Hearth Responsible Security Disclosure Policy
Last updated: February 2026
Purpose
Hearth is committed to maintaining the security, integrity, and availability of its systems and protecting the data of our customers and partners. We welcome responsible security research and encourage the private disclosure of potential vulnerabilities so they can be assessed and addressed appropriately.
This policy is designed to enable responsible disclosure while ensuring Hearth and its stakeholders are protected from coercion, extortion, or misuse of security findings.
Scope
This policy applies to security vulnerabilities discovered in Hearth-owned applications, services, and infrastructure.
This policy does not apply to third-party services, customer environments, physical security testing, social engineering, or systems not owned or controlled by Hearth.
How to Report a Vulnerability
Suspected security vulnerabilities should be reported privately to:
Reports should include sufficient detail to allow Hearth to understand, reproduce, and assess the issue.
Public disclosure of any vulnerability without Hearth’s prior written consent is not permitted.
Responsible Disclosure Expectations
Researchers must act in good faith and comply with the following principles:
- Limit testing to what is necessary to demonstrate the vulnerability
- Do not access, modify, delete, or exfiltrate customer or internal data
- Do not disrupt services or conduct denial-of-service testing
- Do not threaten public disclosure, regulatory reporting, customer notification, or reputational harm
- Do not request, demand, or attempt to negotiate payment
- Do not apply pressure related to timelines, severity classification, or remediation decisions
Any attempt to coerce, extort, or pressure Hearth will result in immediate disqualification and may lead to legal action.
Vulnerability Classification
All reported issues are evaluated and classified by Hearth based on internal risk assessment criteria, including potential impact on confidentiality, integrity, and availability.
Only vulnerabilities that are classified by Hearth as severe or critical may be considered for a bug bounty.
Classification decisions are made solely by Hearth and are final.
Bug Bounty Eligibility
Hearth may, at its sole discretion, offer a one-time bug bounty of up to USD $1,000 for a qualifying vulnerability that:
- Is previously unknown to Hearth
- Is valid and reproducible
- Meets Hearth’s severity threshold
- Is reported responsibly and privately
- Is disclosed without coercion or pressure
- Is determined to be in the best interests of Hearth
Any bounty award is discretionary, subject to internal approval, and non-negotiable.
No Obligation or Guarantee
Submission of a vulnerability report does not create any entitlement, obligation, or expectation of payment.
Hearth retains sole discretion to determine:
- Whether a vulnerability qualifies for a bounty
- The severity classification
- The bounty amount, if any
- Remediation priority and timing
No contract or obligation is formed by participation in this program.
Legal Safe Harbor
If you comply with this policy and act in good faith, Hearth will not pursue legal action for the act of reporting a vulnerability itself.
This safe harbor does not apply to actions involving extortion, excessive access, data misuse, service disruption, or violations of applicable law.
Hearth Commitment
Hearth commits to:
- Acknowledge receipt of valid reports
- Investigate responsibly disclosed vulnerabilities
- Prioritize remediation based on risk
- Communicate appropriately with reporters when possible
All remediation and disclosure decisions remain solely with Hearth.
Policy Updates
This policy may be updated at any time. Continued participation constitutes acceptance of the current version.