Security Vulnerability Report Form
This form is used by researchers and technical teams who wish to report security vulnerabilities or technical weaknesses on our platform.
Download the form
After filling out and signing the form, you can scan it and send it to support@whoisnextapp.com.
How to fill it out?
Purpose of the form
This form is intended for reporting technical security vulnerabilities (unauthorized access, data exposure, authentication bypass, business logic weakness, etc.) under the Security Vulnerability Disclosure Policy. It is not used for general support, account/password requests, content complaints, or requests from official authorities; in those cases, please use the relevant channels.
Fields to be completed
| Section | Description |
|---|---|
| 1. Reporter information | Name/surname or pseudonym, email (required), preferred language. Providing a WIN account is optional; it is used for follow-up and the appreciation reward. |
| 2. Summary title | Describe the vulnerability in one sentence. |
| 3. Affected asset | Web / mobile / API; domain, application version, or endpoint; if possible, screen or flow. |
| 4. Vulnerability type | Check the relevant boxes (authorization, session, data exposure, business logic, API, etc.). |
| 5. Step-by-step reproduction | Write numbered steps on how to reproduce the vulnerability. |
| 6. Expected vs actual behavior | Compare what the system should do with what it does. |
| 7. Impact and exploitability | Worst-case scenario and under which conditions it can be exploited. |
| 8. Evidence | Minimum level: screenshot, short video, or minimal PoC. Must not include personal data; follow the data minimization principle. |
| 9. Suggested fix | Optional. |
| 10. Sensitive information | If there are tokens, test accounts, etc., submit them in a separate/encrypted file; in this field you may write only "Submitted in a separate encrypted file". |
| 11. Good faith statement | Confirm that you complied with policy rules (do no harm, data minimization, responsible disclosure). |
| 12. Date and signature | An electronic signature is sufficient; a wet signature is requested only if specifically required. |
Documents to attach
- Evidence: You can send screenshots, short videos, or a minimal PoC as email attachments; indicate them in the form as "Attachment: ...".
- Sensitive information (access token, test account, logs): If possible, provide it in a separate, encrypted file; share the password via a separate message or channel.
- No additional document is mandatory; minimum evidence and reproducible steps are sufficient.
Submission and important notes
- Submission: Fill out and scan the form, then send it by email to support@whoisnextapp.com. Encrypted (PGP) communication may be used and is preferred.
- Acknowledgment of receipt: target within 3 business days; initial technical assessment: target 7-14 business days.
- Policy compliance: DDoS, social engineering, bulk data downloading, and early public disclosure are prohibited. You declare that you conducted research in good faith, with minimal steps, and without harming user data.
- For detailed rules and scope, read the Security Vulnerability Disclosure Policy.