Applies to www.h-x.technology and public sub-sites
Last updated 17 September 2025
0. Background.
We’re penetration testers ourselves. To date, we have not encountered any serious vulnerabilities on our public sites. However, like everyone else, we are occasionally contacted by individuals who report minor issues and request rewards. That’s why we wrote this policy.
1. Summary.
Our public website contains no confidential data, is protected by Cloudflare, and is backed up regularly via multiple methods. We reward only those vulnerabilities that can realistically affect the integrity or availability of the site. Reward amounts are capped by our reasonable restoration cost from backups.
2. In scope.
Public web resources under the h-x.technology domain that we control and that serve our public website.
3. Out of scope.
Internal systems, client infrastructure, third-party services or providers, and any domains or subdomains we do not control.
4. What we pay for.
Reproducible vulnerabilities that are new to us and that, without artificial preconditions, can directly impact site integrity or site availability.
5. What we do not pay for.
Informational headers. Missing or non-ideal CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, HSTS where no practical impact is shown.
Framing and clickjacking. Our pages embedded on third-party sites or clickjacking on another domain without the ability to trigger a harmful action on our site.
Noise from scanners. Automated scanner output without manual validation and demonstrated impact.
Passive disclosures. Version banners, stack fingerprints, open directories of public static files, or DNS trivia without exploitation.
TLS and crypto minutiae. Cipher suite preferences or protocol compatibility issues without a practical attack path.
Open redirects. Links that require explicit user interaction and do not compromise our site.
CORS configuration. Broad CORS on static assets without exposure of privileged endpoints.
SEO or UX items. Typos, broken links, mixed content without exploitation, or general best-practice comments.
Social engineering. Phishing, vishing, or findings that require deceiving staff or users.
Third-party issues. Cloudflare, hosting, email, analytics or other external platforms.
Duplicates or known issues. Reports of problems we already knew about or were already remediating.
6. Testing rules.
Care. Do not degrade service or user experience.
No destructive load. Do not run DoS, brute-force, or heavy scans without our written approval and a scheduled window.
Minimization. Do not access or retain more than the minimum data required to prove the issue.
Boundaries. No social engineering, no spam, no physical access, no attacks against third parties.
7. Report requirements.
Essentials. Clear vulnerability description and why it affects integrity or availability.
Reproduction. Step-by-step instructions with the fewest possible preconditions.
Evidence. PoC, screenshots, short video, and logs demonstrating impact.
Scope. Exact domains and paths and why they are ours.
Fix hints. Concise, realistic remediation suggestions.
8. Process.
Submission. Use the form below.
Acknowledgment. We aim to respond within 7 business days with status and next steps.
Fix window. We typically coordinate disclosure within up to 90 days, earlier when possible.
NDA. Before sharing technical details beyond a high-level summary, researchers sign our NDA using a Qualified Electronic Signature (QES) under eIDAS from an EU Trusted List provider (EUTL) or a Ukrainian qualified e-signature (КЕП) from an accredited provider.
9. Rewards.
Basis. Rewards reflect verified impact and the cost and time to restore service from backups.
Tiers.
• High impact. Ability to alter or delete content without credentials, mass redirect of visitors, practical origin bypass enabling sustained DoS. Up to 100 USD.
• Medium impact. Limited content alteration or short outage with minimal traffic, privilege escalation to content-editing roles. Up to 50 USD.
• Low impact. Potential but not convincingly demonstrated effect, or requiring unlikely preconditions. Up to 20 USD.
Payment. SEPA transfer, a common payment platform, or cryptocurrency upon mutual agreement. On request, we can issue a letter of appreciation or reference instead.
Taxes. Researchers handle their own tax obligations.
10. Examples that qualify.
Unauthorized content alteration without admin access.
Deletion or corruption of posts or media, or bulk redirect manipulation.
Privilege escalation that grants editorial control.
Practical Cloudflare origin bypass with demonstrated sustained DoS capability.
Reproducible application-layer DoS that takes the site down with small input.
11. How the site is protected.
Public content only. The site hosts marketing and educational materials and no confidential data.
Defense in depth. Cloudflare WAF, caching, and rate limiting protect edge traffic; origin IP is restricted.
Operational controls. Regular multi-location backups and tested restoration procedures minimize mean-time-to-recover (MTTR).
Change hygiene. CI/CD with least-privilege access and multi-factor authentication for administration.
12. Legal and safe harbor.
Good faith. If you follow this policy, act proportionally, avoid harming users, and report promptly, we will not pursue legal action for your research activities on our in-scope assets.
No employment. Participation creates no employment or contractor relationship.
Discretion. Final decisions on validity and reward amounts remain with H-X Technologies.
Policy changes. We may update this policy; the version on our website at the time of your submission applies.
Practical pricing scenarios
• Mass redirect via a vulnerable plugin remediated within 1–2 hours. 80–100 USD.
• Editor-to-admin privilege escalation without RCE resolved in 1–2 hours. 50–80 USD.
• Origin bypass enabling sustained DoS with firewall changes and IP rotation in 2–3 hours. 80–100 USD.
• Stored XSS that affects admin only upon interaction and enables content change. 30–50 USD.
• Low-reliability app-layer DoS mitigated with caching or query tuning in ≤60 minutes. 20–30 USD.
• Any item listed as out of scope or not payable. 0 USD with thanks.