At Wandera we believe that our products should be safe for all of our customers. This page contains information for security researchers interested in responsibly reporting security vulnerabilities to the Wandera security team.

Reporting a Vulnerability

If you believe you’ve found a security vulnerability on or within a Wandera product or service, we ask that you inform us as quickly as possible by emailing disclosure@wandera.com. We will work to review reports and respond in a timely manner.

To help us fix issues faster, please follow these policies when submitting a report:

  • Keep all reports private and do not make any public announcements until we have resolved the issue.
  • Provide Wandera with full details of any discovered issue.
  • Never purposely interfere with other users’ service.
  • Do not attempt to access or modify the data of other users.
  • Act in good faith towards our users’ privacy and data during your disclosure.

Out of Scope

Please note that you are expected to engage in security research responsibly. Excessive exfiltration or downloading of Wandera data, or demanding payment in return for destruction of Wandera data, will be considered outside the scope of responsible disclosure, and Wandera will reserve all of its rights, remedies, and actions to protect itself and its users.

The following vulnerability categories are considered out of scope for vulnerability hunting and should be avoided by researchers.

  • Denial of Service (DoS), whether through network traffic, resource exhaustion or other means
  • User enumeration
  • Issues only present in old browsers, old plugins or end-of-life software or browsers
  • Phishing or social engineering of Wandera employees, users or clients
  • Systems or issues that relate to third-party technology used by Wandera
  • Disclosure of known public files and other information disclosures that are not a material risk (e.g. robots.txt)
  • Any attack or vulnerability that hinges on a user’s endpoint first being compromised

If you discover a publicly exposed password or key, you should not use the key to test the extent of access it grants or to download or exfiltrate data in order to prove it is an active key. Similarly, if you discover a successful SQL injection, you are expected not to exploit the vulnerability beyond any initial steps needed to demonstrate your proof-of-concept.