1. Introduction
At Outwizar, we take the security of our systems and our users' data extremely seriously. We value the security research community and welcome responsible disclosure of any vulnerabilities that may be found in our platform. This policy outlines how to report security vulnerabilities to us and what you can expect from us in return.
2. Our Commitment
When you report a vulnerability to us in accordance with this policy, we commit to:
- Acknowledgement: we will acknowledge receipt of your report within 48 hours.
- Communication: we will keep you informed about the progress of resolving the vulnerability.
- No legal action: we will not pursue legal action against researchers who follow this policy.
- Recognition: with your permission, we will publicly acknowledge your contribution once the vulnerability has been resolved.
- Timely resolution: we will work diligently to resolve confirmed vulnerabilities as quickly as possible.
3. Scope
This policy applies to the following systems and services:
- The Outwizar website (outwizar.co.uk)
- The Outwizar mobile applications (iOS and Android)
- Outwizar APIs
- Any subdomains of outwizar.co.uk
Third-party services and applications are not in scope, even if they are integrated with Outwizar.
4. How to Report a Vulnerability
- Email: send your report to [email protected]
- Encryption: for sensitive reports, please request our PGP key by email first
Please include in your report:
- A detailed description of the vulnerability
- Steps to reproduce the issue
- The potential impact of the vulnerability
- Any proof-of-concept code or screenshots
- Your contact information for follow-up
- Whether you wish to be publicly acknowledged
5. What We Ask of You
- Act in good faith: avoid privacy violations, data destruction, and service disruption.
- Do not access user data: test only against accounts and data you own or control; do not access, modify, or delete data belonging to other users.
- Stop and report: once you have confirmed a vulnerability exists, stop testing and report it.
- Maintain confidentiality: do not disclose the vulnerability publicly until we have had reasonable time to address it.
- No automated scanning: do not use scanners that could impact service availability.
- No social engineering: do not attempt to socially engineer our staff or users.
- No physical attacks: do not attempt physical attacks on our offices or data centres.
- No denial of service: do not intentionally degrade or disrupt our services.
6. Qualifying Vulnerabilities
We are particularly interested in vulnerabilities such as:
- Remote code execution
- SQL injection
- Cross-site scripting (XSS)
- Cross-site request forgery (CSRF)
- Authentication and authorisation flaws
- Sensitive data exposure
- Server-side request forgery (SSRF)
- Insecure direct object references
- Business logic vulnerabilities
7. Out of Scope
- Vulnerabilities in third-party services or applications
- Social engineering, phishing, and spam attacks against our staff or users
- Physical security issues
- Denial of service attacks
- Missing or misconfigured security headers without a demonstrated exploit
- Clickjacking on pages with no sensitive actions
- Self-XSS (payloads that the victim must inject into their own session, for example by pasting into the browser console)
- Issues related to password complexity requirements
- Rate limiting or brute force issues on non-authentication endpoints
- Disclosure of software versions
- Theoretical vulnerabilities without proof of concept
8. Disclosure Timeline
- Day 0: you submit your vulnerability report
- Within 48 hours: we acknowledge receipt of your report
- Within 7 days: we provide an initial assessment of the vulnerability
- Within 90 days: we aim to resolve the vulnerability (complex issues may take longer)
- After resolution: we may publicly disclose the vulnerability with your agreement
We ask that you do not disclose the vulnerability publicly until we have had reasonable time to address it, typically 90 days from the initial report.
9. Recognition
We appreciate the efforts of security researchers who help us keep Outwizar secure. With your permission, we will acknowledge your contribution. We may also consider monetary rewards for particularly significant vulnerabilities, at our discretion.
10. Legal Safe Harbour
If you conduct your security research in accordance with this policy, we consider your research to be authorised, and we will not initiate or support legal action against you. If legal action is initiated by a third party against you for activities that were conducted in accordance with this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.
11. Contact
- Security team: [email protected]
- PGP key: available upon request
Thank you to every researcher who helps us protect our users and improve our security posture.