Vulnerability Disclosure Program

Introductory Remarks

Woodpecker is truly dedicated to protecting data safety and security. Our Vulnerability Disclosure Program is intended to minimize the impact that any security flaws have on our tool or users. The Program covers the web application available via the https://app.woodpecker.co Service. To qualify for the Program, a vulnerability must exist in the latest public release (including officially released public betas) of the Software. Only security vulnerabilities qualify. To ensure that your observations are properly reported, use only the approved channels: report a discovered vulnerability by email to [email protected] or directly to our Product Manager by email to [email protected].

Guidelines and Scope limitations

1. You must not cause any harm, hinder the smooth operation of the application, or act against our Terms of Service.

2. Provide a detailed summary of the vulnerability, including the target, steps, tools, and artifacts used during discovery, so that we can reproduce the vulnerability.

3. Do not intentionally access non-public Woodpecker data any more than is necessary to demonstrate the vulnerability.

4. You must not compromise the privacy or safety of our customers or the operation of our services. Such activity will be treated as illegal.

5. You are obliged to comply with applicable laws and regulations.

6. You may not disclose any vulnerability without prior written consent from Woodpecker.

Activity considered to be out of scope

We accept only manual or semi-manual tests. All findings coming from automated tools or scripts will be considered out of scope. Furthermore, all issues without a clearly identified security impact, as well as missing security headers and descriptive error messages, will be considered out of scope. Your findings should be supported by clear and precise documentation with no speculative information. All findings should include an indication of relevance and impact. We reserve the right not to act on findings with no real risk impact on our data integrity and security. All researchers violating the terms of this Program, the Terms of Service, the Safety and Security and GDPR-related documentation, or governing law shall be treated as acting in bad faith and in an illegal manner. We are not obliged to provide remuneration, a fee or rewards for any vulnerability disclosure; such action remains at our full discretion.