Vulnerability Disclosure Policy
November 21, 2023
Security and privacy are Whistic’s primary objectives. We employ a variety of tools and processes to continually analyze and improve our security practices. However, the constant evolution of threats makes it impossible for our team to stay ahead of all potential vulnerabilities.
Because our own team has competing priorities and limited resources, we welcome independent security research on our Services. All internet-facing assets are in scope, with preference given to issues found under console.whistic.co.
We provide safe harbor with respect to the Computer Fraud and Abuse Act (“CFAA”), the Digital Millennium Copyright Act (“DMCA”), and any similar or successor legislation for all research that is conducted in good faith. We also permit and encourage responsible disclosure of any vulnerability findings, as long as no such disclosure violates the confidentiality of any in-scope data or Whistic customer data.
Legal Terms
By participating under this policy, you agree to and are bound by the terms and conditions detailed on this page. These terms are governed by Delaware law and constitute the entire agreement between you and Whistic. Any changes to the terms of this policy must be made in writing and agreed upon by both parties.
Whistic will not publicly disclose the identity of any researcher that reports a vulnerability through this policy without their consent unless required to do so by law.
If litigation is initiated against you by a third party based on your disclosure(s) and your actions were fully in compliance with the terms and conditions of this policy, Whistic may, at its sole discretion, take reasonable steps to notify the concerned parties that your actions were conducted in full compliance with our policy.
Unless required to do so by federal, state, or local law enforcement, Whistic does not intend to pursue legal action against researchers or disclosures where the research was conducted in good faith, adhered to the strictest standards of confidentiality with respect to data it did not own, and complied with the Whistic Terms of Service.
Conducting research and testing
Automated vulnerability scanning tools are strictly prohibited, and may result in being banned from further research participation and/or legal action where applicable.
You may only conduct research and tests on publicly available resources and endpoints, or with your rightfully assigned user account. You may not attempt to gain access to any other user’s account. You may not compromise or attempt to compromise any other user’s account or any confidential information that is owned by Whistic.
All research and tests must not disrupt, intercept, or compromise any data that you do not own, and must not violate any international, federal, state, or local laws or regulations.
In the event of an inadvertent violation or disruption of service (e.g. you access another user’s data or change a service configuration), immediately report the incident to security@whistic.com. Any data accessed in the course of such research or testing must not be recorded, stored, used, disclosed, or further accessed in any way.
Disclosure Reporting Procedures
Public disclosure of the results of any submission requires explicit written permission from an authorized Whistic representative. Any public disclosure made without explicit written permission from Whistic will disqualify the reporter from all future participation under this policy and will be prosecuted to the fullest extent of applicable law.
If you have discovered a vulnerability, please collect and send as many of the following points as possible to security@whistic.com:
- Screenshots of the UI, console, or tool dashboards throughout the collection and analysis process
- Detailed steps to replicate the vulnerability
- Affected endpoint(s)
Encouraged Submission Types
- OWASP Top 10
- Business Logic vulnerabilities
- Information Disclosure
- Data Exposure
- Authorization/authentication issues
Excluded Submission Types
- Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks
- Spam reports
- Phishing, vishing, spear phishing reports
- Social engineering reports
- Open ports with no accompanying demonstration or proof of concept of vulnerability
- Findings generated by automated tools without detailed explanation on what parts are vulnerable and how the vulnerability might be exploited
- Findings reported under the console.whistic.com domain (the approved domain is console.whistic.co)
Payment Tier
Due to resource constraints, we are not currently offering financial rewards for bug bounty submissions. Upon request, we can provide a recognition letter as a demonstration of our gratitude for your contribution to our security efforts.
Disclaimers
This policy does not provide monetary rewards for submissions. Submission of a report does not automatically qualify the submitter(s) for rewards or recognition in any form.
Whistic reserves the right to change, remove, or modify the terms and conditions of this policy at any time, with or without notice. Before sending each submission, please review the terms of this policy to ensure full compliance. Submitting reports outside of the stated reporting procedures, or reports of excluded submission types, will result in a temporary ban; continued or severe instances of abuse or non-compliance will result in a permanent ban.
Whistic does not guarantee any response or remuneration for reported vulnerabilities. However, Whistic will make its best effort to acknowledge receipt of the reported vulnerability and to share other pertinent, disclosable information with the reporter as Whistic Security Team availability permits. Factors that influence the response timeline include the severity, likelihood, and impact of the vulnerability, as well as the current obligations and priorities of the Whistic Security Team.