Responsible Disclosure | WAVE Security

Responsible Disclosure Policy

Last updated: 2026-04-27

WAVE welcomes security research. This policy describes how to report vulnerabilities and the safe harbor we extend to researchers acting in good faith.

Safe harbor

WAVE will not pursue civil or criminal action against security researchers who:

Make a good-faith effort to comply with this policy
Avoid privacy violations, destructive actions, or service disruption
Do not exploit vulnerabilities beyond what is necessary to demonstrate the issue
Report findings within 30 days of discovery
Avoid accessing other users' data
Avoid social engineering of WAVE staff

In scope

wave.online and its subdomains
WAVE APIs at api.wave.online and edge.wave.online
WAVE SDKs (npm: @wave-av/*, PyPI: wave-av)
Mobile apps (when launched)

Out of scope

Third-party services (Stripe, Twilio, Cloudflare, etc.) — report to vendor directly
Findings requiring physical access or social engineering
Denial-of-service attacks
Account takeovers without responsible disclosure
Self-XSS or attacks requiring an already-compromised account
Issues already known and tracked

How to report

Email [email protected] with our PGP key (available at /.well-known/security.txt). Include:

Description of the issue
Reproduction steps
Affected URLs or endpoints
Impact assessment
Your name or handle for hall-of-fame credit (optional)

What we do

Acknowledge within 24 hours
Investigate within 5 business days
Provide status updates every 7 business days until resolved
Notify you when resolved
Credit you in our security hall of fame, with your permission

Bug bounty rewards

Severity	CVSS	Reward
Critical	9.0–10.0	$5,000–$15,000
High	7.0–8.9	$1,000–$5,000
Medium	4.0–6.9	$250–$1,000
Low	0.1–3.9	$50–$250
Informational	N/A	Hall of fame credit

Final reward determined by CVSS score and business impact, quality of report (clarity and reproduction steps), and originality (first to report wins).

Excluded categories

Best-practice violations without a demonstrated exploit
Outdated software without an exploitable vulnerability
Self-hosted dependency CVEs without an exploit path
Theoretical issues
Phishing pages mimicking WAVE — report to [email protected] (not a security bug)
Issues affecting unsupported browsers

What we ask in return

Do not publicly disclose until we have fixed (or 90 days from initial report, whichever is first)
Do not access other users' data
Do not degrade WAVE's service
Coordinate with us on disclosure timing for high-impact issues

Legal

By participating in good faith with this policy, WAVE will not pursue legal action under the CFAA, DMCA, or similar statutes; we waive DMCA Section 1201 claims for circumvention research; you retain copyright in your reports and research. This safe harbor does not cover violation of third-party rights, unlawful actions independent of security research, or researchers acting in bad faith.

See also our Security Whitepaper and Trust Center.

Responsible Disclosure Policy

Last updated: 2026-04-27

WAVE welcomes security research. This policy describes how to report vulnerabilities and the safe harbor we extend to researchers acting in good faith.

Safe harbor

WAVE will not pursue civil or criminal action against security researchers who:

Make a good-faith effort to comply with this policy
Avoid privacy violations, destructive actions, or service disruption
Do not exploit vulnerabilities beyond what is necessary to demonstrate the issue
Report findings within 30 days of discovery
Avoid accessing other users' data
Avoid social engineering of WAVE staff

In scope

wave.online and its subdomains
WAVE APIs at api.wave.online and edge.wave.online
WAVE SDKs (npm: @wave-av/*, PyPI: wave-av)
Mobile apps (when launched)

Out of scope

Third-party services (Stripe, Twilio, Cloudflare, etc.) — report to vendor directly
Findings requiring physical access or social engineering
Denial-of-service attacks
Account takeovers without responsible disclosure
Self-XSS or attacks requiring an already-compromised account
Issues already known and tracked

How to report

Email [email protected] with our PGP key (available at /.well-known/security.txt). Include:

Description of the issue
Reproduction steps
Affected URLs or endpoints
Impact assessment
Your name or handle for hall-of-fame credit (optional)

What we do

Acknowledge within 24 hours
Investigate within 5 business days
Provide status updates every 7 business days until resolved
Notify you when resolved
Credit you in our security hall of fame, with your permission

Bug bounty rewards

Severity	CVSS	Reward
Critical	9.0–10.0	$5,000–$15,000
High	7.0–8.9	$1,000–$5,000
Medium	4.0–6.9	$250–$1,000
Low	0.1–3.9	$50–$250
Informational	N/A	Hall of fame credit

Final reward determined by CVSS score and business impact, quality of report (clarity and reproduction steps), and originality (first to report wins).

Excluded categories

Best-practice violations without a demonstrated exploit
Outdated software without an exploitable vulnerability
Self-hosted dependency CVEs without an exploit path
Theoretical issues
Phishing pages mimicking WAVE — report to [email protected] (not a security bug)
Issues affecting unsupported browsers

What we ask in return

Do not publicly disclose until we have fixed (or 90 days from initial report, whichever is first)
Do not access other users' data
Do not degrade WAVE's service
Coordinate with us on disclosure timing for high-impact issues

Legal

See also our Security Whitepaper and Trust Center.

Responsible Disclosure Policy

Safe harbor

In scope

Out of scope

How to report

What we do

Bug bounty rewards

Excluded categories

What we ask in return

Legal

Related

Responsible Disclosure Policy

Safe harbor

In scope

Out of scope

How to report

What we do

Bug bounty rewards

Excluded categories

What we ask in return

Legal

Related