Vulnerability Disclosure Policy
This Vulnerability Disclosure Policy was last updated in July 2021.
This Vulnerability Disclosure Policy (this “Policy”) applies to any vulnerabilities you are considering reporting to what3words Limited (registered office at Studio 301, Great Western Studios, 65 Alfred Road, London, W2 5EU and with registered company number: 08430008) (“what3words”, “we” or “us”).
We recommend reading this Policy fully before you report a vulnerability to ensure that you are always acting in compliance with it.
We take cyber security issues seriously. We value and appreciate security researchers who take the time and effort to constructively report security vulnerabilities according to this Policy. However, please note that we are not in a position to offer rewards (monetary or otherwise) for vulnerability disclosures.
Reporting a vulnerability
If you have discovered something you believe to be a security vulnerability relating to any part of what3words’ systems (e.g. what3words’ website, mobile applications and public API), please submit a vulnerability report by filling out the form available here.
In your submission, please 1) review the guidance on finding and reporting a vulnerability below, and 2) when reporting, include details of:
The place (e.g. website, page, app screen) where the vulnerability can be observed.
A brief description of the type of vulnerability.
Steps to reproduce – these should be a benign, non-destructive, proof of concept, wherever possible. This helps to ensure that the report can be triaged quickly and accurately. It also reduces the likelihood of duplicate reports, or malicious exploitation of some vulnerabilities, such as subdomain takeovers.
What to expect after you have reported a vulnerability
We request that you keep any communications regarding the vulnerability disclosed confidential.
Once we have received a vulnerability report in accordance with this Policy, we aim to (a) acknowledge your report within 3 working days of your report being received, (b) investigate and verify the vulnerability, (c) if verified, respond to your report within 5 working days of the report being received, and to (d) triage your report within 10 working days. We’ll also aim to keep you informed of our progress.
Priority for bug fixes or mitigations is assessed by looking at the impact, severity and exploit complexity within the context of our business. Vulnerability reports might take some time to triage or address while you are welcome to enquire on the status, you should avoid doing so more than once every 14 days, to allow our team to focus on reports that are received, as much as possible.
We will notify you when the reported vulnerability is resolved, or remediation or mitigation work is scheduled, and you may (at our discretion) be invited to confirm that the solution covers the vulnerability adequately.
Thank you for working with us through the above process, giving us a chance to improve our products and services, and better protect our users and customers.
Guidance on finding and reporting a vulnerability
You must NOT:
Break any applicable law or regulations.
Access unnecessary, excessive or significant amounts of data.
Use high-intensity invasive or destructive scanning tools to find vulnerabilities.
Modify data in our systems or services.
Disrupt our services or systems.
Attempt or report any form of denial of service, e.g. overwhelming a service with a high volume of requests.
Social engineer, phish or physically attack our staff or infrastructure.
Require financial or other compensation, or other conditions, in order to disclose any vulnerabilities (and we will not negotiate in response to duress or threats, such as holding us ransom by suggesting that you will publish or reveal details of the security vulnerability to the public, should we not respond and/or compensate you for disclosing).
Communicate any vulnerabilities or associated details other than as described in this Policy.
Share the security issue with us in detail.
Act in good faith to avoid privacy and copyright violations (for example, by not properly securing data retrieved from our systems or services or sharing or redistributing unauthorised copies of our code or proprietary data), or destruction of data.
Demonstrate that there would be a real impact to what3words, its users or its customers should the vulnerability reported be exploited by a malicious actor – the existence of a vulnerability does not necessarily demonstrate that such a potential impact exists (and theoretical impacts will not be reviewed or responded to).
Always comply with data protection rules and must not violate the privacy of any data that we hold. You must not, for example, share, redistribute or fail to properly secure data retrieved from the systems or services.
Securely delete all data retrieved during your research as soon as it is no longer required or within one (1) month of the vulnerability being resolved, whichever occurs first (or as otherwise required by data protection laws).
Rewards, ‘bug bounty’ or compensation
We value and appreciate security researchers who take the time and effort to constructively report security vulnerabilities according to this Policy. However, please note that we are not in a position to offer rewards (monetary or otherwise) for vulnerability disclosures.
This Policy is designed to be compatible with common vulnerability disclosure good practice. It does not give you permission to act in any manner that is inconsistent with the law or which might cause what3words to be in breach of any legal obligations.
Consistent with our approach prior to formalising this Policy, we will not take legal action against a security researcher who reports any security vulnerability on a what3words product or system where the researcher has acted in good faith, not breached copyright or other intellectual property laws, and acted in accordance with this Policy.