Responsible Disclosure Program
April 27, 2026
Version: 1.1.0 Last Updated: April 27, 2026 Effective Date: April 27, 2026
Our Commitment to Security
Whir Inc. ("Whir," "we," "us") values the security research community and recognizes that the vigilance of independent researchers helps keep our users safe. This Responsible Disclosure Program describes how to report a security vulnerability you discover in the Whir platform, what you can expect from us in return, and the safe-harbor commitments we make to good-faith researchers.
This document is part of, and governed by, our Privacy Policy and Terms of Service. To the extent of any conflict, those documents control on questions outside the scope of vulnerability disclosure.
In Short: If you find a security issue in Whir, email security@getwhir.com, follow the rules below, and we'll work with you in good faith. We don't currently pay bounties, but we appreciate your help and we won't pursue legal action against good-faith researchers who follow this policy.
TABLE OF CONTENTS
- Scope
- How to Report a Vulnerability
- What to Include in Your Report
- What You Can Expect from Whir
- Rules of Engagement
- Out of Scope
- Safe Harbor
- Public Disclosure
- Recognition
- Bounty / Compensation
- Responsible Use of AI
- Updates to This Program
- Contact
1. SCOPE
1.1 In-Scope Targets
This program applies to the following Whir-operated assets:
- Mobile application: The Whir mobile app for iOS and Android
- Consumer web application: whir.community
- Business web application: business.whir.community
- Marketing site: getwhir.com
- Whir-operated APIs that support the above
1.2 In-Scope Vulnerability Categories
We are particularly interested in the following categories:
- Authentication and authorization flaws (account takeover, privilege escalation, broken access controls);
- Injection vulnerabilities (SQL, NoSQL, command, LDAP, etc.);
- Server-side request forgery (SSRF);
- Cross-site scripting (XSS), particularly stored or DOM-based;
- Cross-site request forgery (CSRF) on sensitive actions;
- Insecure direct object references (IDOR);
- Sensitive data exposure (PII leaks, secrets in code or responses);
- Logic flaws that affect user safety, business approval workflows, or content moderation;
- Vulnerabilities in our handling of user-submitted content;
- Bypasses of platform features intended to protect users (e.g., anonymity bypasses on anonymous submissions, business verification bypasses).
If you're not sure whether something is in scope, send it in — we'd rather hear about it than not.
2. HOW TO REPORT A VULNERABILITY
Send vulnerability reports to security@getwhir.com.
Please use a clear subject line such as [Security Report] <brief description>.
If your report contains sensitive information, you may request our PGP public key by emailing the address above; we will send it to you so that you can encrypt your report and any follow-up correspondence.
Do not report vulnerabilities through public channels (Twitter/X, public Discord, GitHub issues, social media), to general support email addresses, or to individual employees' personal accounts. These channels are not monitored for security reports and reporting through them may result in delayed response or unintentional public disclosure.
3. WHAT TO INCLUDE IN YOUR REPORT
A useful report includes:
- Summary of the issue in one or two sentences;
- Affected component (specific URL, endpoint, app screen, or platform);
- Severity assessment in your view (low / medium / high / critical), with reasoning;
- Reproduction steps detailed enough that we can reproduce the issue independently;
- Proof of concept (a screenshot, video, sample request, or minimal code) demonstrating the issue, without exfiltrating user data beyond what is necessary to demonstrate;
- Impact — what an attacker could do if this issue were exploited;
- Suggested mitigation if you have one (optional);
- Your contact information if you'd like a response (anonymous reports are accepted but we can't follow up with you).
We do not require a particular format, but the more information you provide, the faster we can validate, fix, and (if applicable) credit your work.
4. WHAT YOU CAN EXPECT FROM WHIR
When you submit a report in good faith and following this policy, we commit to:
- Acknowledge receipt of your report within 5 business days.
- Provide an initial assessment within 21 business days of receipt, including whether we are accepting the report, declining it (with reasoning), or need more information.
- Keep you informed of progress at reasonable intervals while the issue is open, and at minimum send a status update at least once every 30 calendar days until the report is closed.
- Notify you when the issue is resolved, where you have provided contact information.
- Treat you with respect. We assume good faith on your part, and we appreciate your help.
- Not pursue legal action against you for good-faith research conducted in accordance with this policy (see Section 7, Safe Harbor).
We are a small team. The timeframes above are upper bounds — we will often respond faster, but we won't always. For critical issues that pose immediate risk to users (data exposure, account-takeover at scale, payment-flow compromise, or similar), please clearly mark your report as [CRITICAL] in the subject line. Critical reports are prioritized and we aim to acknowledge them within 2 business days.
5. RULES OF ENGAGEMENT
To stay within this program's safe harbor, you agree to:
- Make a good-faith effort to avoid privacy violations, data destruction, and service interruption. Test only against your own accounts or accounts you have explicit permission to test against.
- Stop testing and report immediately if you encounter any user data (personal information, content from other users, payment information) that is not your own. Do not view, save, copy, transfer, or further access such data beyond the minimum necessary to report the issue.
- Do not attempt to access, modify, or destroy data belonging to other Whir users, businesses, or Whir itself beyond what is strictly necessary to demonstrate a vulnerability.
- Do not use social engineering (phishing, vishing, smishing) against Whir staff, users, businesses, or any third parties.
- Do not perform physical attacks against Whir's office, equipment, or personnel.
- Do not perform denial-of-service (DoS) testing, resource exhaustion attacks, or volumetric attacks. Functional testing of rate limits in good faith is acceptable, but anything that could degrade service for users is not.
- Do not test third-party services Whir relies on. Whir uses a number of third-party providers for infrastructure, payments, analytics, and other services; the current list is reflected in our Privacy Policy. Report findings about those services directly to the respective vendors, not to Whir.
- Do not publicly disclose the vulnerability before we have had a reasonable opportunity to fix it (see Section 8).
- Comply with all applicable laws in conducting your research.
6. OUT OF SCOPE
The following are not considered security vulnerabilities for purposes of this program, and reports about them will generally be closed without action:
- Issues already known to Whir or already disclosed by another researcher;
- Theoretical vulnerabilities without a working proof of concept;
- Self-XSS that requires the victim to paste payloads into their own browser console;
- Missing security headers that have no demonstrable impact (e.g., missing X-Frame-Options on pages that don't perform sensitive actions);
- Missing best-practice configurations (e.g., absence of HSTS preloading, DNSSEC, CAA records) without demonstrable exploit;
- Reports based on outdated software versions without a specific vulnerability demonstrated against Whir;
- Vulnerabilities in third-party services Whir relies on for infrastructure, payments, analytics, or similar functions — please report these directly to the respective vendors. The current list of third parties Whir uses is reflected in our Privacy Policy.
- Social engineering, phishing, or physical attacks against Whir or its users;
- Denial-of-service attacks or any attack designed to degrade availability;
- Brute-force attacks against authentication, password reset flows, or rate limits;
- Issues requiring full physical access to a victim's unlocked device;
- Open redirects without demonstrable impact;
- Email spoofing or SPF/DKIM/DMARC findings without exploit;
- Clickjacking on pages without sensitive actions;
- Reports generated solely by automated scanners without human analysis or working proof of concept;
- Issues in beta, staging, or development environments unless they demonstrate a vulnerability that also affects production;
- User-submitted content that violates our Terms of Service but does not exploit a security flaw; please report such content through normal moderation channels at contact@getwhir.com.
If you're unsure whether your finding is in scope, report it anyway with your reasoning. We'd rather receive a borderline report than miss a real issue.
7. SAFE HARBOR
Whir will not pursue legal action against you, or report you to law enforcement, for security research conducted in good faith and in accordance with this policy.
Specifically, we agree that good-faith research consistent with this Responsible Disclosure Program:
- Does not violate our Terms of Service;
- Is authorized for purposes of any applicable anti-hacking and anti-circumvention laws (such as the U.S. Computer Fraud and Abuse Act and DMCA Section 1201), to the extent we have authority to grant such authorization;
- Does not breach any agreement you may have with Whir.
This safe harbor applies only to the extent your activities comply with this policy. It does not waive Whir's rights against bad-faith activity, including extortion, public disclosure before a fix, exfiltration of user data, or activity that goes beyond what is reasonably necessary to demonstrate a vulnerability.
If a third party brings legal action against you for activities conducted in compliance with this policy, we will make reasonable efforts to make it known, where appropriate, that your actions were authorized under this program.
Important: This safe harbor is offered by Whir on Whir's own behalf. It does not bind third parties whose systems your testing might also touch (such as our cloud or service providers). You are responsible for staying within the scope defined in Section 1 and the rules in Section 5.
8. PUBLIC DISCLOSURE
We ask that you do not publicly disclose details of a vulnerability (including via blog posts, conference talks, GitHub repositories, or social media) until both of the following are true:
- A fix has been deployed, or 90 days have passed since you reported the issue, whichever comes first; and
- You have coordinated the disclosure timing with us in advance.
For unusually severe issues that pose immediate risk to users, we may ask for additional time and will explain why. For low-severity issues that we choose not to fix (e.g., accepted risk), we may agree to earlier disclosure.
If you intend to write up or publish your findings, please share a draft with us in advance so we can confirm the technical details are accurate and the disclosure does not enable active exploitation.
9. RECOGNITION
With your permission, we may publicly thank researchers who help us improve security. If you would like to be credited, please tell us in your report:
- Your name or handle as you would like it to appear;
- A link (e.g., personal website, GitHub, X/Twitter, LinkedIn), if you'd like one displayed;
- Whether you prefer to be credited only after the fix is deployed.
If you prefer to remain anonymous, that's fine — we will not name you publicly without your permission.
We may maintain a "Security Researchers Hall of Fame" page in the future. As of the effective date of this policy, no such page exists; we will update this section if and when we create one.
10. BOUNTY / COMPENSATION
Whir does not currently operate a paid bug bounty program. We do not pay monetary compensation for vulnerability reports at this time.
We may introduce a paid program in the future as the company grows. If we do, it will be governed by a separate bounty program policy, and reports submitted before that program's launch will not be retroactively eligible for bounty payments.
For now, our thanks come in the form of:
- A prompt, respectful response to your report;
- Public credit (with your permission) when the issue is fixed;
- Safe-harbor protection for good-faith research (Section 7);
- The knowledge that you helped make the platform safer for users.
11. RESPONSIBLE USE OF AI
This section describes how Whir uses artificial intelligence and machine learning ("AI/ML") today, how we think about future use, and how AI/ML interacts with this Responsible Disclosure Program.
11.1 Current Use of AI
As of the effective date of this policy, Whir does not integrate server-side or third-party AI or machine-learning models into the user-facing Services. SmartVision (described in our Privacy Policy §6) is an on-device text recognition feature; it runs locally on your device and does not send images, image data, or model inputs to Whir or any third-party AI service.
We do, however, use AI tools internally to help build, test, and operate the Services — for example, AI-assisted coding tools used by our engineers. These tools may process the source code, configuration, and similar engineering data of the Services. They do not process Whir users' personal data as part of normal product development.
11.2 Future Use of AI
Whir may, in the future, integrate AI/ML capabilities into user-facing features. Examples could include automated content moderation, deal categorization, business-listing enrichment, recommendation features, conversational interfaces, or similar capabilities. If and when we introduce user-facing AI features, we will:
- Update this policy and our Privacy Policy to describe what the feature does, what data it processes, and which AI providers (if any) we rely on;
- Apply the same data-protection standards to those features that apply to other parts of the Services (Privacy Policy §§ 4–8);
- Disclose any third-party AI/ML providers as sub-processors in our Privacy Policy where they process personal data on Whir's behalf;
- Avoid using AI/ML to make decisions that produce legal or similarly significant effects about a User without appropriate human review and the rights afforded by applicable privacy law;
- Not use User-submitted Content to train third-party AI models without disclosure and, where required by law, consent.
11.3 AI/ML in Internal Operations
When Whir uses AI tools internally (for engineering, content moderation, customer support drafting, analytics, or similar internal purposes), we apply the same care to AI tools that we apply to other vendors. Specifically:
- We do not feed users' personal data into third-party AI tools that retain the data for training their models, except where the tool is a contracted sub-processor disclosed in our Privacy Policy;
- We review the data-handling practices of AI tools before adopting them for any work that touches personal data;
- We prefer AI tools that offer enterprise-grade privacy controls (zero data retention, no training on customer inputs) for any work that could touch users' personal data.
11.4 AI/ML Vulnerabilities Are In Scope
If you discover a vulnerability that arises from how Whir uses AI/ML — whether in a future user-facing feature, an internal tool that touches user data, or a model deployed by Whir — that vulnerability is in scope under this Responsible Disclosure Program. Examples of categories we are interested in:
- Prompt injection or jailbreak attacks on Whir-deployed models that could leak user data, bypass content moderation, or take unauthorized actions;
- Model output that consistently exposes personal data, secrets, or internal configuration;
- Data leakage between users through shared AI features (e.g., a model surfacing one User's data in a response to another User);
- Bypasses of automated content moderation that allow prohibited Content to be published;
- Adversarial inputs that cause Whir-deployed AI features to take harmful actions (e.g., approving submissions that should be rejected, mis-classifying Businesses);
- Any other AI/ML-specific issue that creates risk to users, businesses, or the integrity of the Services.
11.5 Researcher Conduct With AI/ML
When researching AI/ML aspects of Whir, the same Rules of Engagement (Section 5) apply. In particular:
- Do not exfiltrate other users' data through prompt-injection or model-extraction techniques. If you can demonstrate that data leakage is possible, stop and report — do not continue to harvest data;
- Do not attempt to extract or reconstruct proprietary models or training data beyond what is necessary to demonstrate a vulnerability;
- Do not use AI tools to generate large volumes of automated reports. We value human-analyzed reports; output from AI scanners without manual validation is treated under Section 6 (Out of Scope) like any other unfiltered scanner output;
- Be specific about what is AI-related in your report so we can route it appropriately. AI/ML issues often require different remediation than traditional software vulnerabilities.
11.6 Reporting AI-Related Concerns That Are Not Vulnerabilities
If you have concerns about how Whir uses AI/ML that are not security vulnerabilities (for example, concerns about bias in automated moderation, data-handling questions, or general policy concerns), please send those to contact@getwhir.com rather than to security@getwhir.com. We welcome both kinds of feedback, but routing them appropriately helps us respond faster.
12. UPDATES TO THIS PROGRAM
We may update this Responsible Disclosure Program from time to time. The current version is always available at getwhir.com/legal/responsible-disclosure (or wherever this document is hosted).
Material changes will be communicated by updating the "Last Updated" date at the top of this document. We recommend reviewing this policy before submitting a report to confirm the current scope and rules.
13. CONTACT
For all matters related to this Responsible Disclosure Program:
Security reports: security@getwhir.com
For questions about this policy that are not themselves vulnerability reports, the same address works.
For unrelated inquiries:
- General contact: contact@getwhir.com
- DMCA notices: dmca@getwhir.com
- Mailing address: Whir Inc., 3760 Mercier St, Kansas City, MO 64111