Disclosure enables programs to be transparent about the security vulnerabilities found in their program. HackerOne's disclosure process balances transparency with control over what information is shared.
Programs can choose from 3 disclosure settings:
You or the security team can request disclosure for any closed report in the program. If the admin of your program agrees to disclosure, the contents of the report will be made public. Upon requesting disclosure, if the report is neither approved or denied, reports in the Resolved state will automatically default to disclosure where the contents of the report will be auto-disclosed within 30 days.
Disclosure Requiring Mutual Agreement
You can request disclosure for any closed report in the program. If the program security team agrees to disclosure, the contents of the report will be made public. If the security team doesn't take any action, the contents of the report will remain private.
Disclosure isn't allowed for any report.
Both you and program members can request disclosure.
Go to the report you want to disclose.
Make sure the report is closed.
Select Request disclosure in the action picker at the bottom of the report.
Select whether you want to disclose the full report or a limited version.
Upon disclosure, the full contents of the report are visible including the:
Note: Internal comments are hidden.
Only the summary and timeline of the activity are visible. All comments and attachments are hidden. Limited disclosure allows for greater control over sensitive or extraneous information.
(Optional) Enter a comment to describe your reasons for disclosure.
After public disclosure has been requested, the admin of the program can choose to publicly disclose the report. They can select Disclose to disclose the report and also change the disclosure options to Full or Limited.
When publishing reports, the security team can choose to disclose the report in full or limit the information published. The default is to display all the communication between the hacker and the security team from the first report to resolution.
Canceling Disclosure Requests
You can cancel your disclosure request if you later decide to not disclose your report. You can also cancel disclosure requests from a program asking you for disclosure.
To cancel a disclosure request:
Go to the report that has been requested for disclosure.
Select Cancel disclosure request in the action picker at the bottom of the report.
Enter a comment explaining why you are canceling the disclosure request.
Disclosure for Private Programs
Private programs can also enable you to disclose a report to other hackers within the program. Upon disclosure, the contents of the report will only be visible to other hackers in the private program. This enables you and other hackers to share your vulnerability findings with other hackers in the program so that they can be aware of what vulnerabilities have been found in that program.
You can request disclosure in the private program you're a part of by following the same steps in the Requesting Disclosure section above.
When requesting to disclose the Full or Limited report, the options will only be specific to disclosing within that specific private program you're participating in:
Upon disclosure, the contents of the report will be visible to other hackers in the private program.
Only the summary and timeline of activity will be visible to other hackers in the private program.