Vulnerability Disclosure Policy for charity: water

Effective Date: December 2025

Vulnerability Disclosure Policy Introduction & Scope

Charity Global, Inc. (“charity: water”) believes effective disclosure of security vulnerabilities requires mutual trust, respect, transparency, and a commitment to the common good between charity: water and the security research community. By working together, we strengthen the security and privacy of our donors, supporters, partners, and the communities we serve.

Security Researchers

We welcome vulnerability reports from all sources, including independent security researchers, partners, vendors, customers, and consultants. A security vulnerability is any unintended weakness or exposure that could compromise the confidentiality, integrity, or availability of our systems or data.

Our Commitment to Researchers

  • Trust

    We maintain confidentiality and good faith when engaging with security researchers.

  • Respect

    We value your contributions to keeping our systems and our community safe.

  • Transparency

    We will work with you to validate and remediate reported vulnerabilities.

  • Common Good

    We address issues in a manner that protects donors, staff, systems, and the broader public.

What We Ask of Researchers

  • Trust

    Communicate potential vulnerabilities responsibly and give us time to validate and remediate.

  • Respect

    Avoid privacy violations, service disruptions, or data destruction while testing.

  • Transparency

    Provide sufficient technical detail to help us validate and address reported issues.

  • Common Good

    Refrain from public disclosure until we have mitigated the vulnerability.

Scope

This policy applies to digital assets owned, operated, or maintained by charity: water and its subsidiaries and brands.

This includes:

  • Charity Global, Inc.
  • charity: water (US)
  • charity: water (UK)
  • The Experience Lab
  • Thirst

This also includes any future brands or subsidiaries unless specifically excluded.

In-Scope Assets

You may test vulnerabilities in the following domains:

  • www.charitywater.org
  • www.thirstbook.com
  • thewell.charitywater.org
  • uk.charitywater.org
  • donate.charitywater.org
  • my.charitywater.org
  • mycw.charitywater.org
  • partner.charitywater.org
  • partners.charitywater.org
  • waterforward.charitywater.org

You may also report vulnerabilities in technical domains operated by charity: water, including:

  • api.iot.charitywater.org
  • api.sensors-data.charitywater.org
  • iot.charitywater.org
  • lima-production.charitywater.org
  • picha.charitywater.org
  • sensors-data.charitywater.org
  • sensors.charitywater.org

Researchers are encouraged to submit any vulnerability they reasonably believe belongs to charity: water, including issues found on subdomains that are not explicitly listed as in scope or out of scope. Take care when following links from charity: water websites: they may lead to partner or third-party systems that are not in scope.

Out-of-Scope Assets

The following domains and subdomains are explicitly out of scope:

  • *.charitywatercareers.org
  • www-d.charitywater.org
  • api-dev.sensors-data.charitywater.org
  • api-stg.sensors-data.charitywater.org
  • archive.charitywater.org
  • archive-d.charitywater.org
  • c4f99df29daeea232e176877b90fae46.dev-sensors.charitywater.org
  • dev-sensors.charitywater.org
  • blog.charitywater.org
  • iot-dev.charitywater.org
  • iot-stage.charitywater.org
  • partner-d.charitywater.org
  • picha-d.charitywater.org
  • stage-aws.charitywater.org
  • uk-d.charitywater.org
  • wazi-d.charitywater.org
  • my-stage.charitywater.org
  • plannedgiving.charitywater.org
  • email.charitywater.org
  • links.charitywater.org
  • stream.charitywater.org
  • support.charitywater.org
  • supportuk.charitywater.org
  • handbook.charitywater.org
  • helpme.charitywater.org
  • brand.charitywater.org
  • store.charitywater.org
  • track.charitywater.org
  • bounces.charitywater.org
  • impact.charitywater.org
  • wazi.charitywater.org
  • wazi-aws.charitywater.org
  • autodiscover.charitywater.org
  • maps.charitywater.org
  • go.charitywater.org
  • cms.charitywater.org
  • mail.charitywater.org

Rules of Engagement

This program currently allows:

  • Unauthenticated testing
  • Authenticated testing (You may create your own accounts. Do not attempt to access or modify accounts you do not own.)

To protect our systems and users, the following activities are strictly prohibited:

  • Port scanning of any charity: water assets
  • Automated scanning, fuzzing, or high-volume testing
  • Automated/scripted testing against account creation, donation flows, newsletter forms, or contact forms
  • Denial of Service or resource-exhaustion attacks
  • Brute-force credential attacks or credential stuffing
  • Use of stolen, leaked, or purchased credentials
  • Attacks on end users or staff
  • Social engineering, phishing, or vishing
  • Physical security testing of any kind (including attempts to access offices, mail locations, employee home networks or devices, or in-person testing of any real-world asset)
  • Testing that risks modifying or destroying production data

If a vulnerability exposes PII or other sensitive data, stop testing immediately and report what you observed. Access only the minimum amount of data needed to demonstrate the issue, and do not go further than that to prove impact.

Vulnerability Types

In-Scope Focus Areas

We are particularly interested in vulnerabilities with meaningful security impact, including:

  • Authentication issues, including broken authentication
  • Broken access control / IDOR
  • Injection vulnerabilities (SQLi, command injection, template injection)
  • Cross-site scripting (XSS)
  • Cross-site request forgery (CSRF)
  • Server-side request forgery (SSRF)
  • Business logic flaws with impact
  • Exposure of private keys, API keys, credentials, or sensitive data
  • Secrets or sensitive data exposed in GitHub repositories

This list is not exhaustive. High-impact vulnerabilities outside these categories are welcome.

Out-of-Scope Types

Reports based solely on the following will not be considered in scope:

  • Email & Domain Hygiene
    • DMARC / SPF / DKIM configuration issues
    • Email spoofing or sender reputation issues
  • Non-Exploitable Issues
    • SSL/TLS configuration issues without demonstrated exploitability
    • Best-practice or informational findings (security headers, banner disclosures)
    • Known public files, directories, or metadata
    • Vulnerabilities requiring outdated or non-standard browsers
  • Third-Party Systems
    • Issues in systems not owned or operated exclusively by charity: water
    • Issues in third-party integrations or SaaS tools
  • DoS / Abuse / Traffic Volume
    • Denial of Service
    • Spamming or email flooding
    • Automated scanning or brute-force attacks
  • Content, UX, or SEO Issues
    • Broken links
    • Text, imagery, layout, or UX bugs
    • Cookie notices or compliance display issues

Reporting Requirements

Please submit all findings through Bugcrowd with:

  • Clear reproduction steps
  • Proof-of-concept (PoC)
  • Description of impact
  • Relevant screenshots or logs
  • The minimal amount of sensitive data required to demonstrate the issue (if any)

Reports without sufficient detail may be returned for clarification.

Non-Disclosure

The charity: water VDP has a strict non-disclosure policy: no vulnerability may be shared publicly or privately until charity: water explicitly authorizes disclosure.

Safe Harbor

When conducting vulnerability research according to this policy:

  • We consider testing conducted in accordance with this policy to be authorized access for the purposes of the Computer Fraud and Abuse Act (CFAA) and similar laws.
  • We will not pursue legal action for accidental, good-faith violations of this policy.
  • We will not bring DMCA anti-circumvention claims against you for research conducted under this policy.
  • Restrictions in our Terms & Conditions that would interfere with this testing are waived solely for work performed under this policy.
  • You must comply with all applicable laws and avoid harming users or systems.
  • If you have questions about whether something is in scope or safe to test, ask through Bugcrowd before proceeding.