Whoop Bug Bounty
Bounty Range
$150 - $3,000
external program
Whoop Bug Bounty
At WHOOP, our mission is to unlock human performance. We exist to improve the lives of our members, not invade their lives. Like all companies providing wearable devices and health monitoring services, WHOOP manages personal and sensitive data of our members. We take privacy seriously, and understand that we have a responsibility to maintain the privacy of our members' data. As part of our "Cybersecurity as a Product" mindset we recognize that security features earn and maintain trust of our members. This Responsible Disclosure Policy demonstrates our deep commitment to maintain the privacy of our members' data. We encourage anyone who has discovered a potential vulnerability at WHOOP to report it to us, and we are committed to working with the reporter to validate and remediate vulnerabilities.
But our responsibility does not end there. As a beneficiary of open-source software (FOSS), we also recognize that security issues we find in the code, tools and software we use should be responsibly disclosed to the appropriate code maintainers and vendors.
We do not provide credentials. You are welcome to purchase or trial WHOOP in order to obtain an account.
Do not engage in attack attempts that involve Support systems such as Support Chat, Intercom, Iterable, Salesforce, etc. If you generate a ticket queue volume we may ban you from the program.
Any reports without demonstrated impact to Confidentiality, Availability and/or Integrity will not be accepted.
Do not test with accounts you do not own.
Do not commit destructive actions to accounts you do not own, this includes writes/edits/deletes.
Do not randomly fuzz into our APIs, your testing should be methodical and reproducible.
Please provide detailed reports with reproducible steps.
Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.
Social engineering (e.g. phishing, vishing, smishing) is prohibited.
Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder.
Whoop will make a best effort to meet the following response targets for hackers participating in our program:
Time to first response (from report submit) - 5 business days
Time to triage (from report submit) - 10 business days
We'll try to keep you informed about our progress throughout the process.
| Severity | Avg. Bounty | % of Submissions |
|---|---|---|
| Low | $150 | 25% |
| Medium | $500 | 37.50% |
| High | $1,500 | 34.38% |
| Critical | n/a | 3.13% |
Please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.
Follow HackerOne's disclosure guidelines.
When reporting vulnerabilities, please consider (1) attack scenario/exploitability, and (2) security impact of the bug. The following issues are considered out of scope:
Public keys found on web properties are generally not accepted unless you are able to demonstrate pulling non-public information
Bypassing web page sequencing without demonstrating a successful purchase/impact will not be accepted
Credentials and/or API keys of customers found on the internet (i.e: GitHub) will generally not be accepted unless they are a WHOOP employee's credentials
Clickjacking on pages with no sensitive actions.
Unauthenticated/logout/login CSRF.
XSS without impact
Dangling DNS without impact
Subdomain takeover without impact
Attacks requiring MITM or physical access to a user's device.
Previously known vulnerable libraries without a working Proof of Concept.
Comma Separated Values (CSV) injection without demonstrating a vulnerability.
Missing best practices in SSL/TLS configuration.
Any activity that could lead to the disruption of our service (DoS).
Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS
Brute force attacks where the only valid submissions were the result of WayBack Machine research - this will be marked as spam
"Leaked" credentials that are only found in the WayBack machine - this will be marked as spam
Scans for S3 buckets and other assets (GitHub, Netlify, etc.) on the internet that have the word "whoop" but do not actually prove WHOOP ownership - this will be marked as spam
User credentials for whoop posted publicly by the user themselves - this will be marked as N/A
Any claim of ordering free or heavily discounted WHOOP merchandise will be marked as spam without evidence of the order actually arriving to you and a valid orderId. Illegitimate orders can sometimes be placed in our system but our logistics process will flag and cancel the order if it is not meet our expectations for a valid order.
Live Chat, Web Forms, support emails, Iterable, Intercom, Salesforce and other similar third party systems used for Support teams. If you flood the queues we may report you to HackerOne.
Do not test Sentry, Datadog, Segment, Amplitude, etc. Do not stuff the metrics/reporting systems with garbage data, this is considered destructive. Security issues of vendors should be reported to the vendor's program.
Adheres to Gold Standard Safe Harbor. Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.
Thank you for helping keep WHOOP and our users safe.