What is Disclosure Assistance?
When a vulnerability is found, it needs to get into the right hands quickly. Reaching the people who can fix it before anyone else finds it is the surest way to have it resolved without public harm. To aid in this process, HackerOne introduced the Directory to identify the best way to report potential vulnerabilities directly to the organizations that can resolve them.
Some organizations do not have well-defined methods of receiving vulnerability reports from external finders. In these situations, HackerOne will work with friendly hackers on a best-effort basis to verify the legitimacy of a vulnerability, reach out to and verify the identity of an individual at the affected organization, and then share the vulnerability with the organization so it can be resolved.
Why does HackerOne offer Disclosure Assistance?
It's risky for security researchers to report vulnerabilities to organizations that lack formal policies. Will the researcher receive a warm welcome, a cold shoulder, a punitive lawsuit, or a visit from law enforcement? This uncertainty intensifies a chilling effect that causes vulnerabilities to go unreported and the Internet to be less safe than it could be. It's in our collective best interest to help friendly hackers be able to disclose vulnerabilities to any organization.
In the physical world, "If you see something, say something" is a core tenet of any safe community. The same should be true online, yet far too often good Samaritans are pressured to "say nothing." Encouraging strong relationships between organizations and the hacker community is key to creating a safer Internet for all. The HackerOne Directory aims to reduce risk for the individual and help close this crucial gap.
How does it work, exactly?
- A friendly hacker finds a vulnerability.
- They search the HackerOne Directory for a published security contact method and, failing that, attempt alternative means of contacting the organization.
- If the hacker has exhausted their options in their attempts to contact the organization, they can request Disclosure Assistance.
At this point, the hacker submits a record of their attempts to reach the affected organization together with the relevant vulnerability details. The HackerOne Disclosure Assistance team reviews the submission, verifies that the bug is legitimate, and assesses its potential impact.
As Disclosure Assistance is a best-effort service, HackerOne prioritizes the bugs it assists with by impact and may be unable to assist with low-impact bugs. Please be aware that we cannot guarantee success, so we recommend familiarizing yourself with the EFF's Vulnerability Reporting FAQ and encourage you to continue your own contact attempts in parallel with our effort.
HackerOne will attempt to contact the affected organization and verify the identity of an appropriate point of contact to receive the vulnerability information. Once their identity is verified, an email is sent to the point of contact with a secret link to the contents of the bug report and the interactions between the hacker and HackerOne. At this point, the vulnerability information has been successfully shared with the affected organization.
If they’d like, the point of contact can create an account on HackerOne to interact with the finder directly or provide updates on the resolution of the vulnerability. Alternatively, the point of contact can contact firstname.lastname@example.org for assistance on how to proceed. At the end of this process, HackerOne will inquire about the organization's preferred vulnerability disclosure process (based on ISO 29147) to avoid the need for Disclosure Assistance in the future.
Questions specific to a particular report should be asked on the report itself. If you need support or have questions on the Disclosure Assistance process, please contact email@example.com.