Vulnerability Disclosure Policy

Wickr strives to build quality software that delivers on our security promises to Wickr users across all products. We’ve put comprehensive processes in place to maximize our ability to test internally and regularly engage third-party security researchers in order to minimize the incidence of software “bugs,” particularly those related to security. In addition, Wickr has developed a Vulnerability Disclosure Policy to set customer expectations for how we disclose security-related defects, should they ever be discovered in production software.

There are several ways in which we may discover vulnerabilities: bug bounty submissions, third-party testing, and Wickr’s own internal security testing.

Priorities

This policy is intended to balance two important priorities for Wickr: security of customer information and transparency. Keeping in mind that security and privacy of user information are key to all Wickr products, we are committed to being transparent about how we balance these priorities when determining when to disclose an issue and how much detail to provide.

Policy

  1. We will reference security-related fixes for prior versions of Wickr apps in release notes. References may include issue summaries and tracking information but will not include code, descriptions, attack steps or methodology that could be used against others.
  2. We will notify users directly if we become aware of a vulnerability that puts their data at significant risk of compromise. Notifications may include issue summaries, tracking information, “work-arounds,” and an expected timeline to remediation but will not include code, descriptions, attack steps or methodology that could be used against others.