Our approach to responsible research

Hackrate was built on the belief that ethical security research strengthens the entire digital ecosystem. These guidelines define how responsible vulnerability disclosure should take place across our platform and describe the shared expectations between Ethical Hackers and Program Sponsors.

Ethical Hackers are encouraged to act responsibly and within scope, and Program Sponsors are expected to respond constructively and transparently. Together, both sides form a partnership grounded in professionalism, respect, and integrity.

Responsibilities of Ethical Hackers

When participating in any Hackrate program, Ethical Hackers must always follow the rules and boundaries published on the program’s page. These define which systems, domains, or applications may be tested and what methods are prohibited. If any doubt exists about whether a target or technique is allowed, clarification should be requested through the Hackrate portal before proceeding.

Ethical Hackers are required to avoid activities that could disrupt production environments, degrade performance, or result in data loss. Testing should be limited to the minimum necessary to demonstrate the vulnerability and must never include accessing or modifying personal, financial, or confidential information belonging to users or customers. If such data is encountered incidentally during testing, testing should stop at that point and the exposure should be reported without retaining, copying, or further examining the data.

Reports must be written clearly and submitted exclusively through the Hackrate platform. A complete submission typically includes the affected target, a concise description of the issue, step-by-step reproduction instructions, expected versus actual results, and a proof of concept or evidence where appropriate. Clarity and reproducibility significantly accelerate triage and resolution.

Public disclosure of a vulnerability should occur only after the Program Sponsor has resolved the issue or explicitly authorized publication. Ethical Hackers who follow these principles are protected under Hackrate’s Safe Harbor provisions.

Responsibilities of Program Sponsors

Program Sponsors, who operate vulnerability disclosure or bug bounty programs through Hackrate, also carry specific responsibilities. They should review new submissions promptly, acknowledge receipt, and maintain an open line of communication with the Ethical Hacker throughout the triage and remediation process.

Sponsors are expected to evaluate each report fairly and consistently, focusing on accuracy, reproducibility, and real-world impact. Once verified, the Sponsor should prioritize timely remediation and, when applicable, apply rewards or recognition according to its published program policy.

Professional courtesy is essential: Ethical Hackers who act in good faith should never face intimidation, legal threats, or retaliation for their participation. A successful program treats every submission as an opportunity to improve security rather than as a nuisance.

Safe Harbor for Ethical Hackers

Hackrate stands behind researchers who act responsibly. If you comply with these guidelines and the scope of a Hackrate program:

  • Your testing will be treated as authorized research by Hackrate and the Program Sponsor.

  • Hackrate will mediate in the event of misunderstanding or dispute.

  • No legal action will be initiated solely for performing good-faith security testing within approved boundaries.

Safe Harbor does not cover activities that intentionally cause damage, extract or publish sensitive data, or extend beyond the agreed scope.

Reporting through Hackrate

All vulnerabilities must be reported directly through the Hackrate Portal using the Submit Report feature on the appropriate Program Page.

Reports sent through unofficial channels (such as direct e-mail or social media) may not receive Safe Harbor coverage or reward consideration.

An effective report provides enough technical detail for the Program Sponsor’s security team to reproduce and assess the issue.

Reports should describe where the vulnerability occurs, how it can be triggered, and what security impact it poses. Including screenshots, logs, or a small proof-of-concept greatly improves clarity.

Communication about the report should remain inside Hackrate’s secure discussion thread unless the Program Sponsor explicitly requests another encrypted channel.

Ethical Hackers should remain patient during triage, as validation and remediation can take time depending on complexity and internal approval workflows.

Coordinated disclosure and timing

By default, Hackrate encourages private coordination until 30 days after remediation or another period mutually agreed between Ethical Hacker and Program Sponsor.

Some programs define custom disclosure timelines; those take precedence. If a vulnerability requires longer vendor coordination, Program Sponsors may request extensions, and Ethical Hackers are expected to cooperate reasonably.

Remediation itself may take longer for vulnerabilities that are complex or have broader technical impact. In such cases, the report should remain private until remediation is complete, and the default 30-day disclosure window only begins once the fix is confirmed, giving the Program Sponsor sufficient opportunity to implement a proper fix. During these extended periods, Hackrate encourages continuous and transparent communication between the Program Sponsor and the Ethical Hacker to maintain trust and coordination throughout the process.

If a period of 180 days passes without the Program Sponsor providing or agreeing to a clear disclosure timeline, the Ethical Hacker may proceed with publicly sharing the vulnerability details. In such exceptional situations, Hackrate supports transparency as it ultimately serves the public interest and collective security.

CVE identifier assignment

When a vulnerability is deemed eligible for a CVE identifier, Hackrate coordinates the CVE assignment process in alignment with the agreed disclosure timeline. CVE IDs are typically requested and reserved after remediation is confirmed or when a clear remediation plan and disclosure date have been established with the Program Sponsor.

If Hackrate is acting as a CVE Numbering Authority (CNA) for the affected product or vendor, Hackrate will assign the CVE identifier directly and manage the full lifecycle of the CVE record, including validation, metadata completion, and publication.

If Hackrate is not the appropriate CNA, it will facilitate coordination with the relevant upstream CNA or MITRE to ensure proper CVE assignment. In all cases, CVE publication is synchronized with public disclosure to avoid premature exposure of unpatched vulnerabilities.

This approach ensures responsible disclosure, accurate vulnerability attribution, and alignment with global vulnerability management standards while balancing vendor readiness and public security interests.


US Patent Applied for HackGATE #63/645,845

Hackrate Ethical Hacking Platform |
2025 ©