What we hold ourselves to.
Standards are what remain when no one is watching. These are the commitments Whiten Baker makes to every client, every platform, and every researcher we work alongside. They are non-negotiable.
Credibility is the only currency in this industry that compounds.
A vulnerability researcher’s reputation is built one finding at a time and can be destroyed by one bad submission. The standards on this page exist because the firm’s credibility and its clients’ trust are the same asset. We protect both by holding ourselves to rules that are stricter than any platform requires.
Six Rules.
No Exceptions.
No Negotiation.
Every rule on this page was written because something went wrong somewhere. Not here. We intend to keep it that way.
Honest Severity.
CVSS is scored to the bug, not to the payout. A 4.3 is called a 4.3. A 9.8 is called a 9.8. We do not inflate severity to chase bounties, and we do not deflate to avoid difficult conversations with vendors.
In Practice
Every report includes a CVSS 3.1 breakdown with each vector component explained. If we cannot justify a score to a skeptical triager, we lower it before submission.
Proof Over Theory.
We do not submit theoretical vulnerabilities. Every finding that leaves this firm has a working proof of concept, a structured claim with all five fields populated, and at least one category of independent evidence.
The Five-Field Claim
Vulnerability type. Precise preconditions. Exact attacker action. Expected vulnerable behavior. Security boundary crossed. If any field reads “unknown,” the finding is not ready to ship.
Disclosure.
We file CVEs directly with MITRE. We do not depend on platform triage queues to assign identifiers to our findings. We do not wait for vendor permission to publish severity assessments the public is entitled to know.
Responsible disclosure means giving the vendor time to fix. It does not mean giving them the power to suppress.
Timeline
90 days from initial report. Extensions granted for active remediation, not for silence.
The Kill Standard.
Every finding survives three adversarial passes before it ships.
Findings that die in the kill-loop are documented. A finding killed with evidence is progress, not failure.
Why We Document the Dead
A killed finding prevents reinvestigation of the same dead end in future sessions and builds institutional knowledge about what a target’s architecture actually permits.
What We Will Not Report.
- Missing security headers (CSP, HSTS, X-Frame-Options)
- GraphQL introspection alone
- Self-XSS
- Open redirect without a chain
- SSRF with DNS callback only
- Logout CSRF
- Missing cookie flags alone
- Rate limiting on non-critical forms
- Banner disclosure without a working exploit
- Session not invalidated on logout
These are the findings that waste triager time and damage researcher credibility.
The Chain Exception
An open redirect alone is worthless. An open redirect chained with OAuth code theft is account takeover. We report chains, not components.
Client Confidentiality.
Engagement details, findings, and client identity are confidential unless the client explicitly authorizes disclosure. We do not use client names in marketing without permission.
Trust is directional. The client trusted us with access. We do not convert that trust into publicity without their explicit, written consent.
CVE Disclosure
CVEs filed against open-source projects are disclosed per standard timelines. CVEs arising from private engagements follow the client’s disclosure preferences.