At Whispir, our data security and privacy policies and processes reflect industry best practice; however, we acknowledge software isn’t always flawless. If you believe you’ve discovered a security vulnerability within one of our products, we strongly encourage you to disclose it to us as quickly as possible and in a responsible manner.
To encourage responsible disclosure, we will not take legal action against security researchers in relation to the discovery and reporting of a security vulnerability that complies with this Responsible Vulnerability Disclosure Policy. In the event of any non-compliance, we reserve all of our legal rights.
If in doubt, please contact the Whispir Information Security team by sending an email to firstname.lastname@example.org.
We will investigate legitimate reports and make every effort to quickly mitigate or remediate any vulnerability where security researchers meet the following guidelines:
The following finding types are excluded from our Responsible Vulnerability Disclosure Policy:
You can responsibly disclose security vulnerabilities to the Whispir Information Security team by emailing email@example.com using our PGP key below to encrypt sensitive information:
When reporting a security vulnerability, please include as much information as possible, including:
If issues reported via our Responsible Vulnerability Disclosure Policy affect a third-party library, external project, or another vendor, Whispir reserves the right to forward details of the issue to that party without approval from the researcher. We will do our best to coordinate and communicate with you through this process.
Once you have reported a security vulnerability, we will contact you to acknowledge your submission and keep you informed of our plans to remediate or otherwise mitigate legitimate vulnerabilities.
We ask that you maintain confidentiality and do not make your research public until we have completed our investigation and, if necessary, have remediated or mitigated the security vulnerability.
If a report is found to be a duplicate or is otherwise already known to us, the report will not be eligible for public recognition.
While we do not compensate researchers for identifying security vulnerabilities, we will recognise and thank, in the form of a ‘Hall of Fame’, those who help keep our products safe by reporting security vulnerabilities responsibly in accordance with our Responsible Vulnerability Disclosure Policy.