Responsible Disclosure
Wave Mobile Money is committed to ensuring the security of our products and services. This policy is intended to give security researchers clear guidelines for conducting vulnerability discovery activities and to convey our preferences in how to submit discovered vulnerabilities to us.
This policy describes which systems and types of research are covered, how to send us vulnerability reports, and how long we ask security researchers to wait before publicly disclosing vulnerabilities.
Authorization & Safe Harbor
If you make a good faith effort to comply with this statement during your security research, we will consider your research to be authorized, and Wave agrees not to pursue or support any legal action related to your research.
Guidelines
Under this policy, “research” means security activities in which you:
- Notify us as soon as possible after you discover a real or potential security issue.
- Only use exploits to the extent necessary to confirm a vulnerability’s presence.
- Provide us a reasonable amount of time to resolve the issue before you disclose it publicly.
- Once you’ve established that a vulnerability exists or have identified exposed sensitive data, stop your test, notify us immediately, and do not disclose this data to anyone else.
Restrictions
The following test methods are not authorized:
- Denial of service (DoS or DDoS) tests or other tests that impair access to or damage a system or data
- Physical testing (e.g. office access, open doors, tailgating), social engineering of our staff or contractors (e.g. phishing, vishing), or any other non-technical vulnerability testing
Scope
This policy applies to the following systems and services:
- Wave primary website (https://www.wave.com)
- Web Applications
- Mobile & Merchant Applications
Any service not expressly listed above, including any connected services, is excluded from scope and is not authorized for testing. Additionally, vulnerabilities found in systems operated by our vendors fall outside this policy’s scope and should be reported directly to the vendor according to their disclosure policy (if any). If you aren’t sure whether a system is in scope, contact us at security@wave.com.
Reporting a vulnerability
We accept vulnerability reports via security@wave.com. Reports may be submitted anonymously. If you share contact information, we will acknowledge receipt of your report within 3 business days.
If your report contains sensitive data, please use the public GPG key provided below to encrypt and email your findings to us.
Encryption: https://www.wave.com/security/wave.pgp.txt
Signature: https://www.wave.com/security/wave_security.txt.sig.txt
What we would like to see from you
- Describe where the vulnerability was discovered and the potential impact of exploitation.
- Offer a detailed description of the steps needed to reproduce the vulnerability (proof of concept scripts or screenshots are helpful).
What you can expect from us
- Within 3 business days, we will acknowledge that your report has been received.
- To the best of our ability, we will confirm the existence of the vulnerability to you and be as transparent as possible about what steps we are taking during the remediation process, including any issues or challenges that may delay resolution.