
Vulnerability Disclosure Program

Updated on July 30, 2021.

For guidance on reporting security vulnerabilities to Wiza, Inc, please refer to this policy, which should be read in the context of the Wiza Terms of Use.

If you have found a vulnerability in one of the Wiza products (e.g. the dashboard, the API, the Chrome extension), we encourage you to submit your report to us as soon as possible and not to make the vulnerability public until it has been fixed and verified by Wiza.

While we greatly appreciate vulnerability disclosures from the community, no compensation should be expected.

Wiza will not file a lawsuit against you or report you to law enforcement, provided the vulnerability is reported responsibly and your research follows the guidelines below.

Disclosure Guide
  • Notify Wiza of the vulnerability and provide all of the details available to you.
  • Please provide enough detail to be able to fully identify and reproduce the issue, which may include the product, version, URL, requests/responses, screenshots, etc.
  • Provide Wiza with a reasonable time period to fix or address the issue before publicly disclosing.
  • In your research, avoid any service disruption, and do not access, modify or destroy private user data.
  • Do not submit reports from automated exploit scanning tools without first confirming the issue is in fact present.
  • Do not contact Wiza employees or users for the purpose of phishing or social engineering.
Categories to Look for Vulnerabilities

We are primarily interested in hearing about the following vulnerability categories, and we encourage you to look for vulnerabilities in these areas:

  • SQL Injection
  • Cross Site Scripting (XSS)
  • Cross Site Request Forgery (CSRF)
  • Authentication Bypass
  • Insecure Direct Object References
  • Remote Code Execution
  • Sensitive Data Exposure
Vulnerability Categories that are Out of Scope

The following categories are considered out of scope and should not be explored during your vulnerability research:

  • Denial of Service (DoS)
  • SSL/TLS vulnerabilities (e.g. misconfiguration or outdated protocol versions)
  • Brute force attacks
  • User enumeration
  • Missing or misconfigured security flags (e.g. Secure, HttpOnly) on non-sensitive cookies
  • Logout CSRF
  • Issues only present in deprecated browsers or plugins
  • Clickjacking on pages without authentication and/or sensitive state changes
  • Vulnerabilities that require users to perform highly unlikely actions (e.g. disabling browser security features or sending critical information to an attacker)
How to Report Vulnerabilities

Please note that even though we highly appreciate your effort, no compensation should be expected: only critical vulnerabilities are eligible for compensation.