Vulnerability Disclosure Policy

Purpose

Willow is committed to securing Willow’s products and services. We have opened up the opportunity for security researchers to report the vulnerabilities they find so that Willow can continue to protect its customers and users in good faith.

This Vulnerability Disclosure Policy describes how an independent security researcher can report their findings to Willow, the criteria for what can be reported, the rules of engagement for performing vulnerability testing activities, and the disclosure time window within which a vulnerability can be publicly disclosed.

Where the processing of your personal information is not subject to the Privacy Act or GDPR, different rules may apply under your applicable law.

Please note that we are not offering compensation for the reporting of discovered or potential vulnerabilities.

How to report vulnerabilities to Willow

When vulnerabilities or sensitive data (PII) are discovered, we ask that you immediately stop testing and notify Willow by sending a vulnerability report to security@willowinc.com.

The Security Team will reach out via security@willowinc.com as soon as possible with an acknowledgment email.

By sending a submission email to Willow, you confirm that you have read, understood and agreed to the Vulnerability Disclosure Policy in the context of Willow information systems. Please keep in mind that your report and testing methodologies must follow the scope and rules of engagement outlined in this Vulnerability Disclosure Policy.

Disclosure

We require that you do not publish or make public any vulnerabilities or sensitive data (PII) discovered. Willow is open to discussing the publication of the vulnerability once it has been remediated.

Scope

Willow’s systems and services associated with the willowinc.com domain and its subdomains are within scope. Any other domain is considered out of scope.

If unsure, please contact security@willowinc.com.

Rules of engagement

Please do not:

  • Engage in physical testing of any Willow resources
  • Disrupt Willow systems
  • Violate Willow’s Data Privacy Policy
  • Degrade Willow users’ experience
  • Destroy, manipulate, compromise, share, retain or affect the availability of Willow data
  • Inject malware into Willow systems
  • Exploit the found vulnerabilities to exfiltrate data, gain command-line access, move to other systems, or establish a persistent connection in Willow systems
  • Compromise intellectual property and commercial/financial interests of any Willow stakeholders
  • Engage in social engineering or phishing attacks
  • Demand payment or rewards for reporting vulnerabilities

Please do:

  • Comply with the Vulnerability Disclosure Policy
  • Stop testing after a vulnerability is found and notify Willow immediately with a proof of concept
  • Stop testing after nonpublic data or sensitive PII is found and notify Willow immediately
  • Remove any stored nonpublic data or sensitive PII after reporting to Willow
  • Only test within the scope listed above