Overview
FeelWooh is committed to maintaining the security and integrity of its platform. We value the contributions of security researchers and encourage responsible disclosure of potential vulnerabilities.
This policy outlines how to report security issues and the standards we expect from those engaging in security research involving our platform.
Reporting a Vulnerability
If you identify a potential security issue, please report it responsibly by providing:
- A detailed description of the vulnerability
- Steps to reproduce the issue
- Proof-of-concept (if applicable)
- The affected URL(s) or system component(s)
- Your contact information
Reports should be submitted via our official Contact page.
Responsible Disclosure Guidelines
We ask that all researchers:
- Act in good faith and prioritize user safety and privacy
- Avoid exploiting vulnerabilities beyond what is necessary to demonstrate their existence
- Do not access, modify, or store data that does not belong to you
- Do not attempt to disrupt, degrade, or compromise platform availability
- Provide us with reasonable time to investigate and resolve issues before public disclosure
Safe Harbor
We will not pursue legal action against individuals who discover and report vulnerabilities in good faith and in accordance with this policy.
This safe harbor applies only to activities that:
- Respect user privacy
- Avoid service disruption
- Do not involve unauthorized data access or misuse
Scope of Testing
In Scope:
- Publicly accessible pages and features of FeelWooh
- Security vulnerabilities related to authentication, access control, or data exposure
Out of Scope:
- Third-party services, integrations, or APIs (including those provided by Google)
- Issues requiring physical access or social engineering
- Denial-of-service (DoS/DDoS) testing
- Automated scanning that impacts performance
- Any attempt to access another user’s data
Prohibited Activities
The following actions are strictly prohibited:
- Accessing or attempting to access data belonging to other users
- Modifying, deleting, or exfiltrating data
- Performing brute force attacks or credential stuffing
- Conducting phishing or social engineering attacks
- Exploiting vulnerabilities for personal gain
Data Protection & Privacy
Under no circumstances should researchers access, collect, or store personal or sensitive data.
If such data is inadvertently accessed, it must be:
- Immediately reported
- Not disclosed or retained
- Securely deleted
Response & Handling Process
We aim to:
- Acknowledge receipt of reports within a reasonable timeframe
- Investigate and validate reported issues
- Take appropriate action based on severity
- Keep communication open with the reporting party where possible
Resolution timelines may vary depending on complexity and impact.
No Bug Bounty Program
FeelWooh currently does not offer monetary rewards for vulnerability disclosures.
However, we value meaningful contributions and may, at our discretion, acknowledge valid reports through non-monetary recognition.
Encrypted Communication
For sensitive disclosures, reporters may request our PGP public key via email to enable encrypted communication.
Legal Boundaries
Nothing in this policy authorizes actions that violate applicable laws or regulations.
Participants must ensure that their activities remain lawful at all times.
Updates
This policy may be updated periodically to reflect changes in our platform or security practices.
