DarkHorse

Disclosure Policy

This page defines our policies as they relate to “disclosing” reports. For the avoidance of confusion, “disclosing” a report is separate from responsibly submitting it to the receiving organization. Disclosing a report means sharing any details of the report (for example, in a blog post, by telling a friend, etc.) outside of the DarkHorse platform.

By submitting reports using DarkHorse, you agree to abide by and be bound to these terms.

Vulnerability Disclosure Programs (VDPs)

The default timeline for any report made to a VDP is 180 days. That is, if you submit a report on day 1, then from day 181 onward you may freely talk about this report in whatever medium you choose.

However, the receiving organization may request up to three (3) 30-day extensions of this timeline. A request for an extension does not require the consent of the submitting parties, and is generally granted by default. In extenuating circumstances (such as gross negligence), DarkHorse reserves the right to override this request and grant the tester the right to disclose their finding.

After the maximum of 270 days (180 initial + 3x 30-day extensions), the tester will be free to speak publicly about their report and experience, except in circumstances deemed to be of critical importance by both DarkHorse and the receiving organization. In such cases, at DarkHorse’s discretion, we may prohibit disclosure indefinitely, until we and the receiving organization are confident that it is safe for details to be released. An example would be a vulnerability that could result in the loss of life or harm to individuals but cannot be easily remediated (say, a vulnerability in a pacemaker). In such a case, it may be many additional months, or even years, before that research can be published, as it could be used for nefarious purposes. This designation will be displayed on the report, and an email will be sent informing the tester of this non-disclosure designation as well. At their discretion, the receiving organization may allow a sanitized version of the report to be made public. In the event there is a dispute around the relative criticality of a report and the prohibition of disclosure, a neutral third party will be brought in to mediate the conversation.

However, reports marked as ‘not applicable’, ‘out-of-scope’, or ‘not reproducible’ are not subject to non-disclosure, as by marking them as such, the receiving organization is designating them as ‘unaccepted’ reports. These (unaccepted) reports to VDP programs may be disclosed fourteen (14) days after their rejection. The purpose of this waiting period is to allow any re-evaluation or appeal process to run its course, in the event that a report was inadvertently rejected. This 14-day window may be extended to 30 days at the request of the receiving organization, if they feel they need additional time. In the event the report is moved to an accepted or processing state (specifically, any state other than those listed above), the ability to disclose the report is paused indefinitely, until it reaches a final state. If the report is later moved back to an unaccepted state, the disclosure timer resumes rather than restarting, with a minimum of three (3) days remaining. As an example, if a report is moved from a “processing” state to an “unaccepted” state and spends a week (7 days) as an unaccepted report, but then gets moved back to processing for a few days, and then back to unaccepted, the disclosure timer at that point would have seven (7) days remaining, since it had already been in an unaccepted state for 7 days previously.

Even though consent isn’t required to disclose VDP reports, we strongly, strongly, strongly recommend communicating and coordinating your disclosure with the receiving organization. Everyone stands to benefit when we work together.

Private Bounty Programs

Reports made to private bounty programs are never eligible for disclosure, except with the explicit consent of the receiving organization. This includes all reports in all states, including those that are eventually marked as ‘not applicable’, ‘out-of-scope’, or ‘not reproducible’. If the organization agrees to allow disclosure, they also retain the right to control the content and venue of that disclosure. For example, if someone wishes to publish a blog post on a finding, the receiving organization has the right to evaluate the content of that post and redline any content they believe should be excluded, or they may choose to reject the post in its entirety. One may request permission to disclose the report by messaging the receiving organization, or via comments on the report.

Public Bounty Programs

Except for unaccepted reports (see below), reports made to public bounty programs are not eligible for disclosure without the explicit consent of the receiving organization. If the organization agrees to allow disclosure, they also retain the right to control the content and venue of that disclosure. For example, if someone wishes to publish a blog post on a finding, the receiving organization has the right to evaluate the content of that post and redline any content they believe should be excluded, or they may choose to reject the post in its entirety. One may request permission to disclose the report by messaging the receiving organization, or via comments on the report.

However, reports marked as ‘not applicable’, ‘out-of-scope’, or ‘not reproducible’ are not subject to non-disclosure, as by marking them as such, the receiving organization is designating them as ‘unaccepted’ reports. These (unaccepted) reports to public bounty programs may be disclosed fourteen (14) days after their rejection. The purpose of this waiting period is to allow any re-evaluation or appeal process to run its course, in the event that a report was inadvertently rejected. This 14-day window may be extended to 30 days at the request of the receiving organization, if they feel they need additional time. In the event the report is moved to an accepted or processing state (specifically, any state other than those listed above), the ability to disclose the report is paused indefinitely, until it reaches a final state. If the report is later moved back to an unaccepted state, the disclosure timer resumes rather than restarting, with a minimum of three (3) days remaining. As an example, if a report is moved from a “processing” state to an “unaccepted” state and spends a week (7 days) as an unaccepted report, but then gets moved back to processing for a few days, and then back to unaccepted, the disclosure timer at that point would have seven (7) days remaining, since it had already been in an unaccepted state for 7 days previously.
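The pause-and-resume rule for unaccepted reports (the same rule applies to VDPs above and to public bounty programs here) is easy to miscount by hand, so the following is an added worked example of the timer accounting, written for this page and not code from DarkHorse or its platform. The state labels, the `Transition` record and the behaviour once the window has fully elapsed before a report is moved back to processing are assumptions made for the example; the 14/30-day windows, the 3-day floor on resume, and the 180-day VDP baseline with up to three 30-day extensions are taken from the policy text.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Iterable, Optional, Union

# Assumed string labels for the three states the policy calls "unaccepted";
# the platform's real state identifiers are not given on the page.
UNACCEPTED_STATES = frozenset({"not applicable", "out-of-scope", "not reproducible"})

DEFAULT_WINDOW = timedelta(days=14)   # default wait after a rejection
EXTENDED_WINDOW = timedelta(days=30)  # if the receiving organization asks for more time
MIN_ON_RESUME = timedelta(days=3)     # floor applied when a paused timer resumes

DateLike = Union[date, str]


def _as_date(d: DateLike) -> date:
    """Accept a date or an ISO-8601 string such as '2024-03-05'."""
    return d if isinstance(d, date) else date.fromisoformat(d)


@dataclass(frozen=True)
class Transition:
    """One state change on a report: when it happened and the new state (assumed shape)."""
    on: date
    state: str


def transition(on: DateLike, state: str) -> Transition:
    return Transition(_as_date(on), state)


def disclosure_date(transitions: Iterable[Transition],
                    extended: bool = False) -> Optional[date]:
    """Earliest date an unaccepted report may be disclosed under the policy.

    Returns None while the report sits in an accepted/processing state, because
    the timer is paused and no date can be promised yet.
    Assumption (not stated on the page): once the window has fully elapsed the
    report was already disclosable, so a later move back to processing does not
    retract that date.
    """
    window = EXTENDED_WINDOW if extended else DEFAULT_WINDOW
    events = sorted(transitions, key=lambda t: t.on)
    if not events:
        raise ValueError("no transitions recorded")

    remaining = window             # time still to wait while unaccepted
    since: Optional[date] = None   # start of the current unaccepted interval
    rejected_before = False

    for t in events:
        in_unaccepted = since is not None
        to_unaccepted = t.state in UNACCEPTED_STATES

        if in_unaccepted and to_unaccepted:
            continue  # e.g. out-of-scope -> not applicable: the timer keeps running
        if in_unaccepted:
            # Moved back to processing: pause, keeping the time already served.
            if t.on >= since + remaining:
                return since + remaining  # window had already elapsed (see docstring)
            remaining -= t.on - since
            since = None
        elif to_unaccepted:
            if rejected_before:
                # Resume rather than restart, but never with less than 3 days left.
                remaining = max(remaining, MIN_ON_RESUME)
            rejected_before = True
            since = t.on

    return None if since is None else since + remaining


def vdp_disclosure_date(submitted: DateLike, extensions: int = 0) -> date:
    """Day a VDP report may be discussed, absent a critical-importance hold:
    180 days after submission plus up to three 30-day extensions (270 max)."""
    if not 0 <= extensions <= 3:
        raise ValueError("a VDP may request at most three 30-day extensions")
    return _as_date(submitted) + timedelta(days=180 + 30 * extensions)


if __name__ == "__main__":
    # The policy's own example: 7 days unaccepted, a few days processing, then
    # unaccepted again leaves 7 days on the clock (constructed sample dates).
    history = [
        transition("2024-03-01", "processing"),
        transition("2024-03-05", "out-of-scope"),
        transition("2024-03-12", "processing"),
        transition("2024-03-15", "not applicable"),
    ]
    print("disclosable on", disclosure_date(history))  # 2024-03-22
```

Feed it the report's full state history in any order; the function sorts by date, pauses on any non-unaccepted state, and applies the three-day floor only when the timer resumes after an earlier rejection.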

Pentesting Engagements

Reports made to pentesting engagements are never eligible for disclosure, except with the explicit consent of the receiving organization. This includes all reports in all states, including those that are eventually marked as ‘not applicable’, ‘out-of-scope’, or ‘not reproducible’. If the organization agrees to allow disclosure, they also retain the right to control the content and venue of that disclosure. For example, if someone wishes to publish a blog post on a finding, the receiving organization has the right to evaluate the content of that post and redline any content they believe should be excluded, or they may choose to reject the post in its entirety. One may request permission to disclose the report by messaging the receiving organization, or via comments on the report.


© 2024 DarkHorse Security, LLC. DarkHorse: Let's Ride. All rights reserved. CURRENTLY IN OPEN BETA