[{"id":3738689,"new_policy":"Organizations without a public Vulnerability Disclosure Program ([VDP](https://www.hackerone.com/product/response-vulnerability-disclosure-program)), Bug Bounty Program ([BBP](https://www.hackerone.com/product/bug-bounty-platform)), or Direct Vulnerability Submission/Disclosure Process are encouraged to [sign up for an Essential VDP](https://hackerone.com/vdp-sign-up). \n\nHackerOne Essential VDP, a free Vulnerability Disclosure Program, helps you easily navigate the compliance-driven landscape. Acting as a digital neighborhood watch, it provides clear guidelines and a direct channel for external entities to report vulnerabilities.  \n\n_________________\n\n# What is Disclosure Assistance?\n\nThe objective of Disclosure Assistance is to help researchers report highly-impactful bugs affecting larger organizations that do not have a public Vulnerability Disclosure Program, Bug Bounty Program, or Direct Vulnerability Submission/Disclosure Process. Disclosure Assistance is a best-faith effort program offered by HackerOne.\n\nWhen a vulnerability is found, it needs to get into the right hands quickly. This is the only way to ensure it will be resolved safely without public harm. To aid in this process, HackerOne introduced the [Directory](https://hackerone.com/directory) to identify the best way to report potential vulnerabilities directly to the organizations that can resolve them.\n\nSome organizations do not have well-defined methods of receiving vulnerability reports from external finders. 
In these situations, HackerOne will work with friendly hackers on a best-effort basis to\n* Verify the legitimacy of a vulnerability that meets or exceeds the Disclosure Assistance impact threshold.\n* Identify an appropriate contact at the affected organization.\n* Attempt to contact them directly.\n    * If successful, share the vulnerability with the organization so it can be resolved.\n\n# `Submitting to this program comes with no guarantee of action`\n\n### HackerOne will attempt contact with the impacted party for bugs that meet the following criteria:\n* Critical impact to an affected company/organization that does not have a public Vulnerability Disclosure Program, Bug Bounty Program, or Direct Vulnerability Submission/Disclosure Process.\n* Large userbase or societal impact (e.g., a large organization with a significant volume of user data exposure)\n* Examples of Critical Impact Bugs:\n    * SQLi\n    * RCE\n    * Information Disclosure of bulk PII (Personal Identifiable Information) data\n\n# Why does HackerOne offer Disclosure Assistance?\nIt's risky for security researchers to report vulnerabilities to organizations that lack formal policies. Will the researcher receive a warm welcome, a cold shoulder, a punitive lawsuit, or a visit from law enforcement? This uncertainty intensifies a chilling effect that causes vulnerabilities to go unreported and the Internet to be less safe than it could be. It's in our collective best interest to help friendly hackers be able to disclose vulnerabilities to any organization.\n\nIn the physical world, \"If you see something, say something.\" is a core tenet of any safe community. The same should be true online, yet far too often, good samaritans are pressured to \"say nothing.\" Encouraging strong relationships between organizations and the hacker community is key to creating a safer Internet for all. 
The HackerOne Directory aims to reduce the risk for the individual and help close this crucial gap.\n\nHow does it work, exactly?\n* A friendly hacker finds a vulnerability.\n* They search the HackerOne [Directory](https://hackerone.com/directory) for a published security contact method.\n* Attempt alternative means of contact:\n    * Check the company website for a security submission form.\n    * Use a search engine and search for how to submit a vulnerability to the company. Examples:\n        * “\u003ccompany name\u003e bug bounty program”\n        * “\u003ccompany name\u003e vulnerability disclosure program”\n        * “\u003ccompany name\u003e report vulnerability”\n        * “\u003ccompany name\u003e report security issue”\n        * etc. \n    * Contact a relevant security or technical representative of the company directly on LinkedIn\n* If the hacker has exhausted their options in their attempts to contact the organization, they can [request Disclosure Assistance](https://hackerone.com/disclosure-assistance/disclosure_assistance_requests/new).\n\n# Report Submissions\n* As part of their report submission, the hacker is required to provide information on their attempts to reach the affected organization along with the relevant vulnerability information.\n* HackerOne will review the report and determine if it meets the minimum criteria for Disclosure Assistance.\n    * Valid reports that meet the minimum criteria will be moved into triaged status.\n    * Invalid reports or reports that DO NOT meet the minimum criteria will be closed accordingly.\n* For triaged reports, HackerOne will attempt contact multiple times over 30 days.\n    * HackerOne will attempt to contact the affected organization and verify the identity of an appropriate point of contact to receive the vulnerability information. 
Once their identity is verified, an email is sent to the point of contact with a secret link to the contents of the bug report and the interactions between the hacker and HackerOne. At this point, the vulnerability information has been successfully shared with the affected organization.\n    * If they’d like, the point of contact can create an account on HackerOne to interact with the finder directly or provide updates on the resolution of the vulnerability. Alternatively, the point of contact can contact da@hackerone.com for assistance on how to proceed. At the end of this process, HackerOne will inquire about the organization's preferred vulnerability disclosure process (based on ISO 29147) to avoid the need for Disclosure Assistance in the future.\n* If no response or acknowledgment is received within 30 days, the report will be closed as informative.\n* As HackerOne has no control over the remediation of triaged Disclosure Assistance reports, HackerOne is unable to resolve reported bugs. These reports will be closed as informative unless the company contact directly confirms within the report itself that the bug can be closed as resolved.\n* HackerOne’s Mediation team does not act on mediation requests for Disclosure Assistance reports. If you have concerns about a Disclosure Assistance report, please comment within your report or contact da@hackerone.com. \n\n\nPlease be aware that we cannot guarantee success, so we recommend familiarizing yourself with the EFF's [Vulnerability Reporting FAQ](https://www.eff.org/issues/coders/vulnerability-reporting-faq) and encourage you to perform other contact attempts in parallel to our effort.\n\n# Questions?\nQuestions specific to a particular report should be asked within the report itself. 
If you need support or have questions on the Disclosure Assistance process, please contact disclosure-assistance@hackerone.com.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-09-12T17:12:57.259Z"},{"id":3699662,"new_policy":"# What is Disclosure Assistance?\n\nThe objective of Disclosure Assistance is to help researchers report highly-impactful bugs affecting larger organizations that do not have a public Vulnerability Disclosure Program, Bug Bounty Program, or Direct Vulnerability Submission/Disclosure Process. Disclosure Assistance is a best-faith effort program offered by HackerOne.\n\nWhen a vulnerability is found, it needs to get into the right hands quickly. This is the only way to ensure it will be resolved safely without public harm. To aid in this process, HackerOne introduced the [Directory](https://hackerone.com/directory) to identify the best way to report potential vulnerabilities directly to the organizations that can resolve them.\n\nSome organizations do not have well-defined methods of receiving vulnerability reports from external finders. 
In these situations, HackerOne will work with friendly hackers on a best-effort basis to\n* Verify the legitimacy of a vulnerability that meets or exceeds the Disclosure Assistance impact threshold.\n* Identify an appropriate contact at the affected organization.\n* Attempt to contact them directly.\n    * If successful, share the vulnerability with the organization so it can be resolved.\n\n# `Submitting to this program comes with no guarantee of action`\n\n### HackerOne will attempt contact with the impacted party for bugs that meet the following criteria:\n* Critical impact to an affected company/organization that does not have a public Vulnerability Disclosure Program, Bug Bounty Program, or Direct Vulnerability Submission/Disclosure Process.\n* Large userbase or societal impact (e.g., a large organization with a significant volume of user data exposure)\n* Examples of Critical Impact Bugs:\n    * SQLi\n    * RCE\n    * Information Disclosure of bulk PII (Personal Identifiable Information) data\n\n# Why does HackerOne offer Disclosure Assistance?\nIt's risky for security researchers to report vulnerabilities to organizations that lack formal policies. Will the researcher receive a warm welcome, a cold shoulder, a punitive lawsuit, or a visit from law enforcement? This uncertainty intensifies a chilling effect that causes vulnerabilities to go unreported and the Internet to be less safe than it could be. It's in our collective best interest to help friendly hackers be able to disclose vulnerabilities to any organization.\n\nIn the physical world, \"If you see something, say something.\" is a core tenet of any safe community. The same should be true online, yet far too often, good samaritans are pressured to \"say nothing.\" Encouraging strong relationships between organizations and the hacker community is key to creating a safer Internet for all. 
The HackerOne Directory aims to reduce the risk for the individual and help close this crucial gap.\n\nHow does it work, exactly?\n* A friendly hacker finds a vulnerability.\n* They search the HackerOne [Directory](https://hackerone.com/directory) for a published security contact method.\n* Attempt alternative means of contact:\n    * Check the company website for a security submission form.\n    * Use a search engine and search for how to submit a vulnerability to the company. Examples:\n        * “\u003ccompany name\u003e bug bounty program”\n        * “\u003ccompany name\u003e vulnerability disclosure program”\n        * “\u003ccompany name\u003e report vulnerability”\n        * “\u003ccompany name\u003e report security issue”\n        * etc. \n    * Contact a relevant security or technical representative of the company directly on LinkedIn\n* If the hacker has exhausted their options in their attempts to contact the organization, they can [request Disclosure Assistance](https://hackerone.com/disclosure-assistance/disclosure_assistance_requests/new).\n\n# Report Submissions\n* As part of their report submission, the hacker is required to provide information on their attempts to reach the affected organization along with the relevant vulnerability information.\n* HackerOne will review the report and determine if it meets the minimum criteria for Disclosure Assistance.\n    * Valid reports that meet the minimum criteria will be moved into triaged status.\n    * Invalid reports or reports that DO NOT meet the minimum criteria will be closed accordingly.\n* For triaged reports, HackerOne will attempt contact multiple times over 30 days.\n    * HackerOne will attempt to contact the affected organization and verify the identity of an appropriate point of contact to receive the vulnerability information. 
Once their identity is verified, an email is sent to the point of contact with a secret link to the contents of the bug report and the interactions between the hacker and HackerOne. At this point, the vulnerability information has been successfully shared with the affected organization.\n    * If they’d like, the point of contact can create an account on HackerOne to interact with the finder directly or provide updates on the resolution of the vulnerability. Alternatively, the point of contact can contact da@hackerone.com for assistance on how to proceed. At the end of this process, HackerOne will inquire about the organization's preferred vulnerability disclosure process (based on ISO 29147) to avoid the need for Disclosure Assistance in the future.\n* If no response or acknowledgment is received within 30 days, the report will be closed as informative.\n* As HackerOne has no control over the remediation of triaged Disclosure Assistance reports, HackerOne is unable to resolve reported bugs. These reports will be closed as informative unless the company contact directly confirms within the report itself that the bug can be closed as resolved.\n* HackerOne’s Mediation team does not act on mediation requests for Disclosure Assistance reports. If you have concerns about a Disclosure Assistance report, please comment within your report or contact da@hackerone.com. \n\n\nPlease be aware that we cannot guarantee success, so we recommend familiarizing yourself with the EFF's [Vulnerability Reporting FAQ](https://www.eff.org/issues/coders/vulnerability-reporting-faq) and encourage you to perform other contact attempts in parallel to our effort.\n\n# Questions?\nQuestions specific to a particular report should be asked within the report itself. 
If you need support or have questions on the Disclosure Assistance process, please contact disclosure-assistance@hackerone.com.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-08-08T22:41:34.573Z"},{"id":3681691,"new_policy":"# What is Disclosure Assistance?\n\nThe objective of Disclosure Assistance is to help researchers report highly-impactful bugs affecting larger organizations that do not have a public Vulnerability Disclosure Program, Bug Bounty Program, or Direct Vulnerability Submission/Disclosure Process. Disclosure Assistance is a best-faith effort program offered by HackerOne.\n\nWhen a vulnerability is found, it needs to get into the right hands quickly. This is the only way to ensure it will be resolved safely without public harm. To aid in this process, HackerOne introduced the [Directory](https://hackerone.com/directory) to identify the best way to report potential vulnerabilities directly to the organizations that can resolve them.\n\nSome organizations do not have well-defined methods of receiving vulnerability reports from external finders. 
In these situations, HackerOne will work with friendly hackers on a best-effort basis to\n* Verify the legitimacy of a vulnerability that meets or exceeds the Disclosure Assistance impact threshold.\n* Identify an appropriate contact at the affected organization.\n* Attempt to contact them directly.\n    * If successful, share the vulnerability with the organization so it can be resolved.\n\n# `Submitting to this program comes with no guarantee of action`\n\n### HackerOne will attempt contact with the impacted party for bugs that meet the following criteria:\n* Critical impact to an affected company/organization that does not have a public Vulnerability Disclosure Program, Bug Bounty Program, or Direct Vulnerability Submission/Disclosure Process.\n* Large userbase or societal impact (e.g., a large organization with a significant volume of user data exposure)\n* Examples of Critical Impact Bugs:\n    * SQLi\n    * RCE\n    * Information Disclosure of bulk PII (Personal Identifiable Information) data\n\n# Why does HackerOne offer Disclosure Assistance?\nIt's risky for security researchers to report vulnerabilities to organizations that lack formal policies. Will the researcher receive a warm welcome, a cold shoulder, a punitive lawsuit, or a visit from law enforcement? This uncertainty intensifies a chilling effect that causes vulnerabilities to go unreported and the Internet to be less safe than it could be. It's in our collective best interest to help friendly hackers be able to disclose vulnerabilities to any organization.\n\nIn the physical world, \"If you see something, say something.\" is a core tenet of any safe community. The same should be true online, yet far too often, good samaritans are pressured to \"say nothing.\" Encouraging strong relationships between organizations and the hacker community is key to creating a safer Internet for all. 
The HackerOne Directory aims to reduce the risk for the individual and help close this crucial gap.\n\nHow does it work, exactly?\n* A friendly hacker finds a vulnerability.\n* They search the HackerOne [Directory](https://hackerone.com/directory) for a published security contact method.\n* Attempt alternative means of contact:\n    * Check the company website for a security submission form.\n    * Use a search engine and search for how to submit a vulnerability to the company. Examples:\n        * “\u003ccompany name\u003e bug bounty program”\n        * “\u003ccompany name\u003e vulnerability disclosure program”\n        * “\u003ccompany name\u003e report vulnerability”\n        * “\u003ccompany name\u003e report security issue”\n        * etc. \n    * Contact a relevant security or technical representative of the company directly on LinkedIn\n* If the hacker has exhausted their options in their attempts to contact the organization, they can [request Disclosure Assistance](https://hackerone.com/disclosure-assistance/disclosure_assistance_requests/new).\n\n# Report Submissions\n* As part of their report submission, the hacker is required to provide information on their attempts to reach the affected organization along with the relevant vulnerability information.\n* HackerOne will review the report and determine if it meets the minimum criteria for Disclosure Assistance.\n    * Valid reports that meet the minimum criteria will be moved into triaged status.\n    * Invalid reports or reports that DO NOT meet the minimum criteria will be closed accordingly.\n* For triaged reports, HackerOne will attempt contact multiple times over 30 days.\n    * HackerOne will attempt to contact the affected organization and verify the identity of an appropriate point of contact to receive the vulnerability information. 
Once their identity is verified, an email is sent to the point of contact with a secret link to the contents of the bug report and the interactions between the hacker and HackerOne. At this point, the vulnerability information has been successfully shared with the affected organization.\n    * If they’d like, the point of contact can create an account on HackerOne to interact with the finder directly or provide updates on the resolution of the vulnerability. Alternatively, the point of contact can contact da@hackerone.com for assistance on how to proceed. At the end of this process, HackerOne will inquire about the organization's preferred vulnerability disclosure process (based on ISO 29147) to avoid the need for Disclosure Assistance in the future.\n* If no response or acknowledgment is received within 30 days, the report will be closed as informative.\n* As HackerOne has no control over the remediation of triaged Disclosure Assistance reports, HackerOne is unable to resolve reported bugs. These reports will be closed as informative unless the company contact directly confirms within the report itself that the bug can be closed as resolved.\n* HackerOne’s Mediation team does not act on mediation requests for Disclosure Assistance reports. If you have concerns about a Disclosure Assistance report, please comment within your report or contact da@hackerone.com. \n\n\nPlease be aware that we cannot guarantee success, so we recommend familiarizing yourself with the EFF's [Vulnerability Reporting FAQ](https://www.eff.org/issues/coders/vulnerability-reporting-faq) and encourage you to perform other contact attempts in parallel to our effort.\n\n# Questions?\nQuestions specific to a particular report should be asked within the report itself. 
If you need support or have questions on the Disclosure Assistance process, please contact da@hackerone.com.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-01-05T16:29:20.210Z"},{"id":3681690,"new_policy":"# What is Disclosure Assistance?\n\nThe objective of Disclosure Assistance is to help researchers report highly-impactful bugs affecting larger organizations that do not have a public Vulnerability Disclosure Program, Bug Bounty Program, or Direct Vulnerability Submission/Disclosure Process. Disclosure Assistance is a best-faith effort program offered by HackerOne.\n\nWhen a vulnerability is found, it needs to get into the right hands quickly. This is the only way to ensure it will be resolved safely without public harm. To aid in this process, HackerOne introduced the [Directory](https://hackerone.com/directory) to identify the best way to report potential vulnerabilities directly to the organizations that can resolve them.\n\nSome organizations do not have well-defined methods of receiving vulnerability reports from external finders. 
In these situations, HackerOne will work with friendly hackers on a best-effort basis to\n* Verify the legitimacy of a vulnerability that meets or exceeds the Disclosure Assistance impact threshold.\n* Identify an appropriate contact at the affected organization.\n* Attempt to contact them directly.\n    * If successful, share the vulnerability with the organization so it can be resolved.\n\n# `Submitting to this program comes with no guarantee of action`\n\n### HackerOne will attempt contact with the impacted party for bugs that meet the following criteria:\n* Critical impact to an affected company/organization that does not have a public Vulnerability Disclosure Program, Bug Bounty Program, or Direct Vulnerability Submission/Disclosure Process.\n* Large userbase or societal impact (e.g., a large organization with a significant volume of user data exposure)\n* Examples of Critical Impact Bugs:\n    * SQLi\n    * RCE\n    * Information Disclosure of bulk PII (Personal Identifiable Information) data\n\n# Why does HackerOne offer Disclosure Assistance?\nIt's risky for security researchers to report vulnerabilities to organizations that lack formal policies. Will the researcher receive a warm welcome, a cold shoulder, a punitive lawsuit, or a visit from law enforcement? This uncertainty intensifies a chilling effect that causes vulnerabilities to go unreported and the Internet to be less safe than it could be. It's in our collective best interest to help friendly hackers be able to disclose vulnerabilities to any organization.\n\nIn the physical world, \"If you see something, say something.\" is a core tenet of any safe community. The same should be true online, yet far too often, good samaritans are pressured to \"say nothing.\" Encouraging strong relationships between organizations and the hacker community is key to creating a safer Internet for all. 
The HackerOne Directory aims to reduce the risk for the individual and help close this crucial gap.\n\nHow does it work, exactly?\n* A friendly hacker finds a vulnerability.\n* They search the HackerOne [Directory](https://hackerone.com/directory) for a published security contact method.\n* Attempt alternative means of contact:\n    * Check the company website for a security submission form.\n    * Use a search engine and search for how to submit a vulnerability to the company. Examples:\n        * “\u003ccompany name\u003e bug bounty program”\n        * “\u003ccompany name\u003e vulnerability disclosure program”\n        * “\u003ccompany name\u003e report vulnerability”\n        * “\u003ccompany name\u003e report security issue”\n        * etc. \n    * Contact a relevant security or technical representative of the company directly on LinkedIn\n* If the hacker has exhausted their options in their attempts to contact the organization, they can request Disclosure Assistance.\n\n# Report Submissions\n* As part of their report submission, the hacker is required to provide information on their attempts to reach the affected organization along with the relevant vulnerability information.\n* HackerOne will review the report and determine if it meets the minimum criteria for Disclosure Assistance.\n    * Valid reports that meet the minimum criteria will be moved into triaged status.\n    * Invalid reports or reports that DO NOT meet the minimum criteria will be closed accordingly.\n* For triaged reports, HackerOne will attempt contact multiple times over 30 days.\n    * HackerOne will attempt to contact the affected organization and verify the identity of an appropriate point of contact to receive the vulnerability information. Once their identity is verified, an email is sent to the point of contact with a secret link to the contents of the bug report and the interactions between the hacker and HackerOne. 
At this point, the vulnerability information has been successfully shared with the affected organization.\n    * If they’d like, the point of contact can create an account on HackerOne to interact with the finder directly or provide updates on the resolution of the vulnerability. Alternatively, the point of contact can contact da@hackerone.com for assistance on how to proceed. At the end of this process, HackerOne will inquire about the organization's preferred vulnerability disclosure process (based on ISO 29147) to avoid the need for Disclosure Assistance in the future.\n* If no response or acknowledgment is received within 30 days, the report will be closed as informative.\n* As HackerOne has no control over the remediation of triaged Disclosure Assistance reports, HackerOne is unable to resolve reported bugs. These reports will be closed as informative unless the company contact directly confirms within the report itself that the bug can be closed as resolved.\n* HackerOne’s Mediation team does not act on mediation requests for Disclosure Assistance reports. If you have concerns about a Disclosure Assistance report, please comment within your report or contact da@hackerone.com. \n\n\nPlease be aware that we cannot guarantee success, so we recommend familiarizing yourself with the EFF's Vulnerability Reporting FAQ and encourage you to perform other contact attempts in parallel to our effort.\n\n# Questions?\nQuestions specific to a particular report should be asked within the report itself. 
If you need support or have questions on the Disclosure Assistance process, please contact da@hackerone.com.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-01-05T16:00:36.398Z"},{"id":3676983,"new_policy":"# What is Disclosure Assistance?\n\nWhen a vulnerability is found, it needs to get into the right hands quickly. This is the only way to ensure it will be resolved safely without public harm. To aid in this process, HackerOne introduced the [Directory](https://hackerone.com/directory) to identify the best way to report potential vulnerabilities directly to the organizations that can resolve them.\n\nSome organizations do not have well-defined methods of receiving vulnerability reports from external finders. In these situations, HackerOne will work with friendly hackers on a best effort basis to verify the legitimacy of a vulnerability, reach out to and verify the identity of an individual at the affected organization, then share the vulnerability with the organization so it can be resolved.\n\n# Why does HackerOne offer Disclosure Assistance?\n\nIt's risky for security researchers to report vulnerabilities to organizations that lack formal policies. Will the researcher receive a warm welcome, a cold shoulder, a punitive lawsuit, or a visit from law enforcement? This uncertainty intensifies a chilling effect that causes vulnerabilities to go unreported and the Internet to be less safe than it could be. It's in our collective best interest to help friendly hackers be able to disclose vulnerabilities to any organization.\n\nIn the physical world, \"If you see something, say something.\" is a core tenet of any safe community. 
The same should be true online, yet far too often good samaritans are pressured to \"say nothing.\" Encouraging strong relationships with organizations and the hacker community is key to creating a safer Internet for all. The HackerOne Directory aims to reduce risk for the individual and help close this crucial gap.\n\n# How does it work, exactly?\n\n* A friendly hacker finds a vulnerability.\n* They search the HackerOne [Directory](https://hackerone.com/directory) for a published security contact method and attempt alternative means of contact.\n* If the hacker has exhausted their options in their attempts to contact the organization, they can [request Disclosure Assistance](https://hackerone.com/disclosure-assistance/disclosure_assistance_requests/new).\n\nAt this point, the hacker provides information on their attempts to reach the affected organization along with the relevant vulnerability information. This vulnerability information is received by the HackerOne Disclosure Assistance team, who verifies the legitimacy of the bug, as well as determines the potential impact.\n\nAs Disclosure Assistance is a best-effort service, HackerOne does not accept Mediation Requests for Disclosure Assistance reports. HackerOne also prioritizes which bugs to assist with based on impact, and may be unable to assist with low-impact bugs. Please be aware that we cannot guarantee success, so we recommend familiarizing yourself with the EFF's [Vulnerability Reporting FAQ](https://www.eff.org/issues/coders/vulnerability-reporting-faq) and encourage you to perform other contact attempts in parallel to our effort.\n\nHackerOne will attempt to contact the affected organization and verify the identity of an appropriate point of contact to receive the vulnerability information. Once their identity is verified, an email is sent to the point of contact with a secret link to the contents of the bug report and the interactions between the hacker and HackerOne. 
At this point, the vulnerability information has been successfully shared with the affected organization.\n\nIf they’d like, the point of contact can create an account on HackerOne to interact with the finder directly or provide updates on the resolution of the vulnerability. Alternatively, the point of contact can contact da@hackerone.com for assistance on how to proceed. At the end of this process, HackerOne will inquire about the organization's preferred vulnerability disclosure process (based on ISO 29147) to avoid the need for Disclosure Assistance in the future.\n\n# Questions?\n\nQuestions specific to a particular report should be asked on the report itself. If you need support or have questions on the Disclosure Assistance process, please contact da@hackerone.com.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2022-09-02T17:51:24.404Z"},{"id":3552094,"new_policy":"# What is Disclosure Assistance?\n\nWhen a vulnerability is found, it needs to get into the right hands quickly. This is the only way to ensure it will be resolved safely without public harm. To aid in this process, HackerOne introduced the [Directory](https://hackerone.com/directory) to identify the best way to report potential vulnerabilities directly to the organizations that can resolve them.\n\nSome organizations do not have well-defined methods of receiving vulnerability reports from external finders. 
In these situations, HackerOne will work with friendly hackers on a best effort basis to verify the legitimacy of a vulnerability, reach out to and verify the identity of an individual at the affected organization, then share the vulnerability with the organization so it can be resolved.\n\n# Why does HackerOne offer Disclosure Assistance?\n\nIt's risky for security researchers to report vulnerabilities to organizations that lack formal policies. Will the researcher receive a warm welcome, a cold shoulder, a punitive lawsuit, or a visit from law enforcement? This uncertainty intensifies a chilling effect that causes vulnerabilities to go unreported and the Internet to be less safe than it could be. It's in our collective best interest to help friendly hackers be able to disclose vulnerabilities to any organization.\n\nIn the physical world, \"If you see something, say something.\" is a core tenet of any safe community. The same should be true online, yet far too often good samaritans are pressured to \"say nothing.\" Encouraging strong relationships with organizations and the hacker community is key to creating a safer Internet for all. The HackerOne Directory aims to reduce risk for the individual and help close this crucial gap.\n\n# How does it work, exactly?\n\n* A friendly hacker finds a vulnerability.\n* They search the HackerOne [Directory](https://hackerone.com/directory) for a published security contact method and attempt alternative means of contact.\n* If the hacker has exhausted their options in their attempts to contact the organization, they can [request Disclosure Assistance](https://hackerone.com/disclosure-assistance/disclosure_assistance_requests/new).\n\nAt this point, the hacker provides information on their attempts to reach the affected organization along with the relevant vulnerability information. 
This vulnerability information is received by the HackerOne Disclosure Assistance team, who verifies the legitimacy of the bug, as well as determines the potential impact.\n\nAs Disclosure Assistance is a best effort service, HackerOne prioritizes which bugs to assist with based on impact and may be unable to assist with low impact bugs. Please be aware that we cannot guarantee success, so we recommend familiarizing yourself with the EFF's [Vulnerability Reporting FAQ](https://www.eff.org/issues/coders/vulnerability-reporting-faq) and encourage you to perform other contact attempts in parallel to our effort.\n\nHackerOne will attempt to contact the affected organization and verify the identity of an appropriate point of contact to receive the vulnerability information. Once their identity is verified, an email is sent to the point of contact with a secret link to the contents of the bug report and the interactions between the hacker and HackerOne. At this point, the vulnerability information has been successfully shared with the affected organization.\n\nIf they’d like, the point of contact can create an account on HackerOne to interact with the finder directly or provide updates on the resolution of the vulnerability. Alternatively, the point of contact can contact da@hackerone.com for assistance on how to proceed. At the end of this process, HackerOne will inquire about the organization's preferred vulnerability disclosure process (based on ISO 29147) to avoid the need for Disclosure Assistance in the future.\n\n# Questions?\n\nQuestions specific to a particular report should be asked on the report itself. 
If you need support or have questions on the Disclosure Assistance process, please contact da@hackerone.com.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2017-04-24T21:39:30.505Z"},{"id":3550626,"new_policy":"# What is Disclosure Assistance?\nWhen a vulnerability is found, it needs to get into the right hands quickly. This is the only way to ensure it will be resolved safely without public harm. To aid in this process, HackerOne introduced the [Directory](https://hackerone.com/directory) to identify the best way to report potential vulnerabilities directly to the organizations that can resolve them.\n\nSome organizations do not have well-defined methods of receiving vulnerability reports from external researchers. In these situations, HackerOne will work with friendly hackers on a best effort basis to verify the legitimacy of a vulnerability, reach out to and verify the identity of an individual at the affected organization, then share the vulnerability with the organization so it can be resolved.\n\n# Why does HackerOne offer Disclosure Assistance?\nIt's risky for security researchers to report vulnerabilities to organizations that lack formal policies. Will the researcher receive a warm welcome, a cold shoulder, a punitive lawsuit, or a visit from law enforcement? This uncertainty intensifies a chilling effect that causes vulnerabilities to go unreported and the Internet to be less safe than it could be. It's in our collective best interest to help friendly hackers be able to disclose vulnerabilities to any organization.\n\nIn the physical world, \"If you see something, say something.\" is a core tenet of any safe community. 
The same should be true online, yet far too often good samaritans are pressured to \"say nothing.\" Encouraging strong relationships with organizations and the hacker community is key to creating a safer Internet for all. The HackerOne Directory aims to reduce risk for the individual and help close this crucial gap.\n\n# How does it work, exactly?\nIf a friendly hacker identifies a vulnerability, they search for the affected organization in the [HackerOne Directory](https://hackerone.com/directory). If the organization has a means of disclosure, the hacker will attempt that first. If the hacker has exhausted their options in trying to reach the organization, they can request Disclosure Assistance. At this point, the hacker agrees to the terms and conditions of the Disclosure Assistance service, provides information on their attempts to reach the affected organization, and submits a vulnerability report.\n\nThis vulnerability report is received by the HackerOne Disclosure Assistance team, who verifies the legitimacy of the bug, as well as determines the potential impact. As Disclosure Assistance is a best effort service, HackerOne prioritizes which bugs to assist with based on impact. In scenarios where bugs do not have a reasonable impact (e.g. clickjacking on a page with only static content), HackerOne may be unable to help. If the impact is significant, however, HackerOne will attempt to contact the affected organization and verify the identity of an appropriate individual to receive the vulnerability details. Once their identity is verified, an email is sent to this individual with a long, difficult to guess, obfuscated link. Clicking this link brings the individual to a logged out view of the bug report, where they can see all interactions between the hacker and HackerOne, as well as any internal comments tracking progress of the Disclosure Assistance request. At this point, the vulnerability details have been successfully shared with the affected organization. 
\n\nIf they’d like, the individual can create an account on HackerOne and interact with the researcher to ask for more information and provide updates on working towards resolving the vulnerability. Alternatively, the individual can contact da@hackerone.com for assistance on how to proceed. The individual also can express interest as to whether or not they would like to establish a documented means of vulnerability disclosure, or even start a bug bounty program on HackerOne.\n\n# Questions?\nQuestions specific to a particular report should be asked on the report itself. If you need support or have questions on the Disclosure Assistance process, please contact da@hackerone.com.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2017-04-04T17:01:56.397Z"}]