When a vulnerability is found, it needs to get into the right hands quickly to ensure it'll be resolved safely without public harm. Organizations typically publish a vulnerability disclosure policy with guidance on how they want to receive information related to potential vulnerabilities in their products or online services (see ISO 29147). Some organizations, however, don't have well-defined methods of receiving vulnerability reports from external finders.
In the absence of a vulnerability disclosure policy, attempts to report security vulnerabilities often carry considerable legal risk for the hacker, causing many to simply withhold vulnerable information or publish anonymously. In these cases, it's impossible to achieve an optimal outcome that ensures security vulnerabilities are safely resolved, and it causes the internet to be less safe than it could be.
HackerOne provides Disclosure Assistance to help friendly hackers be able to disclose vulnerabilities to any organization and to help create better security for the internet.
What is Disclosure Assistance?
When hackers discover a vulnerability and the organization doesn't have a vulnerability disclosure policy, with Disclosure Assistance, HackerOne will work with friendly hackers on a best effort basis to:
- verify the legitimacy of a vulnerability.
- reach out to and verify the identity of an individual at the affected organization.
- share the vulnerability with the organization so it can be resolved.
A hacker should request Disclosure Assistance after following these steps:
- They find a vulnerability.
- They search the HackerOne Directory for a published security contact method and attempt alternative means of contact.
- They exhaust their options in their attempts to contact the organization.
How Does it Work?
To request Disclosure Assistance:
- Go to https://hackerone.com/disclosure-assistance.
- Click Request Disclosure Assistance.
- Fill out the report form.
- Click Submit Report.
- The HackerOne Disclosure Assistance team receives the vulnerability information and verifies the legitimacy of the bus and determines the potential impact.
- HackerOne will attempt to contact the affected organization and verify the identity of an appropriate point of contact to receive the vulnerability information.
- Once their identity is verified, an email is sent to the point of contact with a secret link to the contents of the bug report and the interactions between the hacker and HackerOne. At this point, the vulnerabiltiy information has been successfully shared with the affected organization.
The point of contact can either:
- Create an account on HackerOne to interact with the finder directly or provide updates on the resolution of the vulnerability.
- Contact email@example.com for assistance on how to proceed.
At the end of this process, HackerOne will inquire about the organization's preferred vulnerability disclosure process (based on ISO 29147) to avoid the need for Disclosure Assistance in the future.
Note: As Disclosure Assistance is a best effort service, HackerOne prioritizes which bugs to assist with based on impact and may be unable to assist with low impact bugs. Please be aware that we cannot guarantee success, so we recommend familiarizing yourself with the EFF's Vulnerability Reporting FAQ and encourage you to perform other contact attempts in parallel to our effort.
Questions specific to a particular report should be asked on the report itself. If you need support or have questions on the Disclosure Assistance process, please contact firstname.lastname@example.org.