Vulnerability Disclosure Policy
At Whispir our data security and privacy policies and processes reflect industry best practice however, we acknowledge software isn’t always flawless. If you believe you’ve discovered a security vulnerability within one of our products, we strongly encourage you disclose it to us as quickly as possible and in a responsible manner.
To encourage responsible disclosure, we will not take legal action against security researchers in relation to the discovery and reporting of a security vulnerability that complies with this Responsible Vulnerability Disclosure Policy. In the event of any non-compliance, we reserve all of our legal rights.
If in doubt, please contact the Whispir Information Security team by sending an email to email@example.com.
Responsible Vulnerability Disclosure Guidelines
We will investigate legitimate reports and make every effort to quickly mitigate or remediate any vulnerability where security researchers meet the following guidelines:
Avoid privacy violations, destruction of data, and interruption or degradation of our services;
Do not modify, access or exfiltrate data that does not belong to you;
Do not conduct social engineering (including phishing) of Whispir employees, contractors or customers or any other party;
Do not post, transmit, upload, or link malware, viruses or similar harmful software that could impact our services, products or customers or any other third party;
Do not test third party websites, applications or services that integrate with our services or products;
Give Whispir a reasonable time to correct the issue before making any information public;
Do not undertake any activity that violates any law.
The following finding types are excluded from our Responsible Vulnerability Disclosure Policy:
Reports from automated vulnerability scanners;
HTTP 404 codes or pages, or other HTTP non-200 codes or pages;
Fingerprinting or banner disclosure on common and public services;
Disclosure of known public files or directories, such as robots.txt;
Self-exploitation issues (such as self XSS, cookie reuse, self denial of service, etc).
Issues submitted without working proof of concept
Missing HTTP security headers
Weak password policy implementation
Outdated or vulnerable libraries, frameworks in use
CSRF token missing on public pages, login pages or contact forms
Error messages such as web server stack traces, application errors
Lack of flags such as 'secure', 'httpOnly', 'Cache-Control', 'Pragma'
Insecure TLS/SSL configuration without working proof of concept
Issues related to rate limiting, brute forcing
DMARC, SPF, DKIM email security
Enabled HTTP methods such as OPTIONS, TRACE, DELETE, PUT, WEBDAV, etc
Public files exposed by forced browsing
Account lockout not enforced
HTTP or DNS cache poisoning
How to Responsibly Report a Vulnerability
You can responsibly disclose security vulnerabilities to the Whispir Information Security team by emailing firstname.lastname@example.org using our PGP key below to encrypt sensitive information:
When reporting a security vulnerability, please include as much information as possible, including:
Details of the security vulnerability including the products or services that may be affected;
The steps required to reproduce and validate the vulnerability and a Proof of Concept (POC);
The names of any test accounts you have created (where applicable); and
Your contact information.
If issues reported via our Responsible Vulnerability Disclosure Policy affect a third-party library, external project, or another vendor, Whispir reserves the right to forward details of the issue to that party without approval from the researcher. We will do our best to coordinate and communicate with you through this process.
What happens next?
Once you have reported a security vulnerability, we will contact you to acknowledge your submission and keep you informed of our plans to remediate or otherwise mitigate legitimate vulnerabilities.
We ask that you maintain confidentiality and do not make your research public until we have completed our investigation and, if necessary, have remediated or mitigated the security vulnerability.
If a report is found to be a duplicate or is otherwise already known to us, the report will not be eligible for public recognition.
While we do not compensate researchers for identifying security vulnerabilities we recognize and thank the following contributors who have helped keep our products safe by reporting security vulnerabilities responsibly in accordance with our Responsible Vulnerability Disclosure Policy:
Shaun Budding @pudsec / Vulnerability class - sub domain takeover