Vulnerability disclosure policy
We welcome reports from security researchers acting in good faith. This page defines what is in scope, what we ask you to do, what we will do in return, and the safe-harbor commitment we extend to you.
Version 1.0 · Effective 2026-05-26
1. How to report
Email security@whitecapdata.com with as much of the following as possible:
- A clear description of the vulnerability and its impact.
- Step-by-step reproduction (URLs, payloads, accounts used).
- Any proof-of-concept output, screenshots, or HTTP captures.
- Your preferred handle for credit (or "anonymous").
PGP-encrypted reports are welcome — our public key is published at
/.well-known/pgp-key.asc (coming soon). If PGP is unavailable, send
the report in plain text and avoid attaching customer data.
2. Scope
The following Whitecap Data services are in scope:
whitecapdata.com— the marketing site.login.whitecapdata.com— the authentication gateway.platformadmin.whitecapdata.com— the platform-admin console.cana.whitecapdata.comand any other*.whitecapdata.comtenant subdomain we publish — to the extent the issue is in our code or configuration.
Out of scope:
- Issues in third-party services we use (report to that vendor directly).
- Best-practice findings without a demonstrated impact (e.g., missing CSP report-only header, theoretical timing attacks).
- Self-XSS or social engineering of our staff, contractors, or customers.
- Denial-of-service attacks, volumetric testing, or anything that degrades service for other users.
- Issues that require physical access to a user's device.
3. Rules of engagement
- Test only against accounts and data you own or have explicit written permission to access.
- Do not modify, exfiltrate, or destroy any data you encounter. If you accidentally access customer data, stop immediately and include that in your report.
- Use minimum necessary disruption. If your test could affect other users, contact us first.
- Do not publicly disclose the vulnerability before we have had a reasonable opportunity to remediate (see §6 timelines).
- Comply with all applicable laws.
4. Safe harbor
If you make a good-faith effort to follow this policy, we will not pursue or support legal action against you under the Computer Fraud and Abuse Act, the DMCA, or analogous state laws, in connection with your research. We will work with you to understand and resolve the issue.
This safe harbor applies only to your direct research activities. It does not authorize you to violate other laws (e.g., privacy laws unrelated to your own testing) or to access data belonging to other people without authorization.
5. What we will do
- Within 2 business days — acknowledge receipt of your report.
- Within 7 business days — provide a substantive response: validation status, severity assessment, and our planned remediation window.
- Throughout — keep you informed of progress at least every 14 days while remediation is in flight.
- After fix — confirm the fix is live and credit you on the acknowledgments page if you would like.
6. Disclosure timeline
Our standard request is a 90-day coordinated disclosure window from the date we confirm the report. We will work with you on shorter or longer windows if the risk profile warrants — for example, an actively exploited issue may be disclosed earlier with a fix; a complex architectural issue may need more time.
We do not currently operate a paid bug bounty. We will credit researchers and are happy to provide a reference letter for good-faith disclosures.
7. Changes to this policy
This policy may be updated as our security program matures. Material changes
will be reflected in the version number above and dated. The current version
is always the one published at
whitecapdata.com/trust/vulnerability-disclosure-policy.