Vulnerability Handling and Disclosure

The ww5 Company is committed to maintaining the safety and security of our systems and our customers’ information. We encourage earnest, responsible reporting of potential security vulnerabilities in any product, system, or asset made by or belonging to ww5. Before reporting, please review our submission process, including our guidelines for responsible disclosure and coordination.

Security Vulnerability Submission Process

If you believe you have found a vulnerability in a ww5 product, system, or asset, please submit the vulnerability information to ww5 through an encrypted email to VulnerabilityDisclosure. Encrypt your file using the ww5 PGP/GPG public key.

To enable ww5 to investigate and remedy the potential vulnerability, please report it as soon as possible after discovering it and provide a detailed summary of the vulnerability, including the following if known:

  • A description of the finding and how it was discovered
  • The product(s), system(s), or asset(s) affected
  • Reproduction instructions to enable ww5 to validate the vulnerability (e.g., actions and results)
  • Your contact information and PGP key

Personal data ww5 receives in connection with your submission will be retained and protected in accordance with the company’s privacy policies and any applicable laws.

A ww5 representative will acknowledge receipt as soon as possible, typically within 3 business days.

Submit any vulnerability information in full accordance with the following guidelines:

  • Do not engage in any activity that can potentially cause harm to ww5, our customers, our suppliers, or our employees.
  • Do not engage in any activity that can potentially disrupt or degrade ww5 products, systems or assets.
  • Do not engage in any activity that violates (a) federal or state laws or regulations or (b) the laws or regulations of any country where (i) ww5 data, assets or systems reside, (ii) ww5 data traffic is routed or (iii) the researcher is conducting research activity.
  • Do not engage in extortion, threats, or other tactics designed to elicit a response under duress. ww5 will not respond to submissions made under threat of public disclosure, exposure of data, or withholding vulnerability information.
  • Do not store, share, compromise or destroy data on ww5 systems. If Personally Identifiable Information (PII), proprietary or sensitive data is encountered, you should immediately halt your activity and contact ww5.
  • Provide ww5 reasonable time to fix any reported issue before such information is shared with a third party or disclosed publicly.

Safe Harbor & Recognition

We consider activities conducted consistent with this policy to constitute authorized access under anti-hacking laws. To the extent your activities are inconsistent with certain ww5 terms and conditions, we waive those restrictions for the limited purpose of permitting security research under this policy. ww5 will not pursue civil action or initiate a complaint to law enforcement for accidental, good faith violations of this policy.

There is no monetary reward for the disclosure program at this time. However, we understand the hard work that goes into security research, and to show our appreciation for researchers who help keep our systems secure, we have launched a recognition program for responsibly disclosed and validated vulnerabilities. If you are the first to disclose a qualifying vulnerability, we will, with your permission, credit your discovery by publishing your name in ww5’s Security Hall of Fame. Inclusion in the Hall of Fame does not imply agreement with all of the analysis performed, as other factors may be in place to reduce risk. Whether and when to recognize a disclosure is entirely at our discretion, and ww5 reserves the right to cancel the recognition program at any time.

Security Hall of Fame:

Argus Cybersecurity – Rubi Arbel and Daniel Rezvani

Kestrel W. Carlough – Embry-Riddle Aeronautical University

Matthew G. Wilde – Southeast Missouri State University

Pen Test Partners – Alex Lomas

Parth Narula – ScriptJacker