Responsible Disclosure
WAB is an open-core project. We treat security reports as a partnership. If you have found a vulnerability in the protocol, the SDK, the server, or our hosted infrastructure, please tell us privately first — we will respond, fix it, and credit you (with your permission) on our researchers page.
1. How to report
2. Scope
In scope:
- webagentbridge.com and any subdomain we operate.
- The web-agent-bridge npm package and its SDK packages.
- The WAB protocol itself — signature, discovery, ATP semantics, replay protection, auth middleware.
- The browser SDK (wab.min.js) and the WordPress / Hydrogen / Elementor integrations we publish.
Out of scope:
- Findings that require a compromised user device, browser extension, or stolen credentials with no further escalation.
- Volumetric DoS without an amplification primitive.
- Self-XSS, missing best-practice headers without a concrete exploit, or social engineering of staff.
- Third-party services we depend on (Stripe, Cloudflare, registrars) — please report those upstream.
3. Safe harbor
Researchers acting in good faith under this policy are authorised to perform their work and will not be pursued under the CFAA, equivalents elsewhere, or our own terms of service, provided they:
- Do not access, modify, or destroy data that is not theirs.
- Do not run automated scanning at a rate that materially harms availability.
- Do not extort, threaten, or publicly disclose before coordinated release.
- Stop testing and contact us if they encounter sensitive data unexpectedly.
We will not pursue legal action against good-faith research that follows this policy.
4. Recognition & discretionary rewards
WAB does not currently run a formal Bug Bounty programme. What we offer instead:
- Public credit on /researchers (opt-in; anonymous credit is welcome too).
- A discretionary appreciation reward may be granted after we verify and fix the issue, based on its real-world severity and our project budget at the time. Typical range for medium findings on an open-source project at this stage is symbolic (e.g. USD 50–200); higher amounts are possible for clearly high-impact, first-reporter findings but are not promised.
- Co-author credit in the CHANGELOG and the matching CVE / advisory.
By submitting a report you understand that any reward is offered at WAB's sole discretion and is not a contractual obligation. Duplicates, low-severity issues, already-patched issues, and reports that violate scope or safe-harbor rules are not eligible. The first reporter of a unique, valid issue is the one credited and (if applicable) rewarded.
5. Process
- Report — email security@webagentbridge.com with reproduction steps, affected version, and impact.
- Acknowledge — we reply within 72 hours.
- Triage — within 7 days we confirm severity and assign a tracking ID.
- Remediate — fix and deploy. Critical within 14 days, others within 90 days.
- Credit — coordinated public advisory after the fix ships, naming the reporter (with permission) on /researchers.
6. Hall of fame — submit your name
Once your report has been verified and fixed, please submit your preferred credit below. Entries are reviewed manually before they appear on the public /researchers page — this keeps the list meaningful and spam-free. Choose Anonymous if you prefer not to be named publicly.
7. Document history
- 2026-06-04 — Reworded rewards section to "discretionary appreciation" (no formal bounty programme). Added hall-of-fame opt-in form. Added friendly GitHub-star ask.
- 2026-05-25 — Initial publication.
Related: /security · /threat-model · /key-rotation · /researchers