Disclosure Policy

Last modified on June 30th 2021

1. Vulnerability Disclosure on WhiteHub

WhiteHub believes that the coordinated, orderly, public disclosure of vulnerabilities is a healthy and important part of the vulnerability disclosure process. The following disclosure policies apply to all submissions made through the WhiteHub platform (including New, Triaged, Unresolved, Resolved, Duplicates, Out of Scope, Not Applicable, and Won’t Fix submissions). Program Owners and researchers are encouraged to work together for sharing information in a mutually agreed manner. This section explains disclosure options at WhiteHub to both Program Owners and Researchers.

2. Coordinated Disclosure

Coordinated Disclosure is the default recommended policy for all new public programs, and is strongly recommended but optional for ongoing private bounty programs. In this model, Program Owners commit to allowing researchers to publish mutually agreed information about the vulnerability after it has been fixed. Program Owners require explicit permission to disclose in the submission record. This applies to all the submissions for the program, regardless of validity or acceptance.

In the principle of WhiteHub’s Coordinated Disclosure, researchers can externally disclose limited or full disclosures approved by Program Owners.

WhiteHub’s Coordinated Disclosure allows Program Owners and Researchers to work through the disclosure process, during which, all parties must agree for a date and the disclosure level (limited or full) for a vulnerability or exploit to be disclosed. Once the vulnerability or exploit is disclosed on WhiteHub’s platform, the Researcher can disclose the vulnerability or exploit publicly as long as it adheres to the agreed type of disclosure - limited or full, and any other parameters agreed for the disclosure.

When you disclose a submission publicly, your profile photo (avatar) from your private profile will also be revealed along with your username.

3. Nondisclosure

Nondisclosure is the default policy for Next Generation Penetration Testing. It is common in private bounty programs. In the absence of a Coordinated or Custom Disclosure policy (or in the case of any ambiguity) the expectation of the Researcher and the Program Owner is nondisclosure. This is documented in our Researcher terms and conditions and Code of Conduct.

**This means no submissions may be publicly disclosed at any time and is designated by the following text in the program bounty brief:

“Disclosure - Please note: This program does not allow disclosure. You may not release information about vulnerabilities found in this program to the public.”

4. Custom Disclosure

In some cases, WhiteHub customers customize disclosure requirements in their bounty brief.

5. Program Disclosure

The existence or details of private programs must not be communicated to anyone who is not a WhiteHub employee or an authorized employee of the organization responsible for the program.

If there is a conflict between the disclosure terms listed on a Program’s brief and the WhiteHub's Researcher Terms and Conditions, the Program Brief supersedes the WhiteHub’s terms. If you have any questions, send an email to support@whitehub.com.

6. Accidental Disclosure: Insecure POC video sharing

It is recommended to include a video or screenshot as Proof-of-Concept in your submissions. These files should not be shared publicly. This includes uploading to any publicly accessible websites (that is, YouTube, Imgur, and so on). If the file exceeds 100MB, upload the file to a secure online service such as Vimeo, with a password.