At WeTransfer we take great pride and care to design our service so that everyone can use it easily, safely and securely.
Security researchers and the Internet community play an important role in keeping WeTransfer secure. If you believe you have found a vulnerability in our service, we encourage you to report this vulnerability in accordance with this Responsible Disclosure Policy so we can work together to ensure the safety and security of our service and users.
This policy explains how to report a vulnerability and how we will respond to such reports. We have tried to make this policy as clear and easy to follow as possible, but do let us know if there is anything you don't understand. You can contact us at firstname.lastname@example.org.
If you believe you have discovered a security vulnerability in the WeTransfer service, please send an email to email@example.com with a thorough explanation of the vulnerability and its characteristics (authentication/authorisation, XSS, CSRF, XML, SQL, etc.). Please include step-by-step information on how to reproduce the problem.
We aim to take action on your first report within 24 hours. Your report will be routed to an investigator on our staff who will analyse and classify the vulnerability. The investigator may contact you directly to discuss further details and ensure they fully understand the report. You will receive a digitally signed confirmation of receipt of your report, together with details of how to contact your designated case handler to discuss the next steps. We will keep you updated on progress throughout the process. If the vulnerability is likely to have a larger impact on the ICT community than on WeTransfer alone, we may also report it to the National Cyber Security Centre (NCSC, see www.ncsc.nl).
We do not publish information about specific vulnerabilities or reports we have received under this responsible disclosure policy. However, at your request, we can provide a personal reference regarding the vulnerabilities you have disclosed. We appreciate the opportunity to fix the problem before any details are published publicly. In that light, we ask that you refrain from publishing details about the vulnerability until we have fixed or mitigated the problem.
Anyone who is kind enough to report a significant vulnerability responsibly and follows the rules of this responsible disclosure policy will receive WeTransfer memorabilia or a WeTransfer Plus account (with a value of $120). The reward may depend on the quality of the disclosure and the nature of the vulnerability. You are welcome to submit your report anonymously (as John Doe) or under a pseudonym.
Although we appreciate your efforts, certain findings do not count as vulnerabilities within the scope of this Responsible Disclosure Policy. This policy therefore does not cover:
WeTransfer will, within reason, hold blameless anyone who in good faith penetrates our site and, in the process of exploring or experimenting, extracts a small amount of sensitive data, provided that person promptly notifies WeTransfer and destroys any data collected.
If you follow the rules of this responsible disclosure policy and act in good faith, WeTransfer will not take legal action against you or ask law enforcement to start criminal investigations. Not acting in good faith includes, but is not limited to:
Legal action may be taken against reporters whom WeTransfer suspects of not having acted in good faith when penetrating the website or any related systems.
If you have any questions regarding this Responsible Disclosure Policy, please do not hesitate to contact us by sending an e-mail to firstname.lastname@example.org.