How to Report an Issue

Please send details of the issue to If you'd like to encrypt your message, please use our PGP public key. We will respond within one business day and assign a point of contact to follow up on the issue.

Please include a detailed summary of the issue and steps on how to reproduce it.

Researcher Promise

Wellthy is committed to working with security researchers to help identify and fix vulnerabilities in our systems and services. As long as you act in good faith and abide by the guidelines outlined in this policy, we will make our best effort to commit to the following:

  • Provide an initial response to your vulnerability report within one business day.
  • Determine if we will accept (intend to fix) or reject (identify your report as a false positive or acceptable risk) your vulnerability report within ten business days.
  • Keep you up to date on progress towards remediation of reports we accept from you.


As you research issues, please adhere to the below guidelines:

Do Not:

  • Do not attempt to conduct post-exploitation, including modification or destruction of data, and interruption or degradation of Wellthy services.
  • Do not attempt to access or modify another user’s account or data. Do not otherwise interfere with any other users' accounts.
  • Do not expose any data belonging to other users.
  • Do not attempt to target Wellthy employees or its customers, including social engineering attacks, phishing attacks or physical attacks.
  • Do not perform physical attacks against any Wellthy facility.
  • Do not interrupt or degrade our services. Do not attempt to perform brute-force attacks or denial-of-service attacks.
  • Do not threaten or try to extort Wellthy. Do not act in bad faith and make ransom requests. You should simply report the vulnerability to us.

What else?

  • Non-production versions of the site (i.e. demo or staging instances) are not within scope of this policy.
  • Please make sure to use the User-Agent string wellthyvrpresearcher_yourwellthyusername while testing.
  • Limited usage of automated scanners/tools is allowed with above User-Agent applied and scanners/tools must be configured to not send more than 5 requests per second to any particular service.

NOTE: If you encounter user information that is not your own in the course of your research, please stop and report this activity to our team so we can investigate. Please report to us what information was accessed and delete the data. Do not save, copy, transfer, or otherwise use this data. Continuing to access another person’s data may be regarded as evidence of a lack of good faith.


This policy applies to the following systems and services:

If you find any issues with the following systems and services please report them to their respective vendor:

Any service not expressly listed above, such as any connected services, are excluded from scope and are not authorized for testing. Additionally, vulnerabilities found in systems from our vendors fall outside of this policy’s scope and should be reported directly to the vendor according to their disclosure policy (if any). If you aren’t sure whether a system is in scope or not, contact us at before starting your research.


We respect the effort and skill that goes into finding and disclosing security issues. We credit researchers based on the value of the contribution. On a monthly basis, we will review submissions and update the below list. Credit will not be given for items which were first reported by another researcher. Wellthy retains the right to modify or discontinue this program at any time.

We would like to thank the following people: