Vulnerability Disclosure Program

We take security seriously. If you've found a vulnerability in Wavvi's systems, we want to hear about it and fix it fast.

What's covered

The following assets and services are in scope for responsible disclosure. If you're unsure whether something qualifies, reach out first.

  • wavvi.com and all subdomains
  • Wavvi web application and authenticated user flows
  • Wavvi API endpoints
  • Authentication and session management
  • Data storage and access control mechanisms

What's not covered

  • Denial of service (DoS/DDoS) attacks
  • Social engineering or phishing of Wavvi employees
  • Physical security testing
  • Third-party services not operated by Wavvi
  • Automated scanning without prior coordination

How to report a vulnerability

Send your findings to our security team. Include as much detail as possible so we can reproduce and fix the issue quickly.

1. Email us

Send your report to security@wavvi.com with a clear description of the vulnerability, steps to reproduce, and any supporting evidence (screenshots, logs, proof of concept).

2. We acknowledge

You'll receive a confirmation within 2 business days. Our security team will review your report and may follow up with questions to better understand the issue.

3. We fix and disclose

We aim to resolve confirmed vulnerabilities within 90 days. Once fixed, we'll notify you and coordinate on any public disclosure if appropriate.

Our commitment to researchers

We believe responsible disclosure makes everyone safer. If you follow this policy in good faith, we commit to working with you openly.

  • We will not pursue legal action against researchers who follow this policy
  • We will work with you to understand and validate your report
  • We will keep you informed of our progress toward a fix
  • We will credit you (if desired) when we disclose the fix

Good faith means: You give us reasonable time to fix the issue before any public disclosure. You don't access, modify, or delete data belonging to other users. You don't degrade our services or disrupt our users.

Questions before testing? If you're unsure whether your research falls within scope, email security@wavvi.com first. We're happy to clarify.
