Data protection continues to be a priority concern for inwise. Consequently, inwise encourages the reporting of any security vulnerabilities on our sites or in our applications. We welcome penetration testing and other vulnerability research to uncover potential threats, as this performs a valuable role in tightening internet security.
Once a researcher maintains the policies below, they will not be litigated against for exposing vulnerabilities in our systems. Thus, carefully consider the following policies before attempting to expose any of inwise systems vulnerabilities.
Which accounts to use
When testing for vulnerabilities, use only demo/test accounts or Trial/Developer Editions once available.
How to report a vulnerability
Report any potential threats to inwise systems or applications via email@example.com, providing accurate details of the threat for in-house validation. Only submissions that follow inwise rules will be acknowledged.
We ask that you do not share or publicize an unresolved vulnerability with/to third parties.
inwise reserves the right to investigate and repair security vulnerabilities privately without communicating such to its customers. This is for their own protection, to avoid unnecessary panic or worry, but may provide full disclosure once a patch or remedy is in place.
Types of prohibited security research
inwise expressly prohibits the following:
- Actions that result in a negative effect on inwise or its clients (e.g. Spam, Brute Force, Denial of Service, etc).
- Accessing, or attempting to access, data or information that does not belong to you.
- Destruction of someone else’s data. This includes attempting to corrupt unauthorized information.
- Physical or electronic assault of any inwise personnel, resources or data centers.
Psychological manipulation, whether by social engineering or otherwise, of any inwise service desk, employee or contractor.
- Conduct vulnerability testing of participating services using anything other than test accounts (e.g. Developer or Free instances).
- Publishing an unresolved vulnerability. Any discovered breach of the inwise system must be reported solely to inwise via firstname.lastname@example.org.
- Violating any laws or breaching any agreements in order to discover vulnerabilities.
Vulnerability Rewards Program
- inwise only awards compensation or bounty for each bug or vulnerability at the time that it is resolved.
- Only the first researcher to provide a report on the named bug will be compensated. Duplicate reports will be examined and only compensated if they provide further vulnerability information.
- inwise only accepts one vulnerability report per researcher per year.
- The maximum bounty is fixed at $75 USD per bug/vulnerability. inwise complies with all local monetary regulations, however, the researcher/recipient of the bounty is responsible for all financial liabilities regarding receipt of the funds, including taxes and transfer fees.
- inwise is unable to pay bug bounty to researchers resident in countries with trade restrictions/sanctions with Israel.
- inwise, in accordance with the Children’s Online Privacy Protection Act, does not collect personal information from children under 13.
The inwise security team commitment:
We, at inwise, are committed to:
- Promptly acknowledging receipt of your vulnerability report.
- Including an estimate of the time frame required to address the contents of your vulnerability report.
- Notifying you when the vulnerability outlined in your report has been resolved.
Thank you for taking the time to submit your vulnerability report to help us strengthen the security of the inwise systems and applications.
We do appreciate this!