Vulnerability Disclosure Policy

Posted by Willow Cyber and Privacy Team


Willow takes a conscientious approach to securing its products and services. We invite security researchers to report the vulnerabilities they find so that Willow can continue to protect its customers and users in good faith.

This Vulnerability Disclosure Policy explains how an independent security researcher can report findings to Willow, the criteria for what can be reported, the rules of engagement for vulnerability testing activities, and the disclosure time window for when a vulnerability can be publicly disclosed.

Please note that we are not offering compensation for the reporting of discovered or potential vulnerabilities.

How to report vulnerabilities to Willow

When vulnerabilities or sensitive data (PII) are discovered, we ask that you immediately stop testing and notify Willow by sending a vulnerability report to

The Security Team will reach out via as soon as possible with an acknowledgment email.

By sending this submission email to Willow, we note that you have read, understood and agreed with the Vulnerability Disclosure Policy in the context of Willow information systems. Please keep in mind that your report and testing methodologies must follow the scope and rules of engagement outlined in this Vulnerability Disclosure Policy.


We require that you do not publish or make public any vulnerabilities or sensitive data (PII) discovered. Willow is open to discussing the publication of the vulnerability once it has been remediated.


Willow’s systems and services associated with domains and subdomains are within scope. Willow’s two domains are and Any other domain apart from these two domains is considered out of scope.

If unsure please contact

Rules of engagement

Please do not:

  • Engage in physical testing of any Willow resources
  • Disrupt Willow systems
  • Violate Willow’s Data Privacy Policy
  • Degrade Willow users’ experience
  • Destroy, manipulate, compromise, share, retain or affect the availability of Willow data
  • Inject malware into Willow systems
  • Exploit the found vulnerabilities to exfiltrate data, obtain command line access, maneuver to other systems and establish a persistent connection in Willow systems
  • Compromise intellectual property and commercial/financial interests of any Willow stakeholders
  • Engage in social engineering or phishing attacks
  • Demand payment or rewards for reporting vulnerabilities

Please do:

  • Comply with the Vulnerability Disclosure Policy
  • Stop testing after a vulnerability is found and notify Willow immediately with a proof of concept
  • Stop testing after nonpublic data or sensitive PII is found and notify Willow immediately
  • Remove any stored nonpublic data or sensitive PII after reporting to Willow
  • Only test within the scope listed above
