
Requesting Disclosure

Hackers: Disclosure enables programs to be transparent about the security vulnerabilities found in their program

Disclosure allows programs to maintain transparency about security vulnerabilities identified within their programs. HackerOne's disclosure process is designed to balance public transparency with program control over what information is shared - and when. As security transparency becomes increasingly expected across the industry, programs with the most mature security postures follow Coordinated Vulnerability Disclosure (CVD).

Part 1: Ethical Considerations

Good Faith Disclosure Practices

Good faith disclosure practices protect both researchers and programs: they preserve trust, ensure vulnerabilities are handled responsibly, and uphold the credibility of the security community as a whole. Good faith disclosure practices on HackerOne include:

  • Obtaining explicit approval from the program team before any vulnerability details are made public. This applies to all closure statuses (including Informative, Duplicate, and Not Applicable).

  • Ensuring you understand program preferences before embarking on disclosure conversations.

  • Respecting program timelines and not disclosing prematurely, even if a fix has been implemented.

  • Following the formal Disclosure Request process (below), rather than communicating disclosure intent outside of HackerOne's platform or through other means.

  • Escalating delayed Disclosure Requests through proper channels (HackerOne Support) rather than disclosing without following defined processes.

  • Maintaining professionalism in any public write-ups - disclosures should educate the security community, not damage a program's reputation or sensationalize a finding. Share only what is necessary - disclosure should inform, not cause damage or shame.

  • Never using disclosure as leverage - threatening to disclose in order to pressure a bounty award or payout increase is a violation of the HackerOne Code of Conduct and may result in enforcement action, up to and including permanent platform removal.

Following good faith disclosure practices protects both the hacker community and the programs they support, fostering trust and accountability across the ecosystem.

Approval Requirements

Disclosure Requests require formal approval from the program team before a hacker may proceed with any disclosure (regardless of report status, including Informative and Not Applicable). Approval must be explicitly granted on the report - a non-response or rejection from the program team does not constitute approval.

⚠️ Disclosing a report or indicating intent to do so without program notification and formal approval via the above process is a violation of the HackerOne Code of Conduct and may result in enforcement action. Always follow the established Disclosure Request process detailed below.

Part 2: Procedural Guidance

Coordinated Vulnerability Disclosure (CVD) Compliance Levels

HackerOne uses a structured CVD compliance framework. Programs declare their stance, which is displayed on their Security page under Program Highlights. There are three compliance levels:

  • Standard: NIST and ISO compliant. The program and hacker coordinate to discuss and disclose reports once fixed or closed via the Request Disclosure process detailed below. The program must address reports within a reasonable time, coordinate any disclosure or publication plans with the hacker to avoid surprises, and release publications simultaneously where possible. All publications must redact private information.

  • Limited: Similar to Standard but with additional conditions specified in the program's Overview section. HackerOne must approve these conditions to keep expectations clear and outcomes predictable. It is not appropriate to arbitrarily gate disclosure on a case-by-case basis.

  • Undeclared: The program does not claim compliance with a standard CVD process. Hackers should check the full program page for any specific restrictions and consider each program's more granular disclosure settings (either: Disclosure, Disclosure Requiring Mutual Agreement, or Disclosure Disabled). If unsure of program preferences for disclosure, reach out to Support.

Where to Find a Program's Disclosure Preferences

Navigate to the program's Security page - the program's CVD stance and disclosure settings are displayed under Program Highlights. You can also find additional disclosure conditions in the program's guidelines on their Security page.

Finding Programs That Offer Disclosure

Navigate to the HackerOne Directory at hackerone.com/directory/programs. For programs open to Coordinated Vulnerability Disclosure, you will see a CVD declaration under Program Highlights on their program page.

Additional tips for identifying disclosure-friendly programs:

  • Browse Hacktivity - programs with publicly disclosed reports are usually open to disclosure.

  • Look for programs with a Standard CVD declaration on their Security page.

  • HackerOne-managed programs tend to be more responsive and disclosure-friendly.

Additional Program Disclosure Settings

In addition to the CVD stance, programs configure one of three disclosure settings:

  • Disclosure: A hacker can request disclosure for any closed report. If the program admin formally approves it, the report becomes public. If neither approved nor denied, reports in the Resolved state will automatically default to disclosure within 30 days. This is the default setting for all verified programs. Note: Reports must be in the Resolved state to default to disclosure - any other state (including Informative, Duplicate, and Not Applicable) requires mutual agreement.

  • Disclosure Requiring Mutual Agreement: A hacker can request disclosure for any closed report. If the program team formally approves it, the report becomes public. If no action is taken, the report remains private. Note: Explicit approval from the customer must be received regardless of report status (including Informative, Duplicate, and Not Applicable).

  • Disclosure Disabled: Disclosure is not permitted for any report - regardless of report status (including Informative, Duplicate, and Not Applicable).

Requesting Disclosure

Both hackers and program members can request disclosure.

  1. Go to the report you want to disclose.

  2. Make sure the report is closed.

  3. Select Request disclosure in the action picker at the bottom of the report.

  4. Select whether you want to disclose the Full report or a Limited version.

  5. (Optional) Enter a comment describing your reasons for disclosure.

  6. Click Post.

Disclosure Options:

  • Full: The full contents of the report are made visible, including vulnerability information, summary, and timeline (comments and attachments).

  • Limited: Only the summary and activity timeline are visible. All comments and attachments are hidden. This allows greater control over sensitive or extraneous information. Hackers can still add a hacker summary unless the report is locked.

Note: A locked report is one where no further comments can be added. Reports are locked at the discretion of the customer or HackerOne, and typically signal that the report outcome is final. If you have concerns about the report at the time it is locked, please submit a Hacker Mediation request.

After a disclosure request has been made, the program team can choose to publicly disclose the report and may also change the disclosure option between Full and Limited.

If a disclosure request you have submitted has been pending for more than 30 days without an update, escalate to HackerOne Support for assistance.

Canceling Disclosure Requests

You can cancel a disclosure request if you later decide not to disclose your report. Program members can also cancel disclosure requests submitted by hackers.

To cancel a disclosure request:

  1. Go to the report that has been requested for disclosure.

  2. Select Cancel disclosure request in the action picker at the bottom of the report.

  3. Enter a comment explaining why you are canceling the request.

  4. Click Post.

Disclosure for Private Programs

Certain private programs allow hackers to disclose a report within the private program. Upon disclosure, the report contents are only visible to participants in that private program. This enables hackers to share vulnerability findings with fellow program participants and helps others identify what has already been reported.

Private programs can also choose Standard or Limited CVD. In these cases, disclosure happens on an external platform (such as a blog or academic journal) without mentioning the program's presence on HackerOne.

The process follows the same steps outlined above. The only difference is that Full and Limited disclosure options are scoped to the private program only:

  • Full: The full contents of the report will be visible to participants in the private program.

  • Limited: Only the summary and activity timeline will be visible to participants in the private program.

For more information, please read the full HackerOne Disclosure Guidelines. If disclosure was accidentally initiated, or you have questions or concerns about this process, please submit a support request.
