Get 50% off when you sign up for Workpay before December 31st 2021.
Get Started
00
Days
00
Hrs
00
Min
00
Sec

Responsible Disclosure Policy

Workpay is committed to maintaining the security and privacy of our systems, applications, and user data. We welcome and appreciate the security research community's efforts in helping us identify potential vulnerabilities in our products and services.

Bug Bounty Hall of Fame

Date Reporter Severity Classification Status
2026-02-02 Muhammad Hammad (LinkedIn) Medium Missing security header, leading to iframe injection ✓ Fixed

Overview & Purpose

This Responsible Disclosure Policy outlines the process for reporting security vulnerabilities and our commitment to working with security researchers in a responsible manner.

The Workpay Vulnerability Disclosure Policy (VDP) establishes a clear, secure, and standardized way for external security researchers, customers, partners, and other stakeholders to report security vulnerabilities in our products and services.

This program is designed to support coordinated vulnerability disclosure practices and to help us continuously improve the security, privacy, and resilience of Workpay’s cloud platform, integrations, and mobile applications. By following this policy, you help us protect the employers and employees who rely on Workpay to manage payroll, HR, and financial services every day.

Good faith reporting

Please note, Workpay does not currently operate a “bug bounty” program, and we do not offer monetary compensation, reward for submissions of potential vulnerabilities. However, we have a public Hall-Of-Fame platform to honor the efforts of researchers who submit valid security reports.

Scope

This policy applies to security vulnerabilities discovered in:

  • Workpay web applications
  • Workpay mobile applications (iOS & Android)
  • Workpay-hosted payroll, HR, and financial services backends

In-scope Vulnerabilities include:

  • Remote Code Execution (RCE)
  • Authentication or authorization bypass
  • Privilege escalation across tenants or roles
  • Cross-Site Scripting (XSS) with meaningful impact
  • SQL, NoSQL, or command injection
  • Server-Side Request Forgery (SSRF) with data exposure
  • Insecure direct object references (IDOR)
  • Exposed secrets, credentials, or sensitive configuration
  • Insecure deserialization or memory corruption
  • Significant misconfigurations leading to data exposure
  • Sensitive Information Disclosures

Out of Scope

The following are explicitly not covered by this policy:

  • DoS/DDoS attacks or stress testing our infrastructure
  • Missing security headers without demonstrated impact
  • Clickjacking and open redirects
  • Brute-force attacks against authentication endpoints
  • Vulnerabilities that require rooted devices or non-standard environments
  • Reports that only describe theoretical risks without a viable proof-of-concept
  • Third-party applications, websites, or services not owned or controlled by Workpay
  • Social engineering attacks against Workpay employees or customers
  • Physical attacks against Workpay facilities, equipment, or personnel
  • Vulnerabilities requiring physical access to user devices
  • Issues related to software or systems not maintained by Workpay
  • Spam, phishing, or other non-technical attacks
  • Publicly available files with no sensitive information
  • Missing best practices in SSL/TLS configuration

Reporting Guidelines

How to Report

Security vulnerabilities should be reported through our dedicated security email: security@myworkpay.com

Information to Include

To help us understand and address the vulnerability effectively, please include:

  • Detailed Description: A clear description of the vulnerability and its potential impact
  • Steps to Reproduce: Detailed, step-by-step instructions to reproduce the issue
  • Proof of Concept: Screenshots, videos, or code snippets demonstrating the vulnerability
  • Affected Systems: Specific URLs, applications, or systems affected
  • Impact: The impact of the vulnerability
  • Severity Assessment: Your assessment of the vulnerability's severity and potential impact. Use CVSS v3.1 scoring here
  • Recommended Fix: Suggestions for remediation (if available)
  • Your Contact Information: Name and preferred contact method for follow-up communication

Our Commitment to Researchers

Response Timeline

We are committed to acknowledging and responding to security vulnerability reports in a timely manner:

  • Initial Acknowledgment: Within 2 business days of receipt
  • Status Update: Within 5 business days with preliminary assessment
  • Regular Updates: Every 10 business days until resolution
  • Resolution Timeline: Varies based on complexity and severity (typically 30-60 days)
  • Hall of fame: Upon Report closure, we will add the researcher to our Hall of Fame.

Investigation Process

Upon receiving a vulnerability report, we will:

  • Acknowledge receipt and assign a unique tracking identifier
  • Conduct initial triage and severity assessment
  • Reproduce and verify the reported vulnerability
  • Develop and test appropriate remediation measures
  • Deploy fixes in a coordinated manner
  • Provide final resolution status to the reporter.

Workpay will agree on a disclosure date with the researcher after a fix is validated.

Researcher Guidelines

Responsible Behavior

Security researchers engaging with this policy are expected to:

  • Act in good faith and avoid privacy violations, data destruction, or service disruption
  • Only access data necessary to demonstrate the vulnerability
  • Avoid downloading, copying, or retaining sensitive data
  • Respect user privacy and refrain from accessing personal information
  • Not perform testing on production systems when possible
  • Limit testing to the minimum necessary to demonstrate the vulnerability
  • Avoid automated scanning tools that may impact system performance

Prohibited Activities

The following activities are strictly prohibited:

  • Accessing, modifying, or deleting data belonging to other users.
  • Performing denial of service attacks or degrading system performance.
  • Conducting social engineering attacks against employees or users.
  • Violating any laws or regulations.
  • Accessing systems or data beyond what is necessary to demonstrate the vulnerability.
  • Publicly disclosing vulnerabilities before coordinated disclosure timeline.

Safe Harbor

Workpay will not pursue legal action against researchers who:

  • Follow this responsible disclosure policy
  • Act in good faith
  • Avoid violating user privacy or disrupting our services
  • Do not access data beyond what is necessary to demonstrate the vulnerability
  • Report vulnerabilities promptly and exclusively through official channels

This safe harbor provision does not authorize testing that violates applicable laws or regulations.

Limitation of Scope

This policy does not grant permission for:

  • Testing of systems not owned or controlled by Workpay
  • Activities that would be illegal under applicable law
  • Social engineering or phishing attacks
  • Physical intrusion or unauthorized access to facilities