Disclosure & Coordinated Vulnerability Disclosure

For organizations: how to declare your program's disclosure stance and manage disclosure requests.

Disclosure enables your program to be transparent about security vulnerabilities found by researchers. HackerOne's disclosure process is designed to balance public transparency with program control over what information is shared - and when.

As security transparency becomes increasingly expected across the industry, programs with the most mature security postures follow Coordinated Vulnerability Disclosure (CVD). CVD defines how your organization approaches coordinated public disclosure, while disclosure settings determine how disclosure requests are processed and published within HackerOne. This guide covers how to configure your program's disclosure settings, declare your CVD stance, and manage disclosure requests from researchers.

Part 1: Coordinated Vulnerability Disclosure (CVD)

Coordinated Vulnerability Disclosure is a structured approach to handling the public release of vulnerability information. It ensures that fixes are in place and that both the program and the researcher are aligned before any details become public. Adhering to CVD also helps programs meet NIST and ISO standards for security transparency.

CVD Compliance Levels

Programs must declare their CVD stance, which is then displayed to security researchers on the program's Security page under Program Highlights. There are three compliance levels:

CVD Level: Standard
Details: NIST and ISO compliant. The program and the researcher coordinate to discuss and disclose reports once fixed or closed. The program must address reports within a reasonable time, coordinate any disclosure or publication plans with the researcher to avoid surprises, and release publications simultaneously where possible. All publications must redact private information.

CVD Level: Limited
Details: Similar to Standard, but allows additional conditions to be specified in the program's Overview free-form text section. HackerOne must approve these conditions to keep expectations clear and outcomes predictable. It is not appropriate to arbitrarily gate disclosure on a case-by-case basis. To select the Limited option, contact your Customer Success Manager (CSM).

CVD Level: Undeclared
Details: The program does not claim compliance with a standard CVD process. Researchers must check the full program page for any specific restrictions. Note: this approach is generally not suitable for VDPs, as it may push disclosure to higher-risk channels such as email or social media.

CVD and Report Statuses

When disclosure is permitted, it applies to all report statuses. Specific guidance by status:

  • Duplicate reports: coordinate disclosure timing with the fix for the original report.

  • Informative reports (no security impact): handle disclosure as if the issue has been resolved.

  • Private programs: Standard and Limited CVD are both available. In these cases, disclosure occurs on an external platform (such as a blog or academic journal) without mentioning the program's presence on HackerOne.

Note: Some researchers may choose to pursue Coordinated Vulnerability Disclosure despite any restrictions from a program. If they do, they are expected to clearly state their intention at the start of their communication with the program. If the program is a bug bounty, it is no longer required to pay a bounty in such cases. Top-tier programs offer bounties while also supporting CVD.

How to Declare Your Program's CVD Stance

Program managers can configure the CVD stance in program settings or with the assistance of a CSM. The selected option will be displayed to researchers on the program's Security page.

  1. Go to Engagements, click the kebab menu for the relevant program, then click Settings.

  2. Click Customizations, then click Overview.

  3. Find the section Declare Coordinated Vulnerability Disclosure, and choose the option that best fits your program.

  4. A confirmation modal will appear, noting that the choice cannot be changed without contacting your CSM. Confirm and save.

  5. The selected CVD stance will then be visible to researchers under Program Highlights on your Security page at hackerone.com/<program-handle>.

Important: If selecting the Limited CVD option, you must specify additional disclosure conditions in the guidelines text. Contact your CSM to set up Limited CVD with the appropriate conditions.

Part 2: Program Disclosure Settings

In addition to your CVD stance, programs configure a disclosure setting that governs how disclosure requests are processed on the HackerOne platform. There are three available settings:

Setting: Disclosure
Details: Researchers or your security team can request disclosure for any closed report. If the program admin approves, the report becomes public. If neither approved nor denied, reports in the Resolved state will automatically default to public disclosure within the industry-aligned transparency default of 30 days.
Note: Reports must be in the Resolved state to default to disclosure. Any other state (Informative, Duplicate, Not Applicable) requires mutual agreement.
Availability: Default for all verified programs

Setting: Disclosure Requiring Mutual Agreement
Details: Researchers can request disclosure for any closed report. If the program team approves, the report becomes public. If no action is taken, the report remains private. Explicit approval must be received regardless of report status.
Availability: Opt-in only - contact your CSM to enable

Setting: Disclosure Disabled
Details: Disclosure is not permitted for any report, regardless of report status.
Availability: Only available for private programs

Part 3: Managing Disclosure Requests

Reviewing a Disclosure Request

Both researchers and program members can initiate disclosure requests. When a request is submitted, your security team will receive a notification. Program admins can review the request and choose to approve or deny it.

When reviewing a request, the admin can also change the disclosure type between Full and Limited before approving.

Disclosure Types: Full vs. Limited

Option: Full
What Is Visible: The complete report contents are made public, including:

  • Vulnerability information

  • Report summary

  • Timeline including comments and attachments

Note: Internal comments are always kept hidden.

Option: Limited
What Is Visible: Only the report summary and activity timeline are visible. All comments and attachments are hidden. This option provides greater control over sensitive or extraneous information.

Researchers can still add a hacker summary to the report unless the report has been locked.

How to Request Disclosure (Program-Initiated)

Program members can initiate a disclosure request for any closed report.

  1. Go to the report you want to disclose.

  2. Confirm the report is closed.

  3. In the action picker at the bottom of the report, select Request disclosure.

  4. Select whether to disclose the Full report or a Limited version.

  5. Enter a comment describing the rationale for disclosure.

  6. Click Post.

After the request is submitted, the program admin can approve disclosure, and may adjust the disclosure type (Full or Limited) before confirming.

Canceling a Disclosure Request

Either party - the program or the researcher - can cancel a disclosure request at any time before it is approved.

  1. Go to the report with the pending disclosure request.

  2. In the action picker at the bottom of the report, select Cancel.

  3. Write a comment explaining why you are canceling the request.

  4. Click Post.

Part 4: Disclosure for Private Programs

If you run a private program, you can enable researchers to disclose reports within the confines of that private program. Upon disclosure, report contents are visible only to participants in the private program, not to the general public. This allows researchers to share findings with other program participants and helps increase awareness of what has already been reported.

Enabling Disclosure for Private Programs

  1. Go to your Security page > Customizations > Disclosure.

  2. Select Yes to enable researchers to disclose reports within your private program.

Once enabled, researchers and program members follow the same steps outlined above to request disclosure. The only difference is that the full and limited options are scoped to the private program only:

Option: Full
Visibility: The full report contents are visible to all participants in the private program.

Option: Limited
Visibility: Only the summary and activity timeline are visible to participants in the private program.

Private programs can also declare Standard or Limited CVD. In these cases, any public disclosure by researchers occurs on an external platform (such as a blog or academic journal) without referencing the program's presence on HackerOne.

Part 5: Researcher Interactions with Disclosed Reports

After a report is disclosed, researchers can still add their own hacker summary to the report. Researchers may only edit the hacker summary section - they cannot modify the official program report summary.

Important: Locking a report prevents researchers from adding or editing their hacker summary. If a researcher has already provided a summary, it cannot be removed from the report. Use the lock feature deliberately - a locked report signals that the report outcome is final.

Additional Resources

For more information, review the HackerOne Disclosure Guidelines. If disclosure was accidentally initiated, or if you have questions or concerns about this process, submit a support request.