We take the security of our systems seriously, and we value the security community. The responsible disclosure of security vulnerabilities helps us ensure the security and privacy of our users.

Guidelines

We require that all researchers:

  • Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction of data during security testing;
  • Perform research only within the scope set out below;
  • Use the identified communication channels to report vulnerability information to us; and
  • Keep information about any vulnerabilities you’ve discovered confidential between yourself and Warpcache until we’ve had 90 days to resolve the issue.

If you follow these guidelines when reporting an issue to us, we commit to:

  • Not pursue or support any legal action related to your research;
  • Work with you to understand and resolve the issue quickly (including an initial confirmation of your report within 72 hours of submission);
  • Handle your report with strict confidentiality and not pass on your personal details to third parties without your permission.

Scope

Out of scope

In the interest of the safety of our users, staff, the Internet at large and you as a security researcher, the following test types are excluded from scope:

  • Findings from physical testing such as office access (e.g. open doors, tailgating)
  • Findings derived primarily from social engineering (e.g. phishing, vishing)
  • Findings from applications or systems not listed in the ‘Scope’ section
  • UI and UX bugs and spelling mistakes
  • Network level Denial of Service (DoS/DDoS) vulnerabilities
  • Security vulnerabilities in third-party applications
  • Security vulnerabilities in third-party websites that integrate with any of Warpcache’s products or services
  • The ticket system (see the above)
  • Spam or social engineering techniques
  • Brute force username enumeration and password cracking
  • Flaws specific to old, out-of-date browsers and plugins
  • Lack of secure or HTTPOnly flag on non-sensitive cookies
  • Logout cross-site request forgery
  • DMARC

Things we do not want to receive:

  • Personally identifiable information (PII)
  • Credit card holder data

How to report a security vulnerability?

If you believe you’ve found a security vulnerability in one of our products or platforms please send it to us by emailing security[at]warpcache.com. Please include the following details with your report:

  • Description of the location and potential impact of the vulnerability;
  • A detailed description of the steps required to reproduce the vulnerability (POC scripts, screenshots, and compressed screen captures are all helpful to us.

Rewards

A typical reward for a qualifying security vulnerability is a €50 PayPal voucher.

We may increase the reward for certain specific reports, but the final amount is determined at Warpcache’s discretion. We award 1 bounty per qualifying security vulnerability.

Legal

  • If participating users/individuals do not adhere to the aforementioned policies, we reserve the right to take appropriate legal measures and/or get law enforcement involved.
  • This program is not open to minors, individuals on sanctions lists, or individuals in countries on sanctions lists.
  • You are responsible for any tax implications or additional restrictions depending on your country and local law.
  • Nothing contained in this policy should be construed as creating or implying a joint venture, partnership, agency, or employment relationship between you and Warpcache.
  • We reserve the right to amend the terms and/or cancel this program at any time. If you continue to participate, you accept such amended policy terms.
  • The decision to pay a bounty/reward is entirely at our discretion.
  • You must not violate any law.
  • You also must not disrupt any service or compromise anyone’s data.
  • The Warpcache Responsible Disclosure Policy is governed by Dutch law.