Responsible Disclosure

Wave Mobile Money is committed to ensuring the security of our products and services. This policy is intended to give security researchers clear guidelines for conducting vulnerability discovery activities and to convey our preferences in how to submit discovered vulnerabilities to us.

This policy describes what systems and types of research are covered under this policy, how to send us vulnerability reports, and how long we ask security researchers to wait before publicly disclosing vulnerabilities.

Authorization & Safe Harbor

If you make a good faith effort to comply with this statement during your security research, we will consider your research to be authorized, and Wave agrees not to pursue or support any legal action related to your research.


Under this policy, “research” means security activities in which you:


The following test methods are not authorized:


This policy applies to the following systems and services:

Any service not expressly listed above, such as any connected services, are excluded from scope and are not authorized for testing. Additionally, vulnerabilities found in systems from our vendors fall outside of this policy’s scope and should be reported directly to the vendor according to their disclosure policy (if any). If you aren’t sure whether a system is in scope or not, contact us at

Reporting a vulnerability

We accept vulnerability reports via Reports may be submitted anonymously. If you share contact information, we will acknowledge receipt of your report within 3 business days.

If your report contains sensitive data, please use the public GPG key provided below to encrypt and email your findings to us.


What we would like to see from you

What you can expect from us