Security Disclosures

If you believe you have found a valid vulnerability in a Wiz system or website, please email your findings to security@wiz.io with a detailed description and a proof of concept in the form of a video or screenshot. Submissions will be evaluated internally by the Wiz Security team, and researchers will be contacted within 48-72 hours. Please note that actions which affect the integrity or availability of targets are prohibited, and this prohibition is strictly enforced. If you notice performance degradation on the target systems, you must immediately suspend all testing activity.

PROGRAM SCOPE

app.wiz.io, assets.wiz.io, downloads.wiz.io, dpkg.wiz.io, legal.wiz.io, rpm.wiz.io, tf.app.wiz.io

OUT OF SCOPE

auth.wiz.io, chaosdb.wiz.io, charts.wiz.io, docs.wiz.io, get.wiz.io, go.wiz.io, info.wiz.io, partners.wiz.io, peach.wiz.io, player.wiz.io, registry.wiz.io, status.wiz.io, support.wiz.io, team.wiz.io, trust.wiz.io, whatsnew.wiz.io, zendesk1.wiz.io, zendesk2.wiz.io, zendesk3.wiz.io, zendesk4.wiz.io

STANDARD EXCLUSIONS LIST

  • Descriptive error messages (e.g. Stack Traces, application or server errors). 

  • HTTP 404 codes/pages or other HTTP non-200 codes/pages. 

  • Fingerprinting / banner disclosure on common/public services. 

  • Disclosure of known public files or directories, (e.g. robots.txt). 

  • Clickjacking and issues only exploitable through clickjacking. 

  • CSRF on forms that are available to anonymous users (e.g. a contact form).

  • Logout Cross-Site Request Forgery (logout CSRF). 

  • Presence of application or web browser 'autocomplete' or 'save password' functionality. 

  • Lack of Secure/HttpOnly flags on non-sensitive cookies.

  • Brute force against the Forgot Password page, and account lockout not being enforced.

  • OPTIONS HTTP method enabled.

  • Username / email enumeration, e.g.

    • via Login Page error message

    • via Forgot Password error message 

  • Content spoofing and text injection issues without a demonstrated attack vector or the ability to modify HTML/CSS.

  • Missing HTTP security headers (see https://www.owasp.org/index.php/List_of_useful_HTTP_headers), e.g.

    • Strict-Transport-Security

    • X-Frame-Options

    • X-XSS-Protection

    • X-Content-Type-Options

    • Content-Security-Policy

    • X-Content-Security-Policy

    • X-WebKit-CSP 

  • Rate limiting or brute-force issues on non-authentication endpoints.

  • Missing best practices in Content Security Policy. 

  • Attacks requiring MITM or physical access to a user's device. 

  • Previously known vulnerable libraries without a working Proof of Concept. 

  • Comma Separated Values (CSV) injection without demonstrating a vulnerability. 

  • Missing best practices in SSL/TLS configuration. 

  • Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.) 

  • Vulnerabilities only affecting users of outdated or unpatched browsers  

  • Software version disclosure (e.g. in response headers).

  • Open redirect - unless an additional security impact can be demonstrated. 

  • Issues that require unlikely user interaction. 

  • Any activity that could lead to the disruption of our service (DoS).