Vulnerability Disclosure

Help Us Build a Safer Future

We believe that security is a shared responsibility. If you discover a vulnerability in Harch Corp systems, we want to work with you to fix it. Our bug bounty program rewards responsible disclosure.

5-Step Reporting Process

Our vulnerability disclosure process is designed to be straightforward, responsive, and fair. We respect researchers who help us improve.

01. Identify the Vulnerability

Discover a potential security vulnerability in Harch Corp systems, applications, or infrastructure. Document the issue with clear reproduction steps, affected endpoints, and potential impact.

Identify the specific system or service affected
Document the vulnerability type (XSS, SQLi, RCE, etc.)
Prepare a proof of concept demonstrating the issue
Assess the potential impact and severity

02. Report Securely

Acknowledgment: within 24 hours

Submit your findings to security@harchcorp.com. For sensitive vulnerabilities, encrypt your report using our PGP key. Include your contact information for follow-up and bounty coordination.

Email: security@harchcorp.com
PGP key available on our security page
Include: vulnerability description, steps to reproduce, impact assessment
Optional: your preferred contact method for follow-up

03. Validation & Triage

Initial triage: within 72 hours

Our security team acknowledges receipt within 24 hours and provides an initial severity assessment within 72 hours. You will be assigned a dedicated security engineer as your point of contact.

Acknowledgment within 24 hours
Initial triage and severity assessment within 72 hours
Dedicated security engineer assigned to your case
Regular status updates throughout the process

04. Remediation

We develop, test, and deploy a fix. You may be asked to verify the remediation. We keep you informed of progress and expected timelines throughout the remediation process.

Fix development with security review
Testing in staging environment
Deployment to production
Verification by reporting researcher (optional)

05. Recognition & Reward

Once the vulnerability is confirmed and remediated, eligible researchers receive bounty rewards and are added to our Hall of Fame. We publicly disclose the vulnerability after a coordinated timeline.

Bounty payment within 30 days of remediation
Hall of Fame listing (with your permission)
Coordinated public disclosure timeline
Optional: invitation to Harch Corp security events

Scope & Rules

Clear boundaries ensure productive collaboration. These guidelines protect both our systems and our researchers.

In Scope

Eligible for bounty rewards

HarchOS platform and control plane (*.harchcorp.com)

Harch Corp customer-facing web applications

Harch Intelligence data center management APIs

Harch Energy monitoring and control systems (external interfaces only)

Mobile applications published by Harch Corp

Authentication and SSO endpoints

Customer portal and billing interfaces

Public-facing API endpoints (api.harchcorp.com)

Out of Scope

Not eligible for bounty rewards

Social engineering or phishing attacks

Denial of Service (DoS/DDoS) attacks

Physical attacks against data center facilities

Attacks requiring insider access or compromised credentials

Vulnerabilities in third-party services not controlled by Harch Corp

Issues in out-of-date browsers or plugins

Clickjacking on pages without sensitive actions

Information disclosure from HTTP headers (server version, etc.)

Rate limiting or brute force on non-authentication endpoints

Play by the Rules

These rules protect our users, our systems, and you. Violations may result in disqualification from the bounty program.

Act in Good Faith

Do not access, modify, or delete other users' data. Minimize impact to Harch Corp systems and users. Stop testing immediately if you discover sensitive data.

No Public Disclosure Before Fix

Do not publicly disclose the vulnerability before we have had a reasonable time to remediate. We commit to transparent timelines and will coordinate disclosure with you.

One Report Per Vulnerability

Submit one vulnerability per report. Duplicate reports for the same issue will be credited to the first reporter. Provide enough detail for our team to reproduce the issue.

Responsible Testing Only

Only test for vulnerabilities you intend to report. Do not use automated scanners to brute-force or flood our systems. Use the principle of least privilege in your testing.

Preserve Evidence

Do not destroy or alter evidence. Document all steps taken and data accessed. Provide a clear timeline of your research activities.

No Extortion or Demands

Do not demand payment, threaten public disclosure, or attempt to extort Harch Corp. We operate our bounty program in good faith and expect the same from researchers.

Bounty Program

We reward security researchers who help us identify and fix vulnerabilities. Rewards are based on severity, impact, and quality of the report.

Critical: $10,000 to $25,000 per vulnerability. Includes swag pack and Hall of Fame listing.
Examples: remote code execution, database extraction, authentication bypass

High: $5,000 to $10,000 per vulnerability. Includes swag pack and Hall of Fame listing.
Examples: privilege escalation, significant data exposure, SSRF with internal access

Medium: $2,000 to $5,000 per vulnerability. Includes swag pack and Hall of Fame listing.
Examples: stored XSS, CSRF on critical actions, information disclosure

Low: $500 to $2,000 per vulnerability. Includes Hall of Fame listing.
Examples: reflected XSS, open redirect, minor information disclosure

Hall of Fame

Security researchers who have responsibly disclosed vulnerabilities and helped make Harch Corp more secure. We are grateful for your contributions.

Awaiting First Submissions

Our bug bounty program is now active. Be among the first security researchers recognized on this page. Submit your findings to security@harchcorp.com.

Submit a Report

Found a Vulnerability?

Report it to our security team. We commit to acknowledging within 24 hours and triaging within 72 hours.

security@harchcorp.com