Public disclosure enables you to be transparent about the security vulnerabilities found for your program. HackerOne's public disclosure process balances transparency with control over what information is shared with the public.
Programs can choose from 3 disclosure settings:
|Disclosure by Default||The hacker or your security team can request public disclosure for any closed report in your program. If the admin of your program agrees to disclosure, the contents of the report will be made public within 30 days.
This is the default setting for all verified programs .
|Disclosure requiring Mutual Agreement||The hacker can request public disclosure for any closed report in your program. If your program security team agrees to disclosure, the contents of the report will be made public. If the security team doesn't take any action, the contents of the report will remain private.
You must request to opt-in to this option.
|Disclosure Disabled||Public disclosure isn't allowed for any report.|
Requesting Public Disclosure
Both hackers and program members can request public disclosure. To request public disclosure:
Go to the report you want to publicly disclose.
Make sure the report is closed.
Select Request public disclosure in the action picker at the bottom of the report.
Select whether you want to disclose the Full report or Limited.
|Full||Upon public disclosure, the full contents of the report are visible including:
Note: Internal comments are hidden.
|Limited||Only the summary and timeline of the activity are visible. All comments and attachments are hidden. Limited disclosure allows for greater control over sensitive or extraneous information.|
- (Optional) Enter a comment to describe your reasons for public disclosure.
- Click Post.
After public disclosure has been requested, the admin of the of the program can choose to publicly disclose the report. They can select Disclose publicly to disclose the report.
Limiting Public Report Information
When publishing reports, the security team can choose to disclose the report in full or limit the information published. The default is to display all the communication between the hacker and the security team from first report to resolution. There are 2 times the security team can choose to limit information published in a report:
- At the time they disclose the report
- After the report has been made public
There are 2 ways a security team can limit the information shared:
Here's a good example of a summarized disclosure from the Shopify security team: https://hackerone.com/reports/64164.
This diagram illustrates HackerOne's public disclosure process:
For more information, please read the full HackerOne Disclosure Guidelines. There is a lengthier blog post on Public Disclosure as well. If disclosure was accidentally initiated or you have concerns about this process, please submit a support request.