
Whimsies Ltd Vulnerability Disclosure Policy

Last updated: May 14, 2025

1. Reporting Security Vulnerabilities

We welcome reports of security vulnerabilities from the community. If you believe you have found a security issue in a Whimsies Ltd product or service, please contact us at:

  • Email: [email protected]
  • PGP: [PGP public key available at OpenPGP]

Please include as much detail as possible, including:

  • Product or system affected
  • Vulnerability description and potential impact
  • Reproduction steps or proof-of-concept (if applicable)

We encourage good-faith reports and will not pursue legal action against security researchers who follow this policy.

2. Scope

This policy applies to:

  • All currently supported products and services of Whimsies Ltd
  • All open source projects actively maintained by Whimsies Ltd

3. Our Commitment

Upon receiving a vulnerability report, we will:

  1. Acknowledge receipt within 5 business days
  2. Provide regular status updates during the investigation
  3. Work to validate the issue and resolve it within 90 days (or sooner if critical)
  4. Credit the reporter (if desired) in our security advisory

4. Disclosure Timeline

  • We follow a coordinated disclosure process.
  • We ask reporters to give us a reasonable time to fix the vulnerability before public disclosure.
  • If a CVE ID is required, we will assign one or work with the appropriate CNA.

5. Out of Scope

The following are typically out of scope for this policy:

  • Denial-of-Service without meaningful security impact
  • Social engineering or phishing of Whimsies Ltd employees or users
  • Vulnerabilities in third-party services unless maintained by Whimsies Ltd

6. Legal Safe Harbor

If you comply with this policy in good faith, Whimsies Ltd commits not to initiate civil or criminal legal action against you.
We acknowledge that security testing, even when well-intentioned, may technically contravene certain provisions of the Computer Misuse Act 1990 (UK), particularly Sections 1 and 3.
However, we consider such activity authorized and consented to within the scope of this policy, and therefore not unlawful under the CMA 1990.

7. Platform Testing and Authorization

If your research requires testing against live or production systems, please ensure that such testing does not disrupt platform availability or user experience.

If necessary, please contact us in advance. Upon review and risk assessment, we may authorize testing within a defined and limited scope. In such cases, we commit not to pursue legal action, provided that you act in good faith and within the agreed scope.

Please note that all activities must comply with applicable laws of the United Kingdom.
