As a global leader in media as well as SaaS for publishing, The Washington Post embraces responsible software development norms. To support a healthy internet ecology, we are sharing our Vulnerability Disclosure Policy. This policy describes the submission process for security researchers wanting to share their findings with our engineering teams.
To maintain confidentiality and exclusivity in the disclosure and remediation process
To strive to validate and remediate all serious findings in a timely manner
To respond clearly whenever remediation or validation efforts may be delayed
As we promise confidentiality, we ask that researchers do the same. Please do not disclose information about shared findings without written permission from our team.
Provide detailed and clear reproduction steps (proof of concept) when sharing findings, so we may validate them in a timely manner.
Save time by paying close attention to the out-of-scope section below.
Include an email address with the submission, so we can reach out for technical clarifications and follow-up.
Testing the physical security of our offices, employees, or equipment
Any non-web attacks such as social engineering or phishing
DoS/DDoS, or any other testing that may impact the operation of our systems
App or network scan reports, unvalidated test results, or “theoretical” findings
Access to, or modification of, any account that does not belong to the researcher
Testing that results in form or email spam, or unsolicited messages or alerts
Testing third-party SaaS apps or services, except self-hosted, IaaS, or CDN assets
Defacing any assets, or doing anything that may result in brand damage
BOLAs/IDORs, OWASP API Top 10, multi-stage logic flaws, account enumerations and iteration flaws, XML injections, auth problems, cloud data leakages, critical software version flaws, provable RFIs/LFIs, upload exploits, WAF bypasses.
Below you will find a form where you can submit your findings. Please include accurate and detailed findings to facilitate faster validation. Thank you and happy hunting!