Vulnerability Disclosure

Vulnerability disclosure guideline

The vulnerability disclosure policy on HackenProof is based on mutual agreement by default. The bug hunter may request disclosure of the vulnerability report as soon as the report status changes to "Resolved", meaning the vulnerability has been fixed. If the program's security team and the bug hunter agree, the report's content will be disclosed within the discussed timeline.

The program security team is allowed to disclose the report without the bug hunter's agreement in the following scenarios:

1. The security team has detected exploitation of the submitted vulnerability and discloses remediation steps to protect users.

2. The security team accepts the risk of the issue described in the report and will not fix it, and makes users aware of the issue by referring to the report.

In both scenarios, the personal data of the submitter must be hidden.
