Responsible vulnerability disclosure

We care deeply about keeping our customers’ data safe and secure. Your input and feedback on our security is always appreciated.

Reporting an Issue

Have you discovered a security related issue that isn’t a common non-vulnerability?
Please send a report to security@whimsical.com with details like:

A summary of the problem
A PoC or breakdown of how to replicate the issue
The operating system name and version as well as the web browsers name and version that you used to replicate the issue

Here’s how the process will go from there on:

We will acknowledge your report
We will investigate the issue and may have clarifying questions
Once the issue is resolved, we will post an update along with our thanks and acknowledgement of your contribution

Note that at the moment we do not offer bug bounties other than good karma.

We are interested in any vulnerabilities related to the whimsical.com web site and application (excluding help.whimsical.com and community.whimsical.com) such as:

We’d like to ask you to search for and report vulnerabilities responsibly, with the following principles in mind:

Don’t try to access or manipulate other customers data; only test on your own account
Do not exfiltrate data from our infrastructure (including source code, data backups, configuration files)
If you obtain remote access to our system, report your finding immediately, do not attempt to pivot to other servers or elevate access
Please avoid techniques that might degrade the service for others (DoS, spamming, etc.)
Please keep the vulnerabilities secret until you’ve notified us, and we’ve had adequate time to remedy the issues