How WHOOP handles security vulnerabilities
At WHOOP, our mission is to unlock human performance. We exist to improve the lives of our members, not invade their lives. Like all companies providing wearable devices and health monitoring services, WHOOP manages personal and sensitive data of our members. We take privacy seriously, and understand that we have a responsibility to protect the privacy of our members’ data. We understand that secure products are instrumental in maintaining the trust that members place in WHOOP, and we strive to create innovative products that improve our members' lives.
This site provides information for researchers and security professionals.
If you are a WHOOP member and are experiencing a security issue with your account please contact Membership Services.
Reporting security issues
WHOOP openly accepts vulnerability reports for our WHOOP platform and products. If you believe you have discovered a vulnerability in a WHOOP platform or product, or if you have a security incident to report, please contact us via email at firstname.lastname@example.org or via our vulnerability disclosure form at https://www.whoop.com/security. Upon receipt of your message, we will send a reply that includes a tracking identifier. WHOOP will not engage in legal action against individuals who in good faith submit vulnerability reports through the methods listed above.
WHOOP Vulnerability Disclosure Policy
At WHOOP, we believe that vulnerability disclosure is a two-way street - both WHOOP and security researchers must act responsibly. This is why WHOOP adheres to a 90-day disclosure deadline (the “Deadline”). We notify vendors of vulnerabilities immediately, with details shared in public with the defensive community after the Deadline, or sooner if the vendor releases a fix. That Deadline can vary in the following ways:
- If a Deadline is due to expire on a weekend or U.S. public holiday, the Deadline will be moved to the next regular work day.
- Before the Deadline has expired, if a vendor lets us know that a patch is scheduled for release on a specific day that will fall within 14 days following the Deadline, we will delay the public disclosure until the availability of the patch.
- When we observe a previously unknown and unpatched vulnerability in software under active exploitation (a “0day”), we believe that more urgent action - within 7 days - is appropriate. The reason for this special designation is that each day an actively exploited vulnerability remains undisclosed to the public and unpatched, more devices or accounts will be compromised. Seven days is an aggressive timeline and may be too short for some vendors to update their products, but it should be enough time to publish advice about possible mitigations, such as temporarily disabling a service, restricting access, or contacting the vendor for more information. As a result, after 7 days have elapsed without a patch or advisory, we will support researchers making details available so that users can take steps to protect themselves.
As always, we reserve the right to bring the Deadline forward or backward based on extreme circumstances. We remain committed to treating all vendors strictly equally. WHOOP expects to be held to the same standard.
This policy aligns with our desire to improve industry response times to security bugs, but also results in softer landings for bugs marginally over the Deadline. WHOOP calls on all security researchers to adopt disclosure deadlines in some form, and welcomes security researchers to use this policy if you find our policy compelling. Creating pressure towards reasonably-timed fixes will result in smaller windows of opportunity for blackhats to abuse vulnerabilities. In our opinion, vulnerability disclosure policies such as ours result in greater overall safety for users of the Internet.