Wag! Top Dogs

Wag! Responsible Disclosure Program

Guidelines

We require that all researchers:

• Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction of data during security testing.
• Perform research only within the scope set out below.
• Use the identified communication channels to report vulnerability information to us.
• Keep information about any vulnerabilities you’ve discovered confidential between yourself and Wag! until we’ve had 90 days to resolve the issue.
• Use test accounts with a real email address so that we can contact you if any issues arise. Denote the account by using the word “test” in several fields.
• Do not book walks in the system using promotional offers.

If you follow these guidelines when reporting an issue to us, we commit to:

• Not pursue or support any legal action related to your research.
• Work with you to understand and resolve the issue quickly (including an initial confirmation of your report within 72 hours of submission).
• Recognize your contribution on our Security Researcher Hall of Fame, if you are the first to report the issue and we make a code or configuration change based on the issue.

Scope

The following domains are considered in scope for this program:

• app.wagwalking.com
• prod-api.wagwalking.com
• prod-ops-api.wagwalking.com
• wagwalking.com

The following apps are considered in scope for this program:

• Wag! app (iOS & Android)
• Wag! Walker app (iOS & Android)

Any design or implementation issue that is reproducible and substantially affects the security of Wag! users is likely to be in scope for the program. Consider what an attack scenario would look like, and how an attacker might benefit? What are the consequences to the victim? The Google Bug Hunter University guide may be useful in considering whether an issue has security impact.

Excluded Submission Types

Any services hosted by 3rd party providers and services are strictly excluded from the scope.

In the interest of the safety of our users, staff, the Internet at large and you as a security researcher, the following test types are excluded from the scope:

• Findings from physical testing such as office access (e.g. open doors, tailgating)
• Findings derived primarily from social engineering (e.g. phishing, vishing)
• Findings from applications or systems not listed in the ‘Scope’ section
• Attacks requiring physical access to a user's device
• UI and UX bugs and spelling mistakes
• Network level Denial of Service (DoS/DDoS) vulnerabilities

Common “Non-qualifying” Submission Types

Some submission types do not qualify for because they have low security impact, and therefore do not trigger a code change. This section contains a listing of issues found to be commonly reproducible and reported but are not considered eligible for our Hall of Fame submissions. We strongly suggest you do not report these issues unless you can demonstrate a chained attack with higher impact.

• Password and account recovery policies, such as reset link expiration or password complexity
• Invalid or missing SPF (Sender Policy Framework) records or DMARC settings
• Reports of spam
• Bypass of URL malware detection
• Vulnerabilities only affecting users of outdated or unpatched browsers and platforms
• Social engineering of Wag! staff or contractors
• Issues without clearly identified security impact, such as clickjacking on a static website, missing security headers, or descriptive error messages
• Descriptive error messages (e.g. Stack Traces, application or server errors)
• HTTP 404 codes/pages or other HTTP non-200 codes/pages
• Banner disclosure on common/public services
• Disclosure of known public files or directories, (e.g. robots.txt)
• Clickjacking and issues only exploitable through clickjacking
• CSRF on forms that are available to anonymous users
• Presence of application or web browser ‘autocomplete’ or ‘save password’ functionality
• Lack of Secure and HTTPOnly cookie flags
• Weak Captcha / Captcha Bypass
• Username enumeration via Login Page error message
• Username enumeration via Forgot Password error message
• OPTIONS / TRACE HTTP method enabled
• SSL Attacks such as BEAST, BREACH, Renegotiation attack
• SSL Forward secrecy not enabled
• SSL Insecure cipher suites
• The Anti-MIME-Sniffing header X-Content-Type-Options
• Missing HTTP security headers, specifically (https://www.veracode.com/blog/2014/03/guidelines-for-setting-security-headers)

Things we do not want to receive:

• Personally identifiable information (PII)
• Credit card holder data

Reporting

If you believe you’ve found a security vulnerability in one of our products or platforms please send it to us by emailing security@wagwalking.com. Please include the following details with your report:

• Description of the location and potential impact of the vulnerability.
• A detailed description of the steps required to reproduce the vulnerability (POC scripts, screenshots, and compressed screen captures are all helpful to us).
• Your name/handle and a link for recognition in our Hall of Fame.
• We encourage Researchers to include a video or screenshot Proof-of-Concept in their submissions. These files should not be shared publicly. This includes uploading to any publicly accessible websites (i.e. YouTube, Imgur, etc.). If the file exceeds 50MB, upload the file to a secure online service such as Vimeo, with a password.

Wag! Security Hall of Fame

If you are the first person to alert Wag! of a security issue and this triggers a code or configuration change, Wag! will post your name or alias on our Security Hall of Fame.

Scoring

Each submission’s score is based on the business impact, severity, and creativity of the issue.

Note that Wag! may choose to award higher points for unusually clever or severe vulnerabilities; or lower rewards for vulnerabilities that require significant or unusual user interaction.