Coordinated Vulnerability Disclosure Policy
Effective date: 2026-06-02
Last updated: 2026-06-02
This Coordinated Vulnerability Disclosure Policy (this “Policy” or “VDP”) is published by Agentic Security, Inc., a Delaware corporation, doing business as “HackZero”, with its principal place of business at 2810 N Church St STE 88242, Wilmington, Delaware 19802, United States (“HackZero”, “we”, “us”, or “our”). This Policy governs how security researchers may report security vulnerabilities in HackZero’s own systems and services (the “Services”), and the protections (the “Safe Harbor”) that apply to good-faith research conducted within the scope set out below.
Plain-language summary (not a substitute for the full Policy below)
- We welcome reports about HackZero’s own systems. If you find a vulnerability in hackzero.ai, dashboard.hackzero.ai, or our API, please tell us at [email protected].
- Good-faith research is authorized. If you stay within scope and follow the rules in Section 5, we authorize your research, we will not pursue or support legal action against you, and we will help establish your good-faith status if a third party does.
- We will respond fast. We acknowledge reports within one business day, work to fix critical issues within seven days, and coordinate public disclosure with you, typically over about 90 days.
- This is not a paid bug bounty. We do not currently pay monetary rewards. We will credit you if you wish. See Section 7.
- Do not test customer systems through us. This Policy covers HackZero’s own infrastructure only. If you discovered a vulnerability in your own systems while using the HackZero platform, see Section 10.
- One firm limit: stop and report if you encounter another person’s data; do not exfiltrate, destroy, or extort. See Section 5.
1. Introduction and purpose
HackZero operates an artificial-intelligence penetration-testing and red-team platform. Security is the substance of our product, and we hold our own systems to the standard we apply to our customers’ systems. We believe that independent security research, conducted in good faith and coordinated responsibly, makes our Services safer for everyone who relies on them.
The purpose of this Policy is to:
- invite and authorize good-faith security research against the HackZero systems identified in Section 3 (Scope);
- give researchers a clear, secure way to report what they find (Section 4);
- state our commitments to researchers, including response and remediation timelines and coordinated disclosure (Section 6);
- establish a legal Safe Harbor for good-faith research within scope (Section 8); and
- set out the rules that keep this program safe, lawful, and fair (Section 5).
This Policy is modeled on, and intended to be read consistently with, recognized industry standards for coordinated vulnerability disclosure, including the CISA Vulnerability Disclosure Policy Template, the federal VDP model directive CISA Binding Operational Directive 20-01 (which requires federal civilian agencies to publish a VDP and to which HackZero is not subject, but from which this Policy draws structure), ISO/IEC 29147:2018 (vulnerability disclosure) and ISO/IEC 30111:2019 (vulnerability handling), NIST Special Publication 800-216 (federal vulnerability disclosure guidelines), and the HackerOne Gold Standard Safe Harbor statement.
This Policy is referenced by, and is consistent with, our machine-readable security contact file published under RFC 9116 at https://hackzero.ai/.well-known/security.txt (see Section 9).
2. Definitions
For purposes of this Policy:
- “Services” means the HackZero websites, web applications, and application programming interfaces identified as in-scope in Section 3, together with the underlying infrastructure that HackZero owns or controls and that is necessary to operate them.
- “Vulnerability” means a weakness in the Services that could be exploited to compromise the confidentiality, integrity, or availability of the Services or of data processed by them.
- “Researcher” (or “you”) means any individual or entity that accesses or interacts with the Services for the purpose of identifying, testing, or reporting a Vulnerability under this Policy.
- “Good-faith security research” means accessing or using the Services solely to identify, test, evaluate, and report a Vulnerability, carried out in a manner designed to avoid harm to individuals, to HackZero, and to the public, and conducted within the Scope and Rules of this Policy. This definition is consistent with the United States Department of Justice good-faith security research charging policy (Justice Manual section 9-48.000, dated May 19, 2022) and with the security-testing concepts in 17 U.S.C. section 1201(j).
- “Customer” means an organization that has entered into an agreement with HackZero to use the Services, including under our Terms of Service, a Rules of Engagement document (“RoE”), or a Master Services Agreement (“MSA”).
- “Customer System” means any system, application, network, host, domain, repository, account, or data that belongs to a Customer or to a Customer’s own end users, and that a Customer authorizes HackZero to test through the platform.
- “Coordinated disclosure” means publishing or otherwise disclosing details of a Vulnerability only after HackZero has had a reasonable opportunity to investigate and remediate, and on a timeline mutually agreed between HackZero and the Researcher under Section 6.
3. Scope
This Policy applies only to HackZero’s own systems. It does not authorize testing of any Customer System or of any third party. Confirm an asset is in-scope before testing it. When in doubt, ask first at [email protected].
3.1 In scope
The following HackZero-owned assets are in scope for good-faith security research under this Policy:
- hackzero.ai and its subdomains operated by HackZero (the marketing site and public web surface);
- dashboard.hackzero.ai (the authenticated product dashboard); and
- the HackZero application programming interface (API) served from HackZero-owned hosts.
Authentication is session-cookie based. If you need a test account to research the authenticated dashboard or API, contact us at [email protected] and we will work with you. Do not test using another person’s account without that person’s explicit permission.
3.2 Out of scope
The following are expressly out of scope. Testing them is not authorized by this Policy, is not covered by the Safe Harbor in Section 8, and may be unlawful:
- Customer tenants, Customer data, and any Customer System. HackZero processes highly sensitive Customer confidential data, including source code accessed through a read-only GitHub App, target host and repository information, scan configurations, and vulnerability findings and exploit reproductions. You must not access, attempt to access, or interact with any Customer tenant or Customer data. HackZero cannot and does not authorize research on Customer Systems through this Policy (see Section 10).
- Subprocessor and third-party infrastructure. Systems operated by HackZero’s subprocessors or other third parties (for example, our cloud compute and managed-database host, our object storage provider, our CDN and WAF provider, our model-inference provider, our email providers, our source-code platform, our payment processor, and our identity providers) are not owned or controlled by HackZero. We cannot authorize research against them, and a third party is not bound by this Policy. Direct any such research to the relevant provider’s own disclosure program.
- Social engineering of any kind, including phishing, vishing, smishing, pretexting, or any attempt to deceive or manipulate HackZero personnel, contractors, customers, or vendors.
- Physical attacks, including against HackZero offices, facilities, personnel, or equipment, and including physical access attempts and dumpster diving.
- Denial-of-service (“DoS”) and distributed-denial-of-service (“DDoS”) testing, resource-exhaustion attacks, and any test designed or likely to degrade, disrupt, or impair the availability of the Services.
- Automated scanning or fuzzing that degrades service, generates excessive traffic, or impairs the experience of other users. High-volume automated tooling against production systems is not authorized. If you wish to run automated tooling, contact us first to arrange rate limits and a window.
The following finding types are generally considered low value or out of scope unless you can demonstrate a realistic, exploitable security impact: reports from automated scanners without a working proof of concept; missing security headers or cookie flags with no demonstrated impact; SPF, DKIM, or DMARC configuration suggestions; clickjacking on pages with no sensitive state-changing action; self-XSS that cannot be used against another user; rate-limiting reports that do not show concrete harm; software version disclosure without an associated exploit; and theoretical issues without a practical attack scenario. We still appreciate hearing about these, and we will read every report.
4. How to report a vulnerability
4.1 Where to send your report
Email your report to [email protected]. This is the canonical security contact published in our RFC 9116 security.txt file (Section 9).
If you wish to encrypt your report, encryption is available on request: contact us at [email protected] and we will provide our current public key after first contact.
4.2 What to include
To help us triage and reproduce your report quickly, please include as much of the following as you can:
- A clear description of the Vulnerability and its security impact.
- The affected asset, including the specific URL, host, endpoint, parameter, or component, and which in-scope asset from Section 3.1 it belongs to.
- Step-by-step reproduction instructions, written so that our team can reproduce the issue.
- A proof of concept (for example, a minimal request, script, or sequence of steps). Keep it to the minimum necessary to demonstrate the issue. Do not weaponize it, and do not include real personal data of others (see Section 5).
- Supporting evidence such as screenshots, request and response captures, or short video, with any third-party personal data redacted.
- The configuration you used, including relevant browser, client, tooling, IP address or source you tested from, and the date and time (with time zone) of your testing.
- Your contact details and whether you wish to be credited (Section 7).
One Vulnerability per report, where practical, helps us triage faster. If you believe you have found a chain of issues, you may describe the chain in a single report.
4.3 Language
We accept reports in English. You may also submit in Spanish or Portuguese, and we will do our best to respond promptly, though processing may take slightly longer to allow for translation. Our security.txt file (Section 9) declares en as our preferred language for the fastest handling.
5. Rules for researchers
To remain authorized under this Policy and protected by the Safe Harbor in Section 8, you must follow these rules. These rules also reflect the limits that law places on what HackZero can authorize.
- Stay in scope. Test only the in-scope assets in Section 3.1. Do not test out-of-scope assets in Section 3.2.
- Do no harm; act in good faith. Conduct only good-faith security research as defined in Section 2. Use only the access and techniques reasonably necessary to identify and demonstrate a Vulnerability.
- No privacy violations. Do not access, collect, store, or use the personal data of any other person. Do not intercept communications of others. Authorization under this Policy does not waive, and cannot waive, the rights of HackZero personnel, customers, end users, or other third parties, including rights under the U.S. Stored Communications Act (18 U.S.C. section 2701), the U.S. Wiretap Act (18 U.S.C. section 2511), and equivalent privacy laws in Canada and Latin America.
- No data exfiltration beyond a minimal proof of concept. Do not download, copy, retain, or transfer data beyond the minimum necessary to prove the Vulnerability. If you can demonstrate access without retrieving sensitive content (for example, by showing that an endpoint returns another user’s record identifier rather than copying the record), do that instead.
- Stop and report on access to others’ data. If at any point you encounter, or believe you may have encountered, personal data, credentials, or confidential information belonging to another person or to a HackZero Customer, stop immediately, do not access further, do not retain copies, and report it to us at [email protected] without delay. Tell us what you saw and what you did so we can respond.
- No service degradation. Do not perform DoS or DDoS testing, and do not run automated tooling at a volume or rate that degrades the Services or affects other users (Section 3.2, items 5 and 6).
- No destructive testing. Do not delete, alter, or render unavailable any data, and do not pivot to, install backdoors in, or persist on any system. If a Vulnerability could allow destructive impact, demonstrate it in the least intrusive way and describe the rest.
- No extortion. Do not condition disclosure of a Vulnerability on payment or any other benefit, and do not threaten to disclose, sell, or withhold a Vulnerability. Extortion is not security research, is not authorized, and is not protected by the Safe Harbor.
- No use of findings to compete. Do not use access obtained under this Policy to reverse engineer, train on, or duplicate the Services or our models in order to build a competing product or service.
- Coordinate disclosure. Do not publicly disclose a Vulnerability before HackZero has had a reasonable opportunity to investigate and remediate, and follow the coordinated-disclosure process in Section 6. Do not disclose any third-party or Customer data you may have encountered at any time.
- Comply with law. Conduct your research in compliance with all applicable laws. This Policy authorizes activity against HackZero’s own assets only; it does not authorize you to violate any law or the rights of any third party.
If you are unsure whether an action is permitted, contact us at [email protected] before taking it. We would rather answer a question than learn about a problem afterward.
6. Coordinated disclosure process and our commitments
6.1 Our commitments to you
When you report a Vulnerability in good faith and within scope, HackZero commits to:
- Acknowledge receipt of your report within one (1) business day.
- Triage your report and provide an initial assessment, including a preliminary severity rating and our expected next steps, promptly after acknowledgment, and to maintain reasonable communication with you throughout.
- Remediate validated Vulnerabilities on a risk-prioritized basis, and to work to patch critical-severity Vulnerabilities within seven (7) days of validation. Lower-severity issues are remediated on a reasonable timeline that we will communicate to you.
- Coordinate public disclosure with you. Our default target is coordinated public disclosure within approximately ninety (90) days of your report, or sooner once a fix is deployed, on a timeline mutually agreed with you. If remediation requires more time, we will tell you why and work with you on a revised date rather than letting the matter go silent.
- Credit you for your contribution if you wish (Section 7).
- Treat you as an ally. We will not pursue or support legal action against you for good-faith research within this Policy, and we will help establish your good-faith status if a third party pursues action against you (Section 8).
Severity is assessed using the Common Vulnerability Scoring System (CVSS v3.1 / v4.0). “Critical” means a CVSS base score of 9.0 or higher, or an issue we otherwise determine presents critical risk.
6.2 What we ask of you during coordination
- Give us a reasonable time to investigate and remediate before any disclosure, consistent with the timeline in Section 6.1.
- Keep the details of the Vulnerability confidential between you and HackZero until coordinated disclosure, and indefinitely as to any third-party or Customer data you may have encountered.
- Work with us in good faith if remediation requires more than ninety days; complex issues sometimes do.
6.3 Disclosure timeline expectations
The ninety-day target is a default, not a deadline that overrides safety. For Vulnerabilities that are being actively exploited, or that present imminent risk to people or data, we will move faster and may ask you to as well. For Vulnerabilities that require coordination with a subprocessor or upstream vendor, disclosure may follow that vendor’s timeline; we will keep you informed.
7. Recognition and credit
If you would like recognition, tell us in your report and let us know the name or handle you would like us to use. With your permission, we will credit you when we disclose the Vulnerability, and we may maintain a public acknowledgments page. You may also choose to remain anonymous. We will not publish your identity without your consent.
8. Safe Harbor
This Section is the heart of this Policy. It is modeled on the HackerOne Gold Standard Safe Harbor statement and the disclose.io safe-harbor framework, and it is intended to give you clear, reliable assurance for good-faith research.
8.1 Authorization
When you conduct good-faith security research on in-scope assets (Section 3.1) in compliance with this Policy (Sections 4 and 5), HackZero authorizes that research. We consider activity undertaken consistent with this Policy to be authorized access for purposes of the laws listed in Section 8.2. To the extent any provision of our Terms of Service or Acceptable Use Policy (/legal/terms, /legal/acceptable-use) would otherwise prohibit or restrict good-faith security research that complies with this Policy, HackZero waives that restriction for the limited purpose of the research authorized here, and only for in-scope assets.
8.2 We will not pursue or support legal action
For good-faith security research that is within the Scope of Section 3.1 and complies with the Rules of Section 5, HackZero will not initiate, pursue, or support civil or criminal legal action against you, and will not report you to law enforcement, including any action arising under:
- the United States Computer Fraud and Abuse Act, 18 U.S.C. section 1030 (your authorized research is “authorized” access and is not “without authorization” or “exceeding authorized access,” consistent with Van Buren v. United States, 593 U.S. 374 (2021));
- the anti-circumvention provisions of the Digital Millennium Copyright Act, 17 U.S.C. section 1201, including the permanent security-testing exemption at 17 U.S.C. section 1201(j) and the triennial good-faith-security-research exemption at 37 C.F.R. section 201.40(b)(11) (we will not bring action against you for bypassing a technological protection measure on an in-scope asset solely to conduct authorized research). The current good-faith-security-research exemption is valid through October 27, 2027 under the 2024 triennial rulemaking, and we will update this citation at each subsequent triennial renewal;
- the Canadian Criminal Code, R.S.C. 1985, c. C-46, including section 342.1 (unauthorized use of a computer), section 342.2 (possession of a device to commit a section 342.1 or 430 offence), and section 430(1.1) (mischief in relation to computer data); your authorization under this Policy supplies the colour of right for in-scope good-faith research;
- United States state computer-crime statutes, including but not limited to California Penal Code section 502, New York Penal Law Article 156, Texas Penal Code section 33.02, Florida Statutes section 815.06, the Illinois Computer Crime law (720 ILCS 5/17-50 et seq.), Massachusetts General Laws chapter 266 section 120F, the Virginia Computer Crimes Act (Va. Code sections 18.2-152.1 to 18.2-152.15), and Washington RCW 9A.90.040 et seq.; and
- applicable Latin American computer-crime and unauthorized-access laws in the jurisdictions where we operate, including the Federal Penal Code of Mexico (Código Penal Federal), Articles 211 bis 1 through 211 bis 7; the Brazilian Penal Code (Código Penal), Articles 154-A and 154-B; the Argentine Penal Code (Código Penal), Articles 153 bis, 157 bis, 183, and 184; Colombia’s Law 1273 of 2009 (Ley 1273 de 2009); Chile’s Law 21.459 of 2022 (Ley 21.459 de 2022); and Peru’s Law 30096 (Ley 30096).
Your authorized activity is “good-faith security research” within the meaning of the United States Department of Justice charging policy at Justice Manual section 9-48.000 (May 19, 2022) and the good-faith security research framing in the CISA Vulnerability Disclosure Policy Template.
8.3 We will help establish your good-faith status
If a third party brings legal action against you for activity that you conducted in good faith and in compliance with this Policy, HackZero will take steps to make known, publicly and to the relevant parties, that your activity was authorized good-faith security research conducted under this Policy, including by providing a statement to that effect where appropriate. Whether your activity qualifies as good-faith research under this Policy is to be determined by mutual agreement between you and HackZero, reasonably and in good faith, and will not be withdrawn by HackZero unilaterally or after the fact for activity that complied with this Policy when conducted.
8.4 Limits of the Safe Harbor
You should understand the boundaries of this Safe Harbor:
- In-scope, good-faith, compliant activity only. The Safe Harbor covers only research that is within the Scope of Section 3.1, conducted in good faith, and compliant with the Rules of Section 5. Out-of-scope activity, bad-faith activity, and activity that violates the Rules is not authorized and not protected.
- We can only speak for ourselves. HackZero can authorize research only against assets it owns or controls. We cannot authorize research on Customer Systems, on subprocessor or third-party infrastructure, or on any system we do not own or control, and a third party is not bound by this Policy. Section 1201(j) and section 1030 both require the owner or operator’s authorization; we can provide that only for our own assets.
- We cannot waive third-party rights. This Safe Harbor does not waive, and cannot waive, the rights of HackZero employees, customers, end users, or other third parties, including privacy rights under the Stored Communications Act (18 U.S.C. section 2701), the Wiretap Act (18 U.S.C. section 2511), and equivalent Canadian and Latin American privacy and data-protection laws.
- We cannot bind governments or third-party plaintiffs. This Safe Harbor binds HackZero. It does not bind government prosecutors, regulators, or third-party civil plaintiffs, and it does not prevent them from acting. The Department of Justice charging policy referenced above is prosecutorial discretion that binds the Department of Justice; it does not bind state attorneys general or private litigants.
- Compliance with law remains your responsibility. Nothing in this Policy authorizes you to violate any law or the rights of any third party.
If you are unsure whether your planned research falls within this Safe Harbor, contact us at [email protected] before you begin, and we will tell you.
9. security.txt (RFC 9116)
HackZero publishes a machine-readable security contact file in accordance with RFC 9116. The canonical location is:
https://hackzero.ai/.well-known/security.txt
It currently includes the following fields:
- Contact: mailto:[email protected]
- Expires: 2027-05-11T00:00:00Z
- Preferred-Languages: en
- Canonical: https://hackzero.ai/.well-known/security.txt
- Policy: https://hackzero.ai/legal/security
We renew the Expires value before it lapses so the file remains RFC 9116-compliant, and we maintain the file as our contact details, preferred languages, and acknowledgments practices evolve.
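The checker below is an added example, not HackZero's own tooling: it parses a security.txt of the shape described in this Section and flags the conditions this Section commits to avoiding (a lapsed or over-long Expires, a missing Contact, or a Canonical value that does not match the published URL). The sample file is constructed from the fields listed above, with a placeholder mailbox in place of the real contact address.

```python
"""Minimal RFC 9116 security.txt checker (added example, not HackZero's code)."""
from datetime import datetime, timedelta, timezone

# Constructed sample mirroring the fields listed in Section 9.
# The mailto address is a placeholder, not the real contact.
SAMPLE_SECURITY_TXT = """\
# security.txt for hackzero.ai (constructed sample)
Contact: mailto:security@example.invalid
Expires: 2027-05-11T00:00:00Z
Preferred-Languages: en
Canonical: https://hackzero.ai/.well-known/security.txt
Policy: https://hackzero.ai/legal/security
"""

PUBLISHED_URL = "https://hackzero.ai/.well-known/security.txt"


def utc_date(year, month, day):
    """Build a timezone-aware UTC datetime (used to pin 'now' in checks)."""
    return datetime(year, month, day, tzinfo=timezone.utc)


def parse_security_txt(text):
    """Return {lower-case field name: [values]} for a security.txt body.

    RFC 9116 field names are case-insensitive, '#' lines are comments,
    blank lines are ignored, and a field may repeat (e.g. several Contact lines).
    """
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            raise ValueError(f"malformed line: {raw!r}")
        name, value = line.split(":", 1)
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields


def check_security_txt(text, canonical_url, now=None, max_validity_days=365):
    """Return a list of problems; an empty list means the file passes.

    Checks: Contact present (mandatory); Expires present exactly once, parseable,
    still in the future, and not more than max_validity_days ahead (RFC 9116
    recommends under a year); Canonical, if present, lists canonical_url.
    """
    now = now or datetime.now(timezone.utc)
    problems = []
    fields = parse_security_txt(text)

    if "contact" not in fields:
        problems.append("missing mandatory Contact field")

    expires = fields.get("expires", [])
    if len(expires) != 1:
        problems.append(f"Expires must appear exactly once (found {len(expires)})")
    else:
        try:
            exp = datetime.fromisoformat(expires[0].replace("Z", "+00:00"))
        except ValueError:
            problems.append(f"Expires is not an RFC 3339 timestamp: {expires[0]!r}")
        else:
            if exp <= now:
                problems.append(f"Expires has lapsed ({expires[0]})")
            elif exp - now > timedelta(days=max_validity_days):
                problems.append(f"Expires is more than {max_validity_days} days out")

    canonical = fields.get("canonical")
    if canonical and canonical_url not in canonical:
        problems.append(f"Canonical does not list {canonical_url}")
    return problems


if __name__ == "__main__":
    # Pin 'now' to the Policy's effective date so the run is reproducible.
    for problem in check_security_txt(SAMPLE_SECURITY_TXT, PUBLISHED_URL, utc_date(2026, 6, 2)):
        print("PROBLEM:", problem)
```

Run it from a scheduled job against the live file and alert on any non-empty result; the same logic also catches an Expires value that was renewed too far into the future.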
10. Reporting vulnerabilities you found via HackZero in YOUR systems
This Section is for HackZero Customers and is separate from the Coordinated Vulnerability Disclosure Policy above.
The Policy in Sections 1 through 9 governs vulnerabilities in HackZero’s own systems. It does not apply to vulnerabilities that the HackZero platform discovers in your own applications or infrastructure during an engagement.
If you are a HackZero Customer and the platform has surfaced a vulnerability in your systems:
- Use the findings in your dashboard and your engagement workflow. Validated findings, exploit reproductions, severity ratings (CVSS), and compliance evidence are delivered to you in the product. Manage and remediate them through your engagement, not through this VDP.
- Your engagement is governed by your Rules of Engagement (RoE), and, for Enterprise customers, by your Master Services Agreement (MSA), together with our Terms of Service (/legal/terms), Acceptable Use Policy (/legal/acceptable-use), and Data Processing Addendum (/legal/dpa). Those documents, not this VDP, define scope, authorization-to-test, data handling, and your rights and obligations for findings in your own environment.
- Findings are yours. Vulnerability findings produced for you about your systems are Customer data under your agreement and our Data Processing Addendum (/legal/dpa). Handle disclosure of those findings according to your own internal and regulatory obligations.
- For help with the platform or with a finding in your environment, contact [email protected]. For questions about how we process data, contact [email protected].
Please do not report a vulnerability in your own systems to [email protected] as if it were a HackZero vulnerability. Doing so does not create a Safe Harbor for testing your own or any third party’s systems, and it slows our response to genuine reports about HackZero’s infrastructure.
If you believe a vulnerability exists in the HackZero platform itself (for example, in dashboard.hackzero.ai or the API), that is in scope, and we want to hear about it under Sections 1 through 9.
11. Relationship to other HackZero documents
This Policy is one of a set of HackZero legal documents. It should be read together with, and does not override, the following, each available on our website:
- Terms of Service (/legal/terms)
- Privacy Policy (/legal/privacy)
- Cookie Policy (/legal/cookies)
- Acceptable Use Policy (/legal/acceptable-use)
- Data Processing Addendum (/legal/dpa)
- Subprocessor List (/legal/subprocessors)
- AI Transparency Notice (/legal/ai)
- Refund and Cancellation Policy (/legal/refunds)
This Policy is published at /legal/security. In the event of a conflict between this Policy and a negotiated MSA or RoE as to a particular Customer engagement, the MSA or RoE governs that engagement; this Policy continues to govern research against HackZero’s own systems.
12. Legal notice: this is not a paid bug bounty
This Policy establishes a coordinated vulnerability disclosure program with a Safe Harbor. It is not a paid bug-bounty program. HackZero does not offer, and is not obligated to pay, any monetary reward, bounty, fee, or other compensation for reports submitted under this Policy, unless HackZero expressly states otherwise in writing for a specific report or program. Submitting a report does not create any expectation of payment, any employment or contractor relationship, or any partnership between you and HackZero. We may credit you (Section 7) and we are grateful for your work, but recognition is not compensation. If HackZero launches a paid bounty in the future, it will be governed by its own separate, clearly identified terms.
Nothing in this Policy creates a contract for the sale or licensing of any vulnerability, and nothing here transfers ownership of any HackZero intellectual property to you.
13. Changes to this Policy
We may update this Policy from time to time. We will post the updated version at /legal/security and revise the “Last updated” date above. Material changes take effect when posted. The version of this Policy in effect at the time you conduct your research governs that research; we will not retroactively withdraw the Safe Harbor for activity that complied with the Policy in effect when it was conducted (Section 8.3).
14. Contact
- Security reports: [email protected] (RFC 9116 contact; see Section 9)
- Customer and product support: [email protected]
- Privacy questions: [email protected]
- Legal notices: [email protected]
- General inquiries: [email protected]
Notice address (legal service and formal notices): Agentic Security, Inc., a Delaware corporation, doing business as HackZero, 2810 N Church St STE 88242, Wilmington, Delaware 19802, United States, [email protected]
Copyright Agent (DMCA notices): Copyright Agent, Agentic Security, Inc., 2810 N Church St STE 88242, Wilmington, Delaware 19802, United States, [email protected].
Governing law. This Policy is governed by the laws of the State of Delaware, USA, without regard to its conflict-of-laws rules. Any dispute arising out of or relating to this Policy is resolved as provided in our Terms of Service (/legal/terms), including the Terms’ binding-arbitration and class-action-waiver provisions, except that either party may seek injunctive or other equitable relief in the state or federal courts located in New Castle County, Delaware to protect its intellectual property or Confidential Information or to address unauthorized access, consistent with the Terms. Nothing in this section overrides a non-waivable right of a business customer under the mandatory law of its jurisdiction.
Language. This Policy is published with English as the master version, and Spanish, Brazilian Portuguese, and French (Quebec) translations are made available to researchers in those markets. If there is any conflict between the English version and a translation, the English version controls, except where the mandatory local law of a researcher’s jurisdiction requires the local-language version to govern.
Agentic Security, Inc. (d/b/a HackZero) thanks the security research community. Reporting a vulnerability responsibly helps protect everyone who relies on our Services.