Report Security Issues
Security Vulnerability Reporting
If you have discovered a security vulnerability on W1hardwar.store, we encourage you to contact us immediately. We carefully review all legitimate vulnerability reports and work diligently to resolve any issues. Before reporting, please read through this document, which includes our fundamentals, bounty program, reward guidelines, and details on what should not be reported.
Fundamentals
If you adhere to the principles below when reporting a security issue to W1hardwar, we will not initiate legal action or enforcement investigations in response to your report.
We ask that:
- You give us reasonable time to review and address the issue before publicly sharing or discussing the details of the report.
- You refrain from interacting with private accounts (including accessing or modifying data) unless the account owner has given consent.
- You make every effort to avoid privacy violations and disruptions to others, such as data destruction or service interruptions.
- You do not exploit any security issues you discover for any reason (this includes demonstrating additional risk or trying to compromise sensitive company data).
- You do not violate any other applicable laws or regulations.
Bounty Program
We recognize and reward security researchers who help us maintain a safe platform by reporting vulnerabilities in our services. Monetary bounties are awarded at W1hardwar’s discretion, based on risk, impact, and other factors. To potentially qualify for a bounty, you must meet the following requirements:
- Adhere to the fundamentals listed above.
- Report a security bug—identify a vulnerability in our services or infrastructure that poses a security or privacy risk. (Note that W1hardwar determines the risk level of any issue, and not all bugs may be considered security vulnerabilities.)
- Submit your report through our security center, rather than contacting employees directly.
- If your investigation inadvertently causes a privacy violation or disruption (such as accessing account data or other confidential information), please inform us in your report.
We investigate and respond to all valid reports. Due to the volume of reports, we prioritize evaluations based on risk and other factors, so it may take some time to receive a reply.
We reserve the right to publish reports.
Rewards
Our rewards are determined by the impact of the vulnerability. We update the program over time based on feedback, so we welcome any suggestions for improvement.
Please ensure your reports are detailed with reproducible steps. Reports that lack sufficient detail to reproduce the issue will not be eligible for a bounty.
When multiple reports address the same issue, we reward the first valid report we can fully reproduce.
If a single issue causes multiple vulnerabilities, we will award one bounty.
Bounty amounts are determined based on various factors, including impact, ease of exploitation, and report quality. The maximum reward amounts per severity level are outlined below. These amounts represent the maximum W1hardwar will pay, but final amounts are at our discretion.
Severity Levels and Rewards:
- Critical Severity Vulnerabilities (£200): Vulnerabilities that allow privilege escalation, remote code execution, financial theft, etc. Examples: Remote code execution, vertical authentication bypass, SQL injection leaking data, full account access.
- High Severity Vulnerabilities (£100): Vulnerabilities affecting platform security and supported processes. Examples: Lateral authentication bypass, cross-site scripting (XSS) affecting users, insecure authentication cookie handling.
- Medium Severity Vulnerabilities (£50): Vulnerabilities affecting multiple users with little or no user interaction required. Examples: Logic flaws, insecure object references, business process defects.
- Low Severity Vulnerabilities: Issues affecting individual users that require interaction or significant prerequisites. Examples: Open redirects, reflective XSS, low-sensitivity information leaks.
We aim to be fair in awarding rewards, and the final amount is at our discretion based on the above factors.