Security First

Vulnerability Disclosure Program

At HADESS, security is in our DNA. We partner with the security research community to identify and fix vulnerabilities. Valid reports are recognized in our Hall of Fame.

Vulnerability Disclosure Policy

HADESS is committed to the security of our platform and the data of our users. We welcome contributions from the security research community to help us identify potential vulnerabilities. This Vulnerability Disclosure Policy (VDP) outlines the rules of engagement and our commitment to working with researchers in good faith.

PGP Encryption

Available upon request

Response Time

Within 24-48 hours

Scope

In Scope

career.hadess.io: Main platform (web application)

career.hadess.io/api/*: All REST API endpoints

Authentication flows: OAuth, session management, login/logout

Payment processing: Stripe and crypto payment integrations

User data handling: Profile, resume, and career data processing

Out of Scope

Denial of Service (DoS/DDoS) attacks
Social engineering or phishing attacks
Physical security attacks
Vulnerabilities in third-party services (Google OAuth, Stripe)
Automated scanning without prior approval
Attacks against other users' accounts without authorization
Spam or content quality issues
Missing rate limiting on non-sensitive endpoints
Clickjacking on non-sensitive pages
Self-XSS or issues requiring unusual user interaction

Severity Levels & Recognition

Critical
Response: 24 hours
Recognition: Hall of Fame + Special Mention
Remote Code Execution (RCE)
SQL Injection leading to full database access
Authentication bypass on admin endpoints
Server-Side Request Forgery (SSRF) with internal access

High
Response: 48 hours
Recognition: Hall of Fame + Acknowledgment
Stored Cross-Site Scripting (XSS) in user content
Insecure Direct Object Reference (IDOR) exposing user data
Privilege escalation from user to admin
API key or token leakage in responses

Medium
Response: 5 business days
Recognition: Hall of Fame
Reflected XSS in URL parameters
Cross-Site Request Forgery (CSRF) on state-changing actions
Information disclosure of internal paths or configs
Session fixation or improper session handling

Low
Response: 10 business days
Recognition: Acknowledgment
Missing security headers (non-exploitable)
Verbose error messages revealing stack traces
Open redirect with limited impact
Cookies without Secure/HttpOnly flags

Rules of Engagement

Do Not Access User Data

Do not access, modify, or delete data belonging to other users. Create test accounts for testing.

Minimize Impact

Avoid actions that could degrade service availability. Stop testing if you discover credentials or sensitive data.

Responsible Disclosure

Give us 90 days to address the vulnerability before public disclosure. We may request extensions for complex issues.

Legal Safe Harbor

We will not pursue legal action against researchers who comply with this policy and act in good faith.

How to Report

Send your vulnerability report to [email protected] with the following information:

01. Vulnerability Type
Classify the vulnerability (XSS, SQLi, IDOR, RCE, etc.)

02. Affected Component
URL, API endpoint, or feature where the vulnerability exists

03. Steps to Reproduce
Clear, step-by-step instructions to reproduce the issue

04. Proof of Concept
Screenshots, HTTP requests/responses, or video demonstration

05. Impact Assessment
Describe the potential impact and the affected users/data

06. Suggested Fix
Optional but appreciated: your recommendation for remediation

Hall of Fame

View our security researchers who have helped make HADESS safer