programme · live
security · doc S/01

Responsible Disclosure.

We are a security firm. We expect the best of our own platform, and we welcome help finding what we missed. Here is how to report a vulnerability, what we promise in return, and the rules of engagement.

Effective1 January 2026
Last updated1 January 2026
Report tohello@whats.exposed
PGP fingerprintTODO publish

01Our promise

What you can count on if you report a vulnerability.

P/01

We will respond fast.

Acknowledgement within one business day. A real human, not an autoreply, will own your report end-to-end.

P/02

We will not threaten you.

If you act in good faith and stay within the rules below, we will not pursue or support legal action against you.

P/03

We will credit you.

Public acknowledgement (with your permission) once a fix is shipped, or anonymous credit if you prefer.

02In scope · out of scope

What this programme covers, and what it doesn't.

In scope
  • whats.exposed and any sub-domain we operate on it
  • Our delivery platform (the customer-facing portal)
  • Public APIs documented at api.whats.exposed TODO: confirm
  • Our published mobile applications, where available
Out of scope
  • Findings on customer environments, report those to the customer, not us
  • Third-party services we link to but do not operate
  • Social engineering of staff or contractors
  • Physical attacks against our offices or co-working spaces
  • Denial-of-service or volumetric / stress testing
  • Spam, missing rate-limits on non-auth endpoints, or "best-practice" cookie flags without an exploit chain
  • Reports based purely on automated scanner output without an exploit demonstration

03Rules of engagement

Stay inside these and you are protected.

  1. Test only your own data. Create your own accounts. Do not access, modify or destroy data that does not belong to you.
  2. No automated scanning at scale. Targeted, manual testing is welcomed; large-scale scans against production are not.
  3. Do not exfiltrate. Once you have proof of impact, stop. Don't pivot to other customer data or to internal systems beyond what's needed to demonstrate the issue.
  4. Do not pivot or escalate. Treat the first sign of impact as the boundary. Don't chain unrelated issues to widen access.
  5. Report promptly. Send what you have within 7 days. Don't sit on findings while you look for more.
  6. Give us time to fix. Default coordinated disclosure window is 90 days from triage; we will agree an extension on request for complex issues.
  7. No public disclosure until we have shipped a fix or the disclosure window has expired and we have not engaged in good faith.
  8. No extortion. Demands for payment in exchange for non-disclosure void this policy and are reported to the relevant authorities.

04Safe harbour

Our legal commitment to good-faith researchers.

Authorised research

If your security research is conducted in good faith and follows the rules above, we consider it authorised under the UK Computer Misuse Act 1990, the Irish Criminal Justice (Offences Relating to Information Systems) Act 2017, and equivalent legislation. We will not initiate or recommend legal action against you for this research, and we will work in good faith to make any third party affected aware that you acted in compliance with this policy.

If, at any point, you are unsure whether your testing is in scope, pause and email us first. We would much rather receive a question than an apology.

This safe-harbour does not extend to testing against systems or data that do not belong to us, nor does it override applicable law. It cannot bind third parties.

05How to report

Send it to one place. Encrypt if you can.

Email hello@whats.exposed with the subject line Security Report. Please include:

  • A clear description of the issue and impact, in plain English.
  • Affected URLs, endpoints or app builds.
  • Step-by-step reproduction, request / response, payloads, screenshots or short video.
  • Timestamps of any test traffic so our blue team can correlate.
  • Your name and how you would like to be credited (or "anonymous").

For sensitive reports we strongly prefer encrypted email. Our PGP key is below. TODO: paste real public key

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: WhatsExposed Security Disclosure
Key ID: XXXX XXXX XXXX XXXX XXXX
Fingerprint: XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX

[ TODO paste full ASCII-armoured public key block here ]

-----END PGP PUBLIC KEY BLOCK-----

We also publish a /.well-known/security.txt at https://whats.exposed/.well-known/security.txt in line with RFC 9116.

06What to expect, SLA

Our service levels for handling your report.

Acknowledgement
A real human confirms we have received your report and tells you who is owning it.
≤ 1 business day
Initial triage
We reproduce the issue, assign provisional severity, and tell you whether it is in scope.
≤ 5 business days
Status updates
Progress notes while we are working on a fix, at minimum every two weeks until resolved.
≤ 14 days
Resolution
Critical and high severity vulnerabilities are remediated as a priority. Lower severities are scheduled.
target 90 days
Coordinated disclosure
Public write-up published, with credit (if you want it), once the fix has been deployed and customers notified where appropriate.
post-fix

07Severity & triage

How we score what you send us.

We use CVSS v3.1 as our base scoring framework, adjusted for the realistic exploitability and the business impact in our environment. Examples (non-exhaustive):

Critical
Unauthenticated remote code execution, mass account takeover, customer data exposure across tenants, signing-key disclosure.
High
Authenticated privilege escalation across tenants, IDOR exposing customer findings, persistent XSS in the platform UI, SQLi.
Medium
Single-tenant authenticated IDOR, stored low-impact XSS, SSRF without sensitive data exposure, broken session handling without takeover.
Low
Information disclosure of low-sensitivity data, missing security headers with demonstrable impact, rate-limit gaps with feasible abuse.
Informational
Best-practice deviations without an exploit, theoretical issues, scanner output without proof of impact.

08Recognition

What we offer to thank you.

  • Public credit on this page (Hall of Fame), with your handle of choice.
  • A signed thank-you note from our Head of Offensive Security.
  • whats.exposed swag for valid Medium+ findings.
  • A direct introduction to our hiring team if you are open to talking, we hire senior offensive specialists.

We do not currently run a paid bug bounty. If you require monetary compensation, please tell us up front so we can discuss whether a private engagement is appropriate.

09Hall of fame

Researchers who have helped us improve.

Listed in chronological order. Most recent at the top. Names appear with permission only, anonymous reporters are credited as "Anonymous".

— Open —
be the first
TODO populate
post-launch

10Contact

One inbox for everything security-related.

Security disclosure
What's Exposed Ltd · Security team
iHub, Westport Road
Castlebar, Co. Mayo
Ireland, F23 K162

Email: hello@whats.exposed
RFC 9116: /.well-known/security.txt
PGP: TODO publish fingerprint