Responsible Disclosure Policy
WeWork India takes security vulnerabilities and concerns seriously. We encourage the community to report possible vulnerabilities and incidents privately and responsibly.
If you are a security researcher/analyst and have discovered a security vulnerability in one of our services, platform/infrastructure or applications, we appreciate your help by disclosing it to us in a responsible manner. We will validate and fix the vulnerabilities that you designated in accordance
with our relevant policies.
WeWork India reserves all its legal rights in the event of any non-compliance to the applicable laws and regulations.
This program operates under the "Public Non-disclosure and Third Party Non-disclosure" mode by default. The same explicitly prohibits public disclosure of information and any dissemination to third parties in any form. There is strict prohibition on release of any information regarding vulnerabilities identified within this program to the public or third parties. Violation of this non-disclosure obligation will result in legal consequences and the responsible party shall be subject to legal penalties.
Responsible Disclosure Process
Throughout the reporting process, we will strive to keep all information confidential and to work with the disclosing entity to make sure we understand the issue and address it properly.
We ask that:
- Take responsibility and act with extreme care and caution.
- While investigating the matter, only use methods or techniques that are compliant with the law and necessary practices in order to find or demonstrate the weaknesses without limiting
the generality of the foregoing.
- In any event, please refrain from the following:
- Do not use weaknesses/vulnerabilities you discover for purposes other than your own investigation.
- Do not use social engineering techniques to gain access to a system.
- Do not install any back doors – not even to demonstrate the vulnerability of a system. Back doors will weaken the system’s security.
- Do not alter or delete any information in the system or application. If you need to copy information for your investigation, never copy more than you need. If one record is sufficient, do not go any further.
- Do not alter the system in any way.
- Do not share access or details of any vulnerable system with others.
- Do not use brute force techniques, such as repeatedly entering passwords, to gain access to systems.
If you believe you have found a security issue/vulnerability in one of our services, systems, or applications:
- If you are a WeWork Member or an independent researcher/analyst; primarily, please inform us through firstname.lastname@example.org along with your contact details and include the following information in your report:
- When reporting a security vulnerability, please do so responsibly and provide:
- A summary of the vulnerability
- A proof of concept code, tools, commands, or scripts used.
- Videos and/or screenshots that would make it easier for us to reproduce it.
- All communication with us should remain absolutely confidential. You must destroy all the artifacts mentioned above (code, screenshots, videos) after the vulnerability is resolved.
- Examples of vulnerabilities may include:
- OWASP Top 10 vulnerability categories
- Authentication flaws
- Circumventing of the platform and/or privacy permissions
- Privilege escalations
- Cross-site scripting (XSS)
- Cross-site request forgery (CSRF)
- Server-Side request forgery (XSRF)
- Injection Attacks (SQL, XML, JSON, etc.)
- Business logic by-pass
- Arbitrary redirect
- Server-side code execution (RCE)
Below is a non-exhaustive list of examples that are not considered valid issues:
- Best practices configurations / policies (i.e. DMARC, SPF Records, etc.)
- A POC that is dependent on executing a man-in-the-middle (MITM) attack.
- Email spoofing.
- Clickjacking or similar techniques.
Please note, these are just a few common examples. WeWork India keeps the right to determine what is considered a valid submission.
Points to Keep in Mind
- Do not put any customer or WeWork India data at risk, or degrade any of our system’s performance.
- If your actions are intrusive or an attack on our system, we may act against the same including activities such as reporting them to law enforcement bodies/agencies.
- WeWork India reserves its right to initiate legal action against any person and/or report to relevant authorities of such a person who conducts any tests or investigations which are prohibitive or not in compliance with law or not as per this Policy
Thank you for responsibly disclosing vulnerabilities and concerns, we respect the security-researchers community and appreciate the efforts to disclose responsibly. At this point of time, WeWork India doesn’t operate a public bug bounty program and therefore doesn’t offer monetary rewards.
Hall of fame
WeWork India would like to express our gratitude to the following individuals or companies for responsibly disclosing the security flaws to us: Please refer to our Hall of Fame page for more details.