Vulnerability Disclosure Policy

Last updated July 26, 2025

Webhizzy Solutions Vulnerability Disclosure Policy

At Webhizzy Solutions, the security of our systems and the data of our users is of utmost importance. We are committed to protecting our users and maintaining the integrity of our services. We appreciate the efforts of security researchers and the community in helping us identify and remediate vulnerabilities responsibly.

This policy outlines our guidelines for security researchers who wish to report potential vulnerabilities to us.

How to Report a Vulnerability

If you believe you have discovered a security vulnerability in any Webhizzy Solutions product, service, or website, please report it to us as quickly as possible.

Please submit your report via:

When submitting your report, please include:

  • Clear Description: A detailed description of the vulnerability, including its type (e.g., XSS, SQL Injection, broken authentication).
  • Scope: The specific URL(s) or system(s) affected.
  • Steps to Reproduce: Clear, step-by-step instructions on how to reproduce the vulnerability. This is crucial for us to understand and verify the issue.
  • Proof of Concept (PoC): Any relevant code, screenshots, or video recordings that demonstrate the vulnerability.
  • Impact: The potential impact of the vulnerability (e.g., data breach, service disruption, unauthorized access).
  • Your Contact Information (Optional): If you wish to be acknowledged, please include your name, organization, and a link to your public profile (e.g., LinkedIn, Twitter, personal website).
  • Encryption (Recommended): If you are sending sensitive information, please consider encrypting your email using our PGP key, available at https://webhizzy.in/pgp-key.txt.

Our Commitment to You

Upon receiving a vulnerability report, Webhizzy Solutions commits to:

  • Acknowledgement: We will acknowledge receipt of your report within [e.g., 3 business days].
  • Investigation: We will investigate the reported vulnerability promptly and thoroughly.
  • Communication: We will keep you informed of our progress in addressing the vulnerability. We may ask for additional information or clarification during this process.
  • Remediation: We will work diligently to fix validated vulnerabilities in a timely manner.
  • Disclosure: We will notify you once the vulnerability has been remediated. We encourage coordinated disclosure and prefer to fix the issue before public disclosure.
  • No Legal Action: We will not pursue legal action against security researchers who report vulnerabilities in good faith and adhere to this policy.

Guidelines for Responsible Disclosure

To ensure a smooth and effective disclosure process, we kindly request that researchers adhere to the following guidelines:

  • Do Not Publicly Disclose: Please do not disclose the vulnerability publicly until we have had a reasonable time to investigate and remediate the issue. We prefer a coordinated disclosure approach.
  • Minimize Impact: Do not exploit the vulnerability beyond what is necessary to prove its existence. Avoid accessing, modifying, or deleting any user data or system configurations.
  • Respect Privacy: Do not attempt to access or compromise user accounts or personal data.
  • Avoid Destructive Actions: Do not perform any actions that could negatively impact our services or users, such as denial-of-service attacks, spamming, or social engineering.
  • No Automated Scanners: Avoid using automated vulnerability scanners that could generate a high volume of traffic or cause service disruption. If you must use a scanner, please configure it to run at a low rate and notify us in advance.
  • Scope: Focus your research on our publicly accessible systems and applications. Do not attempt to gain access to internal networks or systems.
  • Legal Compliance: Ensure your research complies with all applicable laws and regulations.

Out of Scope

The following types of findings are generally considered out of scope for our vulnerability disclosure program:

  • Social Engineering: Any attempts to phish, trick, or coerce Webhizzy Solutions employees or users.
  • Physical Attacks: Attempts to gain physical access to Webhizzy Solutions offices or data centers.
  • Denial of Service (DoS/DDoS) Attacks: Any actions that disrupt our services.
  • Spamming: Any form of spamming or unsolicited bulk messaging.
  • Missing HTTP Security Headers: Unless a clear exploit can be demonstrated.
  • Missing SPF, DKIM, DMARC Records: Unless a clear exploit can be demonstrated.
  • Clickjacking on non-sensitive pages: Unless a clear exploit can be demonstrated.
  • Self-XSS: Cross-Site Scripting that only affects the user themselves and cannot be exploited by an attacker.
  • Descriptive Error Messages or Banners: Unless they disclose sensitive information.
  • Information Disclosure of Publicly Available Information: Such as server version numbers.
  • Weak Password Policies: Unless combined with another vulnerability leading to a compromise.

Acknowledgements

We believe in recognizing the valuable contributions of security researchers. If you report a valid vulnerability and adhere to this policy, we would be happy to acknowledge your contribution on our public Security Acknowledgements page, with your permission.

Thank you for helping us keep Webhizzy Solutions secure.