As a global leader in media as well as SaaS for publishing, The Washington Post embraces responsible software development norms. To support a healthy internet ecology, we are sharing our Vulnerability Disclosure Policy. This policy describes the submission process for security researchers wanting to share their findings with our engineering teams.
Vulnerability Disclosure Policy
Our commitments
- To maintain confidentiality and exclusivity in the disclosure and remediation process
- To strive to validate and remediate all serious findings in a timely manner
- To respond clearly whenever remediation or validation efforts may be delayed
What we ask of researchers
- As we promise confidentiality, we ask that researchers do the same. Please do not disclose information about shared findings without written permission from our team.
- Provide detailed and clear reproduction steps (proof of concept) when sharing findings, so we may validate them in a timely manner.
- Save time by paying close attention to the out-of-scope section below.
- Include an email address with the submission, so we can reach out for technical clarifications and follow-up.
Out of scope
- Testing the physical security of our offices, employees, or equipment
- Any non-web attacks such as social engineering or phishing
- DoS/DDoS, or any other testing that may impact the operation of our systems
- App or network scan reports, unvalidated test results, or “theoretical” findings
- Access to, or modification of, any account that does not belong to the researcher
- Testing which results in form or email spam, or unsolicited messages or alerts
- Testing third-party SaaS apps or services, except self-hosted, IaaS, or CDN assets
- Defacing any assets, or doing anything that may result in brand damage
In scope
- BOLAs/IDORs, OWASP API Top 10, multi-stage logic flaws, account enumeration and iteration flaws, XML injections, auth problems, cloud data leakages, critical software version flaws, provable RFIs/LFIs, upload exploits, WAF bypasses