Report Security Concerns
Section 01
Our Commitment to Security
WeblyChat is committed to protecting the security and privacy of our users and their data. We welcome responsible security research and believe that working with skilled researchers is an important part of keeping our platform safe.
If you believe you have found a security vulnerability in WeblyChat, we encourage you to tell us about it so we can take steps to address it as quickly as possible.
Section 02
Scope
The following assets are in scope for security research:
- weblychat.eu and all subdomains
- The WeblyChat account portal
- The WeblyChat API
- The Telegram bot interface
- Authentication & OAuth flows
The following are out of scope:
- Third-party services (Cloudflare, Telegram, Google)
- Denial-of-service attacks
- Social engineering of WeblyChat staff
- Physical security
- Automated scanning without prior notice
Section 03
How to Report
Send your report to security@weblychat.eu. This mailbox is monitored by our security team and is separate from general support.
If the vulnerability is particularly sensitive, you are welcome to encrypt your report using our PGP key — please request it at the same address and we will share it promptly.
Section 04
What to Include
A high-quality report helps us triage and fix issues faster. Please include:
- A clear description of the vulnerability and its potential impact
- The affected URL, endpoint, or component
- Step-by-step reproduction instructions
- Screenshots, screen recordings, or proof-of-concept code (if applicable)
- Your assessment of severity (critical / high / medium / low)
Section 05
Response Timeline
We aim to meet the following targets after receiving a valid report:
- Acknowledgement: within 2 business days
- Initial assessment: within 5 business days
- Fix for critical issues: within 14 days
- Fix for lower-severity issues: within 90 days
We will keep you informed throughout the process and notify you when the fix has been deployed.
Section 06
Our Pledge to You
When you report a vulnerability in good faith and follow these guidelines, we commit to:
- Not pursuing legal action against you related to the research
- Working with you to understand and resolve the issue
- Keeping your report confidential unless you agree to public disclosure
- Crediting you in our security acknowledgements (if you wish)
Section 07
Rules of Engagement
To qualify for safe harbour, your research must:
- Only affect your own test accounts — do not access other users' data
- Avoid actions that degrade service availability (no DoS)
- Not involve social engineering, phishing, or physical attacks
- Not exfiltrate, modify, or destroy data beyond what is needed to demonstrate the issue
- Be reported to us before any public disclosure
We reserve the right to determine whether a submission qualifies as good-faith research. If in doubt, ask us before proceeding.