WISMO

Responsible Disclosure

Last updated: May 2025

We take the security of WISMO and the privacy of our users seriously. If you discover a security vulnerability in our service, we ask that you report it to us responsibly so we can address it before it is publicly disclosed.

1. Scope

This policy applies to security vulnerabilities in:

  • The WISMO web application at wismo.app
  • WISMO API endpoints and backend services
  • Authentication and session handling
  • Data storage and user data handling

This policy does not cover vulnerabilities in third-party services we depend on (such as hosting providers or AI model providers). Please report those directly to the relevant vendor.

2. What we ask of you

When you discover a potential vulnerability, please:

  • Report it to us promptly via the contact below.
  • Give us a reasonable amount of time to investigate and remediate before any public disclosure.
  • Avoid accessing, modifying, or deleting data that does not belong to you.
  • Do not perform denial-of-service attacks, social engineering, or physical attacks.
  • Do not use automated scanners in a way that degrades service availability.

3. What to include in your report

A good report helps us reproduce and fix the issue faster. Please include:

  • A clear description of the vulnerability and its potential impact.
  • Steps to reproduce the issue (proof of concept if applicable).
  • The URL, endpoint, or component affected.
  • The browser, OS, or environment used (if relevant).
  • Any relevant screenshots or logs (with personal data of other users redacted).

4. Our commitment to you

If you follow this policy in good faith, we will:

  • Acknowledge receipt of your report within 5 business days.
  • Investigate the report and keep you informed of our progress.
  • Notify you when the vulnerability has been remediated.
  • Not pursue legal action against you for the vulnerability disclosure, provided you have acted in good faith and within the scope of this policy.
  • Give credit for your discovery if you wish, once the issue is resolved.

5. Out of scope

The following are generally not considered valid security vulnerabilities for this program:

  • Missing security headers that do not directly lead to exploitability.
  • Theoretical vulnerabilities without a working proof of concept.
  • Reports from automated scanners without manual verification.
  • Social engineering of WISMO staff or users.
  • Clickjacking on pages without sensitive actions.
  • Rate limiting issues that do not result in data exposure.

6. Contact

Send your report by email to our security team:

security@wismo.app

Please encrypt sensitive reports using our PGP key if you need to include confidential details. Contact us at the address above to request our public key.

We do not offer a paid bug bounty programme at this time. We do appreciate responsible disclosure and will acknowledge researchers who help improve WISMO's security.