Organizations without a public Vulnerability Disclosure Program (VDP), Bug Bounty Program (BBP), or Direct Vulnerability Submission/Disclosure Process are encouraged to sign up for an Essential VDP.
HackerOne Essential VDP, a free Vulnerability Disclosure Program, helps you easily navigate the compliance-driven landscape. Acting as a digital neighborhood watch, it provides clear guidelines and a direct channel for external entities to report vulnerabilities.
What is Disclosure Assistance?
The objective of Disclosure Assistance is to help researchers report highly-impactful bugs affecting larger organizations that do not have a public Vulnerability Disclosure Program, Bug Bounty Program, or Direct Vulnerability Submission/Disclosure Process. Disclosure Assistance is a best-faith effort program offered by HackerOne.
When a vulnerability is found, it needs to get into the right hands quickly. This is the only way to ensure it will be resolved safely without public harm. To aid in this process, HackerOne introduced the Directory to identify the best way to report potential vulnerabilities directly to the organizations that can resolve them.
Some organizations do not have well-defined methods of receiving vulnerability reports from external finders. In these situations, HackerOne will work with friendly hackers on a best-effort basis to
- Verify the legitimacy of a vulnerability that meets or exceeds the Disclosure Assistance impact threshold.
- Identify an appropriate contact at the affected organization.
- Attempt to contact them directly.
- If successful, share the vulnerability with the organization so it can be resolved.
Submitting to this program comes with no guarantee of action.
HackerOne will attempt contact with the impacted party for bugs that meet the following criteria:
- Critical impact to an affected company/organization that does not have a public Vulnerability Disclosure Program, Bug Bounty Program, or Direct Vulnerability Submission/Disclosure Process.
- Large userbase or societal impact (e.g., a large organization with a significant volume of user data exposure).
- Examples of Critical Impact Bugs:
  - SQLi
  - RCE
  - Information Disclosure of bulk PII (Personally Identifiable Information) data
Why does HackerOne offer Disclosure Assistance?
It's risky for security researchers to report vulnerabilities to organizations that lack formal policies. Will the researcher receive a warm welcome, a cold shoulder, a punitive lawsuit, or a visit from law enforcement? This uncertainty intensifies a chilling effect that causes vulnerabilities to go unreported and the Internet to be less safe than it could be. It's in our collective best interest to help friendly hackers be able to disclose vulnerabilities to any organization.
In the physical world, "If you see something, say something." is a core tenet of any safe community. The same should be true online, yet far too often, good samaritans are pressured to "say nothing." Encouraging strong relationships between organizations and the hacker community is key to creating a safer Internet for all. The HackerOne Directory aims to reduce the risk for the individual and help close this crucial gap.
How does it work, exactly?
- A friendly hacker finds a vulnerability.
- They search the HackerOne Directory for a published security contact method.
- Attempt alternative means of contact:
  - Check the company website for a security submission form.
  - Use a search engine and search for the company name together with a phrase describing how to submit a vulnerability. Examples:
    - “ bug bounty program”
    - “ vulnerability disclosure program”
    - “ report vulnerability”
    - “ report security issue”
    - etc.
  - Contact a relevant security or technical representative of the company directly on LinkedIn.
- If the hacker has exhausted their options in their attempts to contact the organization, they can request Disclosure Assistance.
Report Submissions
- As part of their report submission, the hacker is required to provide information on their attempts to reach the affected organization along with the relevant vulnerability information.
- HackerOne will review the report and determine if it meets the minimum criteria for Disclosure Assistance.
- Valid reports that meet the minimum criteria will be moved into triaged status.
- Invalid reports or reports that DO NOT meet the minimum criteria will be closed accordingly.
- For triaged reports, HackerOne will attempt contact multiple times over 30 days.
- HackerOne will attempt to contact the affected organization and verify the identity of an appropriate point of contact to receive the vulnerability information. Once their identity is verified, an email is sent to the point of contact with a secret link to the contents of the bug report and the interactions between the hacker and HackerOne. At this point, the vulnerability information has been successfully shared with the affected organization.
- If they’d like, the point of contact can create an account on HackerOne to interact with the finder directly or provide updates on the resolution of the vulnerability. Alternatively, the point of contact can contact [email protected] for assistance on how to proceed. At the end of this process, HackerOne will inquire about the organization's preferred vulnerability disclosure process (based on ISO 29147) to avoid the need for Disclosure Assistance in the future.
- If no response or acknowledgment is received within 30 days, the report will be closed as informative.
- As HackerOne has no control over the remediation of triaged Disclosure Assistance reports, HackerOne is unable to resolve reported bugs. These reports will be closed as informative unless the company contact directly confirms within the report itself that the bug can be closed as resolved.
- HackerOne’s Mediation team does not act on mediation requests for Disclosure Assistance reports. If you have concerns about a Disclosure Assistance report, please comment within your report or contact [email protected].
Please be aware that we cannot guarantee success, so we recommend familiarizing yourself with the EFF's Vulnerability Reporting FAQ and encourage you to perform other contact attempts in parallel to our effort.
Questions?
Questions specific to a particular report should be asked within the report itself. If you need support or have questions on the Disclosure Assistance process, please contact [email protected].