While open and transparent communication is key to running a successful vulnerability coordination program, there are legitimate cases where ending further discussion on a report is reasonable. This action is equivalent to archiving threads in a forum. Here are some valid reasons for locking a report:
Team has finalized a decision
If the team has finalized their decision on a report and has explained, in detail, how they came to this decision, continued refusal to acknowledge this decision is poor etiquette on the reporter's part and provides little extra value. The team's policy should ideally encompass everything they do and don't care about, but as a living document, new scopes and exclusions may come up. Locking a report is a good interim solution in this case, and the reporter still has the option to seek mediation from HackerOne if necessary.
Report is publicly disclosed
If a report has been publicly disclosed, continued discussion on the report may lead to accidental disclosure of private information. For instance, if the reporter later finds the fix to be inadequate and discusses it on the report, the details of the unpatched vulnerability will be exposed to the entire Internet. The recommended course of action is to file a new report with the new findings. Locking the disclosed report to disable further commenting would have effectively prevented the accidental disclosure.
How to lock a report
As a team member with report management permissions, the "Lock report" action will be available for any Closed reports, provided the action has not already been applied on the report. Simply select the action, enter an accompanying comment if desired, and click the button to complete the action.
An activity will be appended to the timeline that is visible to all participants on the report. In-app, e-mail and Slack notifications will also be sent accordingly, based on your program and per-user configurations.
At this point, the reporter can no longer comment on the report, but will still be able to request or agree to public disclosure (if not done already) or request mediation. Team members will still be able to comment both publicly and privately on the report.