🔐 Security Policy

Last Updated: December 10, 2025

At What Is My Country, security is a top priority. We are committed to protecting our users' data and maintaining a secure service. This Security Policy outlines our security practices and provides guidance on reporting security vulnerabilities.

1. Our Security Commitment

We implement industry-standard security measures to protect our service and user data:

  • Secure Infrastructure: Our service runs on secure, regularly updated infrastructure
  • Data Encryption: Data in transit is protected using TLS/SSL encryption
  • Access Controls: Strict access controls and authentication mechanisms protect our systems
  • Regular Updates: We regularly update our dependencies and systems to patch known vulnerabilities
  • Security Monitoring: Continuous monitoring for suspicious activity and potential threats
  • Data Minimization: We collect only the minimum data necessary to provide our service

2. Reporting Security Vulnerabilities

We welcome and encourage security researchers to report vulnerabilities responsibly. If you discover a security issue, please follow these guidelines:

What to Report

We are interested in any security issues that could potentially affect our users or service, including:

  • Cross-Site Scripting (XSS)
  • SQL Injection or other injection vulnerabilities
  • Authentication or authorization bypasses
  • Server-Side Request Forgery (SSRF)
  • Information disclosure vulnerabilities
  • Denial of Service (DoS) vulnerabilities
  • Any other security-related issues

How to Report

Email: security@whatismycountry.com

Subject Line: [Security] Brief description of the issue

When reporting a vulnerability, please include:

  • Detailed description of the vulnerability
  • Steps to reproduce the issue
  • Potential impact and severity assessment
  • Any proof-of-concept code or screenshots (if applicable)
  • Your contact information for follow-up questions

Responsible Disclosure Guidelines

Please follow these responsible disclosure practices:

  • Do not access, modify, or delete data that does not belong to you
  • Do not perform actions that could negatively impact our service or users
  • Do not publicly disclose the vulnerability until we have had time to address it
  • Give us reasonable time to investigate and fix the issue before disclosure (typically 90 days)
  • Do not exploit the vulnerability for malicious purposes

3. Our Response Process

When you report a security vulnerability to us, here's what you can expect:

  1. Acknowledgment: We will acknowledge receipt of your report within 48 hours
  2. Initial Assessment: We will assess the vulnerability and determine its severity within 5 business days
  3. Regular Updates: We will provide regular updates on our progress in addressing the issue
  4. Resolution: We will work to fix the vulnerability as quickly as possible based on its severity
  5. Credit: With your permission, we will credit you for the discovery when we disclose the fix

4. Scope

In Scope

  • whatismycountry.com and all subdomains
  • Our JSON API endpoints
  • Our JavaScript widget
  • Any other services we officially operate

Out of Scope

The following are generally considered out of scope:

  • Social engineering attacks
  • Physical attacks against our infrastructure
  • Denial of Service attacks
  • Issues in third-party services we don't control
  • Security issues in outdated browsers or clients
  • Known issues we have already publicly disclosed

5. Security Best Practices for API Users

If you're integrating our service into your application, we recommend following these security best practices:

  • Use HTTPS: Always make API requests over HTTPS
  • Validate Data: Validate and sanitize all data received from our API
  • Rate Limiting: Implement rate limiting to prevent abuse
  • Error Handling: Handle errors gracefully without exposing sensitive information
  • Keep Updated: Stay informed about any security updates or announcements

6. Data Security

We take data security seriously and implement multiple layers of protection:

  • Minimal Data Collection: We collect only the data necessary for our service
  • Secure Storage: Data is stored securely with appropriate access controls
  • Regular Audits: We conduct regular security audits and reviews
  • Incident Response: We have an incident response plan for security breaches
  • Data Retention: We maintain clear data retention policies and securely delete data when no longer needed

7. Security Incident Response

In the event of a security incident that affects user data:

  • We will investigate and contain the incident promptly
  • We will assess the scope and impact of the breach
  • We will notify affected users as required by law
  • We will take steps to prevent similar incidents in the future
  • We will cooperate with law enforcement as appropriate

8. Third-Party Security

We carefully vet third-party services and dependencies used in our service. However, we cannot control the security of external services. Users should review the security policies of any third-party services they interact with through our platform.

9. Updates to This Policy

We may update this Security Policy from time to time to reflect changes in our practices or for legal reasons. Significant changes will be communicated through our website.

10. Questions and Contact

If you have questions about our security practices or this policy, please contact us:

Security Issues: security@whatismycountry.com

General Inquiries: support@whatismycountry.com

Website: https://whatismycountry.com

⚠️ Note: Please do not use general contact channels for reporting security vulnerabilities. Always use security@whatismycountry.com for security-related reports to ensure they receive immediate attention from our security team.

Back to Home