Security & vulnerability disclosure
If you've found a vulnerability, tell us. We read every report from good-faith researchers and we acknowledge within 72 hours.
Scope
This policy covers the Wesprs website at wesprs.com, our API at api.wesprs.com, and the Wesprs iOS app. Issues in third-party services we link to, or in software we do not operate, are out of scope — report those to the party that runs them.
In scope are the usual suspects: authentication and session handling, access control, injection, our coarse-geo and ephemerality enforcement, the media metadata-stripping pipeline, and anything that could expose data we promise not to hold.
How to report
Email [email protected] with enough detail to reproduce the issue: the affected endpoint or screen, the steps, and the impact. A proof-of-concept helps. If you need to send sensitive details, ask us for a key and we will arrange an encrypted channel.
Our machine-readable contact details follow RFC 9116 and are published at wesprs.com/.well-known/security.txt.
What you can expect from us
We acknowledge a valid report within 72 hours. We will keep you updated as we triage, work on a fix, and verify it. We aim to remediate promptly and will tell you honestly if a fix is going to take time and why.
We practise coordinated disclosure: please give us a reasonable window to fix an issue before you publish, and we will credit you if you would like — or stay quiet if you prefer.
Safe harbour
If you make a good-faith effort to comply with this policy, we will treat your research as authorised. We will not pursue or support legal action against you for accidental, good-faith violations, and we will not report you to law enforcement for testing within this policy.
Good faith means: only test accounts and data you own or have permission to use; do not access, modify, or delete other people's data; do not run denial-of-service, spam, social-engineering, or physical attacks; stop as soon as you have confirmed a vulnerability and report it; and give us time to respond before disclosing. If you are unsure whether something is in bounds, ask first at [email protected].
No bounty yet
We do not run a paid bug-bounty programme at this stage, and we would rather say so plainly than imply a reward we are not offering. We genuinely value good-faith research, will credit you publicly with your consent, and may introduce a bounty later. Reporting a real issue helps protect people who trusted us with very little data on purpose.
Contact
Wesprs is operated by Digital Services LLC, 27, Takaishvili st., Batumi, Georgia, 6004.
Security reports: [email protected]. Data-protection matters: [email protected].
If a personal-data breach affects you, we follow the notification obligations described in our Privacy Policy.
- security · [email protected]
- dpo · [email protected]
- security.txt · wesprs.com/.well-known/security.txt