What is Responsible Disclosure?
Responsible Disclosure, also known as Coordinated Vulnerability Disclosure (CVD), is a practice in which security researchers who discover vulnerabilities in software, systems, or infrastructure report their findings directly to the affected organization rather than publicly disclosing them. The goal is to give the organization a reasonable opportunity to investigate, remediate, and deploy fixes before the vulnerability becomes publicly known and potentially exploited by malicious actors.
This collaborative approach benefits all parties: organizations can protect their users and systems, researchers are recognized for their contributions to security, and the broader community benefits from safer technology.
How It Works on OpenHunt
Organizations that host programs on OpenHunt publish a program policy that defines the scope of their assets, the types of vulnerabilities they are interested in, their rules of engagement, and the rewards or recognition they offer. Security researchers review these policies and, if they choose to participate, conduct testing in accordance with the program's terms.
When a researcher discovers a vulnerability, they submit a report through the Platform. The organization receives the report, evaluates the finding, and works toward remediation. Throughout this process, the researcher and the organization communicate through the Platform until the issue is resolved.
Researcher Commitments
By participating in any program hosted on OpenHunt, researchers commit to the following principles:
- Test only within the defined scope. Only assets and systems explicitly listed as in-scope in the program policy are authorized for testing. Any system not explicitly included is off-limits.
- Do not cause harm. Avoid actions that could disrupt services, corrupt data, or negatively impact the organization's users. Do not access, modify, or delete data belonging to other users.
- Report, do not exploit. Once a vulnerability is discovered, stop testing further on that issue and report it promptly. Do not leverage discovered vulnerabilities for personal gain, unauthorized access, or to pivot into other systems.
- Do not disclose publicly. Do not share, publish, or disclose vulnerability details — publicly or to third parties — until the organization has confirmed that the issue has been remediated and has authorized disclosure, or until the disclosure deadline specified in the program policy has elapsed.
- Submit original, good-faith reports. Reports must be accurate, original work with sufficient detail for the organization to reproduce and verify the finding. Submitting fraudulent, fabricated, duplicate, or plagiarized reports is prohibited.
- Respect the program policy. Each program may have its own specific rules of engagement, testing restrictions, and communication guidelines. Researchers must read and follow these rules in their entirety.
- Act within the law. Researchers are responsible for ensuring their activities comply with all applicable laws and regulations in their own jurisdiction and in the jurisdiction of the organization being tested.
Organization Commitments
Organizations that host programs on the Platform are expected to:
- Publish a clear program policy. Define in-scope assets, out-of-scope items, rules of engagement, response timelines, and reward structures (if applicable) so researchers can participate with full knowledge of the terms.
- Respond in good faith. Acknowledge reports, provide status updates, and work toward timely remediation in accordance with their published response SLAs.
- Honor Safe Harbor. Not pursue legal action against researchers who act in good faith and in compliance with the program policy and applicable laws.
- Honor stated rewards. If operating a Bug Bounty Program (BBP), fulfill bounty commitments as defined in their program policy.
Safe Harbor
Each program hosted on OpenHunt may include Safe Harbor provisions. Safe Harbor means that the organization commits to not taking legal action against researchers who:
- Act in good faith compliance with the program policy.
- Test only within the authorized scope.
- Report vulnerabilities through the proper channels without public disclosure.
- Do not cause intentional damage, data loss, or service disruption.
- Comply with applicable laws.
Important: Safe Harbor provisions are defined and offered by each Program Owner individually. OpenHunt, as a SaaS infrastructure provider, does not define, guarantee, enforce, or assume any liability for Safe Harbor commitments made by organizations on the Platform. Researchers should carefully review each program's specific Safe Harbor terms before participating. When in doubt, seek independent legal advice.
What Happens If You Follow the Rules?
If you conduct your research in accordance with the program's published policy, within the defined scope, and in compliance with these principles and applicable laws, you are acting as an authorized security researcher. Organizations that host programs on the Platform have agreed to treat compliant research as authorized activity and to engage with you in good faith.
In practice, this means:
- Your report will be received, acknowledged, and evaluated.
- You will receive status updates as the organization works toward remediation.
- If the program offers rewards, you will be compensated in accordance with the published reward structure.
- If the program offers recognition, you may be listed on the organization's Hall of Fame.
- The organization will not take legal action against you for authorized research activity.
What Happens If You Break the Rules?
Research activities that fall outside the program's policy, scope, or these principles are not covered by Safe Harbor protections. This includes, but is not limited to:
- Testing assets or systems not listed as in-scope.
- Accessing, exfiltrating, or destroying data belonging to the organization or its users.
- Publicly disclosing vulnerabilities without authorization.
- Attempting to extort, threaten, or pressure an organization into paying a reward.
- Performing denial-of-service attacks or other disruptive testing.
- Using discovered vulnerabilities for unauthorized access beyond what is necessary to demonstrate the issue.
Researchers who violate these rules may have their accounts suspended or terminated, and may face legal consequences from the affected organization. OpenHunt is not responsible for and will not intervene in legal actions arising from non-compliant research.
Platform Disclaimer
OpenHunt operates exclusively as a SaaS infrastructure provider. The Platform facilitates communication between organizations and security researchers but is not a party to any program, does not control how programs are operated, and does not assume any responsibility for the actions, omissions, policies, or commitments of either Program Owners or Researchers. All program terms, including Safe Harbor, rewards, scope, and rules of engagement, are defined and enforced solely by the respective Program Owner.
Questions?
If you have questions about responsible disclosure, how programs work on 0xHunter, or need help understanding a program's policy, contact us at info@0xhunter.io.
