Responsible disclosure
We build a security product, so we take reports about our own security seriously. If you have found a vulnerability, this page tells you how to tell us — and what we promise in return.
Scope
In scope — anything that affects the confidentiality, integrity, or availability of the Smart WAF service and the systems we operate:
- our edge nodes and the traffic-filtering data plane;
- the control-plane API and the customer portal;
- this website and its supporting infrastructure;
- tenant-isolation issues (any path that lets one customer reach another customer’s data).
Out of scope — reports we cannot act on or that describe expected behaviour:
- findings in third-party services we do not operate (report those to their owners);
- volumetric denial-of-service testing against our production edge — please do not run it;
- social engineering of our staff, customers, or partners;
- missing security headers or best-practice suggestions with no demonstrable impact.
Safe harbour
If you make a good-faith effort to follow this policy, we will not pursue or support legal action against you for your research. Good faith means: you stay within scope, you do not access, modify, or delete data that is not yours beyond what is needed to demonstrate the issue, you do not degrade our service for others, and you give us a reasonable chance to fix the problem before disclosing it publicly.
We will not treat honest, careful research as an attack. If you are unsure whether something is in scope, ask us first.
What to expect
We are a small team and we will be honest about that rather than promise a service level we cannot guarantee:
- we aim to acknowledge your report within five business days;
- we will keep you updated as we investigate and confirm the issue;
- we will let you know when a fix ships, and we are happy to credit you if you would like that (and to keep you anonymous if you would not).
We do not currently run a paid bug-bounty programme. Recognition and a genuine thank-you are what we can offer today.
Contact
Email security@waf.smartis.site with a clear description, the steps to reproduce, and any proof-of-concept you can share. This is the same address published in our machine-readable /.well-known/security.txt.