Vulnerability Disclosure Policy

Wisest AB

Found a security issue in our systems? Thanks for helping us keep Wisest and our clients safe. Here's how to report it.

We don't run a paid bounty, but good-faith reports are welcome.

Contact: secops@wisest.se. We aim to acknowledge within 3 business days.
Reporting

Send reports to secops@wisest.se. A useful report covers the affected target, how to reproduce it, a working PoC, and the impact. Rough structure:

Title:    Stored XSS in customer portal search
Target:   https://app.wisest.se/search
Type:     Cross-site scripting (stored)
Steps:    1. Log in with a test account
          2. Submit a script payload in the search field
          3. Open the saved search; the script runs
PoC:      attached request / screenshot / short video
Impact:   session theft against any user who views the result

For sensitive findings, you can encrypt your report with our PGP key.

Scope

In scope

Out of scope

Scanning

Keep concurrency reasonable (rough guideline: ≤ 20 requests/sec per host) and back off if you see service degradation.

Findings we won't accept without a working PoC

Rules of engagement

Brute force & credential stuffing

Feel free to demonstrate a weakness (missing rate limiting, weak lockout policy) with a minimal PoC against your own test account. Don't run volume attacks against real user accounts or production.

Disclosure

Please keep findings confidential until 30 days after we confirm a fix is deployed, or 90 days after our acknowledgement, whichever comes first, unless we mutually agree otherwise.

Recognition

With your consent, we'll credit you publicly once the issue is fixed.

Safe harbor

Research conducted in good faith under this policy is authorized conduct, and we won't pursue civil or criminal action against you for it. This authorization extends to Wisest-owned systems only; we can't grant it for client environments.

Unsure if something's in bounds? Email secops@wisest.se before testing.