We take the security of our systems seriously, and we value the security community. The disclosure of security vulnerabilities helps us ensure the security and privacy of our users.
We are committed to protecting the interests of Security Researchers. The more closely your behavior follows these guidelines, the more we’ll be able to protect you if a difficult situation escalates.
Any design or implementation issue that is reproducible and substantially affects the security of Wag! users is likely to be in scope for the program. Consider what an attack scenario would look like, and how an attacker might benefit. What are the consequences to the victim? The Google Bug Hunter University guide may be useful in considering whether an issue has security impact.
We require that all researchers:
If you follow these guidelines when reporting an issue to us, we commit to:
The following domains are considered in scope for this program:
The following apps are considered in scope for this program:
Any design or implementation issue that is reproducible and substantially affects the security of Wag! users is likely to be in scope for the program. Consider what an attack scenario would look like, and how an attacker might benefit? What are the consequences to the victim? The Google Bug Hunter University guide may be useful in considering whether an issue has security impact.
Any services hosted by 3rd party providers and services are strictly excluded from the scope.
In the interest of the safety of our users, staff, the Internet at large and you as a security researcher, the following test types are excluded from the scope:
Some submission types do not qualify for because they have low security impact, and therefore do not trigger a code change. This section contains a listing of issues found to be commonly reproducible and reported but are not considered eligible for our Hall of Fame submissions. We strongly suggest you do not report these issues unless you can demonstrate a chained attack with higher impact.
Things we do not want to receive:
If you believe you’ve found a security vulnerability in one of our products or platforms please send it to us by emailing email@example.com. Please include the following details with your report:
If you are the first person to alert Wag! of a security issue and this triggers a code or configuration change, Wag! will post your name or alias on our Security Hall of Fame.
Each submission’s score is based on the business impact, severity, and creativity of the issue.
Note that Wag! may choose to award higher points for unusually clever or severe vulnerabilities; or lower rewards for vulnerabilities that require significant or unusual user interaction.
|Remote code execution||Command injection||50,000|
|Administrative functionality||Access to internal Wag! applications||20,000|
|Unrestricted access to data (filesystem, database, etc)||XXE, SQLi||20,000|
|Flaws leaking PII or bypassing significant controls||IDOR, impersonation, sensitive actions by user||6,000|
|Account Takeover||OAuth vulnerabilities||6,000|
|Perform activities on behalf of a user||XSS, Android Intent abuse||3,000|
|Other valid vulnerabilities||CSRF, clickjacking, information leakage||250-3,000|