When disclosing reports, you can choose to limit the information that’s shared instead of disclosing the report in full detail. There are 2 ways you can limit information:
8
+
* Redacting sensitive information
9
+
* Limiting visibility
10
+
11
+
You can choose to limit information published in a report at the time you disclose the report and after the report has been made public.
12
+
13
+
### Redacting Reports
14
+
Some reports may contain sensitive information or information that’s not meant to be for the general public. Redacting reports enables you to censor specific words or characters from being visible to readers. Once you redact any string, the specified string will be blacked out throughout the report as seen in the image below. Keep in mind that once you redact something from a report, it’ll permanently and irreversibly be redacted.
5. <i>(Optional)</i> Click **Preview** to see how the redactions will look in the report.
25
+
6. Click **Redact**.
26
+
27
+
If you have multiple strings that you want to redact, repeat steps 2-6.
28
+
29
+
### Limiting Visibility
30
+
In addition to redacting reports, you can limit the visibility of reports by selecting to have Limited disclosure. When you select to have limited instead of full public disclosure, only the summary and timeline of the report are visible and all comments and attachments are hidden.
If your report is already fully disclosed, click **Public (Full)** in the report metadata to toggle the report to have limited disclosure. You can toggle between Full and Limited disclosure at anytime. Just click **Public (Limited)** to toggle back to full disclosure.
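Review bot: the Preview step (step 5) is marked optional, yet the paragraph under Redacting Reports states that redaction is permanent and irreversible and that the specified string is blacked out throughout the report, so a short or common string will also redact unintended occurrences; consider making Preview a required step before Redact, or at least state that every occurrence of the string in the report is redacted. Also, "at anytime" in the Limiting Visibility paragraph should read "at any time", and "Limited disclosure" is capitalized inconsistently with "full public disclosure" in the same sentence.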
docs/programs/public-disclosure.md
Lines changed: 12 additions & 27 deletions
@@ -10,47 +10,32 @@ Programs can choose from 3 disclosure settings:
10
10
11
11
Option | Detail
12
12
------ | -------
13
-
Disclosure by Default | The hacker or your security team can request public disclosure for any closed report in your program. If the admin of your program agrees to disclosure, the contents of the report will be made public within 30 days.<br> <br>*This is the default setting for all verified programs*.
14
-
Disclosure requiring Mutual Agreement | The hacker can request public disclosure for any closed report in your program. If your program security team agrees to disclosure, the contents of the report will be made public. If the security team doesn't take any action, the contents of the report will remain private. <br>*You must request to opt-in to this option.*
13
+
Disclosure by Default | The hacker or your security team can request public disclosure for any closed report in your program. If the admin of your program agrees to disclosure, the contents of the report will be made public within 30 days.<br> <br>*This is the default setting for all verified programs*.
14
+
Disclosure requiring Mutual Agreement | The hacker can request public disclosure for any closed report in your program. If your program security team agrees to disclosure, the contents of the report will be made public. If the security team doesn't take any action, the contents of the report will remain private. <br>*You must request to opt-in to this option.*
15
15
Disclosure Disabled | Public disclosure isn't allowed for any report.
16
16
17
17
### Requesting Public Disclosure
18
18
Both hackers and program members can request public disclosure. To request public disclosure:
19
-
1) Go to the report you want to publicly disclose.
20
-
2) Make sure the report is closed.
21
-
3) Select **Request public disclosure** in the action picker at the bottom of the report.
22
-
4) Select whether you want to disclose the **Full** report or **Limited**.
23
-
19
+
1) Go to the report you want to publicly disclose.
20
+
2) Make sure the report is closed.
21
+
3) Select **Request public disclosure** in the action picker at the bottom of the report.
22
+
4) Select whether you want to disclose the **Full** report or **Limited**.
23
+
24
24
Option | Details
25
25
------ | -------
26
-
Full | Upon public disclosure, the full contents of the report are visible including:<ul>Vulnerability information</ul><ul>Summary</ul><ul>Timeline such as comments and attachment</ul><br>*Note: Internal comments are hidden.*
26
+
Full | Upon public disclosure, the full contents of the report are visible including the:<li>Vulnerability information</li><li>Summary</li><li>Timeline which includes comments and attachments</li><br>*Note: Internal comments are kept hidden.*
27
27
Limited | Only the summary and timeline of the activity are visible. All comments and attachments are hidden. Limited disclosure allows for greater control over sensitive or extraneous information.
28
-
29
-
5)*(Optional)* Enter a comment to describe your reasons for public disclosure.
28
+
29
+
5)*(Optional)* Enter a comment to describe your reasons for public disclosure.
After public disclosure has been requested, the admin of the of the program can choose to publicly disclose the report. They can select **Disclose publicly** to disclose the report.
34
+
After public disclosure has been requested, the admin of the of the program can choose to publicly disclose the report. They can select **Disclose publicly** to disclose the report.
When publishing reports, the security team can choose to disclose the report in full or limit the information published. The default is to display all the communication between the hacker and the security team from first report to resolution. There are 2 times the security team can choose to limit information published in a report:
41
-
* At the time they disclose the report
42
-
* After the report has been made public
43
-
44
-
There are 2 ways a security team can limit the information shared:
45
-
46
-
Option | Detail
47
-
------ | -------
48
-
Redacting Sensitive Information | You can redact information in your report. In the **Visibility** field in your report, select **Redact**. This will enable you to provide the string of words you permanently want to redact from your report. <br>
49
-
Limiting Visibility | Only the summary and timeline of the report are visible and all comments and attachments are hidden. You can limit visibility when requesting public disclosure.
50
-
51
-
Here's a good example of a summarized disclosure from the Shopify security team: https://hackerone.com/reports/64164.
52
-
53
-
This diagram illustrates HackerOne's public disclosure process:
38
+
This diagram illustrates HackerOne's public disclosure process:
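Review bot: the rewritten Full row replaces the `<ul>` wrappers with bare `<li>` elements but adds no enclosing `<ul>`, which is invalid HTML and renders inconsistently across Markdown processors; wrap the items, e.g. `<ul><li>Vulnerability information</li><li>Summary</li><li>Timeline which includes comments and attachments</li></ul>`. The carried-over step `5)*(Optional)* Enter a comment to describe your reasons for public disclosure.` still has no space after `5)`, so it will not render as an item of the numbered list that uses `1)` to `4)`; add the space. The sentence "the admin of the of the program" duplicates "of the" in both the removed and the added text. Finally, the deleted section took the only worked example of a limited disclosure (https://hackerone.com/reports/64164) with it; if that guidance moved to another page, link to it from here so readers of the disclosure settings can still find it.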