
Responsible Vulnerability Disclosure Program

Join Our Mission

Last Revision: December 8th, 2025

Security is a top priority at Workera. We value the contributions of independent security researchers who help us detect and remediate potential weaknesses. If you believe you have discovered a security vulnerability in our services, we ask that you act responsibly and coordinate with us so that we can work together to resolve it promptly.

Disclosure Procedure

If you believe you have identified a potential vulnerability, please contact us at security@workera.ai. We will acknowledge your submission within one (1) week of receipt.

Please provide sufficient detail (e.g., steps to reproduce, impact assessment, affected service) and allow us a reasonable time to investigate and remediate before any public or third-party disclosure. Our goal is to address critical issues within ten (10) business days of acknowledgment, although actual remediation times may vary.

During your investigation, please make every effort to minimise privacy risks, avoid data destruction, and refrain from degrading or interrupting our services. Only test systems for which you have explicit authorization (e.g., your own account or a test environment).

Scope

This program covers the services offered by Workera and any associated domains, systems, or APIs for which we are responsible. Workera’s vulnerability categories align with the OWASP Top 10 for Application Security, the OWASP Top 10 Privacy Risks, and the OWASP Top 10 for Large Language Model (LLM) Applications. Vulnerabilities of interest include, but are not limited to:

  • Injection-based issues (e.g., SQL, OS, command injection)
  • Cross-site scripting (XSS) and other client-side vulnerabilities
  • Authorization flaws, insecure access controls, and broader security misconfigurations
  • Privacy weaknesses such as excessive data collection, insufficient consent mechanisms, weak pseudonymization, or improper data handling as outlined in the OWASP Privacy Top 10
  • AI/LLM-related risks such as prompt injection, insecure model plugins/tools, data leakage, or model misuse as identified in the OWASP AI/LLM Top 10

This list is not exhaustive. Workera reserves the right to amend this list at any time without prior notice.

Out of Scope / Exclusions

The following activities are explicitly excluded from this program and should not be performed:

  • Distributed denial-of-service (DDoS) attacks
  • Any form of automated scanning or fuzzing not explicitly approved
  • Spamming or mass email campaigns directed at Workera systems
  • Social engineering, phishing, or similar attempts targeting Workera employees or contractors
  • Any testing based on access granted under a contract, click-wrap or shrink-wrap agreement

Additionally, the following types of issues are usually considered out-of-scope:

  • Open redirect vulnerabilities (via headers or parameters) or insufficient “speed-bump” protection when leaving the site
  • Text injection only (non-executable content)
  • Email spoofing (including SPF, DKIM, visually similar sender domains, etc.)
  • Clickjacking vulnerabilities exploitable only via framing
  • Missing Secure or HTTP-Only flags on non-critical cookies
  • Brute-force login or forgot-password pages where account lockout is not enforced or password strength is weak
  • Username/email enumeration via brute force or error messages
  • Absence of CAPTCHA or rate-limiting on login pages
  • Denial-of-service (other than within narrowly defined scope)
  • Misconfigured DNS issues
  • Known vulnerable versions of third-party libraries (unless there is a working proof-of-concept with high severity)

This list is not exhaustive. We reserve the right to modify it at any time without prior notice.

Disqualification

Participation in this program may be revoked — and we may decline to act on a submission — if any of the following occur:

  • Violation of confidentiality obligations (either under this program or applicable law)
  • Any attempt to extract or exfiltrate data from our services
  • Use of ransomware or the threat of such, in connection with testing
  • Attempt to commercially exploit a discovered vulnerability (e.g., selling access/data or public disclosure prior to remediation)
  • Efforts to hold Workera liable under any laws or regulations for testing activities that were unauthorised or out of scope

We may disqualify submissions that involve such behaviour, at our sole discretion.

Legal Action

Workera reserves the right to take legal action (civil or criminal) against individuals whose activities violate applicable laws, the terms of this program, or cause us to incur legal or regulatory liability. We also reserve the right to refuse or terminate the program for any individual at any time.

Reward Policy

This is not a bug-bounty program. Workera does not guarantee any payment for submitted vulnerabilities. Any reward offered will be determined solely by Workera, based on the severity, impact, and novelty of the submission, and will be subject to our sole discretion.

Changes to Program

We may revise these guidelines at any time.

Thank You

Thank you for your support in helping keep Workera and our users safe.
