Security Vulnerability Disclosure Policy

How to report security vulnerabilities to w3Develops.

Research Guidelines

Follow these guidelines when testing and reporting vulnerabilities:

Rules

  • Ensure that you are using the latest, stable, and updated versions of the Operating System and Web Browser(s) available to you on your machine.
  • Never attempt non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.
  • Perform testing only on our official platforms listed in scope. Do not test on third-party services that may be integrated with w3Develops.
  • Do not attempt to access or modify any user data other than your own without permission. Stop immediately if you find sensitive user data.
  • Do not use automated tools that could cause service disruption or violate our terms of service.

Report Requirements

Your report should include:

  • Clear and detailed steps to reproduce the vulnerability.
  • Impact description - what could an attacker do?
  • Evidence - screenshots, code, or examples.
  • Environment - browser, OS, configuration.

Valid Reports:

  • Authentication Bypass
  • SQL injection exposing user data
  • XSS affecting multiple users
  • Remote code execution vulnerabilities

Invalid Reports:

  • SSL scanner warnings
  • Clickjacking on non-sensitive pages
  • Issues requiring local machine access
  • Vulnerabilities requiring admin privileges

What We Don't Accept

Automated Reports & "Beg Bounties"

  • Generic tool output without manual verification
  • SSL/DNS configuration warnings
  • Dependency alerts without proof of exploit
  • Subdomain enumeration lists

We treat low-effort reports as "beg bounties". These are reports that don't meet our quality standards and are not actionable.

Low-Impact Issues

  • Self-exploitation vulnerabilities (like installing a malicious extension)
  • Issues requiring extensive social engineering
  • Theoretical vulnerabilities without real impact
  • Problems only affecting outdated OS or browsers

Third-Party & Non-Security Issues

  • Vulnerabilities in services we don't control
  • Known upstream software issues
  • Regular bugs, feature requests & content violations
  • Physical access requirements

How to Report

Email your report to our security team. You can also send us a PGP-encrypted email using this form or our public key.

  • We will acknowledge the report, check if it's in scope, and let you know if we need more information.
  • We will analyze the report and may ask for more details for investigation.
  • We will fix confirmed issues and coordinate disclosure timing with you.
  • We will recognize valid reports in our Hall of Fame.

Timeline

  • Acknowledgement: Within 48-72 hours
  • Initial Assessment: Within 5-7 business days
  • Updates: During investigation as needed
  • Disclosure: Within 90 days maximum