Security Disclosure

How to Report Security Issues to IWA

Please submit your report by email to security@iwa.fi. In your report, please provide as much detail as possible:

  • What you found;
  • Where exactly you found it, and the steps to reproduce;
    • EXAMPLE: If the vulnerability relates to a specific URI and a specific parameter, please provide that information in detail.
  • Date and time (UTC) when you could reproduce the vulnerability (we may have deployed a new version since then);
  • Browser version number and the platform on which the browser is running (if applicable);
  • Possible impact of the vulnerability or ways an attacker can leverage the vulnerability;
  • Proof-of-Concept or functional exploit if available;
  • Fix suggestion if available.

We would be thankful for any further relevant technical information that you may have, especially if reproduction is tricky.

We aim to send you a receipt within five working days. If you do not hear back from us by then, please resend the report.

Guidelines for Responsible Disclosure

Please do:

  • Share the security issue with us before making it public on message boards, mailing lists, and other forums.
  • Wait until notified that the vulnerability has been resolved before disclosing it to others. IWA takes the security of its clients very seriously; however, some vulnerabilities take longer than others to resolve.

Please do not:

  • Cause potential or actual damage to IWA’s or IWA’s clients’ systems, services or users.
  • Use an exploit to view unauthorized data or corrupt data.

Please note that by submitting a vulnerability report to us, you grant us a perpetual, worldwide, royalty-free, irrevocable and non-exclusive license and right to use, modify, and incorporate your submission or any parts thereof into our services, products, or test systems without any further obligations or notices to you.