Responsible disclosure
How to report a vulnerability to Hackfest safely
Thank you for helping us improve security
We take the security of our systems, participants, and community seriously. If you discover a vulnerability or suspicious behaviour related to Hackfest systems or websites, we encourage you to report it to us responsibly so that we can investigate and fix the issue.
How to report a vulnerability
To report a vulnerability, please email us at [email protected] with as much technical detail as possible. Your report should include:
- A clear summary of the issue you discovered
- The affected systems, sites, or URLs
- Step-by-step instructions to reproduce the vulnerability
- Any potential impact you anticipate
- Your contact details (name or handle, contact method) if you would like follow-up
If you prefer to encrypt your message, you can use our public PGP key available at: https://hackfest.ca/pgp-key.txt.
Please avoid using social media or other public channels to share sensitive information about a vulnerability.
Scope
This policy covers systems, subdomains, and services directly operated by Hackfest Communication. Third-party services used by Hackfest may have their own bug bounty or disclosure programs.
If you are unsure whether a system is in scope, mention it in your report and we will clarify as needed.
What we expect from researchers
We welcome responsible disclosure from the community, researchers, government entities, and organizations (e.g. GC.CA, MCN, Gouv.qc.ca).
To protect our community and systems, we ask that you follow these principles during your testing:
- Avoid actions that negatively impact the availability or integrity of our systems
- Avoid accessing, modifying, or destroying data that does not belong to you
- Minimize the collection of personal data and delete any such data as soon as possible
- Do not exfiltrate data beyond what is strictly necessary to demonstrate the issue
- Do not use vulnerabilities to compromise accounts, sell access, or disrupt the event
Coordinated disclosure
As stated in our security.txt file, please do not publicly disclose the details of a vulnerability until we have had a reasonable opportunity to investigate, remediate the issue, and coordinate any necessary public communication.
We are committed to working with you in good faith to resolve the issue within reasonable timeframes and, where appropriate, to credit you for your contribution (with your consent).
What you can expect from us
When you report a vulnerability to us in good faith, we commit to:
- Acknowledge receipt of your report within a reasonable timeframe
- Assess and prioritise the issue based on its impact and scope
- Work with you to obtain additional details if needed
- Fix the vulnerability in line with its severity and impact
- Coordinate any public disclosure, when needed, in a responsible way
- Not pursue legal action against you for good-faith research conducted under this policy
Recognition
We value the time and effort invested by community members who help strengthen Hackfest’s security. Where appropriate and desired, we may publicly acknowledge researchers who help us identify vulnerabilities.