Vulnerability disclosure policy

We welcome reports from security researchers acting in good faith. This page defines what is in scope, what we ask you to do, what we will do in return, and the safe-harbor commitment we extend to you.

Version 1.0 · Effective 2026-05-26

1. How to report

Email security@whitecapdata.com with as much of the following as possible:

PGP-encrypted reports are welcome — our public key is published at /.well-known/pgp-key.asc (coming soon). If PGP is unavailable, send the report in plain text and avoid attaching customer data.

2. Scope

The following Whitecap Data services are in scope:

Out of scope:

3. Rules of engagement

4. Safe harbor

If you make a good-faith effort to follow this policy, we will not pursue or support legal action against you under the Computer Fraud and Abuse Act, the DMCA, or analogous state laws, in connection with your research. We will work with you to understand and resolve the issue.

This safe harbor applies only to your direct research activities. It does not authorize you to violate other laws (e.g., privacy laws unrelated to your own testing) or to access data belonging to other people without authorization.

5. What we will do

6. Disclosure timeline

Our standard request is a 90-day coordinated disclosure window from the date we confirm the report. We will work with you on shorter or longer windows if the risk profile warrants — for example, an actively exploited issue may be disclosed earlier with a fix; a complex architectural issue may need more time.

We do not currently operate a paid bug bounty. We will credit researchers and are happy to provide a reference letter for good-faith disclosures.

7. Changes to this policy

This policy may be updated as our security program matures. Material changes will be reflected in the version number above and dated. The current version is always the one published at whitecapdata.com/trust/vulnerability-disclosure-policy.