Security Disclosures

If you believe you have found a valid vulnerability in a Wiz system or website, please email your findings privately to security@wiz.io with a detailed description and a proof of concept in the form of a video or screenshots so that the Wiz team can attempt to reproduce it. Verified and properly submitted vulnerabilities are eligible for our bug bounty program, and rewards are paid based on assessed impact.

Responsible Disclosure Policy

Wiz encourages responsible reporting of any vulnerabilities that may be found in our site or applications. In the event a valid vulnerability is reported, Wiz will notify potentially impacted customers if they must take action to patch or otherwise remediate the vulnerability before publicly disclosing the issue and, where appropriate, releasing a Common Vulnerabilities and Exposures (CVE) record.

Submissions are evaluated internally by the Wiz Security team, and researchers will be contacted within a reasonable time frame. Please note that actions which affect the integrity or availability of targets are prohibited, and this prohibition is strictly enforced. If you notice performance degradation on the target systems, you must immediately suspend all actions.

Program Scope:

External endpoints:

  • app.wiz.io, assets.wiz.io, downloads.wiz.io, dpkg.wiz.io, rpm.wiz.io, tf.app.wiz.io, www.wiz.io

External tools:

  • Wiz VSCode Extension, Wiz Chrome Extension

Out of Scope:

auth.wiz.io, chaosdb.wiz.io, charts.wiz.io, docs.wiz.io, get.wiz.io, go.wiz.io, info.wiz.io, legal.wiz.io, partners.wiz.io, peach.wiz.io, player.wiz.io, registry.wiz.io, status.wiz.io, support.wiz.io, team.wiz.io, trust.wiz.io, whatsnew.wiz.io, zendesk1.wiz.io, zendesk2.wiz.io, zendesk3.wiz.io, zendesk4.wiz.io

Standard Exclusions List:

  • Descriptive error messages (e.g. stack traces, application or server errors).

  • HTTP 404 codes/pages or other HTTP non-200 codes/pages.

  • Fingerprinting / banner disclosure on common/public services.

  • Disclosure of known public files or directories (e.g. robots.txt).

  • Clickjacking and issues only exploitable through clickjacking.

  • CSRF on forms that are available to anonymous users (e.g. a contact form).

  • Logout Cross-Site Request Forgery (logout CSRF).

  • Presence of application or web browser 'autocomplete' or 'save password' functionality.

  • Lack of Secure/HttpOnly flags on non-sensitive cookies.

  • Forgot Password page brute force and account lockout not enforced.

  • OPTIONS HTTP method enabled.

  • Username / email enumeration, e.g.:

    • via Login Page error message

    • via Forgot Password error message

  • Content spoofing and text injection issues without showing an attack vector / without being able to modify HTML/CSS.

  • Missing HTTP security headers (e.g. those on OWASP's list).

  • Rate limiting or brute-force issues on non-authentication endpoints.

  • Missing best practices in Content Security Policy.

  • Attacks requiring MITM or physical access to a user's device.

  • Previously known vulnerable libraries without a working Proof of Concept.

  • Comma Separated Values (CSV) injection without demonstrating a vulnerability.

  • Missing best practices in SSL/TLS configuration.

  • Missing email best practices (invalid, incomplete or missing SPF/DKIM/DMARC records, etc.).

  • Vulnerabilities only affecting users of outdated or unpatched browsers.

  • Software version disclosure / banner identification issues / descriptive error messages or headers (e.g. stack traces, application or server errors).

  • Open redirect, unless an additional security impact can be demonstrated.

  • Issues that require unlikely user interaction.

  • Any activity that could lead to the disruption of our service (DoS).