Information Security & Vulnerability Disclosure
Information Security & Vulnerability Disclosure
Last updated: 2026-07-16
This security policy applies to the website, products and services offered under the brand WAAPI, operated by WAAPI (“we”, “us”, “our”), acting as the business. By accessing or using our services you agree to this security policy. If you do not agree, please discontinue use of the services.
1. Scope
This policy covers the WAAPI web panels, public websites, mobile applications and public APIs operated by us. It does not cover the third-party platforms we integrate with — report issues in those to the provider concerned.
2. Reporting a vulnerability
Report security issues privately to support@thewaapi.com with the subject line “Security — vulnerability report”. Include a description, the steps to reproduce, the impact you believe it has, and any proof-of-concept. We acknowledge reports within 72 hours and aim to give a remediation timeline within 10 business days.
3. Safe harbour
We will not pursue legal action against researchers who act in good faith under this policy: test only against your own account, do not access, modify or exfiltrate other customers’ data, do not degrade the service (no denial-of-service, no automated high-volume scanning), do not use social engineering or physical attacks, and give us reasonable time to fix an issue before disclosing it publicly.
4. Out of scope
Reports without demonstrable impact — missing best-practice headers, self-XSS, rate-limit findings on unauthenticated endpoints, outdated library versions with no exploitable path, or automated-scanner output with no proof of exploitation — are acknowledged but generally not actioned.
5. Our internal controls
We operate least-privilege access to production, mandatory review on changes to authentication and tenant-isolation code, dependency monitoring, encrypted secret storage, and audit logging. Details are in the Data Security Policy.
Governing law & jurisdiction
This document is governed by the laws of India. For operators in India this includes the Information Technology Act, 2000, the Digital Personal Data Protection Act, 2023 (DPDP Act), the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 and the Consumer Protection Act, 2019. Where we serve customers in other jurisdictions we honour applicable local requirements, including the EU/UK General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), to the extent they apply. Courts at India have exclusive jurisdiction, subject to any non-waivable consumer rights in your country of residence.
Contact us
WAAPI is operated by WAAPI. For any question about this document, contact us:
- Email: support@thewaapi.com
- Registered address: India