Responsible Disclosure


Wave Mobile Money is committed to ensuring the security of our products and services. This policy is intended to give security researchers clear guidelines for conducting vulnerability discovery activities and to convey our preferences for how discovered vulnerabilities should be submitted to us.

This policy describes which systems and types of research are covered, how to send us vulnerability reports, and how long we ask security researchers to wait before publicly disclosing vulnerabilities.

Authorization & Safe Harbor

If you make a good faith effort to comply with this statement during your security research, we will consider your research to be authorized, and Wave agrees not to pursue or support any legal action related to your research.

Guidelines

Under this policy, “research” means security activities in which you:

Restrictions

The following test methods are not authorized:

Scope

This policy applies to the following systems and services:

Any services not expressly listed above, such as any connected services, are excluded from scope and are not authorized for testing. Additionally, vulnerabilities found in systems from our vendors fall outside of this policy’s scope and should be reported directly to the vendor according to their disclosure policy (if any). If you aren’t sure whether a system is in scope, contact us at security@wave.com.

Reporting a vulnerability

We accept vulnerability reports via security@wave.com. Reports may be submitted anonymously. If you share contact information, we will acknowledge receipt of your report within 3 business days.

If your report contains sensitive data, please use the public GPG key provided below to encrypt and email your findings to us.

Encryption: https://www.wave.com/security/wave.pgp.txt
Signature: https://www.wave.com/security/wave_security.txt.sig.txt

What we would like to see from you

What you can expect from us