Responsible Disclosure

Last updated November 2025

This page explains how to report security issues to Willful in a responsible way. Please also review our Privacy Policy at https://www.willful.co/privacy to see how we handle the information you share.

If you are a Willful customer

If you suspect your account has been compromised or notice suspicious activity, contact our support team right away at support@willful.co. Your issue will be investigated immediately and thoroughly.








If you are a security researcher

Thank you for helping keep Willful secure. We value your expertise and ask that you follow this policy when reporting vulnerabilities.


How to submit a report

Use our web form below. Before you start, make sure you understand our scope, rules, and service level agreements.

Scope of the program

In scope

These public assets are in scope for rewards and recognition:
  • willful.co (marketing site)
  • app.willful.co (core web app)
  • pro.willful.co (Willful for Professionals)

Out of scope

Please do not report issues in:
  • Any other Willful subdomain or internal service
  • Non-exploitable issues such as cosmetic bugs or missing security headers that cannot be exploited
  • Denial of service testing against our infrastructure
  • Third party services we integrate with unless we explicitly invite testing

Program rules

To participate, you must follow these rules in good faith:
  • Use only test accounts you control when experimenting; indicate which accounts you are using.
  • Provide a clear description, reproduction steps, and proof of concept.
  • Avoid testing on production data; use test accounts exclusively.
  • Do not perform destructive testing or violate user privacy.
  • Do not run automated scans without prior approval.
  • Do not test physical security, target employees, or employ social engineering techniques (phishing, spear‑phishing, pretexting, etc.).
  • Only the first valid reporter for each issue will be credited.
  • Refrain from publicly disclosing vulnerabilities until a fix is deployed or coordinated with Willful.

Prohibited behaviours

We will report the following to the appropriate authorities and may pursue legal action:
  • Accessing or modifying other people’s data.
  • Executing denial of service attacks or degrading service.
  • Testing against third‑party services without permission.
  • Distributing malware or similarly harmful software.
  • Any activity that violates applicable laws.

Rewards and recognition

We do not offer cash rewards. Instead we give fame to our security researchers. Every valid report earns a spot on our Security Researchers Hall of Fame with your name or handle and a short bio.

If your report is significant enough, in addition to hall of fame recognition, we will make a donation to one of the following charities on your behalf:

  • Save the Children
  • Sick Kids
  • Canadian Cancer Society

If you prefer to remain anonymous, please let us know in your report.

Legal safe harbour

As long as you follow this policy and act in good faith, we will not pursue legal action against you. Please stay within scope and avoid destructive or privacy-violating actions. This policy is governed by Ontario law.

Data handling and privacy

We treat your submissions with care:
  • Confidentiality: Only our security team sees your report until the fix is live
  • Retention: In line with Canadian privacy laws (PIPEDA)
  • Disclosure: We do not publish technical details until after fixes are deployed and credit is given

Contact us

If you require more information or clarification on our privacy policy, please do not hesitate to contact our Privacy Officer at support@willful.co.