Vulnerability Disclosure Policy

At Whispir our data security and privacy policies and processes reflect industry best practice however, we acknowledge software isn’t always flawless. If you believe you’ve discovered a security vulnerability within one of our products, we strongly encourage you disclose it to us as quickly as possible and in a responsible manner.

To encourage responsible disclosure, we will not take legal action against security researchers in relation to the discovery and reporting of a security vulnerability that complies with this Responsible Vulnerability Disclosure Policy. In the event of any non-compliance, we reserve all of our legal rights.

If in doubt, please contact the Whispir Information Security team by sending an email to infosec@whispir.com.

Responsible Vulnerability Disclosure Guidelines

We will investigate legitimate reports and make every effort to quickly mitigate or remediate any vulnerability where security researchers meet the following guidelines:

  • Avoid privacy violations, destruction of data, and interruption or degradation of our services;
  • Do not modify, access or exfiltrate data that does not belong to you;
  • Do not conduct social engineering (including phishing) of Whispir employees, contractors or customers or any other party;
  • Do not post, transmit, upload, or link malware, viruses or similar harmful software that could impact our services, products or customers or any other third party;
  • Do not test third party websites, applications or services that integrate with our services or products;
  • Give Whispir a reasonable time to correct the issue before making any information public;
  • Do not undertake any activity that violates any law.

The following finding types are excluded from our Responsible Vulnerability Disclosure Policy:

  • Reports from automated vulnerability scanners;
  • HTTP 404 codes or pages, or other HTTP non-200 codes or pages;
  • Fingerprinting or banner disclosure on common and public services;
  • Disclosure of known public files or directories, such as robots.txt;
  • Self-exploitation issues (such as self XSS, cookie reuse, self denial of service, etc).
  • Issues submitted without working proof of concept
  • Missing HTTP security headers
  • Weak password policy implementation
  • Outdated or vulnerable libraries, frameworks in use
  • CSRF token missing on public pages, login pages or contact forms
  • Error messages such as web server stack traces, application errors
  • Lack of flags such as 'secure', 'httpOnly', 'Cache-Control', 'Pragma'
  • Insecure TLS/SSL configuration without working proof of concept
  • Issues related to rate limiting, brute forcing
  • DMARC, SPF, DKIM email security
  • Enabled HTTP methods such as OPTIONS, TRACE, DELETE, PUT, WEBDAV, etc
  • Public files exposed by forced browsing
  • Account lockout not enforced
  • HTTP or DNS cache poisoning

How to Responsibly Report a Vulnerability

You can responsibly disclose security vulnerabilities to the Whispir Information Security team by emailing infosec@whispir.com using our PGP key below to encrypt sensitive information:

Download PGP Key

When reporting a security vulnerability, please include as much information as possible, including:

  • Details of the security vulnerability including the products or services that may be affected;
  • The steps required to reproduce and validate the vulnerability and a Proof of Concept (POC);
  • The names of any test accounts you have created (where applicable); and
  • Your contact information.

Third-party vulnerabilities

If issues reported via our Responsible Vulnerability Disclosure Policy affect a third-party library, external project, or another vendor, Whispir reserves the right to forward details of the issue to that party without approval from the researcher. We will do our best to coordinate and communicate with you through this process.

What happens next?

Once you have reported a security vulnerability, we will contact you to acknowledge your submission and keep you informed of our plans to remediate or otherwise mitigate legitimate vulnerabilities.

We ask that you maintain confidentiality and do not make your research public until we have completed our investigation and, if necessary, have remediated or mitigated the security vulnerability.

If a report is found to be a duplicate or is otherwise already known to us, the report will not be eligible for public recognition.

Recognition

While we do not compensate researchers for identifying security vulnerabilities we will recognise and thank you in the form of a ‘Hall of Fame’ for those who help keep our products safe by reporting security vulnerabilities responsibly in accordance with our Responsible Vulnerability Disclosure Policy.