WisdomTree, Inc.

#WISDOMTREE BUG BOUNTY PROGRAM POLICY

#Updates: February 2026: Updated Bounty Table

WisdomTree, Inc. and its subsidiaries (“WisdomTree”) takes very seriously and prioritizes the security of our customers data, products and services. If you have information about or discover a site or product vulnerability, please notify us using the guidelines below.

By participating in the WisdomTree Bug Bounty Program (the “Program”) you agree to all of the terms and conditions set forth in this policy. We reserve the right to make changes to the Program, including the terms and conditions thereto, at any time and for any reason. We look forward to working with you to find security vulnerabilities or bugs in our mobile phone application, WisdomTree Prime™. Detection and resolution of such security bugs or vulnerabilities will help keep our business and customers safe.

For testing purposes the applications can be found in both the IOS and Android play stores. If you have any questions about the program you can reach out to [email protected]

#WISDOMTREE BUG BOUNTY PROGRAM

Please note that your participation in the Program is voluntary and subject to the terms and conditions set forth in this policy (“Program Terms”). Your continued participation in the Program after any changes to the Program Terms become effective will constitute your acceptance of the changes and your agreement to be legally bound by such modifications or amendments. By submitting a Vulnerability Report to WisdomTree, you acknowledge that you have read and agreed to these Program Terms.

A “Vulnerability Report” means bug reports or other vulnerability information, in text, graphics, image, software, works of authorship of any kind, and information or other material that you provide or otherwise make available through the HackerOne Platform to WisdomTree resulting from your participation in the Program.

These Program Terms supplement the terms of the WisdomTree Prime™ User Agreement, any other agreement in which you have entered into with WisdomTree (collectively, “WisdomTree Agreements”), HackerOne’s Finder Terms and Conditions, and HackerOne’s disclosure guidelines, to the extent applicable. The terms of those WisdomTree Agreements will apply to your use of, and participation in, the Program as if fully set forth herein. If any inconsistency exists between the terms of the WisdomTree Agreements and these Program Terms, these Program Terms will control, but only with regard to the Program.

To encourage the submission of Vulnerability Reports, WisdomTree commits that, if we conclude, in our sole discretion, that a disclosure respects and meets all the guidelines of these Program Terms and the WisdomTree Agreements, and does not otherwise violate applicable law or regulation, WisdomTree will not bring a private action against you or refer such matter for public inquiry. As part of your research, do not modify any files or data, including permissions, and do not intentionally view or access any data beyond what is needed to prove the vulnerability. Additional Program Rules are set forth below. Disclosure

By participating in this Program, you agree not to publicly or privately disclose the contents of any Vulnerability Report submitted to WisdomTree, your findings, your communications with WisdomTree related to your participation in the Program, or any facts you have learned about WisdomTree in the course of your participation in the Program to any third parties without WisdomTree’s approval. In addition, you are required to follow HackerOne’s disclosure guidelines and Finder Terms and Conditions.

#Eligibility to Participate

• Participants must not be a resident of any U.S. embargoed jurisdiction, including but not limited to, Iran, North Korea, Cuba, the Crimea region, and Syria. By participating in the Program, you represent and warrant that you are not located in any such country. • Participants must not be included on the U.S. Treasury Department’s list of Specifically Designated Nationals or the U.S. Department of Commerce Denied Persons List or Entity List. By participating in the Program, you represent and warrant that you are on any such list. • Not be in violation of any national, state, or local law or regulation with respect to any activities directly or indirectly related to our Program. • Not be employed by WisdomTree or any of its affiliates or an immediate family member of a person employed by WisdomTree or any of its affiliates.

Those who meet the eligibility requirements above and discover a potential security vulnerability or bug within the WisdomTree Prime mobile app may submit a Vulnerability Report to WisdomTree.

#Program Rules

• Do not destroy, alter, leak, or manipulate any data. • Social engineering (e.g., phishing, vishing, smishing) is strictly prohibited. • Do not collect any personally identifiable information, authentication information, bank or credit card information from our users or customers. • Do not inappropriately store WisdomTree information in public locations. • Do not attempt to elevate privileges or explore a system beyond the minimum necessary to prove access or attempt to pivot in any way. • Do not publicly or privately disclose any vulnerabilities, bugs or Vulnerability Reports belonging to WisdomTree – existing or remediated – to anyone other than WisdomTree and HackerOne. • Your testing must not violate any applicable laws or regulations. • You must not degrade, interrupt, harm or deny services to our users or customers. • You must not access non-public information without authorization. • You must not infringe on WisdomTree’s intellectual property, which includes but is not limited to the WisdomTree Prime mobile application. • By submitting a Vulnerability Report, you grant WisdomTree a perpetual, irrevocable, worldwide, royalty-free license to use, copy, adapt, develop, create derivative work from, or share your submission for any purpose. You further agree to waive all claims, including breach of contract or implied-in-fact contract, arising out of your submission. • Whether to provide a payment for a Vulnerability Report and the amount of such payment is entirely at our discretion. • You are required to submit Vulnerability Reports through the HackerOne platform to WisdomTree. • Multiple vulnerabilities caused by one underlying issue will be awarded one reward. • Vulnerability Reports must be reasonably detailed with reproducible steps. If the Vulnerability Report is not detailed enough to reproduce the issue in WisdomTree’s sole discretion, the issue may not be eligible for a reward.

Please note that a violation of any of these rules, as determined in WisdomTree’s sole discretion, may disqualify you from receiving a reward and/or prohibit your participation in the Program.

#Submission Requirements

• All Vulnerability Reports must be filed through the HackerOne platform. • Vulnerability reports must meet all of HackerOne’s requirements. • https://docs.hackerone.com/programs/submit-report-form.html

#Submission Review Process

Once you submit a Vulnerability Report to WisdomTree for review in accordance with the submission requirements and Program Rules described above, WisdomTree will review the submission and validate its eligibility. The review time will vary depending on the complexity and completeness of your submission, as well as on the number of submissions we receive. WisdomTree retains sole discretion in determining which submissions are eligible for a reward. If we receive multiple Vulnerability Reports for the same issue from different parties, the reward will be granted to the first eligible submission. If a duplicate Vulnerability Report provides new information that was previously unknown to WisdomTree, we may aware a differential to the person submitting the duplicate Vulnerability Report. WisdomTree may also reopen and reward any Vulnerability Report mistakenly closed as invalid if we later receive and reward the same security bug or vulnerability by a different party. In such situations, we may pay both parties.

#Response Targets

WisdomTree will on a best efforts basis meeting the following SLAs for hackers participating in our Program:

• First Response - 2 days
• Time to Triage - 10 days
• Time to Bounty - 14 days
• Time to Resolution - Depends on severity and complexity

We will try to keep you informed about our progress throughout the process.

#Reward Eligibility

To qualify for a reward under this Program, you must:

• Send a clear textual vulnerability description of the bug along with the steps to reproduce the vulnerability. • Include attachments such as screenshots and proof of concept code as necessary. A clear description and proof of concept helps you provide that the security bug or vulnerability is legitimate and makes the reward process more efficient. • Be the first to report a specific vulnerability. • Disclose the vulnerability report directly and exclusively to us. Please note that you are prohibited from disclosing vulnerabilities to third parties, including but not limited to vulnerability brokers or consultants.

#Safe Harbor

Any activities conducted in a manner consistent with this policy will be considered authorized conduct and WisdomTree will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.

#Confidentiality

Any information you receive, collect or otherwise obtain from WisdomTree, our services, or any of our members, employees or agents in connection with the Program (whether after or before you participate in the Program, notably as a result of you finding and/or investigating a security bug or vulnerability in our in-scope applications or infrastructure) (“Confidential Information”) must be kept confidential, only used in connection with the Program and not disclosed to any third party. You may not use, disclose or distribute any such Confidential Information, including without limitation any information regarding your participation in the Program or any report submission related thereto.

By participating the Program, you represent and warrant that you have not used and will not use Confidential Information for any purpose other than in connection with the Program and that you have not shared and will not share such Confidential Information with any third party.

WisdomTree reserves the right to request from you, and you agree to abide by our request, to securely and irreversibly delete any data related to any report submission, including without limitation, any data about WisdomTree, our services, or any of our members, employees or agents. Additionally, you agree to securely and irreversibly delete any data related to a report submission upon it no longer being reasonably necessary to retain for the purposes of conveying the impact or scope of the reported issue, after verifying with WisdomTree that it is no longer necessary, and/or if the report submission is closed, regardless of outcome.

#Privacy

To protect your privacy, we will not, unless otherwise required to comply with applicable law or regulation, or to address a violation of this policy:

• Share your personally identifiable information with third parties • Share your research without your permission • Share your participation without your permission

If you have any questions regarding our Program, please contact us at [email protected].