Protected Intake

Your NDA does not protect your employer. It protects you.

Under Ontario’s Securities Act, contractual provisions designed to silence you from reporting securities-related misconduct are void. You are protected by statute. This is the intake.

Your Protections

◆ Identity protected. We make all reasonable efforts to protect your identity. Anonymous submissions accepted through counsel.

◆ Anti-reprisal. It is an offence to terminate, demote, suspend, intimidate, or impose any penalty on an employee who reports misconduct. Employers bear the burden of proof.

◆ Civil remedies. Employees who face reprisal may seek reinstatement and two times lost pay through the courts.

◆ NDAs voided. Provisions in employment agreements designed to prevent reporting of securities-related misconduct are void under the Acts.

◆ Protections apply regardless of whether enforcement action results or whether you meet award criteria.

Protections under Ontario’s Securities Act and Commodities Futures Act. See the OSC Whistleblower Program for full details.

What Qualifies

Original information. Timely, specific, credible.

To be eligible, your information must be voluntarily provided before any request from a regulator, SRO, or law enforcement agency. It must contain sufficient facts to meaningfully assist an investigation.

Independent Knowledge

What you witnessed.

Information derived from your own experiences, communications, and observations in your employment, business, or social interactions. You saw the patch merged with a misleading commit message. You were in the room when the decision was made not to disclose. You have access to internal communications documenting the suppression.

Independent Analysis

What you found.

A critical analysis of publicly available information or data that reveals additional insight not generally known or available to the public. You identified a silent patch through commit analysis. You discovered a vulnerability that was fixed without a CVE. You mapped a downstream exposure the vendor never disclosed.

Silent Patch Evidence

What they hid.

A security-relevant code change merged without a CVE, without a security advisory, and without downstream notification. The commit message misrepresents the nature of the change. The vendor knows and has not disclosed. You have the evidence.

Suppression Evidence

What they buried.

Internal communications, triage decisions, NDA clauses, bounty platform correspondence, or audit reports that document a decision to suppress vulnerability disclosure. The finding was real. The decision to hide it was deliberate. You can prove both.

How It Works

Submit. We handle the rest.

01

Submit

Use the form below. Describe what you observed. Attach evidence if available. Anonymous submissions accepted.

02

Validate

Our scaffolding independently confirms the finding against the 52-technique taxonomy. Your information is corroborated, not relied upon alone.

03

File

Confirmed findings receive a CVE through MITRE. The evidence package is formatted for regulatory submission.

04

Deliver

The regulatory-ready package reaches the appropriate authority. Your identity is never attached unless you consent.

Report

Secure intake.

All fields are transmitted securely. Do not include materials subject to solicitor-client privilege. If you are represented by counsel, your lawyer may submit on your behalf.

You are encouraged, though not obligated, to report internally to your employer before submitting here.

Anonymous submissions: Leave the contact fields blank. If you need to provide follow-up information later, note the confirmation reference you receive after submission. We cannot contact you if you submit anonymously, but your information will still be validated and acted upon.

Whistleblower Intake Form

Type of Report *

Source of Information *

This maps to the OSC’s “original information” eligibility criteria.

Affected Ecosystem / Vendor

If you prefer not to name the vendor at this stage, describe the ecosystem (e.g. “L1 blockchain”, “authentication framework”).

Description of Findings *

Supporting Evidence

Contact (Optional)

Your identity is protected by default. Provide contact only if you wish to receive status updates or be eligible for a bounty payment.

I am providing this information voluntarily, before receiving any request from a regulator, SRO, or law enforcement agency. *

I understand this submission does not contain materials subject to solicitor-client privilege. *

I consent to Whiten Baker sharing my information with the OSC Office of the Whistleblower or other relevant regulatory authority, with my identity protected.