[{"id":3758878,"new_policy":"# In Scope\n\n* wakatime.com\n* api.wakatime.com (web only, not used for email)\n\n# Out of Scope Vulnerabilities\n\nReport leaked user api keys, user passwords, and other sensitive user data using this form:\nhttps://wakatime.com/security/leaks\nDo NOT report leaked user api keys, user passwords, user app secrets, or other user secrets here. They will be marked NA!\n\nVulnerabilities below will be marked NA or Informative.\n\n* Session Fixation/Replay (We use session cookies and we like them http://bit.ly/2tw19Gd)\n* Insufficient Session Expiration\n* Weak Password Policy (See http://bit.ly/2uFjwXt)\n* Password Reuse (We allow any password, even passwords used previously)\n* CSRF Cookie Without 'HttpOnly' Flag\n* Beast Attack (Fixed in browsers not sever)\n* Username Enumeration\n* Software version disclosure\n* Denial of service\n* Spamming\n* Phishing\n* Social engineering\n* status.wakatime.com is NOT in scope. Submit vuln reports to support@uptimerobot.com for our status page subdomain.\n\nPlease consolidate the same vulnerability reports when only the page/url/params changes.\n\n[View changes to this policy](https://hackerone.com/wakatime/policy_versions)\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-07-11T00:58:18.172Z"},{"id":3754682,"new_policy":"# In Scope\n\n* wakatime.com\n* api.wakatime.com (web only, not used for email)\n\n# Out of Scope Vulnerabilities\n\nVulnerabilities below will be marked NA or Informative.\n\n* Session Fixation/Replay (We use session cookies and we like them http://bit.ly/2tw19Gd)\n* Insufficient Session Expiration\n* Weak Password Policy (See http://bit.ly/2uFjwXt)\n* Password Reuse (We allow any password, even passwords used previously)\n* CSRF Cookie Without 'HttpOnly' Flag\n* Beast Attack (Fixed in browsers not sever)\n* Username Enumeration\n* Software version disclosure\n* Denial of service\n* Spamming\n* Phishing\n* Social engineering\n* status.wakatime.com is NOT in scope. Submit vuln reports to support@uptimerobot.com for our status page subdomain.\n\nPlease consolidate the same vulnerability reports when only the page/url/params changes.\n\n[View changes to this policy](https://hackerone.com/wakatime/policy_versions)\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-05-01T06:21:26.399Z"},{"id":3713725,"new_policy":"# In Scope\n\n* wakatime.com\n* api.wakatime.com (web only, not used for email)\n\n# Out of Scope Vulnerabilities\n\nVulnerabilities below will be marked NA or Informative.\n\n* Session Fixation (We use session cookies and we like them http://bit.ly/2tw19Gd)\n* Insufficient Session Expiration\n* Weak Password Policy (See http://bit.ly/2uFjwXt)\n* Password Reuse (We allow any password, even passwords used previously)\n* CSRF Cookie Without 'HttpOnly' Flag\n* Beast Attack (Fixed in browsers not sever)\n* Username Enumeration\n* Software version disclosure\n* Denial of service\n* Spamming\n* Phishing\n* Social engineering\n* status.wakatime.com is NOT in scope. Submit vuln reports to support@uptimerobot.com for our status page subdomain.\n\nPlease consolidate the same vulnerability reports when only the page/url/params changes.\n\n[View changes to this policy](https://hackerone.com/wakatime/policy_versions)\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-03-06T17:49:20.755Z"},{"id":3686688,"new_policy":"# In Scope\n\n* wakatime.com\n* api.wakatime.com (web only, not used for email)\n\n## We recently added a new feature: Profile Image Uploading\n\nPlease test image uploads first, since most other features have already been tested thoroughly:\nhttps://wakatime.com/settings/profile/photo\n\n# Out of Scope Vulnerabilities\n\nVulnerabilities below will be marked NA or Informative.\n\n* Session Fixation (We use session cookies and we like them http://bit.ly/2tw19Gd)\n* Insufficient Session Expiration\n* Weak Password Policy (See http://bit.ly/2uFjwXt)\n* Password Reuse (We allow any password, even passwords used previously)\n* CSRF Cookie Without 'HttpOnly' Flag\n* Beast Attack (Fixed in browsers not sever)\n* Username Enumeration\n* Software version disclosure\n* Denial of service\n* Spamming\n* Phishing\n* Social engineering\n* status.wakatime.com is NOT in scope. Submit vuln reports to support@uptimerobot.com for our status page subdomain.\n\nPlease consolidate the same vulnerability reports when only the page/url/params changes.\n\n[View changes to this policy](https://hackerone.com/wakatime/policy_versions)\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-04-29T07:05:20.720Z"},{"id":3661434,"new_policy":"# In Scope\n\n* wakatime.com\n* api.wakatime.com (web only, not used for email)\n\n## We recently added a new feature: Profile Image Uploading\n\nPlease test image uploads first, since most other features have already been tested thoroughly:\nhttps://wakatime.com/settings/profile/photo\n\n# Out of Scope Vulnerabilities\n\nVulnerabilities below will be marked NA or Informative.\n\n* Session Fixation (We use session cookies and we like them http://bit.ly/2tw19Gd)\n* Insufficient Session Expiration\n* Weak Password Policy (See http://bit.ly/2uFjwXt)\n* Password Reuse (We allow any password, even passwords used previously)\n* CSRF Cookie Without 'HttpOnly' Flag\n* Beast Attack (Fixed in browsers not sever)\n* Username Enumeration\n* Software version disclosure\n* Denial of service\n* Spamming\n* Phishing\n* Social engineering\n\nPlease consolidate the same vulnerability reports when only the page/url/params changes.\n\n[View changes to this policy](https://hackerone.com/wakatime/policy_versions)\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-11-09T17:05:47.401Z"},{"id":3641340,"new_policy":"# In Scope\n\n* wakatime.com\n* api.wakatime.com (web only, not used for email)\n\n# Out of Scope Vulnerabilities\n\nVulnerabilities below will be marked NA or Informative.\n\n* Session Fixation (We use session cookies and we like them http://bit.ly/2tw19Gd)\n* Insufficient Session Expiration\n* Weak Password Policy (See http://bit.ly/2uFjwXt)\n* Password Reuse (We allow any password, even passwords used previously)\n* CSRF Cookie Without 'HttpOnly' Flag\n* Beast Attack (Fixed in browsers not sever)\n* Username Enumeration\n* Software version disclosure\n* Denial of service\n* Spamming\n* Phishing\n* Social engineering\n\nPlease consolidate the same vulnerability reports when only the page/url/params changes.\n\n[View changes to this policy](https://hackerone.com/wakatime/policy_versions)\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-08-16T15:52:12.392Z"},{"id":3586337,"new_policy":"# In Scope\n\n* wakatime.com\n* api.wakatime.com\n\n# Out of Scope Vulnerabilities\n\nVulnerabilities below will be marked NA or Informative.\n\n* Logout CSRF\n* Session Fixation (We use session cookies and we like them http://bit.ly/2tw19Gd)\n* Insufficient Session Expiration\n* Weak Password Policy (See http://bit.ly/2uFjwXt)\n* Password Reuse (We allow any password, even passwords used previously)\n* CSRF Cookie Without 'HttpOnly' Flag\n* Beast Attack (Fixed in browsers not sever)\n* Username Enumeration\n* Software version disclosure\n* Denial of service\n* Spamming\n* Phishing\n* Social engineering\n\nPlease consolidate the same vulnerability reports when only the page/url/params changes.\n\n[View changes to this policy](https://hackerone.com/wakatime/policy_versions)\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2018-08-21T07:11:54.102Z"},{"id":3559468,"new_policy":"# In Scope\n\n* wakatime.com\n* api.wakatime.com\n\n# Out of Scope Properties\n\n* Olark \"Need Help\" floating chat (please do NOT post Olark chat messages)\n* Disqus blog comments (please do NOT post blog comments)\n\n# Out of Scope Vulnerabilities\n\nVulnerabilities below will be marked NA or Informative.\n\n* Logout CSRF\n* Session Fixation (We use session cookies and we like them http://bit.ly/2tw19Gd)\n* Insufficient Session Expiration\n* Weak Password Policy (See http://bit.ly/2uFjwXt)\n* Password Reuse (We allow any password, even passwords used previously)\n* CSRF Cookie Without 'HttpOnly' Flag\n* Beast Attack (Fixed in browsers not sever)\n* Username Enumeration\n* Software version disclosure\n* Denial of service\n* Spamming\n* Phishing\n* Social engineering\n\nPlease consolidate the same vulnerability reports when only the page/url/params changes.\n\n[View changes to this policy](https://hackerone.com/wakatime/policy_versions)\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2017-08-23T01:46:55.628Z"},{"id":3559467,"new_policy":"# In Scope\n\n* wakatime.com\n* api.wakatime.com\n\n# Out of Scope Properties\n\n* Olark \"Need Help\" floating chat (please do NOT post Olark chat messages)\n* Disqus blog comments (please do NOT post blog comments)\n\n# Out of Scope Vulnerabilities\n\nVulnerabilities below will be marked NA or Informative.\n\n* Logout CSRF\n* Session Fixation (We use session cookies and we like them http://bit.ly/2tw19Gd)\n* Insufficient Session Expiration\n* Weak Password Policy (See http://bit.ly/2uFjwXt)\n* Password Reuse (We allow any password, even passwords used previously http://bit.ly/2uFjwXt)\n* CSRF Cookie Without 'HttpOnly' Flag\n* Beast Attack (Fixed in browsers not sever)\n* Username Enumeration\n* Software version disclosure\n* Denial of service\n* Spamming\n* Phishing\n* Social engineering\n\nPlease consolidate the same vulnerability reports when only the page/url/params changes.\n\n[View changes to this policy](https://hackerone.com/wakatime/policy_versions)\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2017-08-23T01:46:46.644Z"},{"id":3559466,"new_policy":"# In Scope\n\n* wakatime.com\n* api.wakatime.com\n\n# Out of Scope Properties\n\n* Olark \"Need Help\" floating chat (please do NOT post Olark chat messages)\n* Disqus blog comments (please do NOT post blog comments)\n\n# Out of Scope Vulnerabilities\n\nVulnerabilities below will be marked NA or Informative.\n\n* Logout CSRF\n* Session Fixation (We use session cookies and we like them http://bit.ly/2tw19Gd)\n* Insufficient Session Expiration\n* Weak Password Policy (Our only rule is passwords must be longer than 6 characters http://bit.ly/2uFjwXt)\n* Password Reuse (We allow any password, even passwords used previously http://bit.ly/2uFjwXt)\n* CSRF Cookie Without 'HttpOnly' Flag\n* Beast Attack (Fixed in browsers not sever)\n* Username Enumeration\n* Software version disclosure\n* Denial of service\n* Spamming\n* Phishing\n* Social engineering\n\nPlease consolidate the same vulnerability reports when only the page/url/params changes.\n\n[View changes to this policy](https://hackerone.com/wakatime/policy_versions)\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2017-08-23T01:46:11.200Z"},{"id":3559465,"new_policy":"# In Scope\n\n* wakatime.com\n* api.wakatime.com\n\n# Out of Scope Properties\n\n* Olark \"Need Help\" floating chat (please do NOT post Olark chat messages)\n* Disqus blog comments (please do NOT post blog comments)\n\n# Out of Scope Vulnerabilities\n\nVulnerabilities below will be marked NA or Informative.\n\n* Logout CSRF\n* Session Fixation (We use session cookies and we like them http://bit.ly/2tw19Gd)\n* Insufficient Session Expiration\n* Weak Password Policy (Our only rule is passwords must be longer than 6 characters)\n* Password Reuse (We allow any password, even passwords used previously)\n* CSRF Cookie Without 'HttpOnly' Flag\n* Beast Attack (Fixed in browsers not sever)\n* Username Enumeration\n* Software version disclosure\n* Denial of service\n* Spamming\n* Phishing\n* Social engineering\n\nPlease consolidate the same vulnerability reports when only the page/url/params changes.\n\n[View changes to this policy](https://hackerone.com/wakatime/policy_versions)\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2017-08-23T01:45:09.297Z"},{"id":3557941,"new_policy":"# In Scope\n\n* wakatime.com\n* api.wakatime.com\n\n# Out of Scope Properties\n\n* Olark \"Need Help\" floating chat (please do NOT post Olark chat messages)\n* Disqus blog comments (please do NOT post blog comments)\n\n# Out of Scope Vulnerabilities\n\nVulnerabilities below will be marked NA or Informative.\n\n* Logout CSRF\n* Session Fixation (We use session cookies and we like them http://bit.ly/2tw19Gd)\n* Insufficient Session Expiration\n* Weak Password Policy (we show a password strength meter at signup, but our only rule is passwords must be longer than 6 characters)\n* CSRF Cookie Without 'HttpOnly' Flag\n* Beast Attack (Fixed in browsers not sever)\n* Username Enumeration\n* Software version disclosure\n* Denial of service\n* Spamming\n* Phishing\n* Social engineering\n\nPlease consolidate the same vulnerability reports when only the page/url/params changes.\n\n[View changes to this policy](https://hackerone.com/wakatime/policy_versions)\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2017-07-20T03:45:10.971Z"},{"id":3557151,"new_policy":"# In Scope\n\n* wakatime.com\n* api.wakatime.com\n\n# Out of Scope Properties\n\n* Olark \"Need Help\" floating chat (please do NOT post Olark chat messages)\n* Disqus blog comments (please do NOT post blog comments)\n\n# Out of Scope Vulnerabilities\n\nVulnerabilities below will be marked NA or Informative.\n\n* Logout CSRF\n* Weak Password Policy (we show a password strength meter at signup, but our only rule is passwords must be longer than 6 characters)\n* Session Fixation (We use session cookies and we like them http://bit.ly/2tw19Gd)\n* CSRF Cookie Without 'HttpOnly' Flag\n* Beast Attack (Fixed in browsers not sever)\n* Username Enumeration\n* Software version disclosure\n* Denial of service\n* Spamming\n* Phishing\n* Social engineering\n\nPlease consolidate the same vulnerability reports when only the page/url/params changes.\n\n[View changes to this policy](https://hackerone.com/wakatime/policy_versions)\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2017-07-08T17:13:04.831Z"},{"id":3557026,"new_policy":"# In Scope\n\n* wakatime.com\n* api.wakatime.com\n\n# Out of Scope Properties\n\n* Olark \"Need Help\" floating chat (please do NOT post Olark chat messages)\n* Disqus blog comments (please do NOT post blog comments)\n\n# Out of Scope Vulnerabilities\n\nVulnerabilities below will be marked NA or Informative.\n\n* Logout CSRF\n* Weak Password Policy (we show a password strength meter at signup, but our only rule is passwords must be longer than 6 characters)\n* Session Fixation (We use session cookies and we like them http://bit.ly/2tw19Gd)\n* CSRF Cookie Without 'HttpOnly' Flag\n* Beast Attack (Fixed in browsers not sever)\n* Username Enumeration\n* Software version disclosure\n* Denial of service\n* Spamming\n* Phishing\n* Social engineering\n\nPlease consolidate the same vulnerability reports when only the url or parameter changes. Creating duplicate reports for the same vulnerability when only the url changes may lead to all duplicates being marked as Not Applicable for not following the policy.\n\n[View changes to this policy](https://hackerone.com/wakatime/policy_versions)\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2017-07-06T15:44:16.343Z"},{"id":3556971,"new_policy":"# In Scope\n\n* wakatime.com\n* api.wakatime.com\n\n# Out of Scope Properties\n\n* Olark \"Need Help\" floating chat (please do NOT post Olark chat messages)\n* Disqus blog comments (please do NOT post blog comments)\n\n# Out of Scope Vulnerabilities\n\nVulnerabilities below will be marked NA or Informative.\n\n* Logout CSRF\n* Weak Password Policy (we show a password strength meter at signup, but our only rule is passwords must be longer than 6 characters)\n* Session Fixation (We use session cookies and we like them http://bit.ly/2tw19Gd)\n* CSRF Cookie Without 'HttpOnly' Flag\n* Beast Attack (Fixed in browsers not sever)\n* Username Enumeration\n* Software version disclosure\n* Denial of service\n* Spamming\n* Phishing\n* Social engineering\n\n[View changes to this policy](https://hackerone.com/wakatime/policy_versions)\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2017-07-06T04:06:05.468Z"},{"id":3556970,"new_policy":"# In Scope\n\n* wakatime.com\n* api.wakatime.com\n\n# Out of Scope Properties\n\n* Olark \"Need Help\" floating chat (please do NOT post Olark chat messages)\n* Disqus blog comments (please do NOT post blog comments)\n\n# Out of Scope Vulnerabilities\n\nVulnerabilities below will be marked NA or Informative.\n\n* Logout CSRF\n* Weak Password Policy (our only rule is passwords must be longer than 6 characters)\n* Session Fixation (We use session cookies and we like them http://bit.ly/2tw19Gd)\n* CSRF Cookie Without 'HttpOnly' Flag\n* Beast Attack (Fixed in browsers not sever)\n* Username Enumeration\n* Software version disclosure\n* Denial of service\n* Spamming\n* Phishing\n* Social engineering\n\n[View changes to this policy](https://hackerone.com/wakatime/policy_versions)\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2017-07-06T04:04:50.591Z"},{"id":3556863,"new_policy":"# In Scope\n\n* wakatime.com\n* api.wakatime.com\n\n# Out of Scope Properties\n\n* Olark \"Need Help\" floating chat (please do NOT post Olark chat messages)\n* Disqus blog comments (please do NOT post blog comments)\n\n# Out of Scope Vulnerabilities\n\nVulnerabilities below will be marked NA or Informative.\n\n* Logout CSRF\n* Session Fixation (We use session cookies and we like them http://bit.ly/2tw19Gd)\n* CSRF Cookie Without 'HttpOnly' Flag\n* Beast Attack (Fixed in browsers not sever)\n* Username Enumeration\n* Software version disclosure\n* Denial of service\n* Spamming\n* Phishing\n* Social engineering\n\n[View changes to this policy](https://hackerone.com/wakatime/policy_versions)\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2017-07-04T13:36:47.342Z"},{"id":3556848,"new_policy":"DISABLED\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2017-07-04T09:54:57.765Z"},{"id":3556820,"new_policy":"# In Scope\n\n* wakatime.com\n* api.wakatime.com\n\n# Out of Scope Properties\n\n* Olark \"Need Help\" floating chat (please do NOT post Olark chat messages)\n* Disqus blog comments (please do NOT post blog comments)\n\n# Out of Scope Vulnerabilities\n\nVulnerabilities below will be marked NA or Informative.\n\n* Logout CSRF\n* Session Fixation (We use session cookies and we like them http://bit.ly/2tw19Gd)\n* CSRF Cookie Without 'HttpOnly' Flag\n* Beast Attack (Fixed in browsers not sever)\n* Username Enumeration\n* Software version disclosure\n* Denial of service\n* Spamming\n* Phishing\n* Social engineering\n\n[View changes to this policy](https://hackerone.com/wakatime/policy_versions)\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2017-07-03T19:05:07.713Z"},{"id":3556814,"new_policy":"# In Scope\n\n* wakatime.com\n* api.wakatime.com\n\n# Out of Scope Properties\n\n* Olark \"Need Help\" floating chat (please do NOT post Olark chat messages)\n* Disqus blog comments (please do NOT post blog comments)\n\n# Out of Scope Vulnerabilities\n\nVulnerabilities below will be marked NA or Informative.\n\n* Logout CSRF\n* Session Fixation (We use session cookies and we like them http://bit.ly/2tw19Gd)\n* CSRF Cookie Without 'HttpOnly' Flag\n* Beast Attack (Fixed in browsers not sever)\n* Software version disclosure\n* Denial of service\n* Spamming\n* Phishing\n* Social engineering\n\n[View changes to this policy](https://hackerone.com/wakatime/policy_versions)\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2017-07-03T18:02:01.884Z"},{"id":3556811,"new_policy":"# In Scope\n\n* wakatime.com\n* api.wakatime.com\n\n# Out of Scope Properties\n\n* Olark \"Need Help\" floating chat (please do NOT post Olark chat messages)\n* Disqus blog comments (please do NOT post blog comments)\n\n# Out of Scope Vulnerabilities\n\nVulnerabilities below will be marked NA or Informative.\n\n* Logout CSRF\n* Session Fixation (We use session cookies and we like them http://bit.ly/2tw19Gd)\n* CSRF Cookie Without 'HttpOnly' Flag\n* Software version disclosure\n* Denial of service\n* Spamming\n* Phishing\n* Social engineering\n\n[View changes to this policy](https://hackerone.com/wakatime/policy_versions)\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2017-07-03T17:24:47.219Z"},{"id":3556736,"new_policy":"# In Scope\n\n* wakatime.com\n* api.wakatime.com\n\n# Out of Scope Properties\n\n* Olark \"Need Help\" floating chat (please do NOT post Olark chat messages)\n* Disqus blog comments (please do NOT post blog comments)\n\n# Out of Scope Vulnerabilities\n\n* Logout CSRF\n* Session Fixation (We use session cookies and we like them http://bit.ly/2tw19Gd)\n* Software version disclosure\n* Denial of service\n* Spamming\n* Phishing\n* Social engineering\n\n[View changes to this policy](https://hackerone.com/wakatime/policy_versions)\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2017-07-01T18:19:07.240Z"},{"id":3556668,"new_policy":"# In Scope\n\n* wakatime.com\n* api.wakatime.com\n\n# Out of Scope Properties\n\n* Olark \"Need Help\" floating chat (please do NOT post Olark chat messages)\n* Disqus blog comments (please do NOT post blog comments)\n\n# Out of Scope Vulnerabilities\n\n* Logout CSRF\n* Software version disclosure\n* Denial of service\n* Spamming\n* Phishing\n* Social engineering\n\n[View changes to this policy](https://hackerone.com/wakatime/policy_versions)\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2017-06-30T17:01:05.038Z"},{"id":3556665,"new_policy":"# In Scope\n\n* wakatime.com\n* api.wakatime.com\n\n# Out of Scope Properties\n\n* Olark \"Need Help\" floating chat (please do NOT post Olark chat messages)\n* Disqus blog comments (please do NOT post blog comments)\n\n# Out of Scope Vulnerabilities\n\n* Logout CSRF\n* Software version disclosure\n* Denial of service\n* Spamming\n* Social engineering\n\n[View changes to this policy](https://hackerone.com/wakatime/policy_versions)\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2017-06-30T16:27:06.384Z"},{"id":3556664,"new_policy":"No technology is perfect, and WakaTime believes that working with skilled security researchers across the globe is crucial in identifying weaknesses in any technology. If you believe you've found a security issue in our product or service, we encourage you to notify us. We welcome working with you to resolve the issue promptly.\n\n# Disclosure Policy\n* Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.\n* Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n\n# Exclusions\nWhile researching, we'd like to ask you to refrain from:\n* Testing 3rd-Party Chat provider Olark (please do NOT post Olark chat messages)\n* Testing 3rd-Party Blog Comments provider Disqus (please do NOT post blog comments)\n* Denial of service\n* Spamming\n* Social engineering (including phishing) of WakaTime staff or contractors\n* Any physical attempts against WakaTime property or data centers\n\nThank you for helping keep WakaTime and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2017-06-30T16:07:10.921Z"},{"id":3556608,"new_policy":"No technology is perfect, and WakaTime believes that working with skilled security researchers across the globe is crucial in identifying weaknesses in any technology. If you believe you've found a security issue in our product or service, we encourage you to notify us. We welcome working with you to resolve the issue promptly.\n\n# Disclosure Policy\n* Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.\n* Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n\n# Exclusions\nWhile researching, we'd like to ask you to refrain from:\n* Denial of service\n* Spamming\n* Social engineering (including phishing) of WakaTime staff or contractors\n* Any physical attempts against WakaTime property or data centers\n\nThank you for helping keep WakaTime and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2017-06-29T15:34:11.590Z"}]