Security Policy

Effective June 25, 2026

We take security seriously. If you discover a vulnerability in WooChim, we appreciate responsible disclosure and will work with you to address it promptly.

1. Reporting a vulnerability

Please report security vulnerabilities by emailing security@woochim.com. Include a clear description of the issue, steps to reproduce, and any supporting materials (screenshots, proof-of-concept code). Do not publicly disclose the issue before we have had a chance to address it.

2. Scope

The following are in scope for responsible disclosure:

  • woochim.com and all subdomains (*.woochim.com)
  • WooChim web application and APIs
  • The WooChim in-store widget (woochim-widget.js)

3. Out of scope

The following are out of scope and should not be tested:

  • Social engineering attacks against WooChim staff or users
  • Distributed denial-of-service (DDoS) attacks
  • Physical attacks against our infrastructure
  • Spam or phishing campaigns
  • Vulnerabilities in third-party services we depend on (please report those to the relevant vendor)

4. Response time

We aim to acknowledge your report within 72 hours for critical issues. We will keep you informed as we investigate and work toward a fix. Our general targets:

  • Critical / High: acknowledgement within 72 hours, patch within 14 days
  • Medium: acknowledgement within 5 business days, patch within 30 days
  • Low / Informational: triaged on a best-effort basis

5. Bug bounty

We do not currently operate a formal bug bounty program. We cannot offer monetary rewards at this time, but we genuinely appreciate responsible disclosures and will acknowledge contributors (with their permission) once the issue is resolved.

6. Safe harbour

We will not pursue legal action against researchers who discover and report vulnerabilities responsibly, provided they do not access, modify, or exfiltrate user data; do not disrupt the service; and follow the guidelines in this policy.

7. Contact

Security reports: security@woochim.com
General enquiries: hello@woochim.com
