Vulnerability Disclosure Policy

Last Updated: 2024-12-19

1. Policy Purpose

At Whispie, we are committed to maintaining the highest level of security for our users. This policy provides guidance for security researchers to responsibly disclose vulnerabilities found in Whispie systems and third-party integrations (Stripe, Supabase, Facebook, Google Analytics, Twilio, etc.).

We believe that working with security researchers across the globe is crucial to keeping our users safe. We encourage you to contact us to report any potential vulnerabilities you discover.

2. Scope

✅ In-Scope Systems

  • whispieapp.com and all subdomains
  • Whispie mobile applications (iOS & Android)
  • All API endpoints and services
  • Third-party integrations and services:
    • Stripe payment systems
    • Supabase database and authentication
    • Twilio SMS verification
    • Facebook/Meta advertising integrations
    • Google Analytics implementation
    • Cloudflare security services

❌ Out-of-Scope

  • Physical security assessments
  • Social engineering attacks
  • DDoS attacks or volumetric testing
  • Attacks against Whispie employees or infrastructure
  • Third-party services not directly integrated with Whispie
  • Theoretical vulnerabilities without proof-of-concept
  • Missing security headers without demonstrated impact

3. Responsible Disclosure Rules

✅ What to Do

  • Notify us immediately after discovering a potential vulnerability
  • Use the minimum amount of sensitive data necessary to demonstrate the vulnerability
  • Provide detailed documentation of your findings
  • Keep communication about the vulnerability confidential
  • Allow reasonable time for us to address the vulnerability
  • Test against your own accounts or test data whenever possible

❌ What Not to Do

  • Delete, modify, or steal data
  • Perform tests that could cause service interruption
  • Violate the privacy of other users
  • Use social engineering against employees or users
  • Perform physical attacks against our infrastructure
  • Disclose vulnerabilities publicly before we've had time to address them
  • Demand payment or compensation for vulnerability reports

4. Special Rules for Third-Party Integrations

🔵 Facebook (Meta) Integration

  • Avoid abusing Facebook APIs or exceeding rate limits
  • Do not attempt to access user data without authorization
  • Follow Facebook's own security policies and bug bounty program
  • Report Facebook-specific vulnerabilities to their security team when applicable

🟢 Google Analytics Integration

  • Be cautious when testing analytics data collection mechanisms
  • Avoid using real user data in testing
  • Comply with Google's Terms of Service
  • Focus on Whispie's implementation, not Google's infrastructure

🟣 Stripe Integration

  • Do not test with live payment transactions
  • Use test cards and sandbox environments only
  • Follow Stripe's security policies and disclosure guidelines
  • Report Stripe-specific vulnerabilities to their security team

🟠 Supabase Integration

  • Test database security without accessing real user data
  • Use test accounts and databases when possible
  • Follow Supabase's security guidelines
  • Focus on Whispie's implementation of Supabase services

5. Disclosure Process

1
Initial Report
Email your findings to [email protected] with detailed information including:
  • Description of the vulnerability
  • Steps to reproduce
  • Potential impact
  • Suggested fixes (if any)
2
Verification
Our security team will acknowledge receipt within 24-48 hours and verify the vulnerability within 3 business days.
3
Remediation
We will develop a fix for the vulnerability based on its severity and complexity.
4
Notification
We will keep you updated on our progress and notify you when the vulnerability is resolved.
5
Public Disclosure
After the fix is deployed, we may publicly acknowledge your contribution (with your permission).

6. Response Timelines

  • Initial Response: 24-48 hours
  • Vulnerability Verification: 3 business days
  • Remediation Development: Varies based on severity and complexity
  • Public Disclosure: 30 days after remediation

Note: Complex vulnerabilities may require additional time for proper remediation.

7. Contact Information

Security Email: [email protected]

PGP Key: Download Here

Emergency Contact: +1-XXX-XXX-XXXX (For critical security incidents only)

Encryption: We encourage you to encrypt your reports using our PGP key for sensitive information.

8. Legal Protections

We will not initiate legal action against you for conducting security research in accordance with this policy. We consider activities conducted consistent with this policy to constitute "authorized" conduct under the Computer Fraud and Abuse Act.

However, if your actions include activities that are not authorized by this policy, we reserve the right to take all appropriate action, including legal recourse.

9. Recognition Program

While we do not currently operate a formal bug bounty program, we believe in recognizing the valuable contributions of security researchers. With your permission, we may:

  • Add your name to our Security Hall of Fame
  • Publicly acknowledge your contribution
  • Provide a letter of recognition for your professional portfolio

We are continuously evaluating our security recognition programs and may introduce monetary rewards in the future.

10. Policy Updates

We may update this policy from time to time. The "Last Updated" date at the top of this page indicates when the most recent changes were made. We encourage you to review this policy periodically.