Details

In Scope

wakatime.com
api.wakatime.com (web only, not used for email)

Out of Scope Vulnerabilities

Report leaked user api keys, user passwords, and other sensitive user data using this form:
https://wakatime.com/security/leaks
Do NOT report leaked user api keys, user passwords, user app secrets, or other user secrets here. They will be marked NA!

Vulnerabilities below will be marked NA or Informative.

Session Fixation/Replay (We use session cookies and we like them http://bit.ly/2tw19Gd)
Insufficient Session Expiration
Weak Password Policy (See http://bit.ly/2uFjwXt)
Password Reuse (We allow any password, even passwords used previously)
CSRF Cookie Without 'HttpOnly' Flag
Beast Attack (Fixed in browsers not sever)
Username Enumeration
Software version disclosure
Denial of service
Spamming
Phishing
Social engineering
status.wakatime.com is NOT in scope. Submit vuln reports to [email protected] for our status page subdomain.

Please consolidate the same vulnerability reports when only the page/url/params changes.

View changes to this policy

In Scope

wakatime.com
api.wakatime.com (web only, not used for email)

Out of Scope Vulnerabilities

Vulnerabilities below will be marked NA or Informative.

Session Fixation/Replay (We use session cookies and we like them http://bit.ly/2tw19Gd)
Insufficient Session Expiration
Weak Password Policy (See http://bit.ly/2uFjwXt)
Password Reuse (We allow any password, even passwords used previously)
CSRF Cookie Without 'HttpOnly' Flag
Beast Attack (Fixed in browsers not sever)
Username Enumeration
Software version disclosure
Denial of service
Spamming
Phishing
Social engineering
status.wakatime.com is NOT in scope. Submit vuln reports to [email protected] for our status page subdomain.

Please consolidate the same vulnerability reports when only the page/url/params changes.

View changes to this policy

WakaTime

WakaTime

Details

In Scope

Out of Scope Vulnerabilities

In Scope

Out of Scope Vulnerabilities