[{"id":3774002,"new_policy":"# Program Rules\n- Do not test on production (https://app.hex.tech). For access to the bug bounty instance, please email `bug-bounty` at our domain, and provide your HackerOne handle.\n- Do not message support chat on https://app.hex.tech. \n- Please provide [detailed reports](https://docs.hackerone.com/en/articles/8475116-quality-reports), along with [attack scenario](https://bughunters.google.com/learn/improving-your-reports/how-to-report/6379261818306560/write-down-the-attack-scenario). If the report is not detailed enough to reproduce the issue, the issue may not be marked as triaged.\n- Submit one vulnerability per report unless you need to chain vulnerabilities to provide impact.\n- When duplicates occur, we only triage the first report received (provided that it can be fully reproduced).\n- Only interact with accounts you own or with explicit permission of the account holder.\n\n# Focus Areas\n- Cross-tenancy (cross-workspace) data leakages\n- Broken access controls\n- AuthN/AuthZ on all interfaces - web, API, CLI, MCP, etc\n- AuthZ within AI agent interfaces\n- Container escapes\n- Remote code execution (excluding kernel environments)\n- XSS on core app domain (not in cell outputs)\n- AI security impacting customer data\n- Input sanitization\n- [Hex API](https://learn.hex.tech/docs/develop-logic/hex-api/overview)\n\n# Out-of-Scope\n- [HackerOne Core Ineligible Findings](https://docs.hackerone.com/en/articles/8494488-core-ineligible-findings)\n- Within kernel environments (e.g. in Python or SQL cells): remote code execution, arbitrary SQL execution, or filesystem access\n- JavaScript execution on cell output domains (*.hexoutputs.tech)\n- Access to product features from a different tier\n- User subscription upgrade or cancel flow\n- Non-security bugs, or bugs without practical impact to confidentiality, integrity, or availability\n\nNote: The app allows you to be logged into multiple user accounts and orgs at the same time. To properly test cross-org authorization, you need to start with two separate browsers or profiles, ensure you're fully logged out on both, then on each browser log in with a different email address. Ensure that the attacker's email address isn't a member of the target org.\n\nThank you for helping keep Hex Technologies and our users safe!\n","has_open_scope":true,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"Hex believes that working with skilled security researchers across the globe is critical for best protecting our customers and their data. We are excited for you to participate as a security researcher to help us identify vulnerabilities in our web application. Good luck and happy hunting!","platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2026-05-11T21:38:40.030Z"},{"id":3766352,"new_policy":"# Program Rules\n- Do not test on production (https://app.hex.tech). For access to the bug bounty instance, please email `bug-bounty` at our domain, and provide your HackerOne handle.\n- Do not message support chat on https://app.hex.tech. \n- Please provide [detailed reports](https://docs.hackerone.com/en/articles/8475116-quality-reports), along with [attack scenario](https://bughunters.google.com/learn/improving-your-reports/how-to-report/6379261818306560/write-down-the-attack-scenario). If the report is not detailed enough to reproduce the issue, the issue may not be marked as triaged.\n- Submit one vulnerability per report unless you need to chain vulnerabilities to provide impact.\n- When duplicates occur, we only triage the first report received (provided that it can be fully reproduced).\n- Only interact with accounts you own or with explicit permission of the account holder.\n\n# Focus Areas\n- Cross-tenancy (cross-workspace) data leakages\n- Broken access controls\n- Container escapes\n- Remote code execution (excluding kernel environments)\n- XSS on core app domain (not in cell outputs)\n- AI security impacting customer data\n- Input sanitization\n- [Hex API](https://learn.hex.tech/docs/develop-logic/hex-api/overview)\n\n# Out-of-Scope\n- [HackerOne Core Ineligible Findings](https://docs.hackerone.com/en/articles/8494488-core-ineligible-findings)\n- Within kernel environments (e.g. in Python or SQL cells): remote code execution, arbitrary SQL execution, or filesystem access\n- JavaScript execution on cell output domains (*.hexoutputs.tech)\n- Access to product features from a different tier\n- User subscription upgrade or cancel flow\n- Non-security bugs, or bugs without practical impact to confidentiality, integrity, or availability\n\nNote: The app allows you to be logged into multiple user accounts and orgs at the same time. To properly test cross-org authorization, you need to start with two separate browsers or profiles, ensure you're fully logged out on both, then on each browser log in with a different email address. Ensure that the attacker's email address isn't a member of the target org.\n\nThank you for helping keep Hex Technologies and our users safe!\n","has_open_scope":true,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"Hex believes that working with skilled security researchers across the globe is critical for best protecting our customers and their data. We are excited for you to participate as a security researcher to help us identify vulnerabilities in our web application. Good luck and happy hunting!","platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-11-19T16:17:08.258Z"},{"id":3763445,"new_policy":"# Program Rules\n- Do not test on production (https://app.hex.tech). For access to the bug bounty instance, please email `bug-bounty` at our domain, and provide your HackerOne handle.\n- Do not message support chat on https://app.hex.tech. \n- No automated scanning of the app or API. (Except in narrow use cases with a specific goal in mind.)\n- Please provide [detailed reports](https://docs.hackerone.com/en/articles/8475116-quality-reports), along with [attack scenario](https://bughunters.google.com/learn/improving-your-reports/how-to-report/6379261818306560/write-down-the-attack-scenario). If the report is not detailed enough to reproduce the issue, the issue may not be marked as triaged.\n- Submit one vulnerability per report unless you need to chain vulnerabilities to provide impact.\n- When duplicates occur, we only triage the first report received (provided that it can be fully reproduced).\n- Only interact with accounts you own or with explicit permission of the account holder.\n\n# Focus Areas\n- Cross-tenancy (cross-workspace) data leakages\n- Broken access controls\n- Container escapes\n- Remote code execution (excluding kernel environments)\n- XSS on core app domain (not in cell outputs)\n- AI security impacting customer data\n- Input sanitization\n- [Hex API](https://learn.hex.tech/docs/develop-logic/hex-api/overview)\n\n# Out-of-Scope\n- [HackerOne Core Ineligible Findings](https://docs.hackerone.com/en/articles/8494488-core-ineligible-findings)\n- Within kernel environments (e.g. in Python or SQL cells): remote code execution, arbitrary SQL execution, or filesystem access\n- JavaScript execution on cell output domains (*.hexoutputs.tech)\n- Access to product features from a different tier\n- User subscription upgrade or cancel flow\n- Non-security bugs, or bugs without practical impact to confidentiality, integrity, or availability\n\nNote: The app allows you to be logged into multiple user accounts and orgs at the same time. To properly test cross-org authorization, you need to start with two separate browsers or profiles, ensure you're fully logged out on both, then on each browser log in with a different email address. Ensure that the attacker's email address isn't a member of the target org.\n\nThank you for helping keep Hex Technologies and our users safe!\n","has_open_scope":true,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"Hex believes that working with skilled security researchers across the globe is critical for best protecting our customers and their data. We are excited for you to participate as a security researcher to help us identify vulnerabilities in our web application. Good luck and happy hunting!","platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-09-22T16:58:14.654Z"},{"id":3762189,"new_policy":"# Program Rules\n- Do not test on production (https://app.hex.tech). For access to the bug bounty instance, please email `bug-bounty` at our domain.\n- Do not message support chat on https://app.hex.tech. \n- No automated scanning of the app or API. (Except in narrow use cases with a specific goal in mind.)\n- Please provide [detailed reports](https://docs.hackerone.com/en/articles/8475116-quality-reports), along with [attack scenario](https://bughunters.google.com/learn/improving-your-reports/how-to-report/6379261818306560/write-down-the-attack-scenario). If the report is not detailed enough to reproduce the issue, the issue may not be marked as triaged.\n- Submit one vulnerability per report unless you need to chain vulnerabilities to provide impact.\n- When duplicates occur, we only triage the first report received (provided that it can be fully reproduced).\n- Only interact with accounts you own or with explicit permission of the account holder.\n\n# Focus Areas\n- Cross-tenancy (cross-workspace) data leakages\n- Broken access controls\n- Container escapes\n- Remote code execution (excluding kernel environments)\n- XSS on core app domain (not in cell outputs)\n- AI security impacting customer data\n- Input sanitization\n- [Hex API](https://learn.hex.tech/docs/develop-logic/hex-api/overview)\n\n# Out-of-Scope\n- [HackerOne Core Ineligible Findings](https://docs.hackerone.com/en/articles/8494488-core-ineligible-findings)\n- Within kernel environments (e.g. in Python or SQL cells): remote code execution, arbitrary SQL execution, or filesystem access\n- JavaScript execution on cell output domains (*.hexoutputs.tech)\n- Access to product features from a different tier\n- User subscription upgrade or cancel flow\n- Non-security bugs, or bugs without practical impact to confidentiality, integrity, or availability\n\nNote: The app allows you to be logged into multiple user accounts and orgs at the same time. To properly test cross-org authorization, you need to start with two separate browsers or profiles, ensure you're fully logged out on both, then on each browser log in with a different email address. Ensure that the attacker's email address isn't a member of the target org.\n\nThank you for helping keep Hex Technologies and our users safe!\n","has_open_scope":true,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"Hex believes that working with skilled security researchers across the globe is critical for best protecting our customers and their data. We are excited for you to participate as a security researcher to help us identify vulnerabilities in our web application. Good luck and happy hunting!","platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-09-02T16:08:53.084Z"},{"id":3758796,"new_policy":"# Program Rules\n- No automated scanning of the app or API. (Except in narrow use cases with a specific goal in mind.)\n- No messaging help/support chat on https://app.hex.tech\n- Please provide [detailed reports](https://docs.hackerone.com/en/articles/8475116-quality-reports), along with [attack scenario](https://bughunters.google.com/learn/improving-your-reports/how-to-report/6379261818306560/write-down-the-attack-scenario). If the report is not detailed enough to reproduce the issue, the issue may not be marked as triaged.\n- Submit one vulnerability per report unless you need to chain vulnerabilities to provide impact.\n- When duplicates occur, we only triage the first report received (provided that it can be fully reproduced).\n- Only interact with accounts you own or with explicit permission of the account holder.\n\n# Focus Areas\n- Cross-tenancy (cross-workspace) data leakages\n- Broken access controls\n- Container escapes\n- Remote code execution (excluding kernel environments)\n- XSS on core app domain (not in cell outputs)\n- AI security impacting customer data\n- Input sanitization\n- [Hex API](https://learn.hex.tech/docs/develop-logic/hex-api/overview)\n\n# Out-of-Scope\n- [HackerOne Core Ineligible Findings](https://docs.hackerone.com/en/articles/8494488-core-ineligible-findings)\n- Within kernel environments (e.g. in Python or SQL cells): remote code execution, arbitrary SQL execution, or filesystem access\n- JavaScript execution on cell output domains (*.hexoutputs.tech)\n- Access to product features from a different tier\n- User subscription upgrade or cancel flow\n- Non-security bugs, or bugs without practical impact to confidentiality, integrity, or availability\n\nNote: The app allows you to be logged into multiple user accounts and orgs at the same time. To properly test cross-org authorization, you need to start with two separate browsers or profiles, ensure you're fully logged out on both, then on each browser log in with a different email address. Ensure that the attacker's email address isn't a member of the target org.\n\nThank you for helping keep Hex Technologies and our users safe!\n","has_open_scope":true,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"Hex believes that working with skilled security researchers across the globe is critical for best protecting our customers and their data. We are excited for you to participate as a security researcher to help us identify vulnerabilities in our web application. Good luck and happy hunting!","platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-07-10T02:09:48.348Z"},{"id":3758794,"new_policy":"# Program Rules\n- No automated scanning of the app or API. (Except in narrow use cases with a specific goal in mind.)\n- No messaging help/support chat on https://app.hex.tech\n- Please provide [detailed reports](https://docs.hackerone.com/en/articles/8475116-quality-reports), along with [attack scenario](https://bughunters.google.com/learn/improving-your-reports/how-to-report/6379261818306560/write-down-the-attack-scenario). If the report is not detailed enough to reproduce the issue, the issue may not be marked as triaged.\n- Submit one vulnerability per report unless you need to chain vulnerabilities to provide impact.\n- When duplicates occur, we only triage the first report received (provided that it can be fully reproduced).\n- Only interact with accounts you own or with explicit permission of the account holder.\n\n# Focus Areas\n- Cross-tenancy (cross-workspace) data leakages\n- Broken access controls\n- Container escapes\n- Remote code execution (excluding kernel environments)\n- XSS on core app domain (not in cell outputs)\n- AI security impacting customer data\n- Input sanitization\n- [Hex API](https://learn.hex.tech/docs/develop-logic/hex-api/overview)\n\n# Out-of-Scope\n- [HackerOne Core Ineligible Findings](https://docs.hackerone.com/en/articles/8494488-core-ineligible-findings)\n- Within kernel environments (e.g. in Python or SQL cells): remote code execution, arbitrary SQL execution, or filesystem access\n- Access to product features from a different tier\n- User subscription upgrade or cancel flow\n- Non-security bugs, or bugs without practical impact to confidentiality, integrity, or availability\n\nNote: The app allows you to be logged into multiple user accounts and orgs at the same time. To properly test cross-org authorization, you need to start with two separate browsers or profiles, ensure you're fully logged out on both, then on each browser log in with a different email address. Ensure that the attacker's email address isn't a member of the target org.\n\nThank you for helping keep Hex Technologies and our users safe!\n","has_open_scope":true,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"Hex believes that working with skilled security researchers across the globe is critical for best protecting our customers and their data. We are excited for you to participate as a security researcher to help us identify vulnerabilities in our web application. Good luck and happy hunting!","platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-07-10T02:04:10.742Z"},{"id":3758231,"new_policy":"# Program Rules\n- No automated scanning of the app or API. (Except in narrow use cases with a specific goal in mind.)\n- No messaging help/support chat on https://app.hex.tech\n- Please provide [detailed reports](https://docs.hackerone.com/en/articles/8475116-quality-reports), along with [attack scenario](https://bughunters.google.com/learn/improving-your-reports/how-to-report/6379261818306560/write-down-the-attack-scenario). If the report is not detailed enough to reproduce the issue, the issue may not be marked as triaged.\n- Submit one vulnerability per report unless you need to chain vulnerabilities to provide impact.\n- When duplicates occur, we only triage the first report received (provided that it can be fully reproduced).\n- Only interact with accounts you own or with explicit permission of the account holder.\n\n# Focus Areas\n- Cross-tenancy (cross-workspace) data leakages\n- Broken access controls\n- Container escapes\n- Remote code execution (excluding kernel environments)\n- XSS on core app domain, via HTML/JS output cells\n- AI security impacting customer data\n- Input sanitization\n- [Hex API](https://learn.hex.tech/docs/develop-logic/hex-api/overview)\n\n# Out-of-Scope\n- [HackerOne Core Ineligible Findings](https://docs.hackerone.com/en/articles/8494488-core-ineligible-findings)\n- Within kernel environments (e.g. in Python or SQL cells): remote code execution, arbitrary SQL execution, or filesystem access\n- Access to product features from a different tier\n- User subscription upgrade or cancel flow\n- Non-security bugs, or bugs without practical impact to confidentiality, integrity, or availability\n\nNote: The app allows you to be logged into multiple user accounts and orgs at the same time. To properly test cross-org authorization, you need to start with two separate browsers or profiles, ensure you're fully logged out on both, then on each browser log in with a different email address. Ensure that the attacker's email address isn't a member of the target org.\n\nThank you for helping keep Hex Technologies and our users safe!\n","has_open_scope":true,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"Hex believes that working with skilled security researchers across the globe is critical for best protecting our customers and their data. We are excited for you to participate as a security researcher to help us identify vulnerabilities in our web application. Good luck and happy hunting!","platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-06-26T22:19:02.964Z"},{"id":3755013,"new_policy":"# Program Rules\n- No automated scanning of the app or API. (Except in narrow use cases with a specific goal in mind.)\n- No messaging help/support chat on https://app.hex.tech\n- Please provide [detailed reports](https://docs.hackerone.com/en/articles/8475116-quality-reports), along with [attack scenario](https://bughunters.google.com/learn/improving-your-reports/how-to-report/6379261818306560/write-down-the-attack-scenario). If the report is not detailed enough to reproduce the issue, the issue may not be marked as triaged.\n- Submit one vulnerability per report unless you need to chain vulnerabilities to provide impact.\n- When duplicates occur, we only triage the first report received (provided that it can be fully reproduced).\n- Only interact with accounts you own or with explicit permission of the account holder.\n\n# Focus Areas\n- Cross-tenancy (cross-workspace) data leakages\n- Broken access controls\n- Container escapes\n- Remote code execution (excluding kernel environments)\n- Input sanitization\n- [Hex API](https://learn.hex.tech/docs/develop-logic/hex-api/overview)\n\n# Out-of-Scope\n- [HackerOne Core Ineligible Findings](https://docs.hackerone.com/en/articles/8494488-core-ineligible-findings)\n- Within kernel environments (e.g. in Python or SQL cells): remote code execution, arbitrary SQL execution, or filesystem access\n- Access to product features from a different tier\n- User subscription upgrade or cancel flow\n- Non-security bugs, or bugs without practical impact to confidentiality, integrity, or availability\n\nNote: The app allows you to be logged into multiple user accounts and orgs at the same time. To properly test cross-org authorization, you need to start with two separate browsers or profiles, ensure you're fully logged out on both, then on each browser log in with a different email address. Ensure that the attacker's email address isn't a member of the target org.\n\nThank you for helping keep Hex Technologies and our users safe!\n","has_open_scope":true,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"Hex believes that working with skilled security researchers across the globe is critical for best protecting our customers and their data. We are excited for you to participate as a security researcher to help us identify vulnerabilities in our web application. Good luck and happy hunting!","platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-05-07T16:03:45.033Z"},{"id":3754516,"new_policy":"# Program Rules\n- No automated scanning of the app or API. (Except in narrow use cases with a specific goal in mind.)\n- No messaging help/support chat on https://app.hex.tech\n- Please provide [detailed reports](https://docs.hackerone.com/en/articles/8475116-quality-reports), along with [attack scenario](https://bughunters.google.com/learn/improving-your-reports/how-to-report/6379261818306560/write-down-the-attack-scenario). If the report is not detailed enough to reproduce the issue, the issue may not be marked as triaged.\n- Submit one vulnerability per report unless you need to chain vulnerabilities to provide impact.\n- When duplicates occur, we only triage the first report received (provided that it can be fully reproduced).\n- Only interact with accounts you own or with explicit permission of the account holder.\n\n# Focus Areas\n- Cross-tenancy (cross-workspace) data leakages\n- Broken access controls\n- Container escapes\n- Remote code execution (excluding kernel environments)\n- Input sanitization\n- [Hex API](https://learn.hex.tech/docs/develop-logic/hex-api/overview)\n\n# Out-of-Scope\n- [HackerOne Core Ineligible Findings](https://docs.hackerone.com/en/articles/8494488-core-ineligible-findings)\n- Within kernel environments (e.g. in Python or SQL cells): remote code execution, arbitrary SQL execution, or filesystem access\n- Access to product features from a different tier\n- User subscription upgrade or cancel flow\n\nNote: The app allows you to be logged into multiple user accounts and orgs at the same time. To properly test cross-org authorization, you need to start with two separate browsers or profiles, ensure you're fully logged out on both, then on each browser log in with a different email address. Ensure that the attacker's email address isn't a member of the target org.\n\nThank you for helping keep Hex Technologies and our users safe!\n","has_open_scope":true,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"Hex believes that working with skilled security researchers across the globe is critical for best protecting our customers and their data. We are excited for you to participate as a security researcher to help us identify vulnerabilities in our web application. Good luck and happy hunting!","platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-04-28T18:55:06.918Z"},{"id":3754334,"new_policy":"# Program Rules\n- No automated scanning of the app or API\n    - Except in narrow use cases with a specific goal in mind. \n    - Spamming may result in exclusion from bug bounty.\n- No messaging help/support chat on https://app.hex.tech\n- Please provide [detailed reports](https://docs.hackerone.com/en/articles/8475116-quality-reports), along with [attack scenario](https://bughunters.google.com/learn/improving-your-reports/how-to-report/6379261818306560/write-down-the-attack-scenario). If the report is not detailed enough to reproduce the issue, the issue may not be marked as triaged.\n- Submit one vulnerability per report unless you need to chain vulnerabilities to provide impact.\n- When duplicates occur, we only triage the first report received (provided that it can be fully reproduced).\n- Only interact with accounts you own or with explicit permission of the account holder.\n\n# Focus Areas\n- Cross-tenancy (cross-workspace) data leakages\n- Broken access controls\n- Container escapes\n- Remote code execution (excluding kernel environments)\n- Input sanitization\n- [Hex API](https://learn.hex.tech/docs/develop-logic/hex-api/overview)\n\n# Out-of-Scope\n- [HackerOne Core Ineligible Findings](https://docs.hackerone.com/en/articles/8494488-core-ineligible-findings)\n- Remote code execution within kernel environments\n- Arbitrary SQL within kernel environments (e.g. in SQL or Python cells)\n- Access to product features from a different tier\n- User subscription upgrade or cancel flow\n\nNote: The app allows you to be logged into multiple user accounts and orgs at the same time. To properly test cross-org authorization, you need to start with two separate browsers or profiles, ensure you're fully logged out on both, then on each browser log in with a different email address. Ensure that the attacker's email address isn't a member of the target org.\n\nThank you for helping keep Hex Technologies and our users safe!\n","has_open_scope":true,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"Hex believes that working with skilled security researchers across the globe is critical for best protecting our customers and their data. We are excited for you to participate as a security researcher to help us identify vulnerabilities in our web application. Good luck and happy hunting!","platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-04-24T18:12:58.893Z"},{"id":3753991,"new_policy":"# Program Rules\n- No automated scanning of the app or API\n    - Except in narrow use cases with a specific goal in mind. \n    - Spamming may result in exclusion from bug bounty.\n- No messaging help/support chat on https://app.hex.tech\n- Please provide [detailed reports](https://docs.hackerone.com/en/articles/8475116-quality-reports), along with [attack scenario](https://bughunters.google.com/learn/improving-your-reports/how-to-report/6379261818306560/write-down-the-attack-scenario). If the report is not detailed enough to reproduce the issue, the issue may not be marked as triaged.\n- Submit one vulnerability per report unless you need to chain vulnerabilities to provide impact.\n- When duplicates occur, we only triage the first report received (provided that it can be fully reproduced).\n- Only interact with accounts you own or with explicit permission of the account holder.\n\n# Focus Areas\n- Cross-tenancy (cross-workspace) data leakages\n- Broken access controls\n- Container escapes\n- Remote code execution (excluding kernel environments)\n- Input sanitization\n- [Hex API](https://learn.hex.tech/docs/develop-logic/hex-api/overview)\n\n# Out-of-Scope\n- [HackerOne Core Ineligible Findings](https://docs.hackerone.com/en/articles/8494488-core-ineligible-findings)\n- Remote code execution within kernel environments\n- Arbitrary SQL within kernel environments (e.g. in SQL or Python cells)\n- Access to product features from a different tier\n- User subscription upgrade or cancel flow\n\nThank you for helping keep Hex Technologies and our users safe!\n","has_open_scope":true,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"Hex believes that working with skilled security researchers across the globe is critical for best protecting our customers and their data. We are excited for you to participate as a security researcher to help us identify vulnerabilities in our web application. Good luck and happy hunting!","platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-04-18T16:59:13.316Z"},{"id":3753966,"new_policy":"# Program Rules\n- No automated scanning of the app or API\n    - Except in narrow use cases with a specific goal in mind. \n    - Spamming may result in exclusion from bug bounty.\n- No probing external systems, like 3rd party support chat.\n- Please provide [detailed reports](https://docs.hackerone.com/en/articles/8475116-quality-reports), along with [attack scenario](https://bughunters.google.com/learn/improving-your-reports/how-to-report/6379261818306560/write-down-the-attack-scenario). If the report is not detailed enough to reproduce the issue, the issue may not be marked as triaged.\n- Submit one vulnerability per report unless you need to chain vulnerabilities to provide impact.\n- When duplicates occur, we only triage the first report received (provided that it can be fully reproduced).\n- Only interact with accounts you own or with explicit permission of the account holder.\n\n# Focus Areas\n- Cross-tenancy (cross-workspace) data leakages\n- Broken access controls\n- Container escapes\n- Remote code execution (excluding kernel environments)\n- Input sanitization\n- [Hex API](https://learn.hex.tech/docs/develop-logic/hex-api/overview)\n\n# Out-of-Scope\n- [HackerOne Core Ineligible Findings](https://docs.hackerone.com/en/articles/8494488-core-ineligible-findings)\n- Remote code execution within kernel environments\n- Arbitrary SQL within kernel environments (e.g. in SQL or Python cells)\n- Access to product features from a different tier\n- User subscription upgrade or cancel flow\n\nThank you for helping keep Hex Technologies and our users safe!\n","has_open_scope":true,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"Hex believes that working with skilled security researchers across the globe is critical for best protecting our customers and their data. We are excited for you to participate as a security researcher to help us identify vulnerabilities in our web application. Good luck and happy hunting!","platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-04-17T15:59:33.451Z"},{"id":3753824,"new_policy":"# Program Rules\n- No brute-forcing or spamming. Be cautious if using automation.\n- No probing external systems, like 3rd party support chat.\n- Please provide [detailed reports](https://docs.hackerone.com/en/articles/8475116-quality-reports), along with [attack scenario](https://bughunters.google.com/learn/improving-your-reports/how-to-report/6379261818306560/write-down-the-attack-scenario). If the report is not detailed enough to reproduce the issue, the issue may not be marked as triaged.\n- Submit one vulnerability per report unless you need to chain vulnerabilities to provide impact.\n- When duplicates occur, we only triage the first report received (provided that it can be fully reproduced).\n- Only interact with accounts you own or with explicit permission of the account holder.\n\n# Focus Areas\n- Cross-tenancy (cross-workspace) data leakages\n- Broken access controls\n- Container escapes\n- Remote code execution (excluding kernel environments)\n- Input sanitization\n- [Hex API](https://learn.hex.tech/docs/develop-logic/hex-api/overview)\n\n# Out-of-Scope\n- [HackerOne Core Ineligible Findings](https://docs.hackerone.com/en/articles/8494488-core-ineligible-findings)\n- Remote code execution within kernel environments\n- Arbitrary SQL within kernel environments (e.g. in SQL or Python cells)\n- Access to product features from a different tier\n- User subscription upgrade or cancel flow\n\nThank you for helping keep Hex Technologies and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-04-15T18:45:04.849Z"}]