Bug bounty & responsible disclosure

Security researchers keep the web honest, and we’re grateful. If you’ve found a vulnerability in GhostWhirl, this page tells you how to report it and what to expect in return.

Scope

Issues in the following surfaces are in scope:

  • The GhostWhirl desktop app (macOS & Windows, latest stable release).
  • ghostwhirl.com and www.ghostwhirl.com.
  • Our public API endpoints under api.ghostwhirl.com.
  • Authentication, token storage, and any path that would let a researcher read another user’s data.

Out of scope

  • Denial-of-service, brute-force, or volumetric attacks.
  • Findings from automated scanners without a working proof of concept.
  • Issues in third-party services we integrate with (report those to the provider).
  • Social engineering of GhostWhirl staff or customers.
  • Self-XSS, missing best-practice headers with no demonstrable impact, and known public-disclosure items within 72 hours of patch release.

Severity & rewards

We review every good-faith report. Rewards depend on severity, quality of the report, and whether a working proof-of-concept is included. Indicative ranges:

  Severity | Typical impact                                                | Reward
  ---------|---------------------------------------------------------------|-------------------------------
  Critical | Remote code execution, account takeover without interaction   | Up to $2,500
  High     | Privilege escalation, reading another user’s data             | Up to $1,000
  Medium   | Authenticated data leaks, CSRF with meaningful impact         | Up to $400
  Low      | Minor misconfiguration, limited-impact issues                 | Public acknowledgement + swag

Rules of engagement

  • Do not access or modify data that isn’t yours. Create a second account if you need to test authenticated flows.
  • No automated scanning against production without a written allow-list from us.
  • Do not publicly disclose the issue before we’ve had a reasonable time to fix it (typically 90 days).
  • Respect user privacy — if you accidentally access customer data, stop and tell us.

How to report

Send a clear write-up to security@ghostwhirl.com with reproduction steps, affected URLs/app versions, and any proof-of-concept. We acknowledge reports within 2 business days and keep you in the loop as we triage and patch.

Safe harbour. We will not pursue or support any legal action related to research conducted in accordance with this policy. If in doubt, email us first.

Questions before you start?

We’d rather answer ahead of time than debate scope later.
