Word?

Responsible Disclosure

Effective date: July 17, 2026

Our commitment

Security is the product at WordKey. If you believe you have found a vulnerability in the WordKey protocol, our applications, our SDK, or our infrastructure, we want to hear from you — and we commit to working with you in good faith.

How to report

Email security@wordkey.app with:

  • a description of the issue and its potential impact;
  • steps to reproduce (proof-of-concept code is welcome);
  • the affected component, URL, or endpoint; and
  • how you would like to be credited, if at all.

We will acknowledge your report within 72 hours, keep you informed as we investigate, and tell you when the issue is resolved.

Safe harbor

We will not pursue legal action against researchers who, in good faith:

  • test only against accounts and data they own or control;
  • avoid privacy violations, data destruction, and service degradation;
  • give us reasonable time to remediate before any public disclosure; and
  • do not exploit an issue beyond what is needed to prove it.

Out of scope

  • denial-of-service or volumetric attacks;
  • social engineering or phishing of WordKey staff or users;
  • physical attacks against WordKey facilities or devices;
  • findings from automated scanners without a demonstrated impact; and
  • issues in third-party services outside WordKey's control.

Recognition

We do not operate a paid bounty program yet. With your permission, we credit meaningful reports in our release notes, and reserve the right to reward exceptional findings at our discretion.

Contact

WordKey Inc. · security@wordkey.app