If you have found a vulnerability on of the Wiza products (i.e. dashboard, API, Chrome extension, etc.), we encourage you to submit your report to us as soon as possible and to not make the vulnerability public until it has been fixed and verified by Wiza.
While we greatly appreciate vulnerability disclosures from the community, no compensation will be given.
Wiza will not file a lawsuit against you or report you to law enforcement assuming the vulnerability was reported responsibly and that it meets the following criteria.
Notify Wiza of the vulnerability and provide all of the details available to you.
Please provide enough detail to be able to fully identify and reproduce the issue, which may include the product, version, URL, requests/responses, screenshots, etc.
Provide Wiza with a reasonable time period to fix or address the issue before publicly disclosing.
In your research, please avoid any possible service disruption, accessing private user data, or destroying user data.
Do not submit reports from automated exploit scanning tools without first confirming the issue is in fact present.
Do not contact Wiza employees or users for the purpose of phishing or social engineering.
Categories to Look for Vulnerabilities
We are primarily interested in hearing about the following vulnerability categories:
We encourage you to look for vulnerabilities in the following areas:
Cross Site Scripting (XSS)
Cross Site Request Forgery (CSRF)
Insecure Direct Object References
Remote Code Execution
Sensitive Data Exposure
Vulnerability Categories that are Out of Scope
The following categories are considered out of scope and should not be explored during your vulnerability research:
Denial of Service (DoS)
SSL vulnerabilities (i.e. misconfiguration or version)
Brute force attacks
Misconfigured flags on non-sensitive cookies
Issues only present in deprecated browsers or plugins
Clickjacking on pages without authentication and/or sensitive state changes
Vulnerabilities that require users to perform highly unlikely actions (i.e. disabling browser security features, sending an attacker critical info, etc.)
How to Report Vulnerabilities
Please note that even tough we highly appreciate your effort, No compensation may be expected as only critical vulnerabilities are eligible for a compensation.
Disclaimer: Wiza, Inc is not affiliated, associated, authorized, endorsed by, or in any way officially connected with Microsoft or LinkedIn, or any of their subsidiaries or affiliates. The name LinkedIn, as well as related names, marks, logos, emblems, and images are registered trademarks of their respective owners.