Security
Responsible disclosure guidance, public testing scope and security boundaries for HackVaults.
Report a Vulnerability
Send security reports to [email protected]. Include the affected URL, reproduction steps, expected impact, screenshots or logs where useful, and the time you observed the issue.
Scope
The public scope is hackvaults.com and HackVaults-owned subdomains. The private owner surfaces, credentials workflows, and agent/session control routes are access-controlled and must not be probed beyond normal authorized use.
Rules of Engagement
- Do not access, modify, delete, copy, or disclose private data.
- Do not perform denial-of-service, spam, social engineering, or physical attacks.
- Do not test destructive credential, payment, or production-secret paths.
- Stop immediately if you encounter secrets or personal data and report the finding.
Platform Boundaries
HackVaults includes private owner surfaces for operator HUDs, local agent/session control and credentials workflows. These are administrative systems, not public APIs. They must not receive third-party personal raw data through consumer LLM paths unless the legal basis, processor setup and technical safeguards have been reviewed first.
Secrets
Production credentials are not managed as plaintext application data. The stack uses encrypted vault files, CI checks against plaintext-looking secret files and runtime-only secret injection for services that need credentials. Test fixtures that are fake or throwaway material are labelled as such in code and docs.
Response
Reports are triaged by severity and reproducibility. HackVaults does not operate a public bug bounty program unless explicitly agreed in writing before testing. Privacy information is available in the privacy notice.