Responsible Disclosure Policy


At Hutility, we work vigilantly to protect our customers' information and assets within our applications and systems.

Keeping Hutility customer and user information safe and secure is a top priority and we recognize the important role that security researchers play in achieving this. We appreciate and encourage security researchers to contact us to report potential vulnerabilities identified within an application or system belonging to us.

If you discover a vulnerability relating to our applications and systems, please notify us using the guidelines below.

To encourage responsible disclosure, we commit that if we conclude that a disclosure respects and meets all the guidelines outlined below, we will not bring a private action or refer a matter for public inquiry.

Guidelines for responsible disclosure

  • Share the discovered vulnerability with us before making it public to peers, on message boards, mailing lists, and other forums.
  • Allow us reasonable time to respond to the issue before disclosing it publicly.
  • Provide full details of the security issue and describe how you found it so we may reproduce the issue.
  • Contact us immediately if you inadvertently encounter user data. Do not view, alter, save, store, transfer, or otherwise access the data, and immediately purge any local information upon reporting the vulnerability to us.
  • Understand that we use services that are not under our control. Reports of vulnerabilities in third-party services (e.g. Azure Websites, Mixpanel, HubSpot, etc.) will be forwarded to the corresponding partner companies. We will not be triaging such cases.
  • Do not engage in potential or actual denial of service of Hutility applications and systems.
  • Do not use an exploit to view data without authorization or to corrupt data.
  • Do not request direct compensation for the reporting of security issues, either from Hutility or through any external marketplace for vulnerabilities, whether black-market or otherwise.

Report security vulnerabilities to

  • security@hutility.com

Please include an email address where we can reach you in case we need more information.

We take security seriously and will respond quickly to fix verifiable security issues. When properly notified of legitimate issues, we will do our best to acknowledge your emailed report, assign resources to investigate the issue, and fix potential problems as quickly as possible.

Reward

Hutility does NOT currently offer compensation through a "bug bounty" program for vulnerabilities that are disclosed.

We will, based on our discretion, give our thanks and acknowledgement for new and interesting reports in our thanks section of this page.

Please note however that providing a report does not guarantee a credit.

Focus Areas

Please keep testing of vulnerabilities within the following domains ONLY:

  • hutility.com

Any websites or applications not listed above are OUT OF SCOPE.

Out of scope

The following are out of scope for submission under this policy. Out of scope vulnerabilities include:

  • Social Engineering, such as attempts to steal cookies, fake login pages to collect credentials, and phishing
  • Denial of service attacks
  • Password, email and account policies, such as email id verification, reset link expiration, password complexity.
  • CSRF on forms that are available to anonymous users (e.g. the contact form).
  • Login/logout CSRF.
  • Attacks requiring physical access to a user's device.
  • Missing security headers which do not lead directly to a vulnerability.
  • Use of a known-vulnerable library (without evidence of exploitability).
  • Reports from automated tools or scans.
  • Reports of spam (i.e., any report involving the ability to send emails without rate limits).
  • Presence of autocomplete attribute on web forms.
  • Rate limit testing of web forms.

Thank You!

Thanks for helping to keep Hutility and our customers safe. We appreciate the effort.