Vulnerability Disclosure
How to report security vulnerabilities in HelloJohn responsibly, and what to expect in response.
We take the security of HelloJohn seriously. If you discover a security vulnerability, we want to know about it so we can fix it as quickly as possible.
Reporting a vulnerability
Please do not report security vulnerabilities through public GitHub issues.
Instead, email us at security@hellojohn.dev.
You can also report via our HackerOne program (invite-only at this time — contact us for access).
What to include
A helpful report includes:
- A description of the vulnerability and its potential impact
- Steps to reproduce the issue
- Any proof-of-concept code or screenshots
- Your assessment of the CVSS severity (optional)
- Whether you'd like to be credited in the security advisory
Encryption
For sensitive reports, encrypt your email with our PGP key:
Key ID: 0xABCDEF1234567890
Fingerprint: ABCD EF12 3456 7890 ABCD EF12 3456 7890 ABCD EF12
Download: hellojohn.dev/security/pgp-key.asc
What happens next
| Timeline | Action |
|---|---|
| 24 hours | We acknowledge receipt of your report |
| 72 hours | We provide an initial assessment (confirmed, not confirmed, or needs more info) |
| 7–14 days | We develop and test a fix |
| 14–30 days | We release the fix and publish a security advisory |
| After release | We credit you in the advisory (if desired) |
We follow coordinated disclosure: we ask that you give us 90 days to fix the issue before public disclosure. We will work with you to agree on a disclosure timeline.
Scope
In scope
- HelloJohn API — authentication endpoints, admin API, token handling
- HelloJohn SDKs — JavaScript, React, Node.js, Go, Python
- HelloJohn Cloud — cloud.hellojohn.dev, the admin dashboard
- HelloJohn OSS — the open-source server and its dependencies
Out of scope
- Rate limiting and spam (unless they enable account takeover)
- Missing security headers that don't have a practical exploit
- Theoretical vulnerabilities without proof of concept
- Issues in dependencies that haven't been incorporated into HelloJohn
- Social engineering of HelloJohn employees
- Physical security attacks
- Denial of service attacks against HelloJohn Cloud infrastructure
Bug bounty
HelloJohn runs a private bug bounty program. We reward valid, in-scope vulnerability reports:
| Severity | CVSS Range | Reward |
|---|---|---|
| Critical | 9.0–10.0 | $1,000–$5,000 |
| High | 7.0–8.9 | $300–$1,000 |
| Medium | 4.0–6.9 | $100–$300 |
| Low | 0.1–3.9 | Swag + recognition |
Reward amounts depend on severity, exploitability, and impact. We reserve the right to award higher amounts for exceptional reports.
To be eligible for a bounty:
- Report via email or HackerOne (not public channels)
- Be the first to report the vulnerability
- Follow responsible disclosure guidelines
- Do not access or modify user data beyond what is necessary to demonstrate the issue
Safe harbor
We will not take legal action against researchers who:
- Act in good faith and follow responsible disclosure
- Do not access data beyond what is necessary to confirm the vulnerability
- Do not exploit the vulnerability for personal gain
- Do not perform denial of service attacks
- Do not violate the privacy of HelloJohn users
Security advisories
Published security advisories are available at:
Subscribe to GitHub security advisories to receive notifications when new vulnerabilities are disclosed.
Self-hosted security notifications
If you run a self-hosted HelloJohn instance, watch the GitHub repository for security releases:
- Go to github.com/hellojohn/hellojohn
- Click Watch → Custom → check Security alerts and Releases
Critical security releases are published to the hellojohn-security mailing list — subscribe for immediate notifications.
Hall of fame
We recognize researchers who have responsibly disclosed valid vulnerabilities:
| Researcher | Vulnerability | Date |
|---|---|---|
| — | — | — |
Be the first!
Contact
For security concerns: security@hellojohn.dev
For general questions: support@hellojohn.dev