Vulnerability Disclosure Policy
Overview
Wayhome is committed to ensuring the security and integrity of our systems and services. As part of our ongoing efforts, we have established this initial policy to encourage responsible disclosure of potential vulnerabilities in our software, applications, and infrastructure. This program aims to promote collaboration between our organisation and security researchers in identifying and addressing security vulnerabilities. If you believe you have found a security vulnerability, please report it to us via the steps outlined below.
Rewards
Whilst we are currently unable to offer monetary rewards to researchers, we encourage you to share the details of any vulnerabilities you uncover. We deeply value your contribution to our program. We are committed to recognising all researchers who collaborate with us in our goal to ensure the security and integrity of our systems. We aim to revisit submissions in the future and, should circumstances allow, explore the possibility of retrospective rewards as a gesture of our appreciation.
Scope
Our VDP covers all our publicly accessible software, applications, and infrastructure. This includes but is not limited to:
- Web applications
- Public APIs
- Network infrastructure
- Operating systems
Rules
We encourage security researchers to responsibly disclose any discovered vulnerabilities. To be eligible for rewards, researchers must adhere to the following guidelines:
- Do not exploit the vulnerability beyond what is necessary to demonstrate the impact.
- Do not compromise or test Wayhome accounts that are not your own.
- Do not attempt to target Wayhome employees or its customers, including social engineering attacks, phishing attacks, or physical attacks.
  - This applies even if it appears to be an automated chat system.
- Do not threaten or try to extort Wayhome. Do not act in bad faith and make ransom requests. You should simply report the vulnerability to us.
- Do not publicly disclose the vulnerability until we have had a reasonable opportunity to address it.
- Make every effort to avoid privacy violations, destruction of data, and interruption or degradation of our services.
- Report vulnerabilities promptly and provide sufficient details to reproduce and validate the issue.
- Keep all communication regarding vulnerabilities confidential until authorised to disclose.
- If you encounter user information that is not your own in the course of your research, please stop and report this activity to our team so we can investigate. Please report to us what information was accessed and delete the data. Do not save, copy, transfer, or otherwise use this data. Continuing to access another person’s data may be regarded as evidence of a lack of good faith.
How to report
To report a vulnerability, researchers should follow these steps:
- Please submit your report to security@wayhome.co.uk.
- Please note that by submitting a vulnerability report to us, you grant us a perpetual, worldwide, royalty-free, irrevocable and non-exclusive license and right to use, modify, and incorporate your submission or any parts thereof into our products, services, or test systems without any further obligations or notices to you.
- Include a step-by-step description of the vulnerability, along with any proof-of-concept or supporting materials.
- Provide relevant system and software versions, as well as any additional information that can help validate and reproduce the issue.
- Upon receiving the report, we will acknowledge the submission and assess its eligibility.
- We aim to respond to initial reports within 5 business days and provide updates on the progress of resolving the issue.
- Once the vulnerability is addressed, we will assess and communicate it to the researcher.
What happens after you report
Our developers will investigate the matter to determine if it is a valid security vulnerability that can be reproduced based on the information provided. We prioritise externally reported security concerns and will keep you updated on the progress. You can request status updates from your case handler.
Legal Considerations
Researchers are expected to comply with all applicable laws and regulations while participating in our VRP. We reserve the right to terminate or modify this policy or exclude individuals from participation at our discretion. By submitting a vulnerability report, researchers agree to the terms and conditions outlined in this policy.