Bug Bounty Policy
Found a security vulnerability in Wispr Flow? This policy explains how to report it, what qualifies for a bounty, and the legal protections offered to researchers who follow responsible disclosure practices.
What to expect, and when
Commitments below apply to Critical findings only. High-severity findings receive best-effort response on the same timeline in practice, but are not contractually guaranteed. Acknowledgment or response to findings deemed Medium criticality or lower are not required or guaranteed.
Rewards
Bounty payments require a minimum severity of High. Medium, Low, and Informational findings are accepted and acknowledged, but are not eligible for monetary reward.
What's in and out of scope
Android has limited functionality compared to other clients. Core surfaces: dictation, floating bubble, transcript history, account profile, and privacy mode toggle. No in-app subscription, no language selection UI, no dictionary/snippets, no feature flags. Enterprise users have privacy mode auto-enabled and locked client-side (cannot be changed by the user).
1. Before you report
How submissions are handled — the quality bar we hold reports to, monthly limits, and how duplicates are treated. The required fields are collected in the report form below.
Submission quality & original research
Submissions must reflect original, hands-on research against Wispr Flow's production systems. Reports primarily generated by AI tools without demonstrated manual verification will be closed without review. Indicators that may result in immediate closure:
- Generic vulnerability descriptions not specific to Wispr Flow
- Fabricated or fictitious technical details (e.g., referencing technologies Wispr doesn't use)
- No evidence of actual interaction with Wispr systems
- Scanner output (Burp Suite, Nessus, Nuclei) submitted without manual analysis
- Internally inconsistent CVSS vectors
- Submissions substantially identical in structure to other reports
Submission limits
Max 5 bounty-eligible reports per calendar month. Additional submissions are queued but not eligible for bounty. Resets monthly; does not apply to High- or Critical-severity findings.
Duplicate reports
Only the first reporter of a given vulnerability is eligible for a bounty. Duplicates receive no payout. If you believe your finding is a novel variant, explain clearly how it differs.
2. Coordinate before you publish
90 days — standard disclosure window
- Avoid public disclosure until Wispr Flow has remediated the issue, or a mutually agreed disclosure date has been reached.
- Standard window: 90 days from acknowledgment. May be shortened or extended if actively exploited, or if legal/regulatory obligations require earlier disclosure.
- If you plan to publish, notify Wispr Flow at least 7 days before public disclosure. When possible, Wispr Flow will publish a coordinated advisory.
3. Good-faith research is protected
If you follow this policy and act in good faith, Wispr Flow will not initiate legal action against you. Safe harbor may be denied if testing is reckless, destructive, or violates this policy.
- Avoid unnecessary data exfiltration beyond what demonstrates impact
- Do not publicly disclose details before coordination
- Do not perform DoS or service-degrading tests
4. Terms of submission
- Include all required fields: concise summary, full CVSS 3.1/4.0 vector, CWE classification, reproducible proof-of-concept, affected systems, evidence of testing, and contact information.
Follow the process defined in this policy. Contacting Wispr Flow's founders, employees, or investors directly to bypass, escalate, or circumvent any part of this program will disqualify the submission from any reward and may void safe-harbor protection.
Frequently asked questions
Are missing CAA records eligible for a bounty?
Not on their own. Missing CAA DNS records are only in scope when combined with real certificate misissuance.
Are subdomain takeovers in scope?
Yes, for subdomains owned or managed by Wispr Flow. Subdomains not owned or managed by Wispr Flow are out of scope.
Are client-side issues eligible?
Yes — issues affecting confidentiality, integrity, or availability beyond normal user operation in the Electron, macOS, Windows, iOS, or Android clients are in scope. Client-side enforcement bypasses where server-side validation is absent are explicitly listed as high-impact.
Are Medium-severity findings bounty-eligible?
No. Bounty payments require a minimum severity of High. Medium, Low, and Informational findings are accepted and acknowledged but receive no monetary reward.
Can I use AI tools in my research?
AI tools can support your research, but submissions must reflect original, hands-on testing against Wispr Flow's production systems. Reports that are primarily AI-generated without demonstrated manual verification will be closed without review.
What if my finding is a duplicate?
Only the first reporter of a given vulnerability is eligible for a bounty. If your finding duplicates a known issue, you'll be notified and no payout will be issued. If you believe it's a novel variant, include a clear explanation of how it differs.
Is there a submission limit?
Yes — 5 bounty-eligible reports per calendar month per researcher. Additional submissions are queued but not eligible for bounty. The limit resets monthly and does not apply to High- or Critical-severity findings.
Can I test against real user accounts?
No — use only accounts you control. Describe theoretical impact rather than accessing real data.
