Report a Security Issue

Whaval LLC Vulnerability Disclosure Program

Please contact us right away if you have found any security weaknesses on Whaval.com.

All valid reports will be taken seriously, and we will work to fix any verified issues as soon as possible. Prior to submitting your report, you must read through the following guidelines, which include our main principles together with bounty program requirements and non-qualifying issues.

Section 1 – Core Principles

Whaval LLC will not pursue legal action or an investigation against you if you submit vulnerability reports strictly according to the guidelines below. We ask that you:

• Allow Reasonable Time: Give us enough time to investigate the issue and fix it before you share the report with the public.
• Respect User Privacy: You must not touch or retrieve any personal data from other users’ accounts unless they give you their explicit consent.
• Act in Good Faith: Do not cause privacy violations, service interruptions, data destruction, or disruption to others.
• Do Not Exploit the Vulnerability: Do not use or demonstrate the bug to access sensitive data or escalate risk to our infrastructure.
• Follow Applicable Laws: You must not perform any actions that go against any local, state, or federal laws and regulations.

Section 2 – Bounty Program

Whaval LLC appreciates the efforts of ethical security researchers. We may compensate monetary rewards to researchers for reporting valid and relevant vulnerability disclosures. Rewards are paid at our sole discretion based on severity, potential risk, and other operational factors.

To qualify for a potential bounty, you must:

• Comply With Our Core Principles: Strictly follow the rules outlined in Section 1.
• Report a Valid Security Bug: The issue must pose a real security or privacy risk to our systems or users. Note: Not all bugs qualify for a bounty.
• Submit Directly to Support: Do not reach out to individual Whaval employees directly via social media or personal channels.
• Report Responsibly: If you accidentally access data or cause service disruption, report it immediately without attempting to explore further.

Section 3 – Non-Eligible Submissions

The following types of issues do not qualify for bounties and should not be submitted to our security team:

• Spam, social engineering, or phishing reports not directly related to our infrastructure.
• Missing SPF/DMARC records.
• Clickjacking on non-sensitive pages.
• Rate-limiting or brute-force issues without clear, exploitable impact.
• Denial-of-Service (DoS) or Distributed Denial-of-Service (DDoS) attacks.
• Vulnerabilities requiring physical access, root access, or jailbroken devices.
• Reports involving outdated browsers or unsupported extensions.

How to Submit a Report

When reporting a vulnerability, please provide as much actionable detail as you can. Your report should include:

• Clear reproduction steps.
• The potential impact of the vulnerability.
• Any relevant screenshots, video recordings, or code snippets.