Responsible Disclosure Policy
This page is for security researchers interested in reporting application security vulnerabilities. This is intended for application security vulnerabilities only. The details within your request form will be submitted to ResponsibleDisclosure.com (operated by an independent third party, Synack). If you have reported an issue determined to be within program scope and to be a valid security issue, ResponsibleDisclosure.com will validate your finding. This process is managed exclusively by ResponsibleDisclosure.com through their platform; accordingly, you must accept the ResponsibleDisclosure.com terms of service if you wish to proceed. All queries are to be directed to ResponsibleDisclosure.com and managed exclusively through the ResponsibleDisclosure.com online portal.
Legal
Wawa reserves the right to modify terms and conditions of this program and your participation in the program constitutes acceptance of all terms. Please check this site regularly as we routinely update our program terms and eligibility, which are effective upon posting. We reserve the right to cancel this program at any time.
Typical Vulnerabilities Accepted
- OWASP Top 10 vulnerability categories
- Other vulnerabilities with demonstrated impact
Typical Out of Scope
- Theoretical vulnerabilities
- Informational disclosure of non-sensitive data
- Low impact session management issues
- Self XSS (user defined payload)
For a full list of program scope please visit the Responsible Disclosure details page.
Responsible Disclosure Guidelines
- Adhere to all legal terms and conditions outlined at responsibledisclosure.com
- Work directly with ResponsibleDisclosure.com on vulnerability submissions
- Provide detailed description of a proof of concept to detail reproduction of vulnerabilities
- Do not engage in disruptive testing like DoS, spam, pyramid schemes, or deploy or use any other malicious software or technology or engage in any action that could impact the confidentiality, integrity or availability of information and systems
- Do not engage in social engineering or phishing of customers or employees
- Do not access, download, or modify data residing in an account that does not belong to you; you may, however, investigate or target vulnerabilities against your own test accounts. Testing must not disrupt or compromise any data or data access that is not yours.
- Do not access infrastructure.
- Do not test the physical security of Wawa’s facilities, employees, equipment, etc.
- Do not attack, in any way, our end users, or engage in trade of stolen user credentials.
- Do not perform automated/scripted testing designed to spam the intake webforms, especially "Contact Us" forms that are designed for customers to contact our support team.
- Do not request compensation for time and materials or vulnerabilities discovered
- You agree that:
  - You’ve obtained the vulnerabilities in good faith and in an ethical manner;
  - You will not engage in any illegal or unethical activities exploiting the vulnerabilities to Wawa’s harm; and
  - You comply with all applicable laws and regulations, and there is no other legal prohibition that prevents you from performing the security research under this policy.