Responsible Disclosure

1. Purpose

WISPGate welcomes responsible, good-faith disclosure of security vulnerabilities that affect systems under WISPGate’s control.

2. Scope

This policy applies only to WISPGate-controlled public websites, customer portal surfaces, APIs, and infrastructure expressly designated by WISPGate. It does not authorize testing against customer-owned systems, third-party services, telecom networks, payment gateways, or assets outside WISPGate control.

3. Rules of Engagement

• Act in good faith.
• Do not access, alter, download, expose, destroy, or retain customer data beyond the minimum necessary to demonstrate the issue.
• Do not exploit vulnerabilities for persistence, pivoting, privilege escalation, or service disruption.
• Do not use denial-of-service techniques, social engineering, extortion, or physical intrusion.

4. Reporting Requirements

Reports should include a clear description of the issue, affected endpoint or component, reproducible steps, expected versus actual result, impact estimate, and sufficient evidence for validation. Reports should be sent to security@wispgate.us.

5. What WISPGate May Do

WISPGate may acknowledge receipt, request clarification, prioritize remediation according to risk, coordinate quiet remediation, and determine its own disclosure timeline. WISPGate is not obligated to disclose internal details, accept all reports as valid, or publicize remediation.

6. No Bounty Commitment

WISPGate does not commit to pay rewards, bug bounties, reimbursement, or public credit unless separately and expressly agreed.

7. Safe Harbor

Provided the reporter acts strictly within this policy and in good faith, WISPGate will not pursue legal action solely for the reported activity. This safe harbor does not apply to data theft, extortion, service disruption, privacy violations, or actions outside the policy.