Responsible Disclosure

We treat security reports as a partnership. If you've found a vulnerability in the WAB protocol, SDK, server, or hosted infrastructure, please report it privately and we will respond, fix, and credit.

1. How to report

Emailsecurity@webagentbridge.com

PGP key/.well-known/pgp-key.txt

PGP fingerprintto be published

security.txt/.well-known/security.txt

Acknowledge SLA≤ 72 hours

Triage SLA≤ 7 days

Fix SLA (critical)≤ 14 days from triage

Please encrypt reports of critical issues with our PGP key. If PGP is impractical, send an unencrypted summary plus a request for a secure channel, and we will set one up within 24 hours.

2. Scope

In scope:

webagentbridge.com and any subdomain we operate.
The web-agent-bridge npm package and its SDK packages.
The WAB protocol itself — signature, discovery, ATP semantics, replay protection.
The browser SDK (wab.min.js) and the WordPress / Hydrogen / Elementor integrations we publish.

Out of scope:

Findings that require a compromised user device, browser extension, or stolen credentials with no further escalation.
Volumetric DoS without an amplification primitive.
Self-XSS, missing best-practice headers without a concrete exploit, or social engineering of staff.
Third-party services we depend on (Stripe, Cloudflare, registrars) — please report those upstream.

3. Safe harbor

Researchers acting in good faith under this policy are authorized to perform their work and will not be pursued under the CFAA, equivalents elsewhere, or our own terms of service, provided they:

Do not access, modify, or destroy data that is not theirs.
Do not run automated scanning at a rate that materially harms availability.
Do not extort, threaten, or publicly disclose before coordinated release.
Stop testing and contact us if they encounter sensitive data unexpectedly.

We will not pursue legal action against good-faith research that follows this policy.

4. Acknowledgement & rewards

Severity	Examples	Reward
Critical	Forged ATP receipts, full key extraction, complete account takeover, RCE on production	USD 1,000 – 5,000 + hall of fame
High	Replay bypass, idempotency bypass, scope escalation, signed-intent forgery, persistent auth bypass	USD 250 – 1,000 + hall of fame
Medium	Authenticated IDOR, partial scope leak, server-side input flaws without RCE	USD 75 – 250 + hall of fame
Low	Reflected info disclosure, missing rate limits with no clear abuse path	Hall of fame + swag

Rewards are paid at our discretion after the issue is verified, deduplicated, and fixed. First reporter of a unique issue is rewarded.

5. Process

Report — email security@webagentbridge.com with reproduction steps, affected version, and impact.
Acknowledge — we reply within 72 hours.
Triage — within 7 days we confirm severity and assign a tracking ID.
Remediate — fix and deploy. Critical within 14 days, others within 90 days.
Disclose — coordinated public advisory after the fix ships, crediting the reporter unless they prefer anonymity.

6. Hall of fame

Reporters who follow this policy are listed here (with permission). The list will appear after our first credited disclosure.

7. Document history

2026-05-25 — Initial publication.

Related: /security · /threat-model · /key-rotation