Whatbox Logo

Security Policy

Reporting discoveries



We value the knowledge of hackers acting in good faith to help us protect the security and privacy of our users. We encourage and reward responsible vulnerability research and disclosure. This policy explains our expectations and what you can expect from us.


When working with us according to this policy, you can expect us to:

  • Work with you to understand and validate your report, including a timely initial response to the submission;
  • Work to remediate discovered vulnerabilities in a timely manner; and
  • Work to develop a timely vulnerability publication schedule with you; and
  • Recognize your contribution to improving our security if you are the first to report a unique vulnerability, and your report triggers a code or configuration change.

Ground Rules

To encourage vulnerability research and to avoid any confusion between legitimate research and malicious attack, we ask that you attempt, in good faith, to:

  • Play by the rules. This includes following this policy, as well as any other referenced agreements;
  • Report any vulnerability you’ve discovered to us promptly;
  • Avoid violating the privacy of others, disrupting our systems, destroying data, and/or harming user experience;
  • Use only the Official Channels to discuss vulnerability information with us;
  • Keep the details of any discovered vulnerabilities confidential until we have worked out a publication schedule, in accordance with this policy they are fixed, according to the Disclosure Policy;
  • Perform testing only on in-scope systems, and respect systems and activities which are out-of-scope;
  • If a vulnerability provides unintended access to data: Limit the amount of data you access to the minimum required for effectively demonstrating a Proof of Concept; and cease testing and submit a report immediately if you encounter any user data during testing, including any proprietary information or data about an identifiable individual, such as financial data, or personal health information;
  • You should only interact with test accounts you own or with explicit permission from the account holder; and
  • Do not engage in extortion.

Safe Harbour

We consider vulnerability research that attempts, in good faith, to comply with this policy to be:

  • Authorized and with colour of right and, as such, consistent with sections 429(2) and 342.1 of the Criminal Code (and/or similar state laws);
  • Authorized to the extent that it would otherwise interfere with any rights granted to us under the Copyright Act [RSC 1985, c C-42,][including ss 3, 15 and 41 of that act], and carried out with our consent [as envisioned by sections 30.63 and 41.15];
  • Exempt from any relevant restrictions in our Terms & Conditions, and we waive those restrictions to the extent they are inconsistent with this policy; and
  • Lawful, helpful to the overall security of the Internet, and conducted for our benefit.

This policy prevails over any other inconsistent term or agreement.

We will not initiate or support any legal action against you for any vulnerability research that is consistent with this policy, or for any accidental, good faith violations of this policy. To the extent that some of your vulnerability research falls outside of this policy (e.g. if some of your research impacts out of scope systems) this policy will continue to apply with respect to any of your activities that remain compliant with it.

This policy solely operates as a safe harbour from independent potential legal obligations or liabilities. Failure to comply with this policy will disqualify you from the safe harbour it establishes, but should not be read as creating legal obligations that would not otherwise exist or extending such obligations beyond their independent scope.

You are expected, as always, to comply with all applicable laws.

While we may change this policy from time to time, such changes will not be applied retrospectively, and the safe harbour outlined here is irrevocably extended to any vulnerability research that is carried out while this policy remains in effect.

If at any time you have concerns or are uncertain whether your security research is consistent with this policy, please submit a report through one of our Official Channels before going any further.

Scope, Out-of-Scope & Rewards

Due to the breadth of our infrastructure, we have divided our program into categories. Please visit the appropriate section for scope and reward information on the component you will be testing.

Scope Payouts Most recent
whatbox.ca website 18,225 USD 2024-05-17
Shared servers 7,545 USD 2024-03-27
Other infrastructure 2,350 USD 2021-09-25

Disclosure Policy

Coordinated Disclosure: You can share details of a vulnerability publicly after we have applied a fix and provided you with permission OR after 90 days from submission, whichever is sooner.