
Disclosure Assistance Refresh

  • July 8th, 2016

Ever stumbled upon a vulnerability, but had no idea how to share it with the affected organization? You DM them on Twitter, email their support alias, but aren’t able to get a hold of them? HackerOne can help! We’ve blogged about “Disclosure Assistance” before, but we wanted to talk about it again, as there have been some changes.

Let’s review how Disclosure Assistance works:

  • Hacker finds a vulnerability in XYZ Company
  • Hacker tries to report the vulnerability to XYZ Company, but can’t figure out how, or attempts to contact them have failed
  • Hacker looks up XYZ Company in the HackerOne Directory
  • Hacker clicks on “Disclosure Assistance”
  • NEW! A form pops up where the hacker can provide context around the request to help HackerOne triage it. This form asks the hacker whether they’ve tried to contact the company, what type of vulnerability it is, and the affected domain/IP/URL.

[Image: NEW Disclosure Assistance Context Form]

At this point, HackerOne reviews the requests that have come in. Please note that we cannot respond to every Disclosure Assistance request, but we will make our best effort to get you in touch with the affected organization. If you’ve submitted a Disclosure Assistance request in the past and have not received a response, feel free to submit it again with the new context form; the added context gives us more information to work with!

A few quick reminders on Disclosure Assistance:

  • HackerOne cannot and does not condone hacking on any organization without their permission.
  • HackerOne does not ask hackers for specific vulnerability details; we only try to connect friendly hackers with the affected organizations to facilitate a discussion so that the issue can be responsibly disclosed. As such, HackerOne can’t always verify the legitimacy of the vulnerability, and we’ll tend to prioritize requests from hackers with higher signal.
  • HackerOne cannot guarantee success - we will try our best to make a connection between the hacker and the affected organization, but it’s important to keep the EFF’s Vulnerability Reporting FAQ in mind throughout this process.

That’s it! Please see our original blog post on Disclosure Assistance for more info.

Adam Bacchus
