Security

Responsible Disclosure Policy

We believe in responsible disclosure and value the security research community's efforts.

Our Commitment

H3X Security Labs is committed to maintaining the security and privacy of our systems and our clients' data. We welcome reports from security researchers and the broader community about potential vulnerabilities in our systems.

Scope

This policy applies to the following systems and services:

  • h3x.cat and all subdomains
  • H3X Security Labs infrastructure
  • Client-facing applications and platforms
  • API endpoints

Guidelines

When researching vulnerabilities, we ask that you:

  • Make every effort to avoid privacy violations, data destruction, and service disruption
  • Only interact with accounts you own or with explicit permission from the account holder
  • Do not exploit a security vulnerability beyond what is necessary to demonstrate it
  • Give us reasonable time to respond to your report before publicly disclosing any information about the vulnerability
  • Do not use automated scanners or tools that may impact system availability

How to Report

If you believe you've found a security vulnerability, please report it to us by:

  • Email: security@h3x.cat (PGP key available upon request)
  • Subject line: "Security Vulnerability Report - [Brief Description]"

Include in Your Report:

  • Description of the vulnerability
  • Steps to reproduce the issue
  • Potential impact of the vulnerability
  • Any relevant screenshots, proof-of-concept code, or supporting material
  • Your contact information for follow-up

Our Response Process

  1. Acknowledgment: We will acknowledge receipt of your report within 48 hours
  2. Assessment: Our security team will assess the vulnerability and determine its severity
  3. Communication: We will keep you informed about our progress in addressing the issue
  4. Resolution: We will work to remediate valid vulnerabilities in a timely manner
  5. Recognition: With your permission, we will credit you in our Hall of Fame

Safe Harbor

We consider security research and vulnerability disclosure activities conducted in accordance with this policy to constitute "authorized" conduct under applicable computer fraud and abuse laws. We will not pursue civil action or initiate a complaint to law enforcement for accidental, good faith violations of this policy.

Recognition

We appreciate the efforts of security researchers who help us maintain our security posture. Researchers who report valid vulnerabilities will be recognized in our Security Hall of Fame (with your permission) and may be eligible for rewards based on the severity and impact of the vulnerability.

Out of Scope

The following are explicitly excluded from this program:

  • Denial of Service (DoS/DDoS) attacks
  • Social engineering attacks against our employees or contractors
  • Physical security testing
  • Third-party applications or services not directly controlled by H3X
  • Vulnerabilities in outdated browsers or platforms
  • Issues that require unlikely user interaction

Contact

For questions about this policy, please contact us at security@h3x.cat.

Last Updated: September 30, 2025