Security

Responsible Disclosure

Help us keep Hacker Bot secure

Our Commitment

At Hacker Bot, security is at the core of everything we do. We build tools to help developers find and fix vulnerabilities—so we take vulnerabilities in our own platform seriously. We appreciate the security research community and welcome responsible disclosure of any security issues you discover.

How to Report

Send your vulnerability report to:

security@hacker-bot.com

For sensitive reports, you may encrypt your message using our PGP key (available on request). Before encrypting, confirm the key's fingerprint with us through a second channel so you are not encrypting to a key substituted in transit.
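As an added example (not Hacker Bot's own tooling), the following POSIX shell script shows the workflow a reporter would use with GnuPG: check the received public key's fingerprint against a value confirmed out of band, then encrypt the report to that key with --recipient-file so no keyring trust edits are needed. The demo() function round-trips through a throwaway keyring; the key name, file names and report text are constructed for the example, and it assumes gpg 2.1.14 or later.

```shell
#!/bin/sh
# Added example (not Hacker Bot's own tooling): encrypt a report with GnuPG
# after checking the recipient key's fingerprint against a value obtained
# through a second channel. The demo key, file names and report text are
# constructed for the example. Assumes gpg >= 2.1.14.
set -eu

# Print the primary-key fingerprint of an ASCII-armored public key file
# without importing it into the keyring.
key_fingerprint() {
    gpg --batch --with-colons --import-options show-only --import "$1" 2>/dev/null \
        | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Compare the key file's fingerprint with the one confirmed out of band.
# Spaces and case in the expected value are ignored. Returns 0 on match.
verify_fingerprint() {
    expected=$(printf '%s' "$2" | tr -d ' ' | tr 'abcdef' 'ABCDEF')
    [ "$(key_fingerprint "$1")" = "$expected" ]
}

# Encrypt the report directly to the key file (--recipient-file), so the
# trust database is untouched; --armor yields text that pastes into an email.
encrypt_report() {
    keyfile="$1"; report="$2"; out="$3"
    gpg --batch --yes --armor --recipient-file "$keyfile" \
        --output "$out" --encrypt "$report" 2>/dev/null
}

# Round trip in a throwaway keyring: generate a demo key, export its public
# half, verify the fingerprint, encrypt, decrypt. Prints the recovered plaintext.
demo() {
    GNUPGHOME=$(mktemp -d); export GNUPGHOME
    chmod 700 "$GNUPGHOME"
    gpg --batch --pinentry-mode loopback --passphrase '' \
        --quick-generate-key 'Demo Security Team <security@example.com>' default default never \
        >/dev/null 2>&1
    gpg --batch --armor --export security@example.com > "$GNUPGHOME/pub.asc"
    printf 'Title: Stored XSS in dashboard widget name\n' > "$GNUPGHOME/report.txt"

    # In real use this value comes from the second channel, never from the key file itself.
    trusted_fpr=$(gpg --batch --with-colons --fingerprint security@example.com \
        | awk -F: '$1 == "fpr" { print $10; exit }')

    verify_fingerprint "$GNUPGHOME/pub.asc" "$trusted_fpr"
    encrypt_report "$GNUPGHOME/pub.asc" "$GNUPGHOME/report.txt" "$GNUPGHOME/report.txt.asc"
    gpg --batch --quiet --decrypt "$GNUPGHOME/report.txt.asc" 2>/dev/null

    gpgconf --kill gpg-agent >/dev/null 2>&1 || true
    rm -rf "$GNUPGHOME"
}

if [ "${1:-}" = "demo" ]; then demo; fi
```

Run it as `sh encrypt_report.sh demo` to see the round trip; in real use, replace the generated key with the key you received and pass the fingerprint you confirmed out of band to verify_fingerprint before calling encrypt_report.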

What to Include

Please provide as much detail as possible to help us understand and reproduce the issue:

  • Description of the vulnerability and its potential impact
  • Step-by-step instructions to reproduce the issue
  • Proof of concept (screenshots, videos, or code)
  • Affected URLs, endpoints, or components
  • Your recommended remediation (if any)
  • Your contact information for follow-up

Scope

The following defines the scope of our responsible disclosure program:

In Scope

  • hacker-bot.com and all subdomains
  • Hacker Bot API endpoints
  • Authentication and authorization flaws
  • Injection vulnerabilities (SQL injection, command injection, cross-site scripting, etc.)
  • Server-side request forgery (SSRF)
  • Sensitive data exposure
  • Business logic vulnerabilities
  • Privilege escalation

Out of Scope

  • Denial of service (DoS/DDoS) attacks
  • Social engineering or phishing attacks on our staff
  • Physical security issues
  • Third-party services and applications not operated by Hacker Bot
  • Vulnerabilities in outdated browsers or plugins
  • Self-XSS and issues requiring unlikely user interaction
  • Missing security headers without demonstrated impact
  • SPF/DKIM/DMARC configuration issues

Our Commitment to Researchers

When you report responsibly, we commit to:

  • Acknowledge your report within 48 hours
  • Provide updates on our progress at least weekly
  • Not pursue legal action against researchers acting in good faith
  • Work with you to understand and resolve the issue
  • Credit you (if desired) when we publish fixes
  • Notify you when the vulnerability has been resolved

Researcher Guidelines

To ensure safe and effective research, please:

  • Do not access, modify, or delete data belonging to other users
  • Do not perform actions that could impact service availability
  • Do not publicly disclose vulnerabilities before they are fixed
  • Only test using accounts you own or have permission to use
  • If you encounter sensitive data, stop testing, do not retain or share it, and report immediately
  • Make a good faith effort to avoid privacy violations

Response Timeline

Stage                        Timeline
Initial acknowledgment       Within 48 hours
Severity assessment          Within 5 business days
Remediation plan             Within 10 business days
Fix deployment (critical)    Within 7 days
Fix deployment (high)        Within 30 days
Fix deployment (medium/low)  Within 90 days

Recognition

We believe in recognizing researchers who help improve our security. With your permission, we'll add your name to our Security Hall of Fame. While we don't currently offer a paid bug bounty program, we may provide recognition, swag, or other tokens of appreciation for significant findings.

Legal Safe Harbor

If you conduct security research in accordance with this policy, we consider your research to be authorized, including any circumvention of security measures done in good faith under this policy, and we will not initiate legal action against you. We will work with you to understand and resolve the issue quickly.

Contact

For security vulnerability reports: security@hacker-bot.com

For questions about this policy: legal@hacker-bot.com