Help Center

How does public disclosure work?

Our public disclosure process is designed to balance transparency while giving security teams and hackers control and a way to communicate jointly. Here is how it works from the perspective of a security team:


When publishing reports on HackerOne, the security team can choose to disclose the report in full or limit the information published. The default is to display all the communications between the hacker and the security team from first report to resolution. There are two ways a security teams can limit the information shared: redacting sensitive information or limiting visibility to a summary written by the security team along with a partial timeline. Here's an outstanding example of a summarized disclosure from the Shopify security team:

These visibility settings can be found in HackerOne under Reports > Request public disclosure, or under report information in the top-right section.

 For more information, please read the full HackerOne Disclosure Guidelines.  There is a lengthier blog post on Public Disclosure as well.  If disclosure was accidentally initiated or you have concerns about this process, please submit a support request.


Have more questions? Submit a request
Powered by Zendesk