
Responsible Disclosure Policy

Introduction

WeWork India takes security vulnerabilities and concerns seriously. We encourage the community to report possible vulnerabilities and incidents privately and responsibly.

If you are a security researcher/analyst and have discovered a security vulnerability in one of our services, platform/infrastructure or applications, we appreciate your help in disclosing it to us in a responsible manner. We will validate and fix the vulnerabilities that you report in accordance with our relevant policies.

WeWork India reserves all its legal rights in the event of any non-compliance to the applicable laws and regulations.

This program operates under the "Public Non-disclosure and Third Party Non-disclosure" mode by default. This mode explicitly prohibits public disclosure of information and any dissemination to third parties in any form. The release of any information regarding vulnerabilities identified within this program to the public or to third parties is strictly prohibited. Violation of this non-disclosure obligation will result in legal consequences, and the responsible party shall be subject to legal penalties.

Confidentiality

All vulnerabilities submitted under this policy must remain confidential between the reporting party and WeWork. Public disclosure or sharing information with third parties is prohibited without explicit consent from WeWork India.

Eligibility to Participate

Participation is open to anyone adhering strictly to the outlined rules of engagement and eligibility criteria listed within this policy. Any violation of these rules may disqualify you from participation.

Rules of Engagement

Participants must adhere to the following rules:

  • Avoid mass account creation for testing purposes.
  • Refrain from destructive automated testing that could intentionally damage WeWork systems.
  • Do not engage in social engineering attacks such as phishing, vishing, or smishing.
  • Do not attempt extortion in any form.
  • Ensure systems remain secure and are not left more vulnerable after testing.
  • Always respect the privacy of our members.
  • Act in good faith when researching and reporting vulnerabilities.
  • Maintain respectful interactions with the WeWork security team.
  • Avoid leaking, manipulating, or destroying user data, and only test accounts with explicit authorization.
  • Submit meaningful and actionable vulnerability reports.

Reporting

If you believe you have found a security issue/vulnerability in one of our services, systems, or applications, then:

  • Please inform us by submitting your disclosure to cybersecurity@wework.co.in along with your contact details. When reporting a security vulnerability, please do so responsibly and include the following information in your report:
    • A summary of the vulnerability
    • The proof-of-concept code, usernames, email IDs, tools, commands, or scripts used.
    • Videos and/or screenshots that would make it easier for us to reproduce it.
  • All communication with us should remain absolutely confidential. You must destroy all the artifacts mentioned above (code, screenshots, videos) after the vulnerability is resolved.

Eligibility and Out-of-Scope Vulnerabilities

Findings rated Critical, High, or Medium are eligible for the program.

WeWork India reserves the right to evaluate each finding and its severity based on the PoC shared, as reviewed internally.

Hall of Fame eligibility is based on the finding's severity and impact.

The following categories are explicitly excluded from the program:

  • Findings from automated tools and vulnerability scanners.
  • Issues on third-party sites unless directly impacting WeWork's main site or application.
  • Broken link hijacking scenarios.
  • Denial-of-service, rate-limiting, or brute-force issues outside authentication endpoints.
  • Any form of social engineering.
  • Spam-related issues.
  • Content spoofing and text injection without a demonstrated exploit.
  • Click-jacking or vulnerabilities only exploitable through click-jacking.
  • Exposure of publicly known files/directories (e.g., .htaccess, robots.txt).
  • Third-party vulnerabilities within 30 days of the CVE being published or an official patch becoming available.
  • Misconfigured or missing security headers without exploitability.
  • Verbose server responses lacking exploit potential.
  • Software version disclosure without clear exploitability.
  • Lack of certificate pinning or HSTS configurations.
  • Weak SSL/TLS configurations, expired certificates, and cipher vulnerabilities.
  • Secure and HTTPOnly cookie flag issues.
  • Session tokens stored in local browser cache.
  • Weak or absent Captcha and rate-limiting implementations.
  • Tap-jacking and tab-nabbing issues.
  • SPF/DKIM/DMARC configuration issues.
  • Vulnerabilities requiring unlikely user actions or outdated software environments.
  • Self-inflicted cross-site scripting (Self-XSS).
  • Login/logout CSRF vulnerabilities.
  • File uploads lacking a demonstrable exploit.
  • Embedded third-party API keys or secrets in mobile apps without exploitability.
  • Multiple account creation for promotional benefit.
  • Attacks targeting corporate IT infrastructure.
  • Employee-targeted attacks, including phishing and physical security breaches.
  • Host header injection without clear exploitability.
  • Mobile vulnerabilities requiring root access or outdated OS versions.
  • Attacks necessitating MITM or physical device access.
  • CSV injection without exploit proof.
  • Open redirects lacking clear additional security impact.
  • Recently disclosed zero-day vulnerabilities with official patches available for under 30 days may be reviewed case-by-case.

Thank you

Thank you for responsibly disclosing vulnerabilities and concerns. We respect the security researcher community and appreciate the efforts made to disclose responsibly. At this point in time, WeWork India doesn't operate a public bug bounty program and therefore doesn't offer monetary rewards.

Hall of fame

WeWork India would like to express our gratitude to the following individuals or companies for responsibly disclosing security flaws to us. Please refer to our Hall of Fame page for more details.