Vulnerability Disclosure Policy for charity: water

Security Researchers

We welcome vulnerability reports from all sources, including independent security researchers, partners, vendors, customers, and consultants. A security vulnerability is any unintended weakness or exposure that could compromise the confidentiality, integrity, or availability of our systems or data.

Our Commitment to Researchers

• Trust

  We maintain confidentiality and good faith when engaging with security researchers.

• Respect

  We value your contributions to keeping our systems and our community safe.

• Transparency

  We will work with you to validate and remediate reported vulnerabilities.

• Common Good

  We address issues in a manner that protects donors, staff, systems, and the broader public.

What We Ask of Researchers

• Trust

  Communicate potential vulnerabilities responsibly and give us time to validate and remediate.

• Respect

  Avoid privacy violations, service disruptions, or data destruction while testing.

• Transparency

  Provide sufficient technical detail to help us validate and address reported issues.

• Common Good

  Refrain from public disclosure until we have mitigated the vulnerability.

Scope

This policy applies to digital assets owned, operated, or maintained by charity: water and its subsidiaries and brands.

This includes:

• Charity Global, Inc.
• charity: water (US)
• charity: water (UK)
• The Experience Lab
• Thirst

This also includes any future brands or subsidiaries unless specifically excluded.

In-Scope Assets

You may test vulnerabilities in the following domains:

• donate.magicsu0001-dee.workers.dev
• www.thirstbook.com
• thewell.charitywater.org
• uk.charitywater.org
• donate.charitywater.org
• my.charitywater.org
• mycw.charitywater.org
• partner.charitywater.org
• partners.charitywater.org
• waterforward.charitywater.org

You may also report vulnerabilities in technical domains operated by charity: water, including:

• api.iot.charitywater.org
• api.sensors-data.charitywater.org
• iot.charitywater.org
• lima-production.charitywater.org
• picha.charitywater.org
• sensors-data.charitywater.org
• sensors.charitywater.org

Researchers are encouraged to submit any vulnerability they reasonably believe belongs to charity: water. This may involve any subdomain not explicitly listed as in- or out-of-scope. Take care when following links from charity: water websites, as they may lead to partners or third parties not in scope.

Out-of-Scope Assets

The following domains and subdomains are explicitly out of scope:

• *.charitywatercareers.org
• www-d.charitywater.org
• api-dev.sensors-data.charitywater.org
• api-stg.sensors-data.charitywater.org
• archive.charitywater.org
• archive-d.charitywater.org
• c4f99df29daeea232e176877b90fae46.dev-sensors.charitywater.org
• dev-sensors.charitywater.org
• blog.charitywater.org
• iot-dev.charitywater.org
• iot-stage.charitywater.org
• partner-d.charitywater.org
• picha-d.charitywater.org
• stage-aws.charitywater.org
• uk-d.charitywater.org
• wazi-d.charitywater.org
• my-stage.charitywater.org
• plannedgiving.charitywater.org
• email.charitywater.org
• links.charitywater.org
• stream.charitywater.org
• support.charitywater.org
• supportuk.charitywater.org
• handbook.charitywater.org
• helpme.charitywater.org
• brand.charitywater.org
• store.charitywater.org
• track.charitywater.org
• bounces.charitywater.org
• impact.charitywater.org
• wazi.charitywater.org
• wazi-aws.charitywater.org
• autodiscover.charitywater.org
• maps.charitywater.org
• go.charitywater.org
• cms.charitywater.org
• mail.charitywater.org

Rules of Engagement

This program currently allows:

• Unauthenticated testing
• Authenticated testing (You may create your own accounts. Do not attempt to access or modify accounts you do not own.)

To protect our systems and users, the following activities are strictly prohibited:

• Port scanning of any charity: water assets
• Automated scanning, fuzzing, or high-volume testing
• Automated/scripted testing against account creation, donation flows, newsletter forms, or contact forms
• Denial of Service or resource-exhaustion attacks
• Brute-force credential attacks or credential stuffing
• Use of stolen, leaked, or purchased credentials
• Attacks on end users or staff
• Social engineering, phishing, or vishing
• Physical security testing of any kind (including attempts to access offices, mail locations, employee home networks or devices, or in-person testing of any real-world asset)
• Testing that risks modifying or destroying production data

If a vulnerability exposes access to PII or sensitive data, stop immediately and report what you observed. Access only the minimum amount needed for proof-of-concept.

Vulnerability Types

In-Scope Focus Areas

We are particularly interested in vulnerabilities with meaningful security impact, including:

• Authentication issues
• Broken authentication
• Broken access control / IDOR
• Injection vulnerabilities (SQLi, command injection, template injection)
• Cross-site scripting (XSS)
• Cross-site request forgery (CSRF)
• Server-side request forgery (SSRF)
• Business logic flaws with impact
• Exposure of private keys, API keys, credentials, or sensitive data
• Secrets or sensitive data exposed in GitHub repositories

This list is not exhaustive. High-impact vulnerabilities outside these categories are welcome.

Out-of-Scope Types

Reports based solely on the following will not be considered in scope:

• Email & Domain Hygiene
  • DMARC / SPF / DKIM configuration issues
  • Email spoofing or sender reputation issues
• Non-Exploitable Issues
  • SSL/TLS configuration issues without demonstrated exploitability
  • Best-practice or informational findings (security headers, banner disclosures)
  • Known public files, directories, or metadata
  • Vulnerabilities requiring outdated or non-standard browsers
• Third-Party Systems
  • Issues in systems not owned or operated exclusively by charity: water
  • Issues in third-party integrations or SaaS tools
• DoS / Abuse / Traffic Volume
  • Denial of Service
  • Spamming or email flooding
  • Automated scanning or brute-force attacks
• Content, UX, or SEO Issues
  • Broken links
  • Text, imagery, layout, or UX bugs
  • Cookie notices or compliance display issues

Reporting Requirements

Please submit all findings through Bugcrowd with:

• Clear reproduction steps
• Proof-of-concept (PoC)
• Description of impact
• Relevant screenshots or logs
• The minimal amount of sensitive data required to demonstrate the issue (if any)

Reports without sufficient detail may be returned for clarification.

Non-Disclosure

charity: water VDP has a strict non-disclosure policy. No vulnerability may be shared publicly or privately until charity: water explicitly authorizes disclosure.