Whistleblower Files works with journalists and organizations worldwide, and the security of our sources and collaborators is our top priority.
We operate multiple websites and services comprising a significant amount of code. While we strive to keep them secure and reliable, we welcome responsibly disclosed reports of potential vulnerabilities or security issues in our services.
Responsible Disclosure Policy
To report an issue, please contact us at [email protected]. You may also encrypt your report with our PGP/GPG key (details available upon request).
Rules
To ensure the integrity of this program and our systems, please adhere to the following:
- On systems that allow self-service signup, prefix the username of any test account you create for research purposes with “bugbounty_”.
- If you encounter sensitive information (e.g., personal details, credentials), do not save, copy, store, transfer, disclose, or otherwise retain it; report the exposure to us instead.
- Avoid performing social engineering, phishing, or physical security attacks targeting offices, users, or employees.
- Stay within the defined scope of this responsible disclosure program.
- Interact respectfully with our team during communications.
Failure to comply with these rules may result in removal from the program.
Note:
- We reserve the right to modify these rules or invalidate submissions at any time.
- This program may be canceled without notice.
Please submit reports to [email protected]. Do not post issues publicly on platforms such as GitHub or other forums.
What Is in Scope?
- Services available at whistleblowerfiles.com and all of its subdomains (i.e., *.whistleblowerfiles.com).
- Supported versions of open-source software published in our GitHub repository.
Excluded from Scope
Please do not report the following:
- Attacks requiring DNS takeover.
- Clickjacking without demonstrated impact.
- Denial-of-service issues that rely on overloading processing capacity or flooding the service with requests.
- Mail relay server configuration issues.
- Missing or loosely configured DNS SPF records.
- Missing DNSSEC.
- Missing HTTP Public Key Pinning (HPKP) headers.
- Self-XSS vulnerabilities.
- Software version disclosures.
- XSS vulnerabilities that only work in legacy (end-of-life) browsers.
What to Expect
- Send security issue details to [email protected].
- Allow up to 5 working days for an initial response from our team.
- We will coordinate with you on the advisory contents and on the release date of the security fix.
Disclosure
We support responsible disclosure and will work with you if you wish to publish your findings (e.g., through a blog post).
Compensation
As a non-profit organization, we are unable to provide monetary compensation for disclosed security issues. However, we will gladly give credit to individuals who responsibly disclose security vulnerabilities to us.