Temporary rate limit
Due to an increase in invalid reports, we are temporarily introducing the following changes to minimize the burden on our engineering team:
- Reports will be triaged on Monday each week, rather than 7 days a week.
- We will triage no more than two reports per researcher each week.
Security is core to our values, and we value the input of hackers acting in good faith to help us maintain a high standard of security and privacy for our users. This includes encouraging responsible vulnerability research and disclosure. This policy sets out our definition of good faith in the context of finding and reporting vulnerabilities, as well as what you can expect from us in return.
When working with us according to this policy, you can expect us to:
- Work with you to understand and validate your report, including a timely initial response to the submission;
- Work to remediate discovered vulnerabilities in a timely manner;
- Work to develop a timely vulnerability publication schedule with you; and
- Recognize your contribution to improving our security if you are the first to report a unique vulnerability, and your report triggers a code or configuration change.
To encourage vulnerability research and to avoid any confusion between legitimate research and malicious attack, we ask that you attempt, in good faith, to:
- Play by the rules. This includes following this policy, as well as any other referenced agreements;
- Report any vulnerability you’ve discovered to us promptly;
- Avoid violating the privacy of others, disrupting our systems, destroying data, and/or harming user experience;
- Use only the Official Channels to discuss vulnerability information with us;
- Keep the details of any discovered vulnerabilities confidential until they are fixed and we have worked out a publication schedule with you, in accordance with the Disclosure Policy;
- Perform testing only on in-scope systems, and respect systems and activities which are out-of-scope;
- If a vulnerability provides unintended access to data: limit the amount of data you access to the minimum required to effectively demonstrate a proof of concept; and cease testing and submit a report immediately if you encounter any user data during testing, including any proprietary information or data about an identifiable individual, such as financial data or personal health information;
- Interact only with test accounts you own, or with the explicit permission of the account holder; and
- Do not engage in extortion.
We consider vulnerability research that attempts, in good faith, to comply with this policy to be:
- Authorized and with colour of right and, as such, consistent with sections 429(2) and 342.1 of the Criminal Code (and/or similar state laws);
- Authorized to the extent that it would otherwise interfere with any rights granted to us under the Copyright Act (RSC 1985, c C-42, including ss 3, 15 and 41 of that Act), and carried out with our consent (as envisioned by sections 30.63 and 41.15);
- Exempt from any relevant restrictions in our Terms & Conditions, and we waive those restrictions to the extent they are inconsistent with this policy; and
- Lawful, helpful to the overall security of the Internet, and conducted for our benefit.
This policy prevails over any other inconsistent term or agreement.
We will not initiate or support any legal action against you for any vulnerability research that is consistent with this policy, or for any accidental, good-faith violations of this policy. To the extent that some of your vulnerability research falls outside of this policy (e.g. if some of your research impacts out-of-scope systems), this policy will continue to apply with respect to any of your activities that remain compliant with it.
This policy solely operates as a safe harbour from independent potential legal obligations or liabilities. Failure to comply with this policy will disqualify you from the safe harbour it establishes, but should not be read as creating legal obligations that would not otherwise exist or extending such obligations beyond their independent scope.
You are expected, as always, to comply with all applicable laws.
While we may change this policy from time to time, such changes will not be applied retrospectively, and the safe harbour outlined here is irrevocably extended to any vulnerability research that is carried out while this policy remains in effect.
If at any time you have concerns or are uncertain whether your security research is consistent with this policy, please submit a report through one of our Official Channels before going any further.
Scope, Out-of-Scope & Rewards
Due to the breadth of our infrastructure the security program has been divided categorically. Please visit the appropriate section for rules and reward information on the component you will be testing.
| whatbox.ca website | 12,375 USD | 2021-10-23 |
| Shared servers | 6,995 USD | 2021-11-15 |
| Other infrastructure | 2,350 USD | 2021-09-25 |
Official Communication Channels
Coordinated Disclosure: A researcher can share details of the vulnerability after a fix has been applied and the program owner has provided permission to disclose, OR after 90 days from submission, whichever is sooner;