ThreatDown Responsible Disclosure Program Guidelines

Responsible vs non-responsible disclosure

In our experience, (a) disclosing proof-of-concept exploit code, (b) including more detail than is necessary to get the point across, or (c) releasing vulnerability details before a fix is available represents non-responsible disclosure, which does more harm than good because it brings unnecessary attention to a security issue. Therefore, the ThreatDown CVD program will only award bug bounties to reporters who follow responsible disclosure guidelines.

What do we mean by Bug Bounty?

ThreatDown offers cash bug bounties for the most interesting bugs. The amount awarded for interesting bugs depends on the bug severity and exploitability. However, ThreatDown reserves the right to increase this amount on a per-case basis.

What confidentiality obligations do I take on by providing a submission?

If you send us a submission for this program, you are agreeing that you will never disclose functioning exploit code (including binaries of that code) for the applicable vulnerability to any other entity, unless ThreatDown makes that code generally publicly available or you are required by law to disclose it. This does not prevent you from discussing the vulnerability or showing the effects of the exploit in code.

What types of vulnerabilities does the CVD program accept?

Please follow our program guidelines on the HackerOne platform.

Last edited January 9, 2026