If you believe you have found a security issue that meets Whatfix’ definition of a vulnerability, please submit the report to our security team via one of the methods below:
If you are a customer:
If you are a security researcher:
Whatfix considers a security vulnerability to be a weakness in our Whatfix Digital adoption Platform or the supporting infrastructure of the Platform that could allow an attacker to impact the confidentiality, integrity, or availability of the product or infrastructure.
Note: The corporate Website of Whatfix is not in scope.
Whatfix operates a public bug bounty program for its Digital Adoption Platform via our partner, Bugcrowd. Security researchers can receive cash payments in exchange for a qualifying vulnerability report submitted to Whatfix via our bounty programs.
In order to protect our customers, Whatfix requests that you not post or share any information about a potential vulnerability in any public setting until we have researched, responded to, and addressed the reported vulnerability, and informed customers if needed. Also, we respectfully ask that you do not post or share any data belonging to our customers. Addressing a valid reported vulnerability will take time, and the timeline will depend upon the severity of the vulnerability and the affected systems.