Disclosure

About Us

hackertop.com is a community built by constructive hackers. We champion exploration of limits, knowledge sharing, and technical freedom. We firmly believe that good-faith security research is a key driving force for making the internet safer and more resilient. This policy aims to build a bridge of trust, ensuring that "breakthroughs" are used for protection, not destruction.

Scope

This policy covers hackertop.com's main site, subdomains, APIs, and online services directly maintained by the community. For community open-source projects hosted on third-party platforms, please refer to their respective security policies.

Our Commitment

To every researcher who adheres to this policy in good faith, we make the following solemn commitments:

Timely Response:

Acknowledge receipt within 72 hours of receiving a report and assign a dedicated person to follow up.

Transparent Collaboration:

Keep you informed of progress with candor during vulnerability assessment and remediation. Even if an issue is ultimately classified as low risk, we will explain the reasoning.

Timely Remediation:

Our general remediation timeframe is 90 days. Complex vulnerabilities may warrant a flexible extension, which we will communicate in advance along with an interim plan.

No Legal Threats:

As long as the researcher fully complies with this policy, we will not initiate civil litigation against them nor report them to law enforcement.

Coordinated Disclosure:

Before any public disclosure, we will negotiate the timing with the reporter, unless the vulnerability is already under active exploitation in the wild.

Researcher's Commitment (Safe Harbor Terms)

To receive the protections outlined above, we ask researchers to uphold the ethical view of "constructive breakthroughs" and follow these guidelines:

Good Faith and Patience:

Give us adequate time (at least 90 days) to complete the fix. Before then, do not disclose or share vulnerability details with unrelated parties.

Minimize Damage:

Limit your actions strictly to what is needed to verify that the vulnerability exists. Do not use it to access, modify, or delete user data; do not disrupt services (for example, Denial of Service or blocking access for other users); do not conduct social engineering attacks or physical intrusion.

Timely Cessation:

Once the vulnerability is verified, immediately stop any activity that could affect the system or user privacy, and completely delete any data obtained or generated during testing.

Dedicated Communication Channel:

Submit reports via the designated email below. Do not discuss unpatched vulnerabilities on public forums, social media, or personal blogs ahead of time.

Lawful and Compliant:

Research activities must comply with applicable laws and regulations. As long as you abide by the above commitments in good faith, your security research will be regarded as authorized conduct. If a third party threatens legal action against you because of this, we will explicitly inform them that your actions are consistent with this community policy.

How to Submit a Report

Please send a detailed vulnerability report to: security@hackertop.com (PGP encryption welcome; Key ID: TBD)

The report should ideally include:
- Vulnerability type and a clear description
- Stable reproduction steps or Proof of Concept (PoC) code (kept within the limits described under Minimize Damage above)
- Assessment of potential impact
- The pseudonym under which you wish to be credited, or a request for anonymity

Processing Timeline

Initial Response:

Acknowledge receipt within 72 hours and provide an initial severity rating (Critical / High / Medium / Low).

Progress Updates:

Proactively update on the remediation status every 14 days until the fix is complete or a mutual agreement is reached.

Fix Deployment:

Aim to deploy a fix within 90 days. If an extension is needed, we will seek the researcher's understanding in advance.

Public Disclosure:

After the fix is deployed, we will discuss the time and form of public notice together with you and give due credit. If both parties agree, the vulnerability may also remain undisclosed.

Acknowledgements & Hall of Fame

We regard every good-faith reporter as a co-builder of the community. For confirmed valid vulnerabilities, after remediation we will:
- Permanently credit you on the hackertop.com "Security Hall of Fame" page (pseudonym or anonymity accepted).
- Potentially grant special community badges, souvenirs, or priority participation in internal events.
- Fully respect the reporter's choice not to be publicly identified.

Out-of-Scope Issues

The following situations are generally not considered valid vulnerabilities, though improvement suggestions are still welcome:
- Missing security-related HTTP headers without a demonstrated direct risk
- Clickjacking in extremely low-risk scenarios (for example, pages that expose no sensitive actions)
- Publicly known vulnerabilities for which an official patch already exists
- SPF/DKIM/DMARC configuration issues (unless they can be practically exploited for forgery)
- Exposure of software version information alone, without additional evidence of a corresponding risk

In special cases, the community reserves the right to handle a report flexibly.

Policy Revisions

This policy may be updated as the community grows. Significant changes will be announced within the community in advance. We recommend reviewing the latest version before each report submission.
Thank you for choosing to "break through" in a constructive way. Together with hackertop.com, let freedom and sharing always run upon a solid foundation of security.