Hack Club Security Program
Hi! I’m Allen and I’m Echo. We are running the security bounty program for Hack Club. Thank you for your help in keeping Hack Club secure!
We both have backgrounds in earning security bounties and are excited to bring this to Hack Club.
- Allen earned a $20k bounty for a Chromium bug.
- Echo participated in the Coinbase Security Bounty Program.
We are currently working on a new version of the security bounty program. This new version will have better refined severity definitions and a more comprehensive program structure. We are excited to share this with you soon! Until then, we still accept submissions for all programs.
Participating Programs
All Hack Club programs are under this security program. Here are a highlights of programs that are currently participating in the security bounty program:
HCB
Fiscal sponsorship platform for student organizations and non-profits
Hack Club Website
Main homepage for Hack Club
Moonshot
You and 100 Hack Clubbers will fly to Orlando, Florida, December 12–15.
Blueprint
Design a hardware project, and we'll pay for hardware to build it!
Shiba
Make a game. Build an arcade in Tokyo.
Clubs
Hack Club's coding club network of over 900+ clubs worldwide
Summer of Making
Hack Club's Flagship Summer event for 2025
Hackatime
Hack Club's in-house time tracking software
Hack Club Identity
Hack Club's Identity Verification Platform, also known as Identity Vault
PII Severity Definitions
One thing we have a lot here at Hack Club is information, and we want to make sure that it is well protected. We have defined the severity of the information based on how much it could be used to harm someone.
Critical
- • Government-issued ID
- • Identity verification documents
High Severity
- • Physical address
Medium Severity
- • Private email address on Hack Club platforms
- • Phone numbers
- • Birthday or age
Low Severity
- • IP addresses
- • Legal names
- • Non-public program information
We define a leak as any person who has not signed a Hack Club NDA having access to the above data due to our systems failing to keep it safe. If the user self-declares any information covered in these tiers, it is not considered a vulnerability.
Payout Tiers
As a thank you for helping us keep Hack Club secure, we are offering bounties for finding vulnerabilities in our systems. The payouts are based on the severity of the vulnerability and the impact it has on our users.
PII Bounty Tiers
Remote Code Execution
Other Vulnerabilities
Bonus
Out of Scope
When reporting vulnerabilities, please consider attack scenario, and potential impact of the bug. Also note that any program not participating in this program is out of scope. While you are welcome to report issues regarding them, you are not guaranteed a payout. The following issues are generally considered to be out of scope (not an complete list):
- Scraping public Slack information or account enumeration
- Brute force attacks
- Clickjacking without significant impact
- Automated scanner outputs without real-world impact
- Social engineering or phishing attacks
- Self-exploitation requiring user interaction
- Denial of Service causing resource exhaustion
- Exploits related to the Slack platform that are out of our control
Notice for AI Generated Reports
Bounty programs have seen AI-generated submissions that lack any real-world impact. While the use of AI as a tool to help improve your report is allowed, submissions that are entirely AI-generated with no original researcher input will not be accepted. We are looking for original research with real-world impact. AI should support your research, not replace it.
How to Report
Submit vulnerabilities via this site, and we will pursue further contact via email
Submit Report →Payout Options
If these payout options do not work, we will try our best to figure out the best possible way to award you. The program in which the vulnerability is found will cover the cost of the payout.