Vulnerability Disclosure Policy
Hardline welcomes responsible vulnerability reports from security researchers, customers, and partners.
This policy applies to Hardline-owned systems and services, including:
hardlineapp.comand Hardline marketing propertiesapp.hardlineapp.comapi.hardlineapp.com- Hardline mobile applications
- Hardline-managed subdomains and infrastructure
How to report
Section titled “How to report”Email:
security@hardlineapp.comPlease include:
- A clear description of the issue
- Steps to reproduce
- Affected endpoint, app, page, or component
- Potential impact
- Your contact information
- Any suggested remediation
Do not include more customer data than necessary to demonstrate the vulnerability.
Response targets
Section titled “Response targets”| Phase | Target |
|---|---|
| Acknowledge receipt | Within 48 hours |
| Initial triage | Within 5 business days |
| Remediation | Based on severity and complexity |
| Disclosure coordination | After fix deployment or by mutual agreement |
Safe harbor
Section titled “Safe harbor”Hardline will not pursue legal action against good-faith researchers who:
- Avoid privacy violations and data destruction
- Do not exfiltrate customer data
- Do not disrupt or degrade service availability
- Report the issue promptly
- Give Hardline reasonable time to investigate and remediate before public disclosure
Out of scope
Section titled “Out of scope”The following are out of scope:
- Social engineering
- Physical attacks
- Denial-of-service testing
- Spam or phishing
- Vulnerabilities in third-party services not controlled by Hardline
- Reports that require stolen credentials or unauthorized access to private accounts
Recognition
Section titled “Recognition”Hardline does not currently operate a paid bug bounty program. With permission, Hardline may credit researchers who responsibly report valid vulnerabilities.