Vulnerability Disclosure Policy

WITS is committed to protecting its customers’ data. Please report any security concerns you may encounter to security -[at]- witslb.com. You can use our PGP key for encryption if you’d like.

Any vulnerabilities submitted under this policy will be used for the purposes of improving WITS security.

Scope

Generally, valid submissions will include high-impact vulnerabilities. However, any vulnerability that could realistically place the online security of WITS, our customers, or the public at large at risk is in scope.

  • Any web properties owned or operated by WITS S.A.R.L.
  • *.witslb.com

The following are strictly out of scope:

  • DDoS or volumetric attacks. DoS that does not rely on large amounts of traffic is accepted.
  • Any physical or social attack against a physical location.
  • Social engineering, phishing, etc.
  • Rate limiting or brute force issues on non-authentication endpoints.
  • Missing best practices in response headers or email configuration, unless they directly lead to an exploitable security issue.
  • Health check pages / Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g., stack traces, application or server errors).
  • Tabnabbing.
  • Issues that require unlikely user interaction.
  • Software bugs that have no security impact.
  • Exposure of any data that is meant to be public.
  • Third-party assets are out of scope, unless they directly impact WITS’s security.

Rules

  • Please do not disclose vulnerabilities publicly without prior consent.
  • Any charges incurred as a result of your security testing will not be refunded. WITS may choose to selectively refund account charges to bug reporters.
  • Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.
  • Do not exploit issues beyond what is required to prove their existence.
  • WITS may, at its discretion, choose to offer monetary rewards for valid submissions.