Vulnerability Disclosure Policy

We're committed to writing flawless bug-free code, however as any software engineer will understand, this is not possible in most circumstances. This is why this Vulnerability Disclosure Program exists. The following document outlines our program guidelines, what you should test and what kind of tests you should avoid. It also mentions how to report issues and the rewards for doing so.

The rules are simple:

• Notify us as soon as possible after you discover a real or potential security issue.
• Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction or manipulation of data.
• Only use exploits to the extent necessary to confirm a vulnerability’s presence.
• Provide us a reasonable amount of time to resolve the issue before you disclose it publicly.
• Do not submit a high volume of low-quality reports.

The scope of this program includes the following:

• Website - windscribe.com
• API - api.windscribe.com
• VPN endpoints
• Windows app
• MacOS app
• Android app
• iOS app
• Chrome extension
• Firefox extension

While bug hunting, please avoid the following:

• DDoSing our infrastructure
• Brute forcing
• Social engineering
• Exfiltrate large amounts of data

After submitting a report you can expect to hear from us within 48 hrs, but usually a lot less. We will attempt to replicate the issue, and deploy a fix as soon as possible. In most cases this will happen pretty quickly, but in cases of application level vulnerabilities that require an update, it may take longer. This should go without saying, but we'll say it anyway: We won't sue you if you disclose issues to us.

If your report is verified and deemed to be an issue, you are eligible for compensation for your efforts. The actual amount solely depends on the severity of the issue as determined by us. Historically, we've paid out anywhere between $100 and $5000 for disclosed vulnerabilities.

To disclose an issue, please email us at hello (AT) windscribe.com. You can find our PGP key here. Please be as descriptive as possible and provide exact steps to reproduce the problem.

In the event of a critical issue being discovered that has a wide impact, we will notify all affected users via 4 channels of communication: notifications inside our apps, email (if email was provided during signup), Twitter and Reddit. A full breakdown of the issue and the solution will be posted in our blog. Example voluntary disclosure.