Skip to content
Wesprs

Security & vulnerability disclosure

If you've found a vulnerability, tell us. We read every report from good-faith researchers and we acknowledge within 72 hours.

Scope

This policy covers the Wesprs website at wesprs.com, our API at api.wesprs.com, and the Wesprs iOS app. Issues in third-party services we link to, or in software we do not operate, are out of scope — report those to the party that runs them.

In scope are the usual suspects: authentication and session handling, access control, injection, our coarse-geo and ephemerality enforcement, the media metadata-stripping pipeline, and anything that could expose data we promise not to hold.

How to report

Email [email protected] with enough detail to reproduce the issue: the affected endpoint or screen, the steps, and the impact. A proof-of-concept helps. If you need to send sensitive details, ask us for a key and we will arrange an encrypted channel.

Our machine-readable contact details follow RFC 9116 and are published at wesprs.com/.well-known/security.txt.

What you can expect from us

We acknowledge a valid report within 72 hours. We will keep you updated as we triage, work on a fix, and verify it. We aim to remediate promptly and will tell you honestly if a fix is going to take time and why.

We practise coordinated disclosure: please give us a reasonable window to fix an issue before you publish, and we will credit you if you would like — or stay quiet if you prefer.

Safe harbour

If you make a good-faith effort to comply with this policy, we will treat your research as authorised. We will not pursue or support legal action against you for accidental, good-faith violations, and we will not report you to law enforcement for testing within this policy.

Good faith means: only test accounts and data you own or have permission to use; do not access, modify, or delete other people's data; do not run denial-of-service, spam, social-engineering, or physical attacks; stop as soon as you have confirmed a vulnerability and report it; and give us time to respond before disclosing. If you are unsure whether something is in bounds, ask first at [email protected].

No bounty yet

We do not run a paid bug-bounty programme at this stage, and we would rather say so plainly than imply a reward we are not offering. We genuinely value good-faith research, will credit you publicly with your consent, and may introduce a bounty later. Reporting a real issue helps protect people who trusted us with very little data on purpose.

Contact

Wesprs is operated by Digital Services LLC, 27, Takaishvili st., Batumi, Georgia, 6004.

Security reports: [email protected]. Data-protection matters: [email protected].

If a personal-data breach affects you, we follow the notification obligations described in our Privacy Policy.