Introduction

This document outlines WellHive's policy for receipt and handling of reports from the public regarding identified security vulnerabilities in WellHive’s systems, services, and products.

WellHive is committed to ensure the security of its products. This policy is intended to give security researchers clear guidelines for conducting vulnerability discovery activities and to convey our preferences on how to submit discovered vulnerabilities to WellHive.

This policy describes what systems, services, and products and types of research are covered under this policy, how to send us vulnerability reports, and how long we ask security researchers to wait before publicly disclosing vulnerabilities.

We encourage you to contact us to report potential vulnerabilities in our systems, services, and products.

Authorization

If you make a good faith effort to comply with this policy during your security research, we will consider your research to be authorized, we will work with you to understand and resolve the issue quickly, and WellHive will not recommend or pursue legal action related to your research. Should legal action be initiated by a third party against you for activities that were conducted in accordance with this policy, we will make this authorization known.

Program Rules

• Prompt Reporting: Notify us at https://hackerone.com/wellhive as soon as possible after you discover a real or potential vulnerability. Once you’ve established that a vulnerability exists or encounter any sensitive data (including personally identifiable information, financial information, or proprietary information or trade secrets of any party), you must stop your test, notify us immediately, and not disclose this data to anyone else.
• Non-disruptive Conduct: Do not harm the performance of WellHive's systems, services, or products or its users. Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction or manipulation of data.
• Ethical Testing: Avoid social engineering, physical attacks, or denial of service on WellHive systems, services, and products.
• Scope Limitations: Testing is limited to WellHive systems, services, and products identified at https://hackerone.com/wellhive. Any systems, services, or products not expressly listed at the link above, are excluded from scope and are not authorized for testing. Third party, non-WellHive vendor systems, as well as any connected services, fall outside this policy and should be reported to the vendor directly.
• No Automated Scans: Refrain from conducting automated scans on WellHive systems or networks; WellHive conducts these tests internally. Your use of automated scanning on WellHive systems, services, or products may result in investigation and/or legal action.
• Avoid Overloading Systems: Excessive load-generating scans may lead to investigation and legal action. Limit Exploit Activity: Only use exploits to the extent necessary to confirm a vulnerability’s presence. Do not use an exploit to compromise or exfiltrate data, establish persistent command line access, or use the exploit to pivot to other systems.
• Allow Time for Remediation: Provide us a reasonable amount of time to resolve the issue before you disclose it publicly.
• Avoid Excessive Reporting: Do not submit a high volume of low-quality reports.

Scope

This policy applies to the WellHive systems, services, and products identified at https://hackerone.com/wellhive.

Any systems, services, or products not expressly listed in the link above are excluded from scope and are not authorized for testing. The parent "wellhive.com" domain is NOT in scope. Please see 'scope' for a listing of in-scope subdomains.

Third party, non-WellHive vendor systems, as well as any connected services, fall outside this policy and should be reported to the vendor directly.

If you aren’t sure whether a system is in scope or not, contact us at [email protected] before starting your research. If there is a particular system not in scope that you think merits testing, please contact us to discuss it first. We will increase the scope of this policy over time.

Test Methods and Out of Scope Testing

This policy excludes certain test methods, such as attacks requiring specific access, defacement, social engineering, and actions negatively impacting WellHive or its users. Unauthorized test methods include the following:

• Network denial of service (DoS or DDoS) tests or other tests that impair access to or damage a system or data
• Physical testing (e.g. office access, open doors, tailgating), social engineering (e.g. phishing, vishing), or any other non-technical vulnerability testing
• Attacks requiring man-in-the-middle (MITM) or physical device access.
• Known vulnerable libraries without a working proof of concept.
• Clickjacking on non-sensitive action pages.
• Cross-site request forgery (CSRF) on unauthenticated or non-sensitive action forms.
• SSL/TLS configuration lacking best practices.
• Unauthorized data access or tampering.
• Defacement or alteration.
• Social engineering of WellHive personnel.
• Actions negatively affecting WellHive or its users (e.g., Spam, Brute Force).
• Content spoofing without HTML/CSS modification capabilities.
• Rate limiting/brute force issues on non-authentication endpoints.
• Content Security Policy gaps.
• Email best practice lapses (SPF/DKIM/DMARC).
• Vulnerabilities limited to outdated/unpatched browsers.
• Software version/banner identification errors.
• Public zero-days with patches <1 month old, handled case by case.
• Open redirect without demonstrated security impact.

Reporting Vulnerabilities

Submit potential vulnerabilities to https://hackerone.com/wellhive. WellHive will acknowledge receipt of your report within five business days.

Expectations for Reports

To help us triage and remediate potential findings, a good vulnerability report should conform to the below:

• Detailed Description: Explain the vulnerability, the location the vulnerability was discovered, and the potential impact of exploitation of the vulnerability .
• Reproducibility Details: Provide a detailed description of the steps needed to reproduce the vulnerability, supported by proof of concept scripts, screenshots, or videos.
• Unique: Include one vulnerability per report, unless part of an attack chain.

WellHive Security Team Commitment

Upon receipt of a vulnerability report, WellHive's security team will take the following steps:

• If you have provided your contact information, we will acknowledge receipt of the report within five business days.
• To the best of our ability, we will confirm the existence of the vulnerability to you and be as transparent as possible about what steps we are taking during the remediation process, including on issues or challenges that may delay resolution.
• We will maintain an open dialogue to discuss issues.

We appreciate every researcher contributing to our security improvements at WellHive.

Questions

Questions regarding this policy may be sent to [email protected]. We also invite you to contact us with suggestions for improving this policy.