Hack The Box VDP — Vulnerability Disclosure Program

Introduction

Welcome to the Hack The Box VDP! We want to extend our thanks to you for keeping our platform and our users safe.

• Hack The Box Security Team

Program Highlights

• Closed Scope — Only accepts reports based on the listed scope.
• Gold Standard Safe Harbor — Adheres to Gold Standard Safe Harbor.
• Coordinated Vulnerability Disclosure Standard — Follows standard coordination practices.
• Top Response Efficiency — This program's response efficiency is above 90%.

Average Response Times:

• 2 hours average time to first response
• 2 hours average time to triage
• 1 month, 1 week average time to resolution

Scope Exclusions

The following are out of scope:

Overview

Last updated on September 8, 2025.

The following summary outlines key rules and expectations but does not substitute the official VDP Terms, which you are required to read in full before engaging in any testing activity.

Participation in this Vulnerability Disclosure Program is strictly subject to your acceptance and continuous compliance with the full VDP Terms, which are legally binding and take precedence over any summary or guidance provided here.

By initiating any testing or submitting a report, you confirm that you have read, understood, and agreed to be bound by the latest version of the VDP Terms.

Program Scope

Hack The Box authorizes vulnerability research only on systems that it directly owns and operates. Testing is permitted exclusively on assets explicitly listed as in-scope. Any activity beyond this scope is strictly prohibited and not protected by Safe Harbor.

In-Scope Assets:

• academy.hackthebox.com
• app.hackthebox.com
• labs.hackthebox.com
• enterprise.hackthebox.com
• ctf.hackthebox.com
• account.hackthebox.com
• jobs.hackthebox.com
• api.jobs.hackthebox.com
• status.hackthebox.com

All other systems, subdomains, integrations, or services—including third-party tools or unlisted assets—are out-of-scope and must not be tested.

Testing Rules (What's Allowed)

• Use only your own personal HTB account
• Respect the platform – no abuse, persistence, or lateral movement
• Minimize impact – test only to the extent required to prove risk
• Communicate respectfully and professionally
• Ask for clarification on edge cases via the HackerOne Platform
• Comply with all prohibited actions listed below

Strictly Prohibited Activities

• Testing systems or services not explicitly listed as in-scope, including unlisted subdomains, external platforms, third-party tools, and services not operated by Hack The Box.
• Accessing, interacting with, or simulating other users' accounts, data, or sessions, including mimicking customer environments or generating synthetic data that resembles real user activity.
• Submitting, storing, or including any sensitive data (e.g., credentials, cookies, tokens, logs, personal data) in reports, communications, or third-party tools.
• Performing any action—manual or automated—that disrupts, degrades, or impairs the performance, availability, or functionality of Hack The Box services or infrastructure, including:
  • DoS attacks
  • Credential stuffing, brute-force attacks, or rate abuse
  • Automated scanning, crawling, or fuzzing without prior written authorization
  • Automated account creation or script-driven interactions (bots)
• Engaging in social engineering, phishing, pretexting, impersonation, or other deceptive behaviors targeting individuals, staff, or systems.
• Attempting to physically access Hack The Box premises, equipment, infrastructure, or networks.
• Uploading credentials, tokens, or other secrets to third-party repositories, tooling platforms, pastebins, or external services.
• Violating applicable laws or regulations, or engaging in any conduct that creates legal, operational, reputational, or security risks for Hack The Box, its users, or its partners.

Valid Findings

We welcome high-impact, well-documented reports that affect in-scope assets and demonstrate a clear, real-world security impact. Focus areas include vulnerabilities that:

• Allow unauthorized access to accounts, data, or internal systems
• Break authentication or session mechanisms
• Escalate privileges or bypass user boundaries
• Exploit flawed business logic or access control

Valid examples include (but are not limited to):

• Remote Code Execution (RCE)
• SQL Injection (SQLi)
• Server-Side Request Forgery (SSRF)
• Authentication bypass or session issues
• Privilege escalation
• IDOR, XSS, CSRF
• Business logic abuse
• Unauthorized admin access

We do not accept:

• Theoretical or low-risk issues
• Duplicate or previously known bugs
• Scanner output with no proof-of-impact
• Findings listed in HackerOne's Ineligible Findings

Please ensure your submission includes clear steps to reproduce, evidence of impact, and relevant context. We prioritize quality and actionable reports.

Report Quality

Reports must be clear, complete, and reproducible.

Include:

• A concise title
• Step-by-step reproduction (URLs, roles, payloads, etc.)
• Expected vs. actual behavior
• Real-world impact
• Supporting evidence (PoC, screenshots, logs)
• Submit one report per issue (unless chaining is essential)
• Group related bugs only if they share a root cause
• First valid report gets recognition

Follow:

• HackerOne Quality Reports Guide
• Hacker101 Session: Writing Good Reports

Timelines

We aim to:

• Acknowledge valid reports within 5 business days
• Provide initial status updates within 10 business days
• Coordinate disclosure within 90 days where feasible

Safe Harbor

We align with Gold Standard Safe Harbor.

As long as you act in good faith, follow the VDP Terms, and stay within scope, we will:

• Not take legal action against you
• Not suspend your HTB account
• Affirm the research as Good Faith Security Research if questioned by a third party

Safe Harbor does not apply if you fail to comply with applicable laws or the VDP Terms.