Wake on WAN
§ Security

Responsible disclosure.

Wake on WAN is in early access. Formal bug bounties and SOC2 audits are on the roadmap — a working disclosure channel is here today.

REPORT TO

Include reproduction steps, affected URLs or commits, and the earliest date you observed the issue. A PGP key is on the roadmap.

§ In scope
  • wakeonwan.com and staging.wakeonwan.com
  • The control-plane API and dashboard
  • The Wake on WAN agent binary and its update channel
  • Authentication, session handling, and workspace/invite flows
§ Out of scope
  • Social-engineering attempts against team members
  • Denial-of-service testing against production
  • Automated scanner output without a concrete proof-of-concept
  • Third-party services we don't operate (Stripe, Cloudflare, SurrealDB Cloud)
§ Ground rules

Report privately

Email security@wakeonwan.com first. Don't open a public issue and don't post on social media until we've agreed on a disclosure timeline.

Good-faith testing only

No data destruction, no lateral movement, no access to accounts other than your own test accounts. Stop as soon as you have enough to prove the bug.

Safe harbor

If you follow this policy, we won't pursue legal action and we'll work with you in good faith. We're in early access — there's no bounty program yet, but we'll credit your report in release notes if you want.

Response window

We try to acknowledge reports within two business days and aim to have triage and a fix plan within seven. We'll keep you updated until the issue is closed.