Responsible Disclosure Policy
At WaveHost, we take security seriously. We value the efforts of security researchers and the wider community in helping us maintain the security of our systems. This Responsible Disclosure Policy outlines how to report vulnerabilities and what you can expect from us.
1. Introduction
We believe that coordinated vulnerability disclosure is the most effective approach to address security issues. We encourage security researchers to report potential vulnerabilities to us directly, allowing us sufficient time to investigate, address, and patch the issue before public disclosure.
2. Reporting Guidelines
If you believe you've found a security vulnerability in our services, we encourage you to:
- Email your findings to security@wavehost.com
- Provide sufficient information to reproduce the vulnerability
- Include your contact information for follow-up questions
- Report the vulnerability as soon as possible after discovery
PGP Encryption
For sensitive reports, you can encrypt your message using our PGP key, which is available on our security page.
3. Information to Include
To help us understand and address the issue efficiently, please include:
- A description of the vulnerability and potential impact
- Step-by-step instructions to reproduce the issue
- Affected URLs, parameters, and/or services
- Any proof-of-concept code or screenshots
- Your assessment of the severity and possible mitigations
4. Our Commitment
When you submit a vulnerability report, we will:
- Acknowledge receipt of your report within 48 hours
- Provide an initial assessment of the report within 5 business days
- Keep you informed about our progress in resolving the issue
- Work with you to understand and validate the issue
- Take appropriate steps to address the vulnerability
- Publicly acknowledge your contribution (with your permission)
5. Rules of Engagement
While researching potential security issues, we ask that you:
- Do not access, modify, or delete data that does not belong to you
- Do not attempt denial-of-service attacks
- Do not impact other users or disrupt our services
- Do not exploit vulnerabilities beyond what is necessary to demonstrate the issue
- Do not share information about vulnerabilities with others until they've been resolved
- Act in good faith and ethically
6. Scope
This policy applies to the following WaveHost systems and services:
- WaveHost website (wavehost.com and its subdomains)
- Customer dashboard and control panel
- WaveHost API services
- Billing and payment systems
- Management infrastructure for our hosting services
Out of Scope
Customer applications and content hosted on our infrastructure are not in scope unless they directly impact the security of our systems. Please contact the application owner for vulnerabilities in customer applications.
7. Legal Protection
We value security research conducted under this policy and will not pursue legal action against individuals who:
- Make a good-faith effort to comply with this policy
- Avoid intentional harm to us or our customers
- Work with us to resolve vulnerabilities before public disclosure
8. Acknowledgment
With your permission, we'd like to acknowledge your contribution to our security. We may include your name or handle in a security acknowledgments page, security advisories, or blog posts related to the vulnerability you discovered.
Last updated: April, 2025