Disclosure enables you to be transparent about the security vulnerabilities found for your program. HackerOne's disclosure process balances transparency with control over what information is shared with the public.
Programs can choose from 3 disclosure settings:
The hacker or your security team can request disclosure for any closed report in your program. If the admin of your program agrees to disclosure, the contents of the report will be made public. Upon requesting disclosure, if the report is neither approved nor denied, reports in the Resolved state will automatically default to disclosure where the contents of the report will be auto-disclosed within 30 days.
Disclosure Requiring Mutual Agreement
The hacker can request disclosure for any closed report in your program. If your program security team agrees to disclosure, the contents of the report will be made public. If the security team doesn't take any action, the contents of the report will remain private.
Disclosure isn't allowed for any report.
Both hackers and program members can request disclosure.
Go to the report you want to disclose.
Make sure the report is closed.
Select Request disclosure in the action picker at the bottom of the report.
Select whether you want to disclose the Full report or a Limited version.
(Optional) Enter a comment to describe your reasons for disclosure.
Upon disclosure, the full contents of the report are visible including the:
Only the summary and timeline of the activity are visible. All comments and attachments are hidden. Limited disclosure allows for greater control over sensitive or extraneous information.
After disclosure has been requested, the admin of the program can choose to publicly disclose the report. They can select Disclose to disclose the report, and they can also change the disclosure options to Full or Limited.
Canceling Disclosure Requests
You can cancel your disclosure request if you later decide to not disclose your report. You can also cancel disclosure requests from hackers asking you for disclosure.
To cancel a disclosure request:
Go to the report that has been requested for disclosure.
Select Cancel disclosure request in the action picker at the bottom of the report.
Enter a comment explaining why you are canceling the disclosure request.
Disclosure for Private Programs
If you’re running a private program, you can enable hackers to disclose a report within your private program. Upon disclosure, the contents of the report will only be visible to participants in your private program. This enables hackers to share their vulnerability findings with other hackers in the program, and can also increase awareness for other hackers as they can better see what vulnerabilities have already been found for your program.
To enable disclosure for private programs:
Go to Settings > Program > Customization > Disclosure.
Select Yes to enable hackers to disclose reports in your private program.
Hackers and other members of your program can request disclosure following the same steps above in the Requesting Disclosure section above.
When choosing to disclose the Full or Limited report, the options will only be specific to disclosing within your private program:
Upon disclosure, the full contents of the report will be visible to participants in your private program.
Only the summary and timeline of activity will be visible to participants in your private program.
This diagram illustrates HackerOne's disclosure process:
Hacker Interactions with Disclosed Reports
After reports have been disclosed, hackers can still add their own report summary in the hacker summary section. Hackers can only edit the hacker summary portion of the report as they won't be able to edit the official program report summary.
Locking reports will prevent hackers from being able to add or edit their hacker summary. If a hacker already provided a summary for the report, you can't remove it from the report.