Vulnerability disclosure programme

Introduction

At Weavr, we prioritise the security and privacy of our users, and we welcome reports from security researchers who wish to responsibly disclose security issues. We believe in a collaborative approach to identifying and resolving potential vulnerabilities in our systems. Our Vulnerability Disclosure Programme (VDP) is designed to encourage responsible security researchers to share any discovered vulnerabilities with us so that we can take prompt action to address them. Before conducting any security testing against our services, please read and adhere to the terms set out in this programme.

Disclosure policy

Please do not publicly discuss or disclose any vulnerability, including one that has already been resolved, without explicit consent from our team.

Scope

As part of this VDP, we consider all of our external production assets to be within the scope of vulnerability disclosure.

This includes all applications, network services, and systems exposed on any domain owned by Weavr. Subdomains of weavr.io that redirect to third-party services are out of scope for vulnerability disclosure, as the systems behind them are not operated by Weavr.

Process and guidelines

When submitting a vulnerability, please provide simple, concise steps that allow us to reproduce the issue.
While we appreciate researchers' efforts in examining our systems, we ask that reported vulnerabilities have a clear and demonstrable impact, i.e. that they result in a concrete and meaningful security risk.

If the same vulnerability is found on multiple hosts/services, please include these all in a single report.

The first report we receive about a given vulnerability is treated as the original; subsequent reports of the same issue are marked as duplicates.

Out-of-scope issues

The following classes of vulnerabilities should NOT be considered eligible for the Weavr vulnerability disclosure programme:

  • Vulnerabilities relying on non-technical attacks such as social engineering, phishing, or other attacks targeting Weavr employees
  • Denial of service
  • Lack of rate limiting
  • User enumeration
  • Missing best practices in SSL/TLS configuration
  • Missing best practices in HTTP header configuration
  • Missing best practices in DNS records
  • Missing best practices in email configuration, such as DMARC
  • CSRF against logout functionality or other non-state-changing functions
  • Access to information that is intentionally public
  • Directory listing
  • Software version disclosure
  • Clickjacking on pages with no sensitive actions
  • Issues affecting third-party applications or dependencies used by Weavr, unless a significant security impact is demonstrated (i.e. we expect a working exploit against Weavr). More generic issues without a demonstrated impact on Weavr should be reported to the relevant vendor (if the issue is not already publicly known).

Filing a report

If you would like to make a report, please use the submission form below.

Note: This programme does not offer rewards.

Weavr reserves the right to suspend, revise, or terminate this programme at any time, with or without notice.