Security disclosure policy

Scope

This policy covers the following WhiteBoar-owned systems and surfaces:

• whiteboar.it — the platform marketing website
• build.whiteboar.it — the client portal and admin interface
• Client websites on *.whiteboar.it subdomains
• The hosted client portal infrastructure

Out of scope: Third-party vendors (Supabase, Vercel, Stripe) — if you find a vulnerability in one of these services, please report it directly to the vendor.

How to report

Send a description of the vulnerability to security@whiteboar.it. English or Italian preferred. PGP is not required. Please include:

• A clear description of the vulnerability
• Steps to reproduce or a proof-of-concept
• The potential impact you observed
• Any suggested remediation (optional)

Response timeline

• Acknowledgement: within 5 business days of receiving your report
• Initial triage: within 10 business days
• Resolution: depends on severity — we will keep you informed throughout the process

Safe harbor

Security researchers who act in good faith and within the bounds of this policy will not face legal action from WhiteBoar. We consider good-faith security research to be activities that do not:

• Access, modify, or delete data belonging to other users
• Disrupt production services
• Exfiltrate data beyond what is strictly necessary to demonstrate the vulnerability

Out of scope activities

The following activities are out of scope and must not be performed:

• Denial of service (DoS / DDoS)
• Social engineering of WhiteBoar staff or customers
• Physical attacks against our infrastructure
• High-volume automated scanning that impacts service availability