Responsible Disclosure
Security researchers help protect the pet owners, walkers, and pets who rely on Wag! every day. If you've sent us a report — whether it made the Hall of Fame or not — we appreciate it. This policy is our commitment to making that relationship as clear and fair as possible.
Eligibility
- Must be 18 or older.
- Not a current Wag! employee, contractor, or vendor. Former employees/contractors are ineligible for 12 months after their engagement ends.
- Not located in a country subject to U.S. OFAC sanctions.
- Not currently holding unauthorized access to Wag! systems.
- Must not have previously violated this policy.
- Must test using a self-owned test account with a real email address. Include "test" in relevant profile fields.
Only the first reporter of a root-cause vulnerability receives Hall of Fame credit. Submissions sharing the same underlying issue count as one finding.
Researcher guidelines
Required of all researchers
- Don't compromise user privacy, degrade the service, disrupt production, or alter/destroy data.
- Stay within the in-scope assets below. If you're unsure, email us before testing.
- Keep findings confidential during the 90-day embargo period (or until we confirm the fix, whichever is sooner).
- Use only test accounts you own. If you accidentally encounter real user data, stop and disclose that in your report.
- Don't submit raw automated scanner output without manual validation.
- Don't book walks, use promo codes, or interact with real users or walkers as part of testing.
- Don't perform social engineering, phishing, or vishing of Wag! employees, contractors, or users.
- Don't share PoC material publicly until coordinated disclosure is complete.
Our commitments
No legal action
We won't pursue or support legal action against researchers acting in good faith under this policy.
72-hour response
We'll confirm receipt of your submission within 72 hours.
Kept in the loop
We'll keep you updated as your report moves through triage and remediation.
Hall of fame recognition
First valid reporter of a finding that triggers a code or config change earns a spot in our Hall of Fame.
Right to publish
After the embargo ends, you have the right to publish your findings — see Coordinated Disclosure below.
Privacy protection
We won't share your personal information without your consent, except as required by law.
In scope
Domains
- wagwalking.com
- pets.wagwalking.com
- compare.wagwalking.com
API
- prod-*-api.wagwalking.com
The * is a wildcard: any hostname matching this pattern is in scope.
Mobile apps
- Wag! app (iOS/Android)
- Wag! Walker app (iOS/Android)
Excluded test types
The following test types are excluded from scope in the interest of safety for our users, staff, and the internet at large.
- Physical security testing (office access, tailgating, hardware attacks).
- Social engineering, phishing, or vishing of any Wag! person or user.
- Systems not listed in the scope above.
- Attacks requiring physical device access.
- UI/UX bugs and spelling mistakes.
- Network-level DoS / DDoS.
- Findings affecting only third-party services outside Wag!'s control.
Non-qualifying submission types
These won't earn Hall of Fame credit. Don't report them unless you can demonstrate a chained exploit with meaningful impact.
- Password/account recovery policies
- Missing SPF, DMARC, or DKIM records
- Spam reports
- Vulnerabilities only affecting outdated browsers or OS versions
- Clickjacking on static or public pages
- Missing security headers (CSP, X-Frame-Options, etc.)
- Descriptive error messages or stack traces
- HTTP 404s, banner disclosure, robots.txt
- CSRF on unauthenticated forms
- Autocomplete / save-password browser behaviour
- Missing Secure or HttpOnly flags on non-session cookies
- Weak or missing CAPTCHA
- Username enumeration via login or password reset
- OPTIONS / TRACE HTTP methods enabled
- Deprecated TLS versions (1.0/1.1) without demonstrated impact
- Missing X-Content-Type-Options header
- Self-XSS
- CSV / formula injection in data exports (unless it leads to code execution on Wag! systems)
- Missing security.txt
- Rate limiting on non-sensitive, public endpoints
- Missing SameSite cookie attribute without demonstrated impact
- Host header injection without a demonstrated exploit (SSRF, cache poisoning, etc.)
- Open redirect without a demonstrated exploit chain
- Missing DNSSEC
Scoring
Points reflect the worst-case realistic impact of the vulnerability — exploitability, authentication requirements, data sensitivity, and PoC quality all factor in. We'll always explain our decision and give you a chance to provide more context before it's final.
| Severity | Examples | Points |
|---|---|---|
| Critical | RCE, command injection | 50,000 |
| High — System Access | Unauthorized access to internal Wag! apps | 20,000 |
| High — Data Access | SQLi, XXE, SSRF with internal data access | 20,000 |
| Medium — PII / Control | IDOR on PII, impersonation, actions on behalf of user | 6,000 |
| Medium — Account Takeover | OAuth flaws, session fixation, full account control | 6,000 |
| Medium — User Actions | Stored/reflected XSS, Android Intent abuse | 3,000 |
| Low | CSRF on state-changing actions, info leakage | 250–3,000 |
How to submit
Email security@wagwalking.com with the subject line "Responsible Disclosure".
What to include in your report
- Description of the vulnerability - what it is, where it lives, and what an attacker could do with it.
- Detailed, step-by-step reproduction instructions. Screenshots, screen recordings, and PoC scripts all help.
- Your name or handle as you'd like it to appear in the Hall of Fame.
Proof of concept
- Include step-by-step reproduction instructions, screenshots, screen recordings, or exploit scripts.
- Don't post PoC material publicly (YouTube, Imgur, GitHub, Pastebin, etc.) before disclosure is complete.
- For video files over 50 MB: use password-protected Vimeo or a private Google Drive folder, and include credentials in your report.
- Redact or anonymize any real user data in your materials.
Coordinated disclosure
Once we've resolved your finding, you have the right to publish a writeup or add it to your portfolio. Here's how it works:
90-day embargo starts
The 90-day embargo runs from the date of your first report. It ends after 90 days or when we confirm the fix is deployed, whichever is sooner.
Request disclosure
After the embargo, email security@wagwalking.com to request disclosure. We'll respond within 14 calendar days. If we don't respond in time, you may publish without further permission.
If the fix is deployed
You may publish immediately on confirmation. For findings with broad impact, we may request one additional review window of up to 30 days.
If remediation is in progress
We may request one extension of up to 30 days. Only one extension per finding.
If we decide not to fix
You may publish 14 days after we notify you of that decision.
We ask (but don't require) that you share a draft 7 days before publishing so we can flag factual inaccuracies. This is not an approval process — we won't use it to delay or suppress your writeup.
Do not send
- PII belonging to real users — names, emails, phone numbers, location data, etc.
- Payment card or banking data.
- Credentials, tokens, or session data belonging to real users.
If you accidentally encounter real user data: stop, don't copy or retain it, and disclose this in your report.
Hall of fame
The first researcher to report a valid finding that triggers a code or config change earns a spot in our Hall of Fame, with your consent. The leaderboard reflects submissions from the past 3 years.
| Rank | Researcher | Points |
|---|---|---|
| 1 | Asish Agarwalla | 18,600 |
| 2 | Alex Moraga | 15,500 |
| 3 | Ramesh J | 10,000 |
| 4 | Vinod Tiwari | 6,000 |
| 4 | Joao Lucas Melo Brasio | 6,000 |
| 5 | lag3rl0f | 4,250 |
| 6 | Saurabh Sanmane | 3,000 |
| 6 | Sheikh Rishad | 3,000 |
| 6 | K.Buvanehvaran | 3,000 |
| 7 | Saddam Maniyar | 2,000 |
| 8 | Sunil Kande | 1,000 |
| 9 | Vrisha Karna | 500 |
| 9 | Mayuresh Atole | 500 |
| 9 | Ghulam Yaseen | 500 |
| 9 | Hasan Khan | 500 |
| 9 | Dhiren Kumar Pradhan | 500 |
| 9 | Yash Saxena | 500 |
| 9 | Zin Min Phyo | 500 |
| 9 | Gaurav Popalghat | 500 |
| 10 | Sanmarg Sandeep Paranjpe | 250 |