered with during transmission. When you visit our website, you can see "https" and a green lock icon in the address bar, indicating that your browsing is secure.

We regularly conduct security checks on the website to ensure that it has not been hacked or infected with malicious software. In addition, we continuously monitor the latest developments in the field of cybersecurity to promptly address potential security threats.

II. Tool Data Security

Data Access: We have implemented multi-level access control policies to ensure that only authorized personnel can access your data. In addition, we conduct strict background checks on employees who access data to ensure that they adhere to the company's data confidentiality agreements.

Data Transmission: When you use our SaaS tools, we employ advanced encryption technology to protect the security of data transmission. This means that your data will be encrypted during transmission, and even if it is intercepted under extreme circumstances, it cannot be decrypted.

At waplus.io, we are committed to providing you with secure and reliable SaaS tool services. If you have any questions or suggestions about our data security policy, please feel free to contact us. We will be happy to assist you.

3. Guidelines

We request that you:

● Notify us as soon as possible after you discover a real or potential security issue

● Provide us a reasonable amount of time to resolve the issue before you disclose it publicly

● Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction or manipulation of data

● Only use exploits to the extent necessary to confirm a vulnerability’s presence. Do not use an exploit to compromise or obtain data, establish command line access and/or persistence, or use the exploit to “pivot” to other systems

● Once you’ve established that a vulnerability exists or encountered any sensitive data (including personal data, financial information, or proprietary information or trade secrets of any party), you must stop your test, notify us immediately, and keep the data strictly confidential

● Do not submit a high volume of low-quality reports

4. Authorization

Security research conducted in accordance with this policy is considered authorized. We will work with you to understand and resolve the issue quickly, and WAPlus will not recommend or pursue legal action related to your research.

5. Scope

This policy applies to the following systems and services:

● waplus.io website

● WAPlus Workspace

● WAPlus browser extension for Chrome

● WAPlus browser extension for Edge

Any service not expressly listed above, such as any connected services, is excluded from scope and is not authorized for testing. Additionally, vulnerabilities found in third-party solutions that WAPlus integrates with fall outside this policy’s scope and should be reported directly to the solution vendor according to their disclosure policy (if any). If you aren’t sure whether a system or endpoint is in scope, contact us at [email protected] before starting your research.

6. Types of testing

The following test types are not authorized:

● Network denial of service (DoS or DDoS) tests

● Physical testing (e.g. office access, open doors, tailgating), social engineering (e.g. phishing, vishing), or any other non-technical vulnerability testing

7. Reporting a vulnerability

Please email [email protected] to report any security vulnerabilities. We will acknowledge receipt of your vulnerability report the next business day and communicate with you further about our progress. Reports may be submitted anonymously.

8. Desirable information

To help us process and respond to a vulnerability report, we recommend including the following information:

● Vulnerability description

● Place of discovery

● Potential impact

● Steps required to reproduce a vulnerability (include scripts and screenshots if possible)

If possible, please provide your report in English.

9. Our commitment

If you choose to provide your contact information, we commit to coordinating with you as openly and as quickly as possible. We will acknowledge within 3 business days that your report has been received.

To the best of our abilities, we will keep you informed about vulnerability confirmation and remediation. We are open to dialogue and discussion of issues.

WAPlus

Last update: March 7, 2023