Security Disclosure Policy

Last updated: 2026-05-23

Wheel Up Labs welcomes coordinated disclosure of security issues in:

  • The winusbridge-scan PowerShell diagnostic (source).
  • The WinUSBridge Toolkit pack (INF templates, PowerShell installer/uninstaller, scheduled-task persistence layer).
  • The winusbridge.com site itself, including the checkout flow.

How to report

Email contact@winusbridge.com with the subject line “Security Disclosure”. Please include:

  • The affected artifact and version (commit SHA / file hash where applicable).
  • Reproduction steps and observed impact.
  • Whether you want public credit, and if so, the name / handle to credit.

Response commitments

Wheel Up Labs is a small independent shop, not a 24/7 SOC. The following are best-effort, not contractual SLAs:

  • Acknowledgement of receipt within 5 business days.
  • Initial triage and severity assessment within 10 business days.
  • For critical issues with a verified reproduction, a published fix or formal advisory within 30 days.
  • For lower-severity issues, a published fix in the next regular release.

Coordinated disclosure

Please give us a reasonable opportunity to ship a fix before publishing. We commit to:

  • Not pursuing legal action against good-faith researchers acting within the scope of this policy.
  • Crediting reporters in the public advisory (if requested).
  • Coordinating a mutually agreed disclosure date.

Out of scope: testing against systems you do not own; social engineering against Wheel Up Labs or its hosting vendors; volumetric or denial-of-service testing against production infrastructure; physical-security testing.

Machine-readable

See /.well-known/security.txt (RFC 9116) for the machine-readable version.