In Scope
- wakatime.com
- api.wakatime.com (web only, not used for email)
Out of Scope Vulnerabilities
Report leaked user API keys, user passwords, and other sensitive user data using this form:
https://wakatime.com/security/leaks
Do NOT report leaked user API keys, user passwords, user app secrets, or other user secrets here. They will be marked NA!
Vulnerabilities below will be marked NA or Informative.
- Session Fixation/Replay (We use session cookies and we like them http://bit.ly/2tw19Gd)
- Insufficient Session Expiration
- Weak Password Policy (See http://bit.ly/2uFjwXt)
- Password Reuse (We allow any password, even passwords used previously)
- CSRF Cookie Without 'HttpOnly' Flag
- BEAST attack (fixed in browsers, not the server)
- Username Enumeration
- Software version disclosure
- Denial of service
- Spamming
- Phishing
- Social engineering
- status.wakatime.com is NOT in scope. Submit vuln reports to [email protected] for our status page subdomain.
Please consolidate reports of the same vulnerability when only the page/URL/params change.