Legal document · Version 1.0
Responsible Disclosure
- Effective date: 2026-01-01
- Last updated: 2026-04-21
- Document ID: WS-LEG-SEC-001
- Supersedes: None
Notice. This policy is offered in good faith and is not legal advice. It does not waive any right or obligation Wavestar may have under law.
§ 1. How to report
Email security@wavestar.space with a clear description of the suspected issue, steps to reproduce, the impact, and any suggested remediation. Encrypt your report to our PGP key, published at /.well-known/security.txt, when the issue involves pre-disclosure sensitive detail.
We acknowledge receipt within two business days, assign a tracking identifier, and provide an initial triage assessment within five business days.
§ 2. Scope
In scope
- wavestar.space: the public marketing site and documentation
- *.wavestar.space: API, Terminal, Market, Attest subdomains
- did:orbit registry: published protocol surfaces and reference implementations
- Open-source SDKs: Apache 2.0 code published under github.com/wavestar
Out of scope
- Social engineering: phishing or pretexting against staff or contractors
- Physical attacks: office access, lost-device scenarios, and similar
- Denial of service: volumetric DoS against production endpoints. Rate-limit bypass demonstrations are allowed with prior written coordination.
- Third-party systems: vendors whose products we use but do not control. Report to the vendor directly; we are happy to coordinate.
- Already-known classes: missing security headers without demonstrated impact, best-practice findings without an exploit chain
§ 3. Safe harbour
For security research conducted in accordance with this policy, Wavestar:
- will not pursue civil action or report you to law enforcement;
- will not invoke the Computer Fraud and Abuse Act or equivalent anti-hacking laws;
- will treat your research as authorised access within the meaning of our Terms of Service;
- will work with you to understand and resolve the issue promptly.
Safe harbour applies only to good-faith research within the rules below. Research that harms Users, extracts personal data beyond the minimum necessary, or is intended to obtain unlawful advantage is not protected.
§ 4. Rules of engagement
01. Do not access User data
Demonstrate impact with minimum access. If you inadvertently accessed data beyond your own, stop, do not copy it, and report immediately.
02. Do not disrupt service
Do not run automated scanners at high rates. Do not attempt denial-of-service. Coordinate with us before any test that could affect availability.
03. Use test accounts
Create your own accounts and operate only against your own tenant. Do not impersonate other Users.
04. Hold details confidential
Do not publicly disclose the issue before the disclosure window has elapsed and we have confirmed mitigation. Coordinate public write-ups with us.
§ 5. Disclosure window
We operate a 90-day coordinated disclosure window from the date of initial triage. Within that period, we will investigate, remediate, and deploy a fix, and coordinate public disclosure with you. If the issue is particularly severe or complex, we may request an extension; we will not unilaterally extend.
§ 6. Credit
With your permission we will acknowledge your report on a public security hall-of-fame and in the advisory we publish alongside the fix. You may remain anonymous or request acknowledgment under a handle.
§ 7. Bug bounty (future)
A monetary bug bounty programme is targeted for Q2 2027, following the formal regulatory certifications of the Platform. Until then, we thank researchers publicly and where severity warrants may offer Wavestar apparel, professional membership reimbursement, or a formal reference.
§ 8. Contact
Email: security@wavestar.space
PGP fingerprint: published at /.well-known/security.txt and pinned on the technology security page.
Report a vulnerability
Found something? Tell us.
We take every report seriously. Email security@wavestar.space with reproduction steps and we will triage within five business days.