Responsible Vulnerability Disclosure
We care deeply about keeping our customers’ data safe and secure. Your input and feedback on our security is always appreciated.
Reporting an Issue
- A summary of the problem
- A PoC or breakdown of how to replicate the issue
- The operating system name and version, as well as the web browser's name and version, that you used to replicate the issue
Here’s how the process will go from there on:
- We will acknowledge your report.
- We will investigate the issue and may have clarifying questions.
- Once the issue is resolved, we will post an update along with our thanks and acknowledgement of your contribution. Note that at the moment we do not offer bug bounties other than good karma.
Things We’re Interested In
We are interested in any vulnerabilities related to the whimsical.com web site and application (excluding help.whimsical.com) such as:
- Authentication issues
- Circumvention of our Platform/Privacy permissions model
- Cross-site scripting (XSS) with meaningful exploit potential
- Cross-site request forgery (CSRF/XSRF). This excludes logout CSRF.
- Server-side code execution
We’d like to ask you to search for and report vulnerabilities responsibly, with the following principles in mind:
- Don’t try to access or manipulate other customers’ data; only test on your own account.
- Do not exfiltrate data from our infrastructure (including source code, data backups, configuration files).
- If you obtain remote access to our system, report your finding immediately. Do not attempt to pivot to other servers or elevate access.
- Please avoid techniques that might degrade the service for others (DoS, spamming, etc.).
- Please keep the vulnerabilities secret until you’ve notified us and we’ve had adequate time to remedy the issues.