We're committed to writing flawless, bug-free code; however, as any software engineer will understand, this is not possible in most circumstances. This is why this Vulnerability Disclosure Program exists. The following document outlines our program guidelines, what you should test and what kinds of tests you should avoid. It also explains how to report issues and the rewards for doing so.
The rules are simple:
The scope of this program includes the following:
While bug hunting, please avoid the following:
After submitting a report you can expect to hear from us within 48 hours, but usually a lot less. We will attempt to replicate the issue and deploy a fix as soon as possible. In most cases this will happen pretty quickly, but in cases of application-level vulnerabilities that require an update, it may take longer. This should go without saying, but we'll say it anyway: we won't sue you if you disclose issues to us.
If your report is verified and deemed to be an issue, you are eligible for compensation for your efforts. The actual amount depends solely on the severity of the issue as determined by us. Historically, we've paid out anywhere between $100 and $5000 for disclosed vulnerabilities.
To disclose an issue, please email us at hello (AT) windscribe.com. You can find our PGP key here. Please be as descriptive as possible and provide exact steps to reproduce the problem.
In the event of a critical issue being discovered that has a wide impact, we will notify all affected users via 4 channels of communication: notifications inside our apps, email (if email was provided during signup), Twitter and Reddit. A full breakdown of the issue and the solution will be posted in our blog. Example voluntary disclosure.