Security Research

Responsible Disclosure Policy

We believe in the security research community. If you discover a vulnerability in our infrastructure or services, we want to know — and we commit to working with you transparently and fairly.

SAFE HARBOR
Security research conducted in accordance with this policy is authorised. HEXSTRIKE will not pursue civil or criminal action against researchers who comply with this policy. We will not refer compliant researchers to law enforcement.

Submission process

01  Prepare your report

Document the vulnerability with sufficient detail — steps to reproduce, impact assessment, affected assets, and any PoC (non-destructive). Screenshots and HTTP logs are helpful.

02  Submit securely

Email your report to security@hexstrike.io. For sensitive findings, use our PGP public key to encrypt the report before sending. The PGP key fingerprint is published in our security.txt file.

03  Receive acknowledgement

We will acknowledge receipt within 2 business days and provide an initial severity assessment within 5 business days.

04  Remediation & disclosure

We will work to remediate valid findings within 90 days. We'll keep you updated on progress and coordinate public disclosure timing with you.

Our commitments

Initial acknowledgement

Within 2 business days of receiving your report.

Severity assessment

Within 5 business days — including CVSS score and initial validity determination.

Critical remediation

Within 14 days for critical severity findings.

Full remediation

Within 90 days for all valid findings.

CONTACT
Email: security@hexstrike.io
PGP: Available at /.well-known/security.txt
Response: 2 business days

What is in and out of scope

Asset / Behaviour                        Status        Notes
hexstrike.io web application             IN SCOPE      Production web app including forms and API
*.hexstrike.io subdomains                IN SCOPE      All first-party subdomains
Authentication & session management      IN SCOPE      Login, password reset, MFA
API endpoints                            IN SCOPE      All publicly accessible API endpoints
Email infrastructure                     PARTIAL       SPF/DKIM/DMARC only — no phishing attempts
Automated scanning / fuzzing             OUT OF SCOPE  Causes disruption to other users
Denial of Service attacks                OUT OF SCOPE  Strictly prohibited
Social engineering staff                 OUT OF SCOPE  Strictly prohibited
Physical security testing                OUT OF SCOPE  Requires explicit pre-authorisation
Third-party services (AWS, Cloudflare)   OUT OF SCOPE  Report directly to those vendors
Client data accessed during research     OUT OF SCOPE  Stop immediately and report — do not exfiltrate

What we ask of you

Test only against your own accounts or test accounts you create
Stop testing immediately upon discovering any user data
Do not exploit vulnerabilities beyond what's needed to confirm them
Do not modify or delete data that doesn't belong to you
Do not perform Denial of Service or resource exhaustion testing
Provide reasonable time (90 days) for remediation before public disclosure
Do not publicly disclose before we coordinate together

Hall of Fame

We publicly acknowledge researchers who disclose valid vulnerabilities in good faith. Recognition includes listing on our Hall of Fame and, for critical findings, a personal thank-you letter from our security team.

BOUNTIES
We do not currently operate a paid bug bounty programme. We express our gratitude through public recognition and direct acknowledgement. This may change in the future.

Report responsibly.
We'll respond quickly.

Email security@hexstrike.io — PGP encryption available and encouraged for sensitive reports.