
Hex
External Program
Submit bugs directly to this organization
Do not test on production (https://app.hex.tech). For access to the bug bounty instance, please email bug-bounty at our domain, and provide your HackerOne handle.
Do not message support chat on https://app.hex.tech.
Please provide detailed reports, along with an attack scenario. If the report is not detailed enough to reproduce the issue, the issue may not be marked as triaged.
Submit one vulnerability per report unless you need to chain vulnerabilities to provide impact.
When duplicates occur, we only triage the first report received (provided that it can be fully reproduced).
Only interact with accounts you own or with the explicit permission of the account holder.
Hex believes that working with skilled security researchers across the globe is critical for best protecting our customers and their data. We are excited for you to participate as a security researcher to help us identify vulnerabilities in our web application. Good luck and happy hunting!
Average time to first response: 17 hours
Average time to triage: 1 day, 21 hours
The app allows you to be logged into multiple user accounts and orgs at the same time. To properly test cross-org authorization, you need to start with two separate browsers or profiles, ensure you're fully logged out on both, then on each browser log in with a different email address. Ensure that the attacker's email address isn't a member of the target org.
Thank you for helping keep Hex Technologies and our users safe!