At Whispir our data security and privacy policies and processes reflect industry best practice however, we acknowledge software isn\u2019t always flawless. If you believe you\u2019ve discovered a security vulnerability within one of our products, we strongly encourage you disclose it to us as quickly as possible and in a responsible manner.<\/p>\n
To encourage responsible disclosure, we will not take legal action against security researchers in relation to the discovery and reporting of a security vulnerability that complies with this Responsible Vulnerability Disclosure Policy. In the event of any non-compliance, we reserve all of our legal rights.<\/p>\n
If in doubt, please contact the Whispir Information Security team by sending an email to\u00a0infosec@www.whispir.com<\/a>.<\/p>\n We will investigate legitimate reports and make every effort to quickly mitigate or remediate any vulnerability where security researchers meet the following guidelines:<\/p>\n Avoid privacy violations, destruction of data, and interruption or degradation of our services;<\/p>\n<\/li>\n Do not modify, access or exfiltrate data that does not belong to you;<\/p>\n<\/li>\n Do not conduct social engineering (including phishing) of Whispir employees, contractors or customers or any other party;<\/p>\n<\/li>\n Do not post, transmit, upload, or link malware, viruses or similar harmful software that could impact our services, products or customers or any other third party;<\/p>\n<\/li>\n Do not test third party websites, applications or services that integrate with our services or products;<\/p>\n<\/li>\n Give Whispir a reasonable time to correct the issue before making any information public;<\/p>\n<\/li>\n Do not undertake any activity that violates any law.<\/p>\n<\/li>\n<\/ul>\n The following finding types are excluded from our Responsible Vulnerability Disclosure Policy:<\/p>\n Reports from automated vulnerability scanners;<\/p>\n<\/li>\n HTTP 404 codes or pages, or other HTTP non-200 codes or pages;<\/p>\n<\/li>\n Fingerprinting or banner disclosure on common and public services;<\/p>\n<\/li>\n Disclosure of known public files or directories, such as robots.txt;<\/p>\n<\/li>\n Self-exploitation issues (such as self XSS, cookie reuse, self denial of service, etc).<\/p>\n<\/li>\n Issues submitted without working proof of concept<\/p>\n<\/li>\n Missing HTTP security headers<\/p>\n<\/li>\n Weak password policy implementation<\/p>\n<\/li>\n Outdated or vulnerable libraries, frameworks in use<\/p>\n<\/li>\n CSRF token missing on public pages, login pages or contact forms<\/p>\n<\/li>\n Error messages such as web server stack traces, application errors<\/p>\n<\/li>\n Lack of flags such as ‘secure’, ‘httpOnly’, ‘Cache-Control’, ‘Pragma’<\/p>\n<\/li>\n Insecure TLS\/SSL configuration without working proof of concept<\/p>\n<\/li>\n Issues related to rate limiting, brute forcing<\/p>\n<\/li>\n DMARC, SPF, DKIM email security<\/p>\n<\/li>\n Enabled HTTP methods such as OPTIONS, TRACE, DELETE, PUT, WEBDAV, etc<\/p>\n<\/li>\n Public files exposed by forced browsing<\/p>\n<\/li>\n Account lockout not enforced<\/p>\n<\/li>\n HTTP or DNS cache poisoning<\/p>\n<\/li>\n Clickjacking<\/p>\n<\/li>\n<\/ul>\n You can responsibly disclose security vulnerabilities to the Whispir Information Security team by emailing\u00a0infosec@www.whispir.com<\/a>\u00a0using our PGP key below to encrypt sensitive information:<\/p>\nResponsible Vulnerability Disclosure Guidelines<\/h3>\n
\n
\n
How to Responsibly Report a Vulnerability<\/h3>\n