{"componentChunkName":"component---src-templates-article-template-js","path":"/blog/CRA--ready-vulnerability-disclosure-with-Hackrate-managed-VDP/","result":{"data":{"allWebMentionEntry":{"edges":[]}},"pageContext":{"article":{"id":"094e664a-1bcc-5567-a9db-11b19238ae67","author":"Balazs Pozner","body":"var _excluded = [\"components\"];\nfunction _extends() { _extends = Object.assign ? Object.assign.bind() : function (target) { for (var i = 1; i < arguments.length; i++) { var source = arguments[i]; for (var key in source) { if (Object.prototype.hasOwnProperty.call(source, key)) { target[key] = source[key]; } } } return target; }; return _extends.apply(this, arguments); }\nfunction _objectWithoutProperties(source, excluded) { if (source == null) return {}; var target = _objectWithoutPropertiesLoose(source, excluded); var key, i; if (Object.getOwnPropertySymbols) { var sourceSymbolKeys = Object.getOwnPropertySymbols(source); for (i = 0; i < sourceSymbolKeys.length; i++) { key = sourceSymbolKeys[i]; if (excluded.indexOf(key) >= 0) continue; if (!Object.prototype.propertyIsEnumerable.call(source, key)) continue; target[key] = source[key]; } } return target; }\nfunction _objectWithoutPropertiesLoose(source, excluded) { if (source == null) return {}; var target = {}; var sourceKeys = Object.keys(source); var key, i; for (i = 0; i < sourceKeys.length; i++) { key = sourceKeys[i]; if (excluded.indexOf(key) >= 0) continue; target[key] = source[key]; } return target; }\n/* @jsxRuntime classic */\n/* @jsx mdx */\n\nvar _frontmatter = {\n  \"templateKey\": \"blog-post\",\n  \"title\": \"CRA-ready vulnerability disclosure with Hackrate managed VDP\",\n  \"description\": \"This article looks at how organizations can start preparing their vulnerability disclosure handling for the Cyber Resilience Act, and how Hackrate managed VDP can support that work. 
It may be useful for teams that want a clearer, more structured way to manage external vulnerability reports.\",\n  \"author\": \"Balazs Pozner\",\n  \"authorURL\": \"https://twitter.com/hackrate\",\n  \"date\": \"2026-05-15T09:00:00.000Z\",\n  \"image\": \"/img/blog/CRA--ready-vulnerability-disclosure-with-Hackrate-managed-VDP.png\",\n  \"tags\": [\"security-testing\", \"ethical-hacking\", \"news\"]\n};\nvar layoutProps = {\n  _frontmatter: _frontmatter\n};\nvar MDXLayout = \"wrapper\";\nreturn function MDXContent(_ref) {\n  var components = _ref.components,\n    props = _objectWithoutProperties(_ref, _excluded);\n  return mdx(MDXLayout, _extends({}, layoutProps, props, {\n    components: components,\n    mdxType: \"MDXLayout\"\n  }), mdx(\"p\", null, \"The Cyber Resilience Act makes vulnerability handling a regulated product security process for manufacturers of products with digital elements. Hackrate managed VDP helps organizations build a clear external reporting channel before CRA deadlines arrive.\"), mdx(\"h2\", {\n    \"id\": \"why-vulnerability-disclosure-matters-under-the-cra\",\n    \"style\": {\n      \"position\": \"relative\"\n    }\n  }, mdx(\"a\", {\n    parentName: \"h2\",\n    \"href\": \"#why-vulnerability-disclosure-matters-under-the-cra\",\n    \"aria-label\": \"why vulnerability disclosure matters under the cra permalink\",\n    \"className\": \"anchor before\"\n  }, mdx(\"svg\", {\n    parentName: \"a\",\n    \"aria-hidden\": \"true\",\n    \"focusable\": \"false\",\n    \"height\": \"16\",\n    \"version\": \"1.1\",\n    \"viewBox\": \"0 0 16 16\",\n    \"width\": \"16\"\n  }, mdx(\"path\", {\n    parentName: \"svg\",\n    \"fillRule\": \"evenodd\",\n    \"d\": \"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 
11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"\n  }))), \"Why vulnerability disclosure matters under the CRA\"), mdx(\"p\", null, \"The Cyber Resilience Act, Regulation (EU) 2024/2847, introduces cybersecurity requirements for products with digital elements placed on the EU market. It applies to a broad range of software and hardware products, including connected products, applications, embedded systems, and certain remote data processing components. The CRA entered into force on 10 December 2024. Its main obligations apply from 11 December 2027, while Article 14 reporting obligations apply earlier, from 11 September 2026.\"), mdx(\"p\", null, \"For manufacturers, the practical message is simple: vulnerability handling becomes part of product compliance.\"), mdx(\"p\", null, \"The CRA does not only ask whether a product was secure when it was released. It expects manufacturers to handle vulnerabilities during the product support period. This includes receiving vulnerability information, assessing technical impact, taking corrective or mitigating measures, documenting the process, and escalating reports that may trigger regulatory reporting.\"), mdx(\"p\", null, \"A Vulnerability Disclosure Program is one of the most practical ways to establish this capability. It gives external researchers, ethical hackers, customers, partners, and other third parties a clear way to report security issues. But for CRA readiness, a VDP must be more than a policy page. It must be connected to validation, remediation, documentation, and decision-making.\"), mdx(\"p\", null, \"A vulnerability disclosure policy, a responsible disclosure program, and coordinated vulnerability disclosure describe the same basic operating model: an external party reports a vulnerability to the organization and the organization validates and remediates the issue. 
In this article, VDP is used as the practical term for that.\"), mdx(\"p\", null, \"There are 2 dates that matter for vulnerability disclosure planning.\"), mdx(\"p\", null, \"11 September 2026 is when Article 14 reporting obligations start to apply. From this date, manufacturers must report actively exploited vulnerabilities contained in products with digital elements and severe incidents that affect the security of those products.\"), mdx(\"p\", null, \"11 December 2027 is when the main CRA obligations apply. This includes the wider product conformity framework and the vulnerability handling requirements in Annex I.\"), mdx(\"h2\", {\n    \"id\": \"the-operational-problem-companies-need-to-solve\",\n    \"style\": {\n      \"position\": \"relative\"\n    }\n  }, mdx(\"a\", {\n    parentName: \"h2\",\n    \"href\": \"#the-operational-problem-companies-need-to-solve\",\n    \"aria-label\": \"the operational problem companies need to solve permalink\",\n    \"className\": \"anchor before\"\n  }, mdx(\"svg\", {\n    parentName: \"a\",\n    \"aria-hidden\": \"true\",\n    \"focusable\": \"false\",\n    \"height\": \"16\",\n    \"version\": \"1.1\",\n    \"viewBox\": \"0 0 16 16\",\n    \"width\": \"16\"\n  }, mdx(\"path\", {\n    parentName: \"svg\",\n    \"fillRule\": \"evenodd\",\n    \"d\": \"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"\n  }))), \"The operational problem companies need to solve\"), mdx(\"p\", null, \"Many organizations still rely on a security email address, informal contacts, support tickets, or fragmented internal workflows to receive vulnerability information.\"), mdx(\"p\", null, \"That model is weak for CRA readiness.\"), mdx(\"p\", null, \"A mailbox can 
receive a report, but it does not create a controlled vulnerability handling process. It does not define what information researchers should submit. It does not validate whether the report is real. It does not filter spam, duplicates, incomplete submissions, or non-security issues. It does not assess exploitability or product impact. It does not automatically create evidence for compliance teams.\"), mdx(\"p\", null, \"This is the gap Hackrate managed VDP is designed to close.\"), mdx(\"h2\", {\n    \"id\": \"what-a-cra-ready-vulnerability-disclosure-process-should-do\",\n    \"style\": {\n      \"position\": \"relative\"\n    }\n  }, mdx(\"a\", {\n    parentName: \"h2\",\n    \"href\": \"#what-a-cra-ready-vulnerability-disclosure-process-should-do\",\n    \"aria-label\": \"what a cra ready vulnerability disclosure process should do permalink\",\n    \"className\": \"anchor before\"\n  }, mdx(\"svg\", {\n    parentName: \"a\",\n    \"aria-hidden\": \"true\",\n    \"focusable\": \"false\",\n    \"height\": \"16\",\n    \"version\": \"1.1\",\n    \"viewBox\": \"0 0 16 16\",\n    \"width\": \"16\"\n  }, mdx(\"path\", {\n    parentName: \"svg\",\n    \"fillRule\": \"evenodd\",\n    \"d\": \"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"\n  }))), \"What a CRA-ready vulnerability disclosure process should do\"), mdx(\"p\", null, \"A CRA-ready process should support the full path from external report to internal decision.\"), mdx(\"p\", null, \"It should help the organization:\"), mdx(\"ul\", null, mdx(\"li\", {\n    parentName: \"ul\"\n  }, \"Receive vulnerability reports through a clear channel.\"), mdx(\"li\", {\n    parentName: \"ul\"\n  }, \"Collect the technical information needed 
for triage.\"), mdx(\"li\", {\n    parentName: \"ul\"\n  }, \"Validate whether the report is relevant, in scope, understandable, and technically credible.\"), mdx(\"li\", {\n    parentName: \"ul\"\n  }, \"Assess potential impact, exploitability, and prioritization.\"), mdx(\"li\", {\n    parentName: \"ul\"\n  }, \"Communicate professionally with the external reporter.\"), mdx(\"li\", {\n    parentName: \"ul\"\n  }, \"Provide internal teams with actionable technical information.\"), mdx(\"li\", {\n    parentName: \"ul\"\n  }, \"Support escalation to security, product, engineering, legal, and compliance teams.\"), mdx(\"li\", {\n    parentName: \"ul\"\n  }, \"Preserve a traceable record of intake, validation, communication, assessment, remediation input, and closure.\")), mdx(\"p\", null, \"This is where a managed VDP becomes valuable. It turns external vulnerability reporting from an unmanaged intake point into a controlled workflow.\"), mdx(\"h2\", {\n    \"id\": \"how-hackrate-managed-vdp-helps\",\n    \"style\": {\n      \"position\": \"relative\"\n    }\n  }, mdx(\"a\", {\n    parentName: \"h2\",\n    \"href\": \"#how-hackrate-managed-vdp-helps\",\n    \"aria-label\": \"how hackrate managed vdp helps permalink\",\n    \"className\": \"anchor before\"\n  }, mdx(\"svg\", {\n    parentName: \"a\",\n    \"aria-hidden\": \"true\",\n    \"focusable\": \"false\",\n    \"height\": \"16\",\n    \"version\": \"1.1\",\n    \"viewBox\": \"0 0 16 16\",\n    \"width\": \"16\"\n  }, mdx(\"path\", {\n    parentName: \"svg\",\n    \"fillRule\": \"evenodd\",\n    \"d\": \"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"\n  }))), \"How Hackrate managed VDP helps\"), mdx(\"p\", null, \"Hackrate 
managed VDP combines the Hackrate Ethical Hacking Platform with managed vulnerability report handling by Hackrate security experts. The service focuses on external vulnerability reports submitted by ethical hackers, researchers, or other external parties. The platform can also support centralized vulnerability management and report tracking where the customer wants to use it for that purpose.\"), mdx(\"p\", null, \"Hackrate helps in six practical areas.\"), mdx(\"ol\", null, mdx(\"li\", {\n    parentName: \"ol\"\n  }, \"Structured external vulnerability intake: Hackrate provides a professional reporting channel where external parties can submit vulnerability reports in a structured format.\")), mdx(\"p\", null, \"The reporting form can be linked from the customer\\u2019s website, security page, or vulnerability disclosure policy page. This gives researchers a clear entry point and helps the customer avoid fragmented reporting through support or unmonitored mailboxes.\"), mdx(\"p\", null, \"A structured report can capture key information such as the affected product, affected asset or component, technical description, reproduction steps, evidence, potential impact, and suggested mitigation. This improves the quality of the submission. This matters because early clarity saves time.\"), mdx(\"ol\", {\n    \"start\": 2\n  }, mdx(\"li\", {\n    parentName: \"ol\"\n  }, \"Report validation and filtering: Hackrate reviews external submissions before they reach the customer\\u2019s internal teams.\")), mdx(\"p\", null, \"This triage step helps determine whether the report is understandable, relevant, in scope, sufficiently documented, and technically credible. It also helps filter incomplete reports, duplicates, irrelevant findings, spam, and non-security submissions.\"), mdx(\"p\", null, \"This is one of the strongest benefits for customers. Internal security and engineering teams should not spend their time processing noise. 
They should receive validated, actionable findings with enough technical context to decide what happens next.\"), mdx(\"ol\", {\n    \"start\": 3\n  }, mdx(\"li\", {\n    parentName: \"ol\"\n  }, \"Risk and impact assessment: Hackrate assesses the potential severity and impact of validated vulnerability reports.\")), mdx(\"p\", null, \"This assessment may consider confidentiality, integrity, availability, exploitability, attack complexity, likelihood of exploitation, affected product context, and recommended prioritization. The objective is to help the customer understand whether the issue requires routine remediation, urgent attention, or internal escalation for CRA-related assessment.\"), mdx(\"p\", null, \"Hackrate does not make the customer\\u2019s legal or regulatory reporting decision. That remains the responsibility of the manufacturer. Hackrate provides the technical input and documentation that legal, compliance, security, product, and management teams need to make that decision.\"), mdx(\"ol\", {\n    \"start\": 4\n  }, mdx(\"li\", {\n    parentName: \"ol\"\n  }, \"Communication with external reporters: Hackrate manages communication with the external reporter during the validation process. This improves the quality and professionalism of the disclosure experience. Researchers receive structured communication (instead of silence or unclear responses). The customer receives clarification where needed.\")), mdx(\"p\", null, \"Good communication also reduces disclosure risk. 
Many public conflicts between researchers and companies start because the reporting process is unclear or slow.\"), mdx(\"ol\", {\n    \"start\": 5\n  }, mdx(\"li\", {\n    parentName: \"ol\"\n  }, \"Remediation-oriented technical input: Hackrate provides practical technical input to support remediation or mitigation.\")), mdx(\"p\", null, \"This may include general remediation direction, possible mitigation options, configuration or implementation considerations, prioritization guidance, and security improvement suggestions.\"), mdx(\"p\", null, \"The purpose is not to replace the customer\\u2019s engineering team. The purpose is to give that team better technical context so it can act faster.\"), mdx(\"ol\", {\n    \"start\": 6\n  }, mdx(\"li\", {\n    parentName: \"ol\"\n  }, \"Traceable vulnerability management: The Hackrate Ethical Hacking Platform provides a central environment for vulnerability reporting and handling. This supports traceability across report intake, validation, communication, assessment, remediation input and closure.\")), mdx(\"p\", null, \"This is important because the compliance team needs evidence that the organization has a repeatable process, the security team needs visibility into report status, the engineering team needs actionable findings, and management needs confidence that serious issues are escalated appropriately. 
Our platform-based workflow helps align those needs.\"), mdx(\"h2\", {\n    \"id\": \"where-cve-support-fits\",\n    \"style\": {\n      \"position\": \"relative\"\n    }\n  }, mdx(\"a\", {\n    parentName: \"h2\",\n    \"href\": \"#where-cve-support-fits\",\n    \"aria-label\": \"where cve support fits permalink\",\n    \"className\": \"anchor before\"\n  }, mdx(\"svg\", {\n    parentName: \"a\",\n    \"aria-hidden\": \"true\",\n    \"focusable\": \"false\",\n    \"height\": \"16\",\n    \"version\": \"1.1\",\n    \"viewBox\": \"0 0 16 16\",\n    \"width\": \"16\"\n  }, mdx(\"path\", {\n    parentName: \"svg\",\n    \"fillRule\": \"evenodd\",\n    \"d\": \"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"\n  }))), \"Where CVE support fits\"), mdx(\"p\", null, \"CVE support is not the main purpose of a CRA-ready VDP, but it can be valuable when the customer needs it. Hackrate is a CVE Numbering Authority. 
When a vulnerability is eligible, when a CVE record is useful, and when the customer requests and approves it, Hackrate can support CVE record creation and disclosure alignment.\"), mdx(\"h2\", {\n    \"id\": \"what-customers-gain-from-hackrate-managed-vdp\",\n    \"style\": {\n      \"position\": \"relative\"\n    }\n  }, mdx(\"a\", {\n    parentName: \"h2\",\n    \"href\": \"#what-customers-gain-from-hackrate-managed-vdp\",\n    \"aria-label\": \"what customers gain from hackrate managed vdp permalink\",\n    \"className\": \"anchor before\"\n  }, mdx(\"svg\", {\n    parentName: \"a\",\n    \"aria-hidden\": \"true\",\n    \"focusable\": \"false\",\n    \"height\": \"16\",\n    \"version\": \"1.1\",\n    \"viewBox\": \"0 0 16 16\",\n    \"width\": \"16\"\n  }, mdx(\"path\", {\n    parentName: \"svg\",\n    \"fillRule\": \"evenodd\",\n    \"d\": \"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"\n  }))), \"What customers gain from Hackrate managed VDP\"), mdx(\"p\", null, \"The CRA makes vulnerability handling a product security and compliance requirement. Manufacturers need a reliable way to receive external vulnerability reports, validate them, assess their impact, support remediation, document the process, and escalate serious vulnerability reports on time.\"), mdx(\"p\", null, \"Hackrate managed VDP gives organizations a practical way to build that capability. 
It combines a structured reporting channel, expert triage, researcher communication, technical assessment, remediation-oriented input, traceable vulnerability report management, onboarding support, and optional CVE coordination when requested and approved by the customer.\"), mdx(\"p\", null, \"For companies preparing for CRA obligations, the value is straightforward: Hackrate helps turn vulnerability disclosure into a controlled, auditable, and expert-supported process.\"));\n}\n;\nMDXContent.isMDXComponent = true;","slug":"/blog/CRA--ready-vulnerability-disclosure-with-Hackrate-managed-VDP/","timeToRead":"7 min read","date":"May 15, 2026","dateString":"May 15, 2026","datePublishedSeoFormat":"2026-05-15","title":"CRA-ready vulnerability disclosure with Hackrate managed VDP","excerpt":"This article looks at how organizations can start preparing their vulnerability disclosure handling for the Cyber Resilience Act, and how Hackrate managed VDP can support that work. It may be useful for teams that want a clearer, more structured way to manage external vulnerability reports.","tags":["security-testing","ethical-hacking","news"],"lastModificationTime":null,"lastModificationTimeString":null,"dateModifiedSeoFormat":null,"hero":{"full":{"base64":"data:image/png;base64,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","aspectRatio":1.7902097902097902,"src":"/static/e5459b99a1ca01c9ae56fae1edb98298/14ee0/CRA--ready-vulnerability-disclosure-with-Hackrate-managed-VDP.png","srcSet":"/static/e5459b99a1ca01c9ae56fae1edb98298/6ba37/CRA--ready-vulnerability-disclosure-with-Hackrate-managed-VDP.png 512w,\n/static/e5459b99a1ca01c9ae56fae1edb98298/4e530/CRA--ready-vulnerability-disclosure-with-Hackrate-managed-VDP.png 1024w,\n/static/e5459b99a1ca01c9ae56fae1edb98298/14ee0/CRA--ready-vulnerability-disclosure-with-Hackrate-managed-VDP.png 
1542w","srcWebp":"/static/e5459b99a1ca01c9ae56fae1edb98298/fbb14/CRA--ready-vulnerability-disclosure-with-Hackrate-managed-VDP.webp","srcSetWebp":"/static/e5459b99a1ca01c9ae56fae1edb98298/e4e36/CRA--ready-vulnerability-disclosure-with-Hackrate-managed-VDP.webp 512w,\n/static/e5459b99a1ca01c9ae56fae1edb98298/e0f73/CRA--ready-vulnerability-disclosure-with-Hackrate-managed-VDP.webp 1024w,\n/static/e5459b99a1ca01c9ae56fae1edb98298/fbb14/CRA--ready-vulnerability-disclosure-with-Hackrate-managed-VDP.webp 1542w","sizes":"(max-width: 1542px) 100vw, 1542px"}},"commentId":"/blog/CRA--ready-vulnerability-disclosure-with-Hackrate-managed-VDP/","tableOfContents":{"items":[{"url":"#why-vulnerability-disclosure-matters-under-the-cra","title":"Why vulnerability disclosure matters under the CRA"},{"url":"#the-operational-problem-companies-need-to-solve","title":"The operational problem companies need to solve"},{"url":"#what-a-cra-ready-vulnerability-disclosure-process-should-do","title":"What a CRA-ready vulnerability disclosure process should do"},{"url":"#how-hackrate-managed-vdp-helps","title":"How Hackrate managed VDP helps"},{"url":"#where-cve-support-fits","title":"Where CVE support fits"},{"url":"#what-customers-gain-from-hackrate-managed-vdp","title":"What customers gain from Hackrate managed VDP"}]},"lastModifiedTime":"2026-05-15T09:00:00.000Z","lastModifiedTimeString":"May 15, 2026"},"authors":[{"bio":"CEO and Founder of HACKRATE Ltd.\n","id":"c43538d4-6e46-5c1f-9df1-28260fa2ff49","name":"Balazs Pozner","featured":true,"twitter":"@hackrate","slug":"bpozner","avatar":{"small":{"base64":"data:image/jpeg;base64,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","aspectRatio":1,"src":"/static/6d1344367554302c8917bd3aa652eae6/00991/balazs-pozner.jpg","srcSet":"/static/6d1344367554302c8917bd3aa652eae6/8696d/balazs-pozner.jpg 16w,\n/static/6d1344367554302c8917bd3aa652eae6/547ef/balazs-pozner.jpg 32w,\n/static/6d1344367554302c8917bd3aa652eae6/00991/balazs-pozner.jpg 
64w,\n/static/6d1344367554302c8917bd3aa652eae6/0b461/balazs-pozner.jpg 96w,\n/static/6d1344367554302c8917bd3aa652eae6/7d668/balazs-pozner.jpg 128w,\n/static/6d1344367554302c8917bd3aa652eae6/25252/balazs-pozner.jpg 400w","srcWebp":"/static/6d1344367554302c8917bd3aa652eae6/282c5/balazs-pozner.webp","srcSetWebp":"/static/6d1344367554302c8917bd3aa652eae6/302d4/balazs-pozner.webp 16w,\n/static/6d1344367554302c8917bd3aa652eae6/97620/balazs-pozner.webp 32w,\n/static/6d1344367554302c8917bd3aa652eae6/282c5/balazs-pozner.webp 64w,\n/static/6d1344367554302c8917bd3aa652eae6/5a4e0/balazs-pozner.webp 96w,\n/static/6d1344367554302c8917bd3aa652eae6/e28f0/balazs-pozner.webp 128w,\n/static/6d1344367554302c8917bd3aa652eae6/fc32b/balazs-pozner.webp 400w","sizes":"(max-width: 64px) 100vw, 64px"},"medium":{"base64":"data:image/jpeg;base64,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","aspectRatio":1,"src":"/static/6d1344367554302c8917bd3aa652eae6/7d668/balazs-pozner.jpg","srcSet":"/static/6d1344367554302c8917bd3aa652eae6/547ef/balazs-pozner.jpg 32w,\n/static/6d1344367554302c8917bd3aa652eae6/00991/balazs-pozner.jpg 64w,\n/static/6d1344367554302c8917bd3aa652eae6/7d668/balazs-pozner.jpg 128w,\n/static/6d1344367554302c8917bd3aa652eae6/3e5eb/balazs-pozner.jpg 192w,\n/static/6d1344367554302c8917bd3aa652eae6/d64b1/balazs-pozner.jpg 256w,\n/static/6d1344367554302c8917bd3aa652eae6/25252/balazs-pozner.jpg 400w","srcWebp":"/static/6d1344367554302c8917bd3aa652eae6/e28f0/balazs-pozner.webp","srcSetWebp":"/static/6d1344367554302c8917bd3aa652eae6/97620/balazs-pozner.webp 32w,\n/static/6d1344367554302c8917bd3aa652eae6/282c5/balazs-pozner.webp 64w,\n/static/6d1344367554302c8917bd3aa652eae6/e28f0/balazs-pozner.webp 128w,\n/static/6d1344367554302c8917bd3aa652eae6/a278a/balazs-pozner.webp 192w,\n/static/6d1344367554302c8917bd3aa652eae6/b42dd/balazs-pozner.webp 256w,\n/static/6d1344367554302c8917bd3aa652eae6/fc32b/balazs-pozner.webp 400w","sizes":"(max-width: 128px) 100vw, 
128px"},"large":{"base64":"data:image/jpeg;base64,/9j/2wBDABALDA4MChAODQ4SERATGCgaGBYWGDEjJR0oOjM9PDkzODdASFxOQERXRTc4UG1RV19iZ2hnPk1xeXBkeFxlZ2P/2wBDARESEhgVGC8aGi9jQjhCY2NjY2NjY2NjY2NjY2NjY2NjY2NjY2NjY2NjY2NjY2NjY2NjY2NjY2NjY2NjY2NjY2P/wgARCAAUABQDASIAAhEBAxEB/8QAFwABAQEBAAAAAAAAAAAAAAAAAAMEBf/EABYBAQEBAAAAAAAAAAAAAAAAAAACAf/aAAwDAQACEAMQAAAB51o6CAqawNSE7//EAB4QAAEEAQUAAAAAAAAAAAAAAAABAgMRBBIhIjEz/9oACAEBAAEFAq3kYiFHbpuJZi+711OP/8QAFBEBAAAAAAAAAAAAAAAAAAAAIP/aAAgBAwEBPwEf/8QAFBEBAAAAAAAAAAAAAAAAAAAAIP/aAAgBAgEBPwEf/8QAGxABAAICAwAAAAAAAAAAAAAAAQAQAhEhIoH/2gAIAQEABj8CnXftAQF5rGK1/8QAHBABAAMAAgMAAAAAAAAAAAAAAQARMUFREGGx/9oACAEBAAE/IS5O2oqYc+AXQKVCuy2hxKdwDd7+RdMsdn//2gAMAwEAAgADAAAAELgPfP/EABgRAQADAQAAAAAAAAAAAAAAAAEAEBEh/9oACAEDAQE/EBMZ2//EABgRAQEAAwAAAAAAAAAAAAAAAAABESEx/9oACAECAQE/EMVpOK//xAAdEAEAAgICAwAAAAAAAAAAAAABABEhURBhMUGB/9oACAEBAAE/EDyGDDuNzXgNpX2SwlxTdy6KlVQXfbLArHuVqulHxRabcrxf/9k=","aspectRatio":1,"src":"/static/6d1344367554302c8917bd3aa652eae6/ec46e/balazs-pozner.jpg","srcSet":"/static/6d1344367554302c8917bd3aa652eae6/a2637/balazs-pozner.jpg 82w,\n/static/6d1344367554302c8917bd3aa652eae6/15203/balazs-pozner.jpg 164w,\n/static/6d1344367554302c8917bd3aa652eae6/ec46e/balazs-pozner.jpg 328w,\n/static/6d1344367554302c8917bd3aa652eae6/25252/balazs-pozner.jpg 400w","srcWebp":"/static/6d1344367554302c8917bd3aa652eae6/5a48e/balazs-pozner.webp","srcSetWebp":"/static/6d1344367554302c8917bd3aa652eae6/2d087/balazs-pozner.webp 82w,\n/static/6d1344367554302c8917bd3aa652eae6/29d87/balazs-pozner.webp 164w,\n/static/6d1344367554302c8917bd3aa652eae6/5a48e/balazs-pozner.webp 328w,\n/static/6d1344367554302c8917bd3aa652eae6/fc32b/balazs-pozner.webp 400w","sizes":"(max-width: 328px) 100vw, 328px"}}}],"relatedArticles":[{"id":"dcbfe952-f30c-57b1-80b8-337571d2160d","author":"Samuele Gugliotta","body":"var _excluded = [\"components\"];\nfunction _extends() { _extends = Object.assign ? 
Object.assign.bind() : function (target) { for (var i = 1; i < arguments.length; i++) { var source = arguments[i]; for (var key in source) { if (Object.prototype.hasOwnProperty.call(source, key)) { target[key] = source[key]; } } } return target; }; return _extends.apply(this, arguments); }\nfunction _objectWithoutProperties(source, excluded) { if (source == null) return {}; var target = _objectWithoutPropertiesLoose(source, excluded); var key, i; if (Object.getOwnPropertySymbols) { var sourceSymbolKeys = Object.getOwnPropertySymbols(source); for (i = 0; i < sourceSymbolKeys.length; i++) { key = sourceSymbolKeys[i]; if (excluded.indexOf(key) >= 0) continue; if (!Object.prototype.propertyIsEnumerable.call(source, key)) continue; target[key] = source[key]; } } return target; }\nfunction _objectWithoutPropertiesLoose(source, excluded) { if (source == null) return {}; var target = {}; var sourceKeys = Object.keys(source); var key, i; for (i = 0; i < sourceKeys.length; i++) { key = sourceKeys[i]; if (excluded.indexOf(key) >= 0) continue; target[key] = source[key]; } return target; }\n/* @jsxRuntime classic */\n/* @jsx mdx */\n\nvar _frontmatter = {\n  \"templateKey\": \"blog-post\",\n  \"title\": \"thisclosed_#3\",\n  \"description\": \"Arbitrary File Upload via External Files Feature Allows Client-Side Remote Code Execution\",\n  \"author\": \"Samuele Gugliotta\",\n  \"authorURL\": \"https://twitter.com/hackrate\",\n  \"date\": \"2026-04-14T16:00:00.000Z\",\n  \"image\": \"/img/blog/thisclosed-3-cover.png\",\n  \"draft\": false,\n  \"tags\": [\"bug-bounty\", \"security-testing\", \"ethical-hacking\", \"writeup\"]\n};\nvar layoutProps = {\n  _frontmatter: _frontmatter\n};\nvar MDXLayout = \"wrapper\";\nreturn function MDXContent(_ref) {\n  var components = _ref.components,\n    props = _objectWithoutProperties(_ref, _excluded);\n  return mdx(MDXLayout, _extends({}, layoutProps, props, {\n    components: components,\n    mdxType: \"MDXLayout\"\n  }), mdx(\"h2\", {\n    
\"id\": \"summary\",\n    \"style\": {\n      \"position\": \"relative\"\n    }\n  }, mdx(\"a\", {\n    parentName: \"h2\",\n    \"href\": \"#summary\",\n    \"aria-label\": \"summary permalink\",\n    \"className\": \"anchor before\"\n  }, mdx(\"svg\", {\n    parentName: \"a\",\n    \"aria-hidden\": \"true\",\n    \"focusable\": \"false\",\n    \"height\": \"16\",\n    \"version\": \"1.1\",\n    \"viewBox\": \"0 0 16 16\",\n    \"width\": \"16\"\n  }, mdx(\"path\", {\n    parentName: \"svg\",\n    \"fillRule\": \"evenodd\",\n    \"d\": \"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"\n  }))), \"Summary\"), mdx(\"p\", null, \"During an assessment of a web-based platform (hereinafter referred to as \", mdx(\"strong\", {\n    parentName: \"p\"\n  }, \"[REDACTED]\"), \"), I identified a critical vulnerability in the file upload mechanism exposed through the \", mdx(\"strong\", {\n    parentName: \"p\"\n  }, \"External Files\"), \" feature within the project dashboard. This feature is designed to allow authenticated users to import supplementary documentation, such as \", mdx(\"inlineCode\", {\n    parentName: \"p\"\n  }, \".txt\"), \" and \", mdx(\"inlineCode\", {\n    parentName: \"p\"\n  }, \".md\"), \" files, to enrich project requirements.\"), mdx(\"p\", null, \"The user interface explicitly enforces the following constraints:\"), mdx(\"blockquote\", null, mdx(\"p\", {\n    parentName: \"blockquote\"\n  }, \"Allowed: .txt, .md files only \\xB7 Max 5 files \\xB7 Max 10KB per file\")), mdx(\"p\", null, \"However, these restrictions exist solely on the client side. The backend performs no validation whatsoever on the file extension, MIME type, or content body. 
By intercepting the upload request and manipulating the relevant fields, an attacker can submit arbitrary file types, including formats capable of executing code on the client\\u2019s machine upon download and execution. This class of vulnerability is formally catalogued as \", mdx(\"a\", {\n    parentName: \"p\",\n    \"href\": \"https://cwe.mitre.org/data/definitions/434.html\",\n    \"target\": \"_blank\",\n    \"rel\": \"nofollow noopener\"\n  }, \"CWE-434: Unrestricted Upload of File with Dangerous Type\"), \".\"), mdx(\"p\", null, mdx(\"img\", {\n    parentName: \"p\",\n    \"src\": \"https://cwe.mitre.org/data/images/CWE-434-Diagram.png\",\n    \"alt\": \"CWE-434 Diagram\"\n  })), mdx(\"p\", null, \"To demonstrate the severity of this flaw, I crafted and uploaded a \", mdx(\"inlineCode\", {\n    parentName: \"p\"\n  }, \".hta\"), \" file containing an ActiveX-based payload. When downloaded and opened on a Windows system, the file was processed by \", mdx(\"inlineCode\", {\n    parentName: \"p\"\n  }, \"mshta.exe\"), \", launching \", mdx(\"inlineCode\", {\n    parentName: \"p\"\n  }, \"calc.exe\"), \" as a benign proof of execution. 
Additional executable formats, including \", mdx(\"inlineCode\", {\n    parentName: \"p\"\n  }, \".html\"), \" and \", mdx(\"inlineCode\", {\n    parentName: \"p\"\n  }, \".exe\"), \", were also tested and accepted without restriction.\"), mdx(\"h2\", {\n    \"id\": \"technical-analysis\",\n    \"style\": {\n      \"position\": \"relative\"\n    }\n  }, mdx(\"a\", {\n    parentName: \"h2\",\n    \"href\": \"#technical-analysis\",\n    \"aria-label\": \"technical analysis permalink\",\n    \"className\": \"anchor before\"\n  }, mdx(\"svg\", {\n    parentName: \"a\",\n    \"aria-hidden\": \"true\",\n    \"focusable\": \"false\",\n    \"height\": \"16\",\n    \"version\": \"1.1\",\n    \"viewBox\": \"0 0 16 16\",\n    \"width\": \"16\"\n  }, mdx(\"path\", {\n    parentName: \"svg\",\n    \"fillRule\": \"evenodd\",\n    \"d\": \"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"\n  }))), \"Technical Analysis\"), mdx(\"h3\", {\n    \"id\": \"upload-mechanism-and-client-side-only-validation-gap\",\n    \"style\": {\n      \"position\": \"relative\"\n    }\n  }, mdx(\"a\", {\n    parentName: \"h3\",\n    \"href\": \"#upload-mechanism-and-client-side-only-validation-gap\",\n    \"aria-label\": \"upload mechanism and client side only validation gap permalink\",\n    \"className\": \"anchor before\"\n  }, mdx(\"svg\", {\n    parentName: \"a\",\n    \"aria-hidden\": \"true\",\n    \"focusable\": \"false\",\n    \"height\": \"16\",\n    \"version\": \"1.1\",\n    \"viewBox\": \"0 0 16 16\",\n    \"width\": \"16\"\n  }, mdx(\"path\", {\n    parentName: \"svg\",\n    \"fillRule\": \"evenodd\",\n    \"d\": \"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 
3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"\n  }))), \"Upload mechanism and client-side-only validation gap\"), mdx(\"p\", null, \"The \", mdx(\"strong\", {\n    parentName: \"p\"\n  }, \"External Files\"), \" section resides within the project dashboard and serves as a repository for supplementary project documentation. File uploads are dispatched via a \", mdx(\"inlineCode\", {\n    parentName: \"p\"\n  }, \"POST\"), \" request to the following endpoint:\"), mdx(\"pre\", null, mdx(\"code\", {\n    parentName: \"pre\"\n  }, \"/api/app/uiengine/odata/[REDACTED]/modules/projectDashboard/pages/components/InputsTab/ExternalTools/$batch\\n\")), mdx(\"p\", null, \"The request body is a JSON structure containing file metadata and content:\"), mdx(\"pre\", null, mdx(\"code\", {\n    parentName: \"pre\",\n    \"className\": \"language-json\"\n  }, \"{\\n  \\\"requests\\\": [\\n    {\\n      \\\"method\\\": \\\"POST\\\",\\n      \\\"body\\\": {\\n        \\\"projectId\\\": [REDACTED],\\n        \\\"fileName\\\": \\\"sample.txt\\\",\\n        \\\"fileType\\\": \\\"text/plain\\\",\\n        \\\"uploadData\\\": {\\n          \\\"content\\\": \\\"Lorem Ipsum.\\\",\\n          \\\"uploadDate\\\": \\\"2025-07-15T22:58:51.555Z\\\"\\n        }\\n      },\\n      \\\"id\\\": \\\"86\\\",\\n      \\\"atomicityGroup\\\": \\\"86\\\",\\n      \\\"url\\\": \\\"[REDACTED]\\\"\\n    }\\n  ]\\n}\\n\")), mdx(\"p\", null, \"Three fields govern the upload behavior:\"), mdx(\"ul\", null, mdx(\"li\", {\n    parentName: \"ul\"\n  }, mdx(\"strong\", {\n    parentName: \"li\"\n  }, mdx(\"inlineCode\", {\n    parentName: \"strong\"\n  }, \"fileName\")), \": determines the displayed name and file extension.\"), mdx(\"li\", {\n    parentName: \"ul\"\n  }, mdx(\"strong\", {\n    parentName: 
\"li\"\n  }, mdx(\"inlineCode\", {\n    parentName: \"strong\"\n  }, \"fileType\")), \": declares the MIME type.\"), mdx(\"li\", {\n    parentName: \"ul\"\n  }, mdx(\"strong\", {\n    parentName: \"li\"\n  }, mdx(\"inlineCode\", {\n    parentName: \"strong\"\n  }, \"uploadData.content\")), \": carries the full file content as a string.\")), mdx(\"p\", null, \"None of these fields undergo server-side sanitization or validation. The backend accepts whatever the client provides, persists the file, and surfaces it in the UI as a downloadable asset. No questions asked.\"), mdx(\"p\", null, mdx(\"img\", {\n    parentName: \"p\",\n    \"src\": \"https://media0.giphy.com/media/v1.Y2lkPTc5MGI3NjExM2Z4eThsNWZ0bHgwcWp0Y2ZmNTUxY3I3NWoybnAxeWQ2aGwzZXhkcyZlcD12MV9pbnRlcm5hbF9naWZfYnlfaWQmY3Q9Zw/CiZ9e5IUPqeVFzc8Mp/giphy.gif\",\n    \"alt\": null\n  })), mdx(\"p\", null, \"This is a textbook instance of misplaced trust in client-side controls. The restrictions visible in the UI (file type allowlist, size cap, file count limit) are enforced entirely within the browser\\u2019s JavaScript context. Any user with a web proxy, or even the browser\\u2019s built-in developer tools, can bypass these constraints trivially. Client-side validation serves a legitimate purpose as a usability layer: it provides immediate feedback and prevents accidental misuse. But it must never be the sole enforcement mechanism for security-relevant constraints. 
Without a corresponding server-side allowlist that independently verifies the file extension, inspects the MIME type, and ideally validates the content\\u2019s magic bytes against expected signatures, the upload endpoint is functionally unrestricted.\"), mdx(\"h3\", {\n    \"id\": \"exploiting-the-lack-of-server-side-validation-to-weaponize-a-hta-payload\",\n    \"style\": {\n      \"position\": \"relative\"\n    }\n  }, mdx(\"a\", {\n    parentName: \"h3\",\n    \"href\": \"#exploiting-the-lack-of-server-side-validation-to-weaponize-a-hta-payload\",\n    \"aria-label\": \"exploiting the lack of server side validation to weaponize a hta payload permalink\",\n    \"className\": \"anchor before\"\n  }, mdx(\"svg\", {\n    parentName: \"a\",\n    \"aria-hidden\": \"true\",\n    \"focusable\": \"false\",\n    \"height\": \"16\",\n    \"version\": \"1.1\",\n    \"viewBox\": \"0 0 16 16\",\n    \"width\": \"16\"\n  }, mdx(\"path\", {\n    parentName: \"svg\",\n    \"fillRule\": \"evenodd\",\n    \"d\": \"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"\n  }))), \"Exploiting the lack of server-side validation to weaponize a \", mdx(\"inlineCode\", {\n    parentName: \"h3\"\n  }, \".hta\"), \" payload\"), mdx(\"p\", null, \"The exploitation is, frankly, trivial. By intercepting a legitimate \", mdx(\"inlineCode\", {\n    parentName: \"p\"\n  }, \".txt\"), \" upload with a web proxy, the attacker gains full control over the JSON payload before it reaches the server. 
Replacing \", mdx(\"inlineCode\", {\n    parentName: \"p\"\n  }, \"fileName\"), \" with \", mdx(\"inlineCode\", {\n    parentName: \"p\"\n  }, \"payload.hta\"), \", \", mdx(\"inlineCode\", {\n    parentName: \"p\"\n  }, \"fileType\"), \" with \", mdx(\"inlineCode\", {\n    parentName: \"p\"\n  }, \"application/hta\"), \", and injecting executable HTA markup into \", mdx(\"inlineCode\", {\n    parentName: \"p\"\n  }, \"uploadData.content\"), \" is all it takes:\"), mdx(\"pre\", null, mdx(\"code\", {\n    parentName: \"pre\",\n    \"className\": \"language-json\"\n  }, \"{\\n  \\\"requests\\\": [\\n    {\\n      \\\"method\\\": \\\"POST\\\",\\n      \\\"body\\\": {\\n        \\\"projectId\\\": [REDACTED],\\n        \\\"fileName\\\": \\\"payload.hta\\\",\\n        \\\"fileType\\\": \\\"application/hta\\\",\\n        \\\"uploadData\\\": {\\n          \\\"content\\\": \\\"<html><head><script>var shell = new ActiveXObject(\\\\\\\"WScript.Shell\\\\\\\");shell.Run(\\\\\\\"calc.exe\\\\\\\");</script></head><body></body></html>\\\",\\n          \\\"uploadDate\\\": \\\"2025-07-15T22:58:51.555Z\\\"\\n        }\\n      },\\n      \\\"id\\\": \\\"86\\\",\\n      \\\"atomicityGroup\\\": \\\"86\\\",\\n      \\\"url\\\": \\\"[REDACTED]\\\"\\n    }\\n  ]\\n}\\n\")), mdx(\"p\", null, \"The upload succeeds. 
The weaponized \", mdx(\"inlineCode\", {\n    parentName: \"p\"\n  }, \".hta\"), \" file appears in the UI alongside legitimate documents, available for download, waiting for a user to open it.\"), mdx(\"p\", null, mdx(\"img\", {\n    parentName: \"p\",\n    \"src\": \"https://media0.giphy.com/media/v1.Y2lkPTc5MGI3NjExZHI5Z3IxZTVrdTRic2NnbjRuNTczaHVrdzBjdm8weTVyOWRxbXR4ZyZlcD12MV9pbnRlcm5hbF9naWZfYnlfaWQmY3Q9Zw/KF1qNYHUi8wwTNIUUm/giphy.gif\",\n    \"alt\": null\n  })), mdx(\"h3\", {\n    \"id\": \"why-did-i-choose-hta-for-the-poc-here-is-the-rationale\",\n    \"style\": {\n      \"position\": \"relative\"\n    }\n  }, mdx(\"a\", {\n    parentName: \"h3\",\n    \"href\": \"#why-did-i-choose-hta-for-the-poc-here-is-the-rationale\",\n    \"aria-label\": \"why did i choose hta for the poc here is the rationale permalink\",\n    \"className\": \"anchor before\"\n  }, mdx(\"svg\", {\n    parentName: \"a\",\n    \"aria-hidden\": \"true\",\n    \"focusable\": \"false\",\n    \"height\": \"16\",\n    \"version\": \"1.1\",\n    \"viewBox\": \"0 0 16 16\",\n    \"width\": \"16\"\n  }, mdx(\"path\", {\n    parentName: \"svg\",\n    \"fillRule\": \"evenodd\",\n    \"d\": \"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"\n  }))), \"Why did I choose \", mdx(\"inlineCode\", {\n    parentName: \"h3\"\n  }, \".hta\"), \" for the PoC? Here is the rationale\"), mdx(\"p\", null, mdx(\"img\", {\n    parentName: \"p\",\n    \"src\": \"https://imgur.com/SobZxvf.jpeg\",\n    \"alt\": null\n  })), mdx(\"p\", null, \"I chose the \", mdx(\"inlineCode\", {\n    parentName: \"p\"\n  }, \".hta\"), \" (HTML Application) format deliberately because of its unique execution model on Windows systems. 
An HTA file is structurally identical to an HTML document, but it operates under an entirely different trust model. When a user opens an \", mdx(\"inlineCode\", {\n    parentName: \"p\"\n  }, \".hta\"), \" file, Windows delegates execution to \", mdx(\"inlineCode\", {\n    parentName: \"p\"\n  }, \"mshta.exe\"), \" (Microsoft HTML Application Host), a signed, native binary located at \", mdx(\"inlineCode\", {\n    parentName: \"p\"\n  }, \"C:\\\\Windows\\\\System32\\\\mshta.exe\"), \". Unlike a standard \", mdx(\"inlineCode\", {\n    parentName: \"p\"\n  }, \".html\"), \" file rendered within a browser\\u2019s sandboxed environment, an HTA executes as a standalone application outside the browser\\u2019s security context. This means it is not subject to Internet Explorer zone restrictions, Protected Mode limitations, or any of the sandboxing controls that browsers impose on web-delivered scripts.\"), mdx(\"p\", null, \"Consequently, scripts embedded in an HTA file run with the full privileges of the current user. They can instantiate COM/ActiveX objects, interact with the Windows Script Host, read and write to the file system, modify the registry, and spawn arbitrary processes. 
In my proof of concept, the payload leveraged this capability to instantiate a \", mdx(\"inlineCode\", {\n    parentName: \"p\"\n  }, \"WScript.Shell\"), \" ActiveX object and invoke \", mdx(\"inlineCode\", {\n    parentName: \"p\"\n  }, \"calc.exe\"), \", a standard and benign demonstration of arbitrary command execution.\"), mdx(\"p\", null, \"From an offensive security perspective, \", mdx(\"inlineCode\", {\n    parentName: \"p\"\n  }, \"mshta.exe\"), \" is classified as a \", mdx(\"a\", {\n    parentName: \"p\",\n    \"href\": \"https://lolbas-project.github.io/lolbas/Binaries/Mshta/\",\n    \"target\": \"_blank\",\n    \"rel\": \"nofollow noopener\"\n  }, \"Living off the Land Binary (LOLBin)\"), \", a category of legitimate, vendor-signed system utilities that attackers routinely co-opt to proxy the execution of malicious code. Because \", mdx(\"inlineCode\", {\n    parentName: \"p\"\n  }, \"mshta.exe\"), \" is a trusted Microsoft binary that ships with every Windows installation, its execution blends seamlessly into normal system activity and is far less likely to trigger behavioral heuristics in endpoint detection products. 
It has its own dedicated entry in the MITRE ATT&CK framework under technique \", mdx(\"a\", {\n    parentName: \"p\",\n    \"href\": \"https://attack.mitre.org/techniques/T1218/005/\",\n    \"target\": \"_blank\",\n    \"rel\": \"nofollow noopener\"\n  }, \"T1218.005 (System Binary Proxy Execution: Mshta)\"), \", and it is actively leveraged by numerous threat actors and malware families in real-world campaigns.\"), mdx(\"p\", null, \"Simple as that.\"), mdx(\"h2\", {\n    \"id\": \"impact\",\n    \"style\": {\n      \"position\": \"relative\"\n    }\n  }, mdx(\"a\", {\n    parentName: \"h2\",\n    \"href\": \"#impact\",\n    \"aria-label\": \"impact permalink\",\n    \"className\": \"anchor before\"\n  }, mdx(\"svg\", {\n    parentName: \"a\",\n    \"aria-hidden\": \"true\",\n    \"focusable\": \"false\",\n    \"height\": \"16\",\n    \"version\": \"1.1\",\n    \"viewBox\": \"0 0 16 16\",\n    \"width\": \"16\"\n  }, mdx(\"path\", {\n    parentName: \"svg\",\n    \"fillRule\": \"evenodd\",\n    \"d\": \"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"\n  }))), \"Impact\"), mdx(\"p\", null, \"While client-side RCE via \", mdx(\"inlineCode\", {\n    parentName: \"p\"\n  }, \".hta\"), \" serves as the most tangible demonstration of this vulnerability, the underlying risk is systemic. The upload mechanism imposes no server-side restrictions on what enters the platform, which means the \", mdx(\"strong\", {\n    parentName: \"p\"\n  }, \"External Files\"), \" feature is, in practice, an unrestricted file distribution channel embedded within a trusted interface.\"), mdx(\"p\", null, \"This has two immediate consequences. 
First, any authenticated user can leverage the feature to deliver executable or otherwise harmful content to anyone who downloads from the same project. Second, in collaborative or multi-user environments, an attacker does not need to phish, redirect, or socially engineer a target through external channels. The payload is already inside the platform, sitting in a shared workspace, served by the application itself.\"), mdx(\"hr\", null), mdx(\"h2\", {\n    \"id\": \"acknowledgements\",\n    \"style\": {\n      \"position\": \"relative\"\n    }\n  }, mdx(\"a\", {\n    parentName: \"h2\",\n    \"href\": \"#acknowledgements\",\n    \"aria-label\": \"acknowledgements permalink\",\n    \"className\": \"anchor before\"\n  }, mdx(\"svg\", {\n    parentName: \"a\",\n    \"aria-hidden\": \"true\",\n    \"focusable\": \"false\",\n    \"height\": \"16\",\n    \"version\": \"1.1\",\n    \"viewBox\": \"0 0 16 16\",\n    \"width\": \"16\"\n  }, mdx(\"path\", {\n    parentName: \"svg\",\n    \"fillRule\": \"evenodd\",\n    \"d\": \"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"\n  }))), \"Acknowledgements\"), mdx(\"p\", null, \"I would like to thank the Hackrate team for their consistently swift and efficient triage throughout this engagement, and the client\\u2019s security team for their responsiveness in addressing the reported issue. 
This finding was part of a private bug bounty program on Hackrate that overall resulted in a \\u20AC\\u20AC\\u20AC\\u20AC bounty payout.\"), mdx(\"p\", null, mdx(\"em\", {\n    parentName: \"p\"\n  }, \"venomnis\")));\n}\n;\nMDXContent.isMDXComponent = true;","slug":"/blog/thisclosed_3/","timeToRead":"6 min read","date":"April 14, 2026","dateString":"April 14, 2026","datePublishedSeoFormat":"2026-04-14","title":"thisclosed_#3","excerpt":"Arbitrary File Upload via External Files Feature Allows Client-Side Remote Code Execution","tags":["bug-bounty","security-testing","ethical-hacking","writeup"],"lastModificationTime":null,"lastModificationTimeString":null,"dateModifiedSeoFormat":null,"hero":{"full":{"base64":"data:image/png;base64,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","aspectRatio":1.7777777777777777,"src":"/static/c788c5bd9803c97cfd624ec66ee322f6/0e6e2/thisclosed-3-cover.png","srcSet":"/static/c788c5bd9803c97cfd624ec66ee322f6/6ba37/thisclosed-3-cover.png 512w,\n/static/c788c5bd9803c97cfd624ec66ee322f6/4e530/thisclosed-3-cover.png 1024w,\n/static/c788c5bd9803c97cfd624ec66ee322f6/0e6e2/thisclosed-3-cover.png 1920w","srcWebp":"/static/c788c5bd9803c97cfd624ec66ee322f6/30cf3/thisclosed-3-cover.webp","srcSetWebp":"/static/c788c5bd9803c97cfd624ec66ee322f6/e4e36/thisclosed-3-cover.webp 512w,\n/static/c788c5bd9803c97cfd624ec66ee322f6/e0f73/thisclosed-3-cover.webp 1024w,\n/static/c788c5bd9803c97cfd624ec66ee322f6/30cf3/thisclosed-3-cover.webp 1920w","sizes":"(max-width: 1920px) 100vw, 1920px"}},"commentId":"/blog/thisclosed_3/","tableOfContents":{"items":[{"url":"#summary","title":"Summary"},{"url":"#technical-analysis","title":"Technical Analysis","items":[{"url":"#upload-mechanism-and-client-side-only-validation-gap","title":"Upload mechanism and client-side-only validation gap"},{"url":"#exploiting-the-lack-of-server-side-validation-to-weaponize-a-hta-payload","title":"Exploiting the lack of server-side validation to weaponize a .hta 
payload"},{"url":"#why-did-i-choose-hta-for-the-poc-here-is-the-rationale","title":"Why did I choose .hta for the PoC? Here is the rationale"}]},{"url":"#impact","title":"Impact"},{"url":"#acknowledgements","title":"Acknowledgements"}]},"lastModifiedTime":"2026-04-14T16:00:00.000Z","lastModifiedTimeString":"April 14, 2026"},{"id":"af9be85a-bfb6-57fa-957c-10d3c131ae59","author":"Balazs Pozner","body":"var _excluded = [\"components\"];\nfunction _extends() { _extends = Object.assign ? Object.assign.bind() : function (target) { for (var i = 1; i < arguments.length; i++) { var source = arguments[i]; for (var key in source) { if (Object.prototype.hasOwnProperty.call(source, key)) { target[key] = source[key]; } } } return target; }; return _extends.apply(this, arguments); }\nfunction _objectWithoutProperties(source, excluded) { if (source == null) return {}; var target = _objectWithoutPropertiesLoose(source, excluded); var key, i; if (Object.getOwnPropertySymbols) { var sourceSymbolKeys = Object.getOwnPropertySymbols(source); for (i = 0; i < sourceSymbolKeys.length; i++) { key = sourceSymbolKeys[i]; if (excluded.indexOf(key) >= 0) continue; if (!Object.prototype.propertyIsEnumerable.call(source, key)) continue; target[key] = source[key]; } } return target; }\nfunction _objectWithoutPropertiesLoose(source, excluded) { if (source == null) return {}; var target = {}; var sourceKeys = Object.keys(source); var key, i; for (i = 0; i < sourceKeys.length; i++) { key = sourceKeys[i]; if (excluded.indexOf(key) >= 0) continue; target[key] = source[key]; } return target; }\n/* @jsxRuntime classic */\n/* @jsx mdx */\n\nvar _frontmatter = {\n  \"templateKey\": \"blog-post\",\n  \"title\": \"ENISA NIS2 mapping makes vulnerability handling and disclosure a standalone requirement\",\n  \"description\": \"ENISA’s NIS2 technical implementation guidance treats vulnerability handling and disclosure (control 6.10) as a standalone requirement. 
This article explains what an assessor-grade vulnerability disclosure policy looks like in practice.\",\n  \"author\": \"Balazs Pozner\",\n  \"authorURL\": \"https://twitter.com/hackrate\",\n  \"date\": \"2026-01-26T09:00:00.000Z\",\n  \"image\": \"/img/blog/ENISA-NIS2-mapping-makes-vulnerability-handling-and-disclosure-a-standalone-requirement.png\",\n  \"tags\": [\"security-testing\", \"ethical-hacking\", \"news\"]\n};\nvar layoutProps = {\n  _frontmatter: _frontmatter\n};\nvar MDXLayout = \"wrapper\";\nreturn function MDXContent(_ref) {\n  var components = _ref.components,\n    props = _objectWithoutProperties(_ref, _excluded);\n  return mdx(MDXLayout, _extends({}, layoutProps, props, {\n    components: components,\n    mdxType: \"MDXLayout\"\n  }), mdx(\"p\", null, \"ENISA\\u2019s NIS2 technical implementation guidance treats vulnerability handling and disclosure as a distinct control area (6.10), separate from security testing (6.5) and security patch management (6.6). The practical implication is that organizations should be able to evidence an end to end vulnerability handling process that includes external intake, internal triage, remediation linkage, and disclosure handling aligned to applicable national coordinated vulnerability disclosure policy.\"), mdx(\"p\", null, \"A vulnerability disclosure policy (VDP) is not sufficient on its own. 
What matters is a VDP backed by an operating workflow with records that demonstrate 6.10 is implemented.\"), mdx(\"h2\", {\n    \"id\": \"what-enisa-separates-in-practice\",\n    \"style\": {\n      \"position\": \"relative\"\n    }\n  }, mdx(\"a\", {\n    parentName: \"h2\",\n    \"href\": \"#what-enisa-separates-in-practice\",\n    \"aria-label\": \"what enisa separates in practice permalink\",\n    \"className\": \"anchor before\"\n  }, mdx(\"svg\", {\n    parentName: \"a\",\n    \"aria-hidden\": \"true\",\n    \"focusable\": \"false\",\n    \"height\": \"16\",\n    \"version\": \"1.1\",\n    \"viewBox\": \"0 0 16 16\",\n    \"width\": \"16\"\n  }, mdx(\"path\", {\n    parentName: \"svg\",\n    \"fillRule\": \"evenodd\",\n    \"d\": \"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"\n  }))), \"What ENISA separates in practice\"), mdx(\"p\", null, \"For implementation purposes, three activities that are often blended in day to day security operations should be evidenced distinctly:\"), mdx(\"ul\", null, mdx(\"li\", {\n    parentName: \"ul\"\n  }, mdx(\"strong\", {\n    parentName: \"li\"\n  }, \"Security testing (6.5):\"), \" planned assessments with defined scope, methodology and reporting.\"), mdx(\"li\", {\n    parentName: \"ul\"\n  }, mdx(\"strong\", {\n    parentName: \"li\"\n  }, \"Security patch management (6.6):\"), \" remediation planning, patch deployment and operational confirmation of fixes.\"), mdx(\"li\", {\n    parentName: \"ul\"\n  }, mdx(\"strong\", {\n    parentName: \"li\"\n  }, \"Vulnerability handling and disclosure (6.10):\"), \" obtaining vulnerability information, assessing exposure, addressing critical vulnerabilities without undue delay, integrating 
handling with other management processes and maintaining a disclosure procedure aligned to coordinated vulnerability disclosure policy.\")), mdx(\"p\", null, \"The key point is not organizational structure. It is evidence. Assessors will look for control specific artefacts and records that demonstrate 6.10 is implemented, repeatable and used.\"), mdx(\"h2\", {\n    \"id\": \"minimum-viable-vdp-that-can-be-evidenced\",\n    \"style\": {\n      \"position\": \"relative\"\n    }\n  }, mdx(\"a\", {\n    parentName: \"h2\",\n    \"href\": \"#minimum-viable-vdp-that-can-be-evidenced\",\n    \"aria-label\": \"minimum viable vdp that can be evidenced permalink\",\n    \"className\": \"anchor before\"\n  }, mdx(\"svg\", {\n    parentName: \"a\",\n    \"aria-hidden\": \"true\",\n    \"focusable\": \"false\",\n    \"height\": \"16\",\n    \"version\": \"1.1\",\n    \"viewBox\": \"0 0 16 16\",\n    \"width\": \"16\"\n  }, mdx(\"path\", {\n    parentName: \"svg\",\n    \"fillRule\": \"evenodd\",\n    \"d\": \"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"\n  }))), \"Minimum viable VDP that can be evidenced\"), mdx(\"p\", null, \"A VDP that stands up to scrutiny is a policy plus a workflow plus records. 
At minimum, the policy should define reporting channels, scope and safe harbor, triage targets, severity assessment, remediation and disclosure handling.\"), mdx(\"h3\", {\n    \"id\": \"public-reporting-channels\",\n    \"style\": {\n      \"position\": \"relative\"\n    }\n  }, mdx(\"a\", {\n    parentName: \"h3\",\n    \"href\": \"#public-reporting-channels\",\n    \"aria-label\": \"public reporting channels permalink\",\n    \"className\": \"anchor before\"\n  }, mdx(\"svg\", {\n    parentName: \"a\",\n    \"aria-hidden\": \"true\",\n    \"focusable\": \"false\",\n    \"height\": \"16\",\n    \"version\": \"1.1\",\n    \"viewBox\": \"0 0 16 16\",\n    \"width\": \"16\"\n  }, mdx(\"path\", {\n    parentName: \"svg\",\n    \"fillRule\": \"evenodd\",\n    \"d\": \"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"\n  }))), \"Public reporting channels\"), mdx(\"p\", null, \"Provide a dedicated security contact and a stable reporting mechanism that remains valid over time. 
Make the reporting channel discoverable from the organization\\u2019s domain, commonly via \", mdx(\"inlineCode\", {\n    parentName: \"p\"\n  }, \"/.well-known/security.txt\"), \", and offer an option for encrypted communication, such as a published PGP key.\"), mdx(\"h3\", {\n    \"id\": \"scope-and-safe-harbor\",\n    \"style\": {\n      \"position\": \"relative\"\n    }\n  }, mdx(\"a\", {\n    parentName: \"h3\",\n    \"href\": \"#scope-and-safe-harbor\",\n    \"aria-label\": \"scope and safe harbor permalink\",\n    \"className\": \"anchor before\"\n  }, mdx(\"svg\", {\n    parentName: \"a\",\n    \"aria-hidden\": \"true\",\n    \"focusable\": \"false\",\n    \"height\": \"16\",\n    \"version\": \"1.1\",\n    \"viewBox\": \"0 0 16 16\",\n    \"width\": \"16\"\n  }, mdx(\"path\", {\n    parentName: \"svg\",\n    \"fillRule\": \"evenodd\",\n    \"d\": \"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"\n  }))), \"Scope and safe harbor\"), mdx(\"p\", null, \"Define which systems are in scope, which are excluded, and what testing behavior is allowed. State prohibited activities explicitly, including denial of service, social engineering, and physical intrusion. 
Include a good faith safe harbor statement.\"), mdx(\"h3\", {\n    \"id\": \"triage-and-response-targets\",\n    \"style\": {\n      \"position\": \"relative\"\n    }\n  }, mdx(\"a\", {\n    parentName: \"h3\",\n    \"href\": \"#triage-and-response-targets\",\n    \"aria-label\": \"triage and response targets permalink\",\n    \"className\": \"anchor before\"\n  }, mdx(\"svg\", {\n    parentName: \"a\",\n    \"aria-hidden\": \"true\",\n    \"focusable\": \"false\",\n    \"height\": \"16\",\n    \"version\": \"1.1\",\n    \"viewBox\": \"0 0 16 16\",\n    \"width\": \"16\"\n  }, mdx(\"path\", {\n    parentName: \"svg\",\n    \"fillRule\": \"evenodd\",\n    \"d\": \"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"\n  }))), \"Triage and response targets\"), mdx(\"p\", null, \"Define measurable targets that you can meet and audit. 
For example, acknowledge receipt within 2 business days, provide an initial triage outcome within 7 business days, and define remediation targets by severity.\"), mdx(\"h3\", {\n    \"id\": \"severity-and-prioritization-method\",\n    \"style\": {\n      \"position\": \"relative\"\n    }\n  }, mdx(\"a\", {\n    parentName: \"h3\",\n    \"href\": \"#severity-and-prioritization-method\",\n    \"aria-label\": \"severity and prioritization method permalink\",\n    \"className\": \"anchor before\"\n  }, mdx(\"svg\", {\n    parentName: \"a\",\n    \"aria-hidden\": \"true\",\n    \"focusable\": \"false\",\n    \"height\": \"16\",\n    \"version\": \"1.1\",\n    \"viewBox\": \"0 0 16 16\",\n    \"width\": \"16\"\n  }, mdx(\"path\", {\n    parentName: \"svg\",\n    \"fillRule\": \"evenodd\",\n    \"d\": \"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"\n  }))), \"Severity and prioritization method\"), mdx(\"p\", null, \"Use a consistent scoring approach (such as CVSS v3.1 or v4.0), and document what inputs drive the score in your environment.\"), mdx(\"h3\", {\n    \"id\": \"remediation-linkage-and-verification\",\n    \"style\": {\n      \"position\": \"relative\"\n    }\n  }, mdx(\"a\", {\n    parentName: \"h3\",\n    \"href\": \"#remediation-linkage-and-verification\",\n    \"aria-label\": \"remediation linkage and verification permalink\",\n    \"className\": \"anchor before\"\n  }, mdx(\"svg\", {\n    parentName: \"a\",\n    \"aria-hidden\": \"true\",\n    \"focusable\": \"false\",\n    \"height\": \"16\",\n    \"version\": \"1.1\",\n    \"viewBox\": \"0 0 16 16\",\n    \"width\": \"16\"\n  }, mdx(\"path\", {\n    parentName: \"svg\",\n    \"fillRule\": \"evenodd\",\n    \"d\": \"M4 
9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"\n  }))), \"Remediation linkage and verification\"), mdx(\"p\", null, \"Every accepted report should map to an internal tracking ticket with an accountable owner, fix target and status. Closure should require verification evidence, such as retest notes, fixed version identifiers, and deployment confirmation, not only a developer comment stating \\u201Cresolved.\\u201D If a report is closed as \\u201Cwon\\u2019t fix,\\u201D require a recorded rationale and approval.\"), mdx(\"h2\", {\n    \"id\": \"workflow-design-that-prevents-predictable-failure-modes\",\n    \"style\": {\n      \"position\": \"relative\"\n    }\n  }, mdx(\"a\", {\n    parentName: \"h2\",\n    \"href\": \"#workflow-design-that-prevents-predictable-failure-modes\",\n    \"aria-label\": \"workflow design that prevents predictable failure modes permalink\",\n    \"className\": \"anchor before\"\n  }, mdx(\"svg\", {\n    parentName: \"a\",\n    \"aria-hidden\": \"true\",\n    \"focusable\": \"false\",\n    \"height\": \"16\",\n    \"version\": \"1.1\",\n    \"viewBox\": \"0 0 16 16\",\n    \"width\": \"16\"\n  }, mdx(\"path\", {\n    parentName: \"svg\",\n    \"fillRule\": \"evenodd\",\n    \"d\": \"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"\n  }))), \"Workflow design that prevents predictable failure modes\"), mdx(\"p\", null, \"A disclosure workflow fails in repeatable ways. 
A workable design reduces noise, enforces reproducibility, assigns accountable ownership, and produces evidence that can survive assessment.\"), mdx(\"p\", null, \"Filtering should remove reports that cannot be actioned. Define reject criteria for out-of-scope targets, missing reproduction steps, unclear impact, and non-actionable scanner output. Deduplication should be based on root cause and exploit path, not URL variations, and should preserve credit attribution when multiple reporters converge on the same issue.\"), mdx(\"p\", null, \"Route every accepted report through a tracked system, not email forwarding. Require structured fields that allow audits and reporting, including asset and environment, severity and rationale, accountable owner, due date, fix version, deployment evidence, and a disclosure status log. Avoid \\u201Cshared inbox only\\u201D ownership models, because they produce gaps when staffing changes and make SLAs non-verifiable.\"), mdx(\"h2\", {\n    \"id\": \"self-managed-vdp-risks-and-controls\",\n    \"style\": {\n      \"position\": \"relative\"\n    }\n  }, mdx(\"a\", {\n    parentName: \"h2\",\n    \"href\": \"#self-managed-vdp-risks-and-controls\",\n    \"aria-label\": \"self managed vdp risks and controls permalink\",\n    \"className\": \"anchor before\"\n  }, mdx(\"svg\", {\n    parentName: \"a\",\n    \"aria-hidden\": \"true\",\n    \"focusable\": \"false\",\n    \"height\": \"16\",\n    \"version\": \"1.1\",\n    \"viewBox\": \"0 0 16 16\",\n    \"width\": \"16\"\n  }, mdx(\"path\", {\n    parentName: \"svg\",\n    \"fillRule\": \"evenodd\",\n    \"d\": \"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"\n  }))), \"Self managed VDP risks and 
controls\"), mdx(\"p\", null, \"A self managed VDP can work, but only if it is resourced, measurable and enforced. Common failure modes and controls include:\"), mdx(\"ul\", null, mdx(\"li\", {\n    parentName: \"ul\"\n  }, mdx(\"strong\", {\n    parentName: \"li\"\n  }, \"High noise volume:\"), \" enforce submission requirements, reject non reproducible reports, and implement deduplication based on root cause.\"), mdx(\"li\", {\n    parentName: \"ul\"\n  }, mdx(\"strong\", {\n    parentName: \"li\"\n  }, \"Inconsistent triage decisions:\"), \" publish acceptance criteria and apply a standard reproduction and severity checklist.\"), mdx(\"li\", {\n    parentName: \"ul\"\n  }, mdx(\"strong\", {\n    parentName: \"li\"\n  }, \"Misrouting and delays:\"), \" require a single owned intake channel, tracked case management, and named owners.\"), mdx(\"li\", {\n    parentName: \"ul\"\n  }, mdx(\"strong\", {\n    parentName: \"li\"\n  }, \"Communication gaps:\"), \" use templated acknowledgements, scheduled status updates and defined escalation triggers.\"), mdx(\"li\", {\n    parentName: \"ul\"\n  }, mdx(\"strong\", {\n    parentName: \"li\"\n  }, \"Evidence gaps:\"), \" retain timestamps, decisions, remediation linkage, and verification artefacts so cases can be reconstructed during assessment.\")), mdx(\"h2\", {\n    \"id\": \"when-hackrate-managed-vdp-is-justified\",\n    \"style\": {\n      \"position\": \"relative\"\n    }\n  }, mdx(\"a\", {\n    parentName: \"h2\",\n    \"href\": \"#when-hackrate-managed-vdp-is-justified\",\n    \"aria-label\": \"when hackrate managed vdp is justified permalink\",\n    \"className\": \"anchor before\"\n  }, mdx(\"svg\", {\n    parentName: \"a\",\n    \"aria-hidden\": \"true\",\n    \"focusable\": \"false\",\n    \"height\": \"16\",\n    \"version\": \"1.1\",\n    \"viewBox\": \"0 0 16 16\",\n    \"width\": \"16\"\n  }, mdx(\"path\", {\n    parentName: \"svg\",\n    \"fillRule\": \"evenodd\",\n    \"d\": \"M4 9h1v1H4c-1.5 
0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"\n  }))), \"When Hackrate managed VDP is justified\"), mdx(\"p\", null, \"For many organizations, the hardest part of control 6.10 is not writing a policy. It is operating the intake and triage loop reliably at volume with complete records.\"), mdx(\"p\", null, \"Hackrate provides the Hackrate Ethical Hacking platform to manage vulnerability submissions through a structured intake channel with case tracking and an auditable record of actions and communications. We help validate reported issues, including reproduction and impact clarification, so your internal teams receive actionable findings rather than unfiltered inbox traffic. We also handle communication with ethical hackers, including acknowledgements, clarification requests, and status updates, so timelines remain predictable and interactions remain consistent.\"), mdx(\"p\", null, \"Hackrate also provides the legal and operational documents required to run a VDP, so teams do not need to draft them from scratch. This includes VDP policy language, scope and safe harbor terms, disclosure rules, and program terms that can be adapted to your environment.\"), mdx(\"p\", null, \"In this model, your organization retains decision rights for risk acceptance, remediation prioritization, and deployment approval. 
Hackrate focuses on managed intake, validation support, and communications, plus a complete evidence trail that connects submissions to triage outcomes and remediation status.\"));\n}\n;\nMDXContent.isMDXComponent = true;","slug":"/blog/ENISA-NIS2-mapping-makes-vulnerability-handling-and-disclosure-a-standalone-requirement/","timeToRead":"5 min read","date":"January 26, 2026","dateString":"January 26, 2026","datePublishedSeoFormat":"2026-01-26","title":"ENISA NIS2 mapping makes vulnerability handling and disclosure a standalone requirement","excerpt":"ENISA’s NIS2 technical implementation guidance treats vulnerability handling and disclosure (control 6.10) as a standalone requirement. This article explains what an assessor-grade vulnerability disclosure policy looks like in practice.","tags":["security-testing","ethical-hacking","news"],"lastModificationTime":null,"lastModificationTimeString":null,"dateModifiedSeoFormat":null,"hero":{"full":{"base64":"data:image/png;base64,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","aspectRatio":1.78397212543554,"src":"/static/0412079155af02d8915db4717f60957e/43a2d/ENISA-NIS2-mapping-makes-vulnerability-handling-and-disclosure-a-standalone-requirement.png","srcSet":"/static/0412079155af02d8915db4717f60957e/6ba37/ENISA-NIS2-mapping-makes-vulnerability-handling-and-disclosure-a-standalone-requirement.png 512w,\n/static/0412079155af02d8915db4717f60957e/4e530/ENISA-NIS2-mapping-makes-vulnerability-handling-and-disclosure-a-standalone-requirement.png 1024w,\n/static/0412079155af02d8915db4717f60957e/43a2d/ENISA-NIS2-mapping-makes-vulnerability-handling-and-disclosure-a-standalone-requirement.png 2048w,\n/static/0412079155af02d8915db4717f60957e/0b1d6/ENISA-NIS2-mapping-makes-vulnerability-handling-and-disclosure-a-standalone-requirement.png 
2768w","srcWebp":"/static/0412079155af02d8915db4717f60957e/ceab5/ENISA-NIS2-mapping-makes-vulnerability-handling-and-disclosure-a-standalone-requirement.webp","srcSetWebp":"/static/0412079155af02d8915db4717f60957e/e4e36/ENISA-NIS2-mapping-makes-vulnerability-handling-and-disclosure-a-standalone-requirement.webp 512w,\n/static/0412079155af02d8915db4717f60957e/e0f73/ENISA-NIS2-mapping-makes-vulnerability-handling-and-disclosure-a-standalone-requirement.webp 1024w,\n/static/0412079155af02d8915db4717f60957e/ceab5/ENISA-NIS2-mapping-makes-vulnerability-handling-and-disclosure-a-standalone-requirement.webp 2048w,\n/static/0412079155af02d8915db4717f60957e/ab56b/ENISA-NIS2-mapping-makes-vulnerability-handling-and-disclosure-a-standalone-requirement.webp 2768w","sizes":"(max-width: 2048px) 100vw, 2048px"}},"commentId":"/blog/ENISA-NIS2-mapping-makes-vulnerability-handling-and-disclosure-a-standalone-requirement/","tableOfContents":{"items":[{"url":"#what-enisa-separates-in-practice","title":"What ENISA separates in practice"},{"url":"#minimum-viable-vdp-that-can-be-evidenced","title":"Minimum viable VDP that can be evidenced","items":[{"url":"#public-reporting-channels","title":"Public reporting channels"},{"url":"#scope-and-safe-harbor","title":"Scope and safe harbor"},{"url":"#triage-and-response-targets","title":"Triage and response targets"},{"url":"#severity-and-prioritization-method","title":"Severity and prioritization method"},{"url":"#remediation-linkage-and-verification","title":"Remediation linkage and verification"}]},{"url":"#workflow-design-that-prevents-predictable-failure-modes","title":"Workflow design that prevents predictable failure modes"},{"url":"#self-managed-vdp-risks-and-controls","title":"Self managed VDP risks and controls"},{"url":"#when-hackrate-managed-vdp-is-justified","title":"When Hackrate managed VDP is justified"}]},"lastModifiedTime":"2026-01-26T09:00:00.000Z","lastModifiedTimeString":"January 26, 
2026"},{"id":"242d44d2-8d0f-5cea-94ca-e337a6c87bf2","author":"Balazs Pozner","body":"var _excluded = [\"components\"];\nfunction _extends() { _extends = Object.assign ? Object.assign.bind() : function (target) { for (var i = 1; i < arguments.length; i++) { var source = arguments[i]; for (var key in source) { if (Object.prototype.hasOwnProperty.call(source, key)) { target[key] = source[key]; } } } return target; }; return _extends.apply(this, arguments); }\nfunction _objectWithoutProperties(source, excluded) { if (source == null) return {}; var target = _objectWithoutPropertiesLoose(source, excluded); var key, i; if (Object.getOwnPropertySymbols) { var sourceSymbolKeys = Object.getOwnPropertySymbols(source); for (i = 0; i < sourceSymbolKeys.length; i++) { key = sourceSymbolKeys[i]; if (excluded.indexOf(key) >= 0) continue; if (!Object.prototype.propertyIsEnumerable.call(source, key)) continue; target[key] = source[key]; } } return target; }\nfunction _objectWithoutPropertiesLoose(source, excluded) { if (source == null) return {}; var target = {}; var sourceKeys = Object.keys(source); var key, i; for (i = 0; i < sourceKeys.length; i++) { key = sourceKeys[i]; if (excluded.indexOf(key) >= 0) continue; target[key] = source[key]; } return target; }\n/* @jsxRuntime classic */\n/* @jsx mdx */\n\nvar _frontmatter = {\n  \"templateKey\": \"blog-post\",\n  \"title\": \"Press release: Hackrate becomes Hungary’s first CVE Numbering Authority\",\n  \"description\": \"This article explains Hackrate’s new status as Hungary’s first CVE Numbering Authority (CNA) and what that means in practice for coordinated vulnerability disclosure.\",\n  \"author\": \"Balazs Pozner\",\n  \"authorURL\": \"https://twitter.com/hackrate\",\n  \"date\": \"2026-01-13T09:00:00.000Z\",\n  \"image\": \"/img/blog/Press-release-Hackrate-becomes-Hungary-s-first-CVE-Numbering-Authority.png\",\n  \"tags\": [\"hackrate\", \"news\"]\n};\nvar layoutProps = {\n  _frontmatter: _frontmatter\n};\nvar MDXLayout = 
\"wrapper\";\nreturn function MDXContent(_ref) {\n  var components = _ref.components,\n    props = _objectWithoutProperties(_ref, _excluded);\n  return mdx(MDXLayout, _extends({}, layoutProps, props, {\n    components: components,\n    mdxType: \"MDXLayout\"\n  }), mdx(\"p\", null, mdx(\"em\", {\n    parentName: \"p\"\n  }, \"Budapest, Hungary, January 13, 2026\")), mdx(\"p\", null, \"Hackrate has been authorized by the CVE Program as a CVE Numbering Authority (CNA). Hackrate will operate under the CISA ICS Root hierarchy. This makes Hackrate Hungary\\u2019s first organization with the authority to assign CVE IDs (Common Vulnerabilities and Exposures) for eligible vulnerabilities within its approved CNA scope.\"), mdx(\"p\", null, \"The mission of the Common Vulnerabilities and Exposures (CVE\\xAE) Program is to identify, define, and catalog publicly disclosed cybersecurity vulnerabilities. CVE provides a shared reference so security teams, vendors, and tools can reliably talk about the same vulnerability using a consistent identifier and record.\"), mdx(\"p\", null, \"A CNA is not a badge, but an operational role in the global vulnerability identification process. As a CNA, Hackrate can reserve CVE IDs, assign them to validated issues, and publish CVE Records in accordance with CVE Program rules and coordination requirements. Hackrate will only assign a CVE ID and publish a CVE Record when it is appropriate and when the program owner explicitly approves creating a CVE as part of their disclosure plan.\"), mdx(\"p\", null, \"This capability is an opportunity for Hackrate customers and for the local security community. 
It does not change anything by default for every program on Hackrate and it does not mean CVEs will be created automatically.\"), mdx(\"h2\", {\n    \"id\": \"what-changes-with-cna-status\",\n    \"style\": {\n      \"position\": \"relative\"\n    }\n  }, mdx(\"a\", {\n    parentName: \"h2\",\n    \"href\": \"#what-changes-with-cna-status\",\n    \"aria-label\": \"what changes with cna status permalink\",\n    \"className\": \"anchor before\"\n  }, mdx(\"svg\", {\n    parentName: \"a\",\n    \"aria-hidden\": \"true\",\n    \"focusable\": \"false\",\n    \"height\": \"16\",\n    \"version\": \"1.1\",\n    \"viewBox\": \"0 0 16 16\",\n    \"width\": \"16\"\n  }, mdx(\"path\", {\n    parentName: \"svg\",\n    \"fillRule\": \"evenodd\",\n    \"d\": \"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"\n  }))), \"What changes with CNA status\"), mdx(\"p\", null, \"In many disclosure workflows, the CVE step becomes a sequencing problem. An ethical hacker reports a bug, a vendor confirms and fixes it, and then the parties still need a separate path to obtain a CVE ID from an external CNA. That handoff can introduce delays, inconsistent records, and unnecessary back-and-forth over validation details.\"), mdx(\"p\", null, \"With CNA capability inside Hackrate, CVE assignment can be integrated into the same place where the report is already triaged and coordinated. 
This provides a simpler, approval-based path when a program owner decides a CVE is the right outcome for a given issue.\"), mdx(\"h2\", {\n    \"id\": \"how-the-workflow-changes-on-hackrate\",\n    \"style\": {\n      \"position\": \"relative\"\n    }\n  }, mdx(\"a\", {\n    parentName: \"h2\",\n    \"href\": \"#how-the-workflow-changes-on-hackrate\",\n    \"aria-label\": \"how the workflow changes on hackrate permalink\",\n    \"className\": \"anchor before\"\n  }, mdx(\"svg\", {\n    parentName: \"a\",\n    \"aria-hidden\": \"true\",\n    \"focusable\": \"false\",\n    \"height\": \"16\",\n    \"version\": \"1.1\",\n    \"viewBox\": \"0 0 16 16\",\n    \"width\": \"16\"\n  }, mdx(\"path\", {\n    parentName: \"svg\",\n    \"fillRule\": \"evenodd\",\n    \"d\": \"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"\n  }))), \"How the workflow changes on Hackrate\"), mdx(\"p\", null, \"Reporting, technical validation, coordinated disclosure, and CVE ID assignment can be handled within a single workflow. If a program owner wants to create a CVE for an eligible vulnerability and would like support with the process, Hackrate can assist through CVE ID assignment and CVE Record preparation.\"), mdx(\"p\", null, \"During triage, we can help structure the data needed for a high-quality CVE Record, including affected products and versions, vulnerability type (for example CWE mapping), and primary references such as vendor advisories or patch information. 
CVE Records are prepared for publication in alignment with coordinated disclosure and remediation timelines.\"), mdx(\"h2\", {\n    \"id\": \"what-this-means-for-companies\",\n    \"style\": {\n      \"position\": \"relative\"\n    }\n  }, mdx(\"a\", {\n    parentName: \"h2\",\n    \"href\": \"#what-this-means-for-companies\",\n    \"aria-label\": \"what this means for companies permalink\",\n    \"className\": \"anchor before\"\n  }, mdx(\"svg\", {\n    parentName: \"a\",\n    \"aria-hidden\": \"true\",\n    \"focusable\": \"false\",\n    \"height\": \"16\",\n    \"version\": \"1.1\",\n    \"viewBox\": \"0 0 16 16\",\n    \"width\": \"16\"\n  }, mdx(\"path\", {\n    parentName: \"svg\",\n    \"fillRule\": \"evenodd\",\n    \"d\": \"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"\n  }))), \"What this means for companies\"), mdx(\"p\", null, \"If you run a VDP or bug bounty on Hackrate and you maintain software used by others, CVE identifiers are often part of how vulnerabilities are tracked and referenced across the industry. Hackrate can now support that process directly when a CVE is appropriate and when you approve it.\"), mdx(\"ul\", null, mdx(\"li\", {\n    parentName: \"ul\"\n  }, \"Integrated CVE handling: If a report is validated and the issue is CVE-eligible, Hackrate can assign the CVE ID as part of the same triage and coordination track, without needing an additional external CNA step.\"), mdx(\"li\", {\n    parentName: \"ul\"\n  }, \"Optional by design: Not every vulnerability needs a CVE. Internal-only systems and private applications often do not benefit from a public identifier. 
For externally distributed products, open-source components, or on-prem software, CVEs are frequently the expected identifier.\"), mdx(\"li\", {\n    parentName: \"ul\"\n  }, \"Approval-based process: We will not create or publish CVE Records without explicit program owner approval. If you want to manage CVEs entirely on your side, you can continue to do so. If you want support, we can help.\")), mdx(\"h2\", {\n    \"id\": \"what-this-means-for-ethical-hackers\",\n    \"style\": {\n      \"position\": \"relative\"\n    }\n  }, mdx(\"a\", {\n    parentName: \"h2\",\n    \"href\": \"#what-this-means-for-ethical-hackers\",\n    \"aria-label\": \"what this means for ethical hackers permalink\",\n    \"className\": \"anchor before\"\n  }, mdx(\"svg\", {\n    parentName: \"a\",\n    \"aria-hidden\": \"true\",\n    \"focusable\": \"false\",\n    \"height\": \"16\",\n    \"version\": \"1.1\",\n    \"viewBox\": \"0 0 16 16\",\n    \"width\": \"16\"\n  }, mdx(\"path\", {\n    parentName: \"svg\",\n    \"fillRule\": \"evenodd\",\n    \"d\": \"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"\n  }))), \"What this means for ethical hackers\"), mdx(\"p\", null, \"For researchers, the biggest practical gain is reduced administrative friction after the technical work is already done. 
When your report is CVE-eligible and the program owner approves creating a CVE, the validation and CVE assignment can happen with a CNA involved in the same workflow that already triages the report.\"), mdx(\"p\", null, \"Once remediation and disclosure timing are agreed with the vendor, and creating a CVE is approved by the program owner, the CVE ID can be assigned without an extra external queue.\"), mdx(\"h2\", {\n    \"id\": \"closing\",\n    \"style\": {\n      \"position\": \"relative\"\n    }\n  }, mdx(\"a\", {\n    parentName: \"h2\",\n    \"href\": \"#closing\",\n    \"aria-label\": \"closing permalink\",\n    \"className\": \"anchor before\"\n  }, mdx(\"svg\", {\n    parentName: \"a\",\n    \"aria-hidden\": \"true\",\n    \"focusable\": \"false\",\n    \"height\": \"16\",\n    \"version\": \"1.1\",\n    \"viewBox\": \"0 0 16 16\",\n    \"width\": \"16\"\n  }, mdx(\"path\", {\n    parentName: \"svg\",\n    \"fillRule\": \"evenodd\",\n    \"d\": \"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"\n  }))), \"Closing\"), mdx(\"p\", null, \"Hackrate\\u2019s CNA status expands what we can deliver across the full vulnerability lifecycle: discovery through our VDP and bug bounty programs, technical validation through triage, coordinated disclosure with the vendor, and now official identification through CVE IDs and CVE Records, when program owners choose to use it.\"), mdx(\"p\", null, \"Maintaining a global vulnerability identifier system is a complex, industry-wide task involving coordination, deduplication, and record quality at scale. 
We are glad to contribute in a small but practical way by helping program owners and ethical hackers create timely, high-quality CVE Records when they are needed.\"), mdx(\"p\", null, \"If you are a program owner managing coordinated disclosure, Hackrate can now serve as a direct bridge into the CVE ecosystem under the CISA ICS Root structure.\"));\n}\n;\nMDXContent.isMDXComponent = true;","slug":"/blog/Press-release-Hackrate-becomes-Hungary-s-first-CVE-Numbering-Authority/","timeToRead":"5 min read","date":"January 13, 2026","dateString":"January 13, 2026","datePublishedSeoFormat":"2026-01-13","title":"Press release: Hackrate becomes Hungary’s first CVE Numbering Authority","excerpt":"This article explains Hackrate’s new status as Hungary’s first CVE Numbering Authority (CNA) and what that means in practice for coordinated vulnerability disclosure.","tags":["hackrate","news"],"lastModificationTime":null,"lastModificationTimeString":null,"dateModifiedSeoFormat":null,"hero":{"full":{"base64":"data:image/png;base64,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","aspectRatio":1.78397212543554,"src":"/static/42c0fb84baadedd5ff7b521d858e8896/5d2c5/Press-release-Hackrate-becomes-Hungary-s-first-CVE-Numbering-Authority.png","srcSet":"/static/42c0fb84baadedd5ff7b521d858e8896/6ba37/Press-release-Hackrate-becomes-Hungary-s-first-CVE-Numbering-Authority.png 512w,\n/static/42c0fb84baadedd5ff7b521d858e8896/5d2c5/Press-release-Hackrate-becomes-Hungary-s-first-CVE-Numbering-Authority.png 1000w","srcWebp":"/static/42c0fb84baadedd5ff7b521d858e8896/36ebb/Press-release-Hackrate-becomes-Hungary-s-first-CVE-Numbering-Authority.webp","srcSetWebp":"/static/42c0fb84baadedd5ff7b521d858e8896/e4e36/Press-release-Hackrate-becomes-Hungary-s-first-CVE-Numbering-Authority.webp 512w,\n/static/42c0fb84baadedd5ff7b521d858e8896/36ebb/Press-release-Hackrate-becomes-Hungary-s-first-CVE-Numbering-Authority.webp 1000w","sizes":"(max-width: 1000px) 100vw, 
1000px"}},"commentId":"/blog/Press-release-Hackrate-becomes-Hungary-s-first-CVE-Numbering-Authority/","tableOfContents":{"items":[{"url":"#what-changes-with-cna-status","title":"What changes with CNA status"},{"url":"#how-the-workflow-changes-on-hackrate","title":"How the workflow changes on Hackrate"},{"url":"#what-this-means-for-companies","title":"What this means for companies"},{"url":"#what-this-means-for-ethical-hackers","title":"What this means for ethical hackers"},{"url":"#closing","title":"Closing"}]},"lastModifiedTime":"2026-01-13T09:00:00.000Z","lastModifiedTimeString":"January 13, 2026"},{"id":"ec08dabc-c4c2-5667-a9ea-4ae6767e006d","author":"Balazs Pozner","body":"var _excluded = [\"components\"];\nfunction _extends() { _extends = Object.assign ? Object.assign.bind() : function (target) { for (var i = 1; i < arguments.length; i++) { var source = arguments[i]; for (var key in source) { if (Object.prototype.hasOwnProperty.call(source, key)) { target[key] = source[key]; } } } return target; }; return _extends.apply(this, arguments); }\nfunction _objectWithoutProperties(source, excluded) { if (source == null) return {}; var target = _objectWithoutPropertiesLoose(source, excluded); var key, i; if (Object.getOwnPropertySymbols) { var sourceSymbolKeys = Object.getOwnPropertySymbols(source); for (i = 0; i < sourceSymbolKeys.length; i++) { key = sourceSymbolKeys[i]; if (excluded.indexOf(key) >= 0) continue; if (!Object.prototype.propertyIsEnumerable.call(source, key)) continue; target[key] = source[key]; } } return target; }\nfunction _objectWithoutPropertiesLoose(source, excluded) { if (source == null) return {}; var target = {}; var sourceKeys = Object.keys(source); var key, i; for (i = 0; i < sourceKeys.length; i++) { key = sourceKeys[i]; if (excluded.indexOf(key) >= 0) continue; target[key] = source[key]; } return target; }\n/* @jsxRuntime classic */\n/* @jsx mdx */\n\nvar _frontmatter = {\n  \"templateKey\": \"blog-post\",\n  \"title\": \"Let 2026 be the 
year bug bounty becomes part of how you build and operate\",\n  \"description\": \"This article explains why 2026 is the right time to make bug bounty a practical, continuous security feedback loop and how Hackrate can help you launch it with confidence.\",\n  \"author\": \"Balazs Pozner\",\n  \"authorURL\": \"https://twitter.com/hackrate\",\n  \"date\": \"2026-01-05T09:00:00.000Z\",\n  \"image\": \"/img/blog/Let-2026-be-the-year-bug-bounty-becomes-part-of-how-you-build-and-operate.png\",\n  \"tags\": [\"hackrate\", \"ethical-hacking\", \"security-testing\", \"news\", \"getting-started\"]\n};\nvar layoutProps = {\n  _frontmatter: _frontmatter\n};\nvar MDXLayout = \"wrapper\";\nreturn function MDXContent(_ref) {\n  var components = _ref.components,\n    props = _objectWithoutProperties(_ref, _excluded);\n  return mdx(MDXLayout, _extends({}, layoutProps, props, {\n    components: components,\n    mdxType: \"MDXLayout\"\n  }), mdx(\"p\", null, \"Many organizations still treat offensive testing as a scheduled engagement, while their applications change monthly or even more frequently. Bug bounty is a practical way to keep security testing aligned with continuous change.\"), mdx(\"p\", null, \"A traditional \\u201Csecurity audit\\u201D model is still common: fixed scope, fixed timeline, and a report that starts aging as soon as the next release ships. That model can be useful, but it does not match how modern teams build and deploy.\"), mdx(\"p\", null, \"The problem is not that pentesting is bad. The problem is timing. If your development model is continuous, periodic testing quickly becomes a snapshot of a system that no longer exists.\"), mdx(\"p\", null, \"Bug bounty works well here because it is not a one-time assessment. 
It is continuous feedback from people who spend their time trying to break real systems as they change.\"), mdx(\"h2\", {\n    \"id\": \"why-periodic-pentests-often-miss-what-matters\",\n    \"style\": {\n      \"position\": \"relative\"\n    }\n  }, mdx(\"a\", {\n    parentName: \"h2\",\n    \"href\": \"#why-periodic-pentests-often-miss-what-matters\",\n    \"aria-label\": \"why periodic pentests often miss what matters permalink\",\n    \"className\": \"anchor before\"\n  }, mdx(\"svg\", {\n    parentName: \"a\",\n    \"aria-hidden\": \"true\",\n    \"focusable\": \"false\",\n    \"height\": \"16\",\n    \"version\": \"1.1\",\n    \"viewBox\": \"0 0 16 16\",\n    \"width\": \"16\"\n  }, mdx(\"path\", {\n    parentName: \"svg\",\n    \"fillRule\": \"evenodd\",\n    \"d\": \"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"\n  }))), \"Why periodic pentests often miss what matters\"), mdx(\"p\", null, \"Pentests are valuable for baseline coverage, assurance, and structured validation. But a time-boxed engagement has limits by design: constrained time, constrained scope, and a limited set of perspectives.\"), mdx(\"p\", null, \"Over multiple years, repeated testing against the same application can converge toward familiar paths and familiar findings. That is not a criticism of testers. It is what happens when the same constraints repeat.\"), mdx(\"p\", null, \"Meanwhile, the issues that hurt most in modern web applications are often not exotic. 
They are the messy ones: authorization mistakes, workflow abuse, subtle authentication edge cases, integration assumptions, and regressions introduced during refactors.\"), mdx(\"p\", null, \"Bug bounty adds something that is difficult to replicate in any other format: \", mdx(\"strong\", {\n    parentName: \"p\"\n  }, \"diversity of thinking at scale\"), \". Different researchers approach the same target with different instincts, tooling, and threat models. That variety is where the surprising reports come from.\"), mdx(\"h2\", {\n    \"id\": \"continuous-development-needs-security-that-stays-on\",\n    \"style\": {\n      \"position\": \"relative\"\n    }\n  }, mdx(\"a\", {\n    parentName: \"h2\",\n    \"href\": \"#continuous-development-needs-security-that-stays-on\",\n    \"aria-label\": \"continuous development needs security that stays on permalink\",\n    \"className\": \"anchor before\"\n  }, mdx(\"svg\", {\n    parentName: \"a\",\n    \"aria-hidden\": \"true\",\n    \"focusable\": \"false\",\n    \"height\": \"16\",\n    \"version\": \"1.1\",\n    \"viewBox\": \"0 0 16 16\",\n    \"width\": \"16\"\n  }, mdx(\"path\", {\n    parentName: \"svg\",\n    \"fillRule\": \"evenodd\",\n    \"d\": \"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"\n  }))), \"Continuous development needs security that stays on\"), mdx(\"p\", null, \"If you release weekly, a snapshot assessment from January is rarely a good description of what you are running by March.\"), mdx(\"p\", null, \"New endpoints appear. Permissions change. Features roll out behind flags. Even strong internal controls cannot prevent every regression. The goal is not perfection. 
The goal is fast discovery and fast learning.\"), mdx(\"p\", null, \"Bug bounty supports that goal because it runs continuously. It often becomes most active around major releases, when new features introduce new attack paths.\"), mdx(\"h2\", {\n    \"id\": \"starting-safely-without-creating-noise\",\n    \"style\": {\n      \"position\": \"relative\"\n    }\n  }, mdx(\"a\", {\n    parentName: \"h2\",\n    \"href\": \"#starting-safely-without-creating-noise\",\n    \"aria-label\": \"starting safely without creating noise permalink\",\n    \"className\": \"anchor before\"\n  }, mdx(\"svg\", {\n    parentName: \"a\",\n    \"aria-hidden\": \"true\",\n    \"focusable\": \"false\",\n    \"height\": \"16\",\n    \"version\": \"1.1\",\n    \"viewBox\": \"0 0 16 16\",\n    \"width\": \"16\"\n  }, mdx(\"path\", {\n    parentName: \"svg\",\n    \"fillRule\": \"evenodd\",\n    \"d\": \"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"\n  }))), \"Starting safely without creating noise\"), mdx(\"p\", null, \"The common fear is operational: spam reports, duplicates, low-value submissions, and overwhelmed teams. That outcome is avoidable. A strong launch looks like this:\"), mdx(\"ul\", null, mdx(\"li\", {\n    parentName: \"ul\"\n  }, \"Start with a private program.\"), mdx(\"li\", {\n    parentName: \"ul\"\n  }, \"Keep scope tight and explicit.\"), mdx(\"li\", {\n    parentName: \"ul\"\n  }, \"Make triage and remediation ownership real, not theoretical.\"), mdx(\"li\", {\n    parentName: \"ul\"\n  }, \"Expand only when response times and report quality are stable.\")), mdx(\"p\", null, \"A bug bounty program is not hard because researchers are difficult. 
It is hard when scope is unclear, response is slow, and severity discussions turn into endless negotiation. \", mdx(\"strong\", {\n    parentName: \"p\"\n  }, \"Those are program design problems and they are solvable.\")), mdx(\"h2\", {\n    \"id\": \"how-hackrate-can-help-you-get-started\",\n    \"style\": {\n      \"position\": \"relative\"\n    }\n  }, mdx(\"a\", {\n    parentName: \"h2\",\n    \"href\": \"#how-hackrate-can-help-you-get-started\",\n    \"aria-label\": \"how hackrate can help you get started permalink\",\n    \"className\": \"anchor before\"\n  }, mdx(\"svg\", {\n    parentName: \"a\",\n    \"aria-hidden\": \"true\",\n    \"focusable\": \"false\",\n    \"height\": \"16\",\n    \"version\": \"1.1\",\n    \"viewBox\": \"0 0 16 16\",\n    \"width\": \"16\"\n  }, mdx(\"path\", {\n    parentName: \"svg\",\n    \"fillRule\": \"evenodd\",\n    \"d\": \"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"\n  }))), \"How Hackrate can help you get started\"), mdx(\"p\", null, \"If your applications change continuously, your security testing should reflect that reality. Bug bounty is not a replacement for everything else, but it is one of the few models that keeps producing value while the system changes.\"), mdx(\"p\", null, \"Hackrate can help you turn that idea into a program you can run. We can help you plan a safe private launch, shape scope so researchers spend time where it matters, and set expectations that keep the signal high for your team. 
If you are considering a bug bounty program in 2026, we are happy to talk, share what works in practice, and plan the next steps with you.\"), mdx(\"p\", null, \"Reach out through \", mdx(\"a\", {\n    parentName: \"p\",\n    \"href\": \"https://www.hckrt.com/Home/RequestADemo\",\n    \"target\": \"_blank\",\n    \"rel\": \"nofollow noopener\"\n  }, \"Hackrate\"), \" and we will take it from there.\"));\n}\n;\nMDXContent.isMDXComponent = true;","slug":"/blog/Let-2026-be-the-year-bug-bounty-becomes-part-of-how-you-build-and-operate/","timeToRead":"4 min read","date":"January 05, 2026","dateString":"January 05, 2026","datePublishedSeoFormat":"2026-01-05","title":"Let 2026 be the year bug bounty becomes part of how you build and operate","excerpt":"This article explains why 2026 is the right time to make bug bounty a practical, continuous security feedback loop and how Hackrate can help you launch it with confidence.","tags":["hackrate","ethical-hacking","security-testing","news","getting-started"],"lastModificationTime":null,"lastModificationTimeString":null,"dateModifiedSeoFormat":null,"hero":{"full":{"base64":"data:image/png;base64,","aspectRatio":1.78397212543554,"src":"/static/215707898c57c1c20ffc63b34c9583ad/5d2c5/Let-2026-be-the-year-bug-bounty-becomes-part-of-how-you-build-and-operate.png","srcSet":"/static/215707898c57c1c20ffc63b34c9583ad/6ba37/Let-2026-be-the-year-bug-bounty-becomes-part-of-how-you-build-and-operate.png 512w,\n/static/215707898c57c1c20ffc63b34c9583ad/5d2c5/Let-2026-be-the-year-bug-bounty-becomes-part-of-how-you-build-and-operate.png 1000w","srcWebp":"/static/215707898c57c1c20ffc63b34c9583ad/36ebb/Let-2026-be-the-year-bug-bounty-becomes-part-of-how-you-build-and-operate.webp","srcSetWebp":"/static/215707898c57c1c20ffc63b34c9583ad/e4e36/Let-2026-be-the-year-bug-bounty-becomes-part-of-how-you-build-and-operate.webp 512w,\n/static/215707898c57c1c20ffc63b34c9583ad/36ebb/Let-2026-be-the-year-bug-bounty-becomes-part-of-how-you-build-and-operate.webp 1000w","sizes":"(max-width: 1000px) 100vw, 1000px"}},"commentId":"/blog/Let-2026-be-the-year-bug-bounty-becomes-part-of-how-you-build-and-operate/","tableOfContents":{"items":[{"url":"#why-periodic-pentests-often-miss-what-matters","title":"Why periodic pentests often miss what matters"},{"url":"#continuous-development-needs-security-that-stays-on","title":"Continuous development needs security that stays on"},{"url":"#starting-safely-without-creating-noise","title":"Starting safely without creating noise"},{"url":"#how-hackrate-can-help-you-get-started","title":"How Hackrate can help you get started"}]},"lastModifiedTime":"2026-01-05T09:00:00.000Z","lastModifiedTimeString":"January 05, 2026"},{"id":"66c2cb26-28e3-53da-85a4-96732431949a","author":"Balazs Pozner","body":"var _excluded = [\"components\"];\nfunction _extends() { _extends = Object.assign ? 
Object.assign.bind() : function (target) { for (var i = 1; i < arguments.length; i++) { var source = arguments[i]; for (var key in source) { if (Object.prototype.hasOwnProperty.call(source, key)) { target[key] = source[key]; } } } return target; }; return _extends.apply(this, arguments); }\nfunction _objectWithoutProperties(source, excluded) { if (source == null) return {}; var target = _objectWithoutPropertiesLoose(source, excluded); var key, i; if (Object.getOwnPropertySymbols) { var sourceSymbolKeys = Object.getOwnPropertySymbols(source); for (i = 0; i < sourceSymbolKeys.length; i++) { key = sourceSymbolKeys[i]; if (excluded.indexOf(key) >= 0) continue; if (!Object.prototype.propertyIsEnumerable.call(source, key)) continue; target[key] = source[key]; } } return target; }\nfunction _objectWithoutPropertiesLoose(source, excluded) { if (source == null) return {}; var target = {}; var sourceKeys = Object.keys(source); var key, i; for (i = 0; i < sourceKeys.length; i++) { key = sourceKeys[i]; if (excluded.indexOf(key) >= 0) continue; target[key] = source[key]; } return target; }\n/* @jsxRuntime classic */\n/* @jsx mdx */\n\nvar _frontmatter = {\n  \"templateKey\": \"blog-post\",\n  \"title\": \"Ministry of Regional Development of the Czech Republic Launches Public Bug Bounty Program with Hackrate\",\n  \"description\": \"The Ministry of Regional Development of the Czech Republic partners with Hackrate to launch a public bug bounty program—empowering ethical hackers to strengthen national cybersecurity and set a precedent for the European public sector.\",\n  \"author\": \"Balazs Pozner\",\n  \"authorURL\": \"https://twitter.com/hackrate\",\n  \"date\": \"2025-07-16T09:00:00.000Z\",\n  \"image\": \"/img/blog/Ministry-of-Regional-Development-of-the-Czech-Republic-Launches-Public-Bug-Bounty-Program-with-Hackrate.png\",\n  \"tags\": [\"security-testing\", \"ethical-hacking\", \"news\", \"hackrate\"]\n};\nvar layoutProps = {\n  _frontmatter: _frontmatter\n};\nvar 
MDXLayout = \"wrapper\";\nreturn function MDXContent(_ref) {\n  var components = _ref.components,\n    props = _objectWithoutProperties(_ref, _excluded);\n  return mdx(MDXLayout, _extends({}, layoutProps, props, {\n    components: components,\n    mdxType: \"MDXLayout\"\n  }), mdx(\"p\", null, \"We\\u2019re proud to announce that the Ministry of Regional Development of the Czech Republic (MMR) is launching its public bug bounty program on July 16, in partnership with Hackrate.\"), mdx(\"p\", null, \"This marks a significant milestone\\u2014not only for the Ministry but for the broader European public sector. Government institutions rarely open their systems to ethical hackers, but MMR is taking a bold, forward-thinking step to strengthen its cybersecurity posture through crowdsourced security testing.\"), mdx(\"h2\", {\n    \"id\": \"why-a-bug-bounty-program\",\n    \"style\": {\n      \"position\": \"relative\"\n    }\n  }, mdx(\"a\", {\n    parentName: \"h2\",\n    \"href\": \"#why-a-bug-bounty-program\",\n    \"aria-label\": \"why a bug bounty program permalink\",\n    \"className\": \"anchor before\"\n  }, mdx(\"svg\", {\n    parentName: \"a\",\n    \"aria-hidden\": \"true\",\n    \"focusable\": \"false\",\n    \"height\": \"16\",\n    \"version\": \"1.1\",\n    \"viewBox\": \"0 0 16 16\",\n    \"width\": \"16\"\n  }, mdx(\"path\", {\n    parentName: \"svg\",\n    \"fillRule\": \"evenodd\",\n    \"d\": \"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"\n  }))), \"Why a Bug Bounty Program?\"), mdx(\"p\", null, \"The Ministry operates a diverse range of IT systems that support critical public services. 
Recognizing the complexity, they\\u2019ve chosen to engage Hackrate\\u2019s global community of ethical hackers to identify and report vulnerabilities before malicious actors can exploit them.\"), mdx(\"p\", null, \"This approach ensures a broad spectrum of expertise and attack perspectives, far beyond what traditional security assessments can offer.\"), mdx(\"h2\", {\n    \"id\": \"how-the-bug-bounty-program-works\",\n    \"style\": {\n      \"position\": \"relative\"\n    }\n  }, mdx(\"a\", {\n    parentName: \"h2\",\n    \"href\": \"#how-the-bug-bounty-program-works\",\n    \"aria-label\": \"how the bug bounty program works permalink\",\n    \"className\": \"anchor before\"\n  }, mdx(\"svg\", {\n    parentName: \"a\",\n    \"aria-hidden\": \"true\",\n    \"focusable\": \"false\",\n    \"height\": \"16\",\n    \"version\": \"1.1\",\n    \"viewBox\": \"0 0 16 16\",\n    \"width\": \"16\"\n  }, mdx(\"path\", {\n    parentName: \"svg\",\n    \"fillRule\": \"evenodd\",\n    \"d\": \"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"\n  }))), \"How the Bug Bounty Program Works\"), mdx(\"p\", null, \"MMR\\u2019s program is unmanaged, meaning their internal security team is directly responsible for triaging and validating the vulnerability reports submitted by ethical hackers. 
This model gives them full control over the process while benefiting from the scale and diversity of the hacker community.\"), mdx(\"p\", null, \"To incentivize high-quality research, the Ministry has committed to awarding up to \\u20AC1000 for valid reports submitted during the testing phase - a strong commitment to meaningful collaboration with the ethical hacking community.\"), mdx(\"h2\", {\n    \"id\": \"a-model-for-public-sector-cybersecurity\",\n    \"style\": {\n      \"position\": \"relative\"\n    }\n  }, mdx(\"a\", {\n    parentName: \"h2\",\n    \"href\": \"#a-model-for-public-sector-cybersecurity\",\n    \"aria-label\": \"a model for public sector cybersecurity permalink\",\n    \"className\": \"anchor before\"\n  }, mdx(\"svg\", {\n    parentName: \"a\",\n    \"aria-hidden\": \"true\",\n    \"focusable\": \"false\",\n    \"height\": \"16\",\n    \"version\": \"1.1\",\n    \"viewBox\": \"0 0 16 16\",\n    \"width\": \"16\"\n  }, mdx(\"path\", {\n    parentName: \"svg\",\n    \"fillRule\": \"evenodd\",\n    \"d\": \"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"\n  }))), \"A Model for Public Sector Cybersecurity\"), mdx(\"p\", null, \"At Hackrate, we believe that transparency, collaboration, and continuous testing are essential pillars of modern cybersecurity. 
The Ministry\\u2019s decision to go public with their bug bounty program sets a powerful example for other government institutions across Europe.\"), mdx(\"p\", null, \"We\\u2019re honored to support this initiative and excited to see the impact of ethical hacking in securing public digital infrastructure.\"));\n}\n;\nMDXContent.isMDXComponent = true;","slug":"/blog/Ministry-of-Regional-Development-of-the-Czech-Republic-Launches-Public-Bug-Bounty-Program-with-Hackrate/","timeToRead":"2 min read","date":"July 16, 2025","dateString":"July 16, 2025","datePublishedSeoFormat":"2025-07-16","title":"Ministry of Regional Development of the Czech Republic Launches Public Bug Bounty Program with Hackrate","excerpt":"The Ministry of Regional Development of the Czech Republic partners with Hackrate to launch a public bug bounty program—empowering ethical hackers to strengthen national cybersecurity and set a precedent for the European public sector.","tags":["security-testing","ethical-hacking","news","hackrate"],"lastModificationTime":null,"lastModificationTimeString":null,"dateModifiedSeoFormat":null,"hero":{"full":{"base64":"data:image/png;base64,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","aspectRatio":1.78397212543554,"src":"/static/2459a3ea6baa8df39cff580d4b2af5a0/57f38/Ministry-of-Regional-Development-of-the-Czech-Republic-Launches-Public-Bug-Bounty-Program-with-Hackrate.png","srcSet":"/static/2459a3ea6baa8df39cff580d4b2af5a0/6ba37/Ministry-of-Regional-Development-of-the-Czech-Republic-Launches-Public-Bug-Bounty-Program-with-Hackrate.png 512w,\n/static/2459a3ea6baa8df39cff580d4b2af5a0/57f38/Ministry-of-Regional-Development-of-the-Czech-Republic-Launches-Public-Bug-Bounty-Program-with-Hackrate.png 
904w","srcWebp":"/static/2459a3ea6baa8df39cff580d4b2af5a0/491d1/Ministry-of-Regional-Development-of-the-Czech-Republic-Launches-Public-Bug-Bounty-Program-with-Hackrate.webp","srcSetWebp":"/static/2459a3ea6baa8df39cff580d4b2af5a0/e4e36/Ministry-of-Regional-Development-of-the-Czech-Republic-Launches-Public-Bug-Bounty-Program-with-Hackrate.webp 512w,\n/static/2459a3ea6baa8df39cff580d4b2af5a0/491d1/Ministry-of-Regional-Development-of-the-Czech-Republic-Launches-Public-Bug-Bounty-Program-with-Hackrate.webp 904w","sizes":"(max-width: 904px) 100vw, 904px"}},"commentId":"/blog/Ministry-of-Regional-Development-of-the-Czech-Republic-Launches-Public-Bug-Bounty-Program-with-Hackrate/","tableOfContents":{"items":[{"url":"#why-a-bug-bounty-program","title":"Why a Bug Bounty Program?"},{"url":"#how-the-bug-bounty-program-works","title":"How the Bug Bounty Program Works"},{"url":"#a-model-for-public-sector-cybersecurity","title":"A Model for Public Sector Cybersecurity"}]},"lastModifiedTime":"2025-07-16T09:00:00.000Z","lastModifiedTimeString":"July 16, 2025"},{"id":"00f9494e-36e8-589b-b437-0e28ef553904","author":"Levente Molnar","body":"var _excluded = [\"components\"];\nfunction _extends() { _extends = Object.assign ? 
Object.assign.bind() : function (target) { for (var i = 1; i < arguments.length; i++) { var source = arguments[i]; for (var key in source) { if (Object.prototype.hasOwnProperty.call(source, key)) { target[key] = source[key]; } } } return target; }; return _extends.apply(this, arguments); }\nfunction _objectWithoutProperties(source, excluded) { if (source == null) return {}; var target = _objectWithoutPropertiesLoose(source, excluded); var key, i; if (Object.getOwnPropertySymbols) { var sourceSymbolKeys = Object.getOwnPropertySymbols(source); for (i = 0; i < sourceSymbolKeys.length; i++) { key = sourceSymbolKeys[i]; if (excluded.indexOf(key) >= 0) continue; if (!Object.prototype.propertyIsEnumerable.call(source, key)) continue; target[key] = source[key]; } } return target; }\nfunction _objectWithoutPropertiesLoose(source, excluded) { if (source == null) return {}; var target = {}; var sourceKeys = Object.keys(source); var key, i; for (i = 0; i < sourceKeys.length; i++) { key = sourceKeys[i]; if (excluded.indexOf(key) >= 0) continue; target[key] = source[key]; } return target; }\n/* @jsxRuntime classic */\n/* @jsx mdx */\n\nvar _frontmatter = {\n  \"templateKey\": \"blog-post\",\n  \"title\": \"Measuring the Success of Bug Bounty Programs: Outdated vs. 
Modern Approaches\",\n  \"description\": \"Shift from outdated metrics to advanced methods with Hackrate’s HackGATE to monitor the success of your Bug Bounty Programs.\",\n  \"author\": \"Levente Molnar\",\n  \"authorURL\": \"https://twitter.com/hackrate\",\n  \"date\": \"2025-03-25T09:00:00.000Z\",\n  \"image\": \"/img/blog/Measuring-the-Success-of-Bug-Bounty-Programs--Outdated-vs-Modern-Approaches.png\",\n  \"tags\": [\"security-testing\", \"ethical-hacking\", \"news\"]\n};\nvar layoutProps = {\n  _frontmatter: _frontmatter\n};\nvar MDXLayout = \"wrapper\";\nreturn function MDXContent(_ref) {\n  var components = _ref.components,\n    props = _objectWithoutProperties(_ref, _excluded);\n  return mdx(MDXLayout, _extends({}, layoutProps, props, {\n    components: components,\n    mdxType: \"MDXLayout\"\n  }), mdx(\"p\", null, \"Bug bounty programs have matured significantly over time, making it evident that traditional methods for evaluating their success are no longer sufficient. To truly understand the impact of a bug bounty program today, organizations must adopt advanced metrics. These metrics should prioritize the severity of vulnerabilities discovered, the quality of researcher interactions, and the insights derived from continuous monitoring.\"), mdx(\"p\", null, mdx(\"a\", {\n    parentName: \"p\",\n    \"href\": \"https://www.hckrt.com/\",\n    \"target\": \"_blank\",\n    \"rel\": \"nofollow noopener\"\n  }, \"Hackrate\\u2019s\"), \"  \", mdx(\"a\", {\n    parentName: \"p\",\n    \"href\": \"https://hackgate.io/\",\n    \"target\": \"_blank\",\n    \"rel\": \"nofollow noopener\"\n  }, \"HackGATE\"), \"  offers a transformative approach, equipping organizations with the tools to gain unparalleled control and visibility over their bug bounty programs. 
This article revisits outdated evaluation techniques and highlights modern strategies that deliver actionable results.\"), mdx(\"h2\", {\n    \"id\": \"outdated-methods-to-gauge-bug-bounty-program-impact\",\n    \"style\": {\n      \"position\": \"relative\"\n    }\n  }, mdx(\"a\", {\n    parentName: \"h2\",\n    \"href\": \"#outdated-methods-to-gauge-bug-bounty-program-impact\",\n    \"aria-label\": \"outdated methods to gauge bug bounty program impact permalink\",\n    \"className\": \"anchor before\"\n  }, mdx(\"svg\", {\n    parentName: \"a\",\n    \"aria-hidden\": \"true\",\n    \"focusable\": \"false\",\n    \"height\": \"16\",\n    \"version\": \"1.1\",\n    \"viewBox\": \"0 0 16 16\",\n    \"width\": \"16\"\n  }, mdx(\"path\", {\n    parentName: \"svg\",\n    \"fillRule\": \"evenodd\",\n    \"d\": \"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"\n  }))), \"Outdated Methods to Gauge Bug Bounty Program Impact\"), mdx(\"h3\", {\n    \"id\": \"1-counting-bugs-vs-prioritizing-report-quality\",\n    \"style\": {\n      \"position\": \"relative\"\n    }\n  }, mdx(\"a\", {\n    parentName: \"h3\",\n    \"href\": \"#1-counting-bugs-vs-prioritizing-report-quality\",\n    \"aria-label\": \"1 counting bugs vs prioritizing report quality permalink\",\n    \"className\": \"anchor before\"\n  }, mdx(\"svg\", {\n    parentName: \"a\",\n    \"aria-hidden\": \"true\",\n    \"focusable\": \"false\",\n    \"height\": \"16\",\n    \"version\": \"1.1\",\n    \"viewBox\": \"0 0 16 16\",\n    \"width\": \"16\"\n  }, mdx(\"path\", {\n    parentName: \"svg\",\n    \"fillRule\": \"evenodd\",\n    \"d\": \"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 
3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"\n  }))), \"1. Counting Bugs vs. Prioritizing Report Quality\"), mdx(\"p\", null, \"Early bug bounty programs often measured success by the sheer number of reported vulnerabilities. However, this approach is flawed, as it overlooks the critical factors of severity and relevance.\"), mdx(\"p\", null, \"Similarly, gauging success through the number of payouts can be misleading, as it prioritizes volume over the overall effectiveness of the program. This may result in significant vulnerabilities being overlooked.\"), mdx(\"p\", null, mdx(\"strong\", {\n    parentName: \"p\"\n  }, \"The HackGATE Advantage:\"), \"  HackGATE shifts the focus from quantity to quality by implementing a robust triage system. Security teams can now concentrate on critical insights, such as attack types, severity levels, testing duration, HTTP requests, and functionalities assessed. 
This refined approach ensures that only impactful vulnerabilities are prioritized, enhancing the overall effectiveness of the bug bounty program.\"), mdx(\"h3\", {\n    \"id\": \"2-number-of-ethical-hackers-vs-their-expertise\",\n    \"style\": {\n      \"position\": \"relative\"\n    }\n  }, mdx(\"a\", {\n    parentName: \"h3\",\n    \"href\": \"#2-number-of-ethical-hackers-vs-their-expertise\",\n    \"aria-label\": \"2 number of ethical hackers vs their expertise permalink\",\n    \"className\": \"anchor before\"\n  }, mdx(\"svg\", {\n    parentName: \"a\",\n    \"aria-hidden\": \"true\",\n    \"focusable\": \"false\",\n    \"height\": \"16\",\n    \"version\": \"1.1\",\n    \"viewBox\": \"0 0 16 16\",\n    \"width\": \"16\"\n  }, mdx(\"path\", {\n    parentName: \"svg\",\n    \"fillRule\": \"evenodd\",\n    \"d\": \"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"\n  }))), \"2. Number of Ethical Hackers vs. Their Expertise\"), mdx(\"p\", null, \"Traditionally, the success of a bug bounty program was often linked to the number of participating researchers. However, a larger pool of ethical hackers doesn\\u2019t guarantee better results. The true measure of success lies in the skills and expertise of the participants.\"), mdx(\"p\", null, mdx(\"strong\", {\n    parentName: \"p\"\n  }, \"The HackGATE Advantage:\"), \"  HackGATE gives organizations complete control over their pentest participants, allowing them to invite only the most skilled researchers while keeping unauthorized access at bay. 
This targeted approach ensures high-quality findings and peace of mind for the organization.\"), mdx(\"h3\", {\n    \"id\": \"3-activity-logs-vs-real-time-insights\",\n    \"style\": {\n      \"position\": \"relative\"\n    }\n  }, mdx(\"a\", {\n    parentName: \"h3\",\n    \"href\": \"#3-activity-logs-vs-real-time-insights\",\n    \"aria-label\": \"3 activity logs vs real time insights permalink\",\n    \"className\": \"anchor before\"\n  }, mdx(\"svg\", {\n    parentName: \"a\",\n    \"aria-hidden\": \"true\",\n    \"focusable\": \"false\",\n    \"height\": \"16\",\n    \"version\": \"1.1\",\n    \"viewBox\": \"0 0 16 16\",\n    \"width\": \"16\"\n  }, mdx(\"path\", {\n    parentName: \"svg\",\n    \"fillRule\": \"evenodd\",\n    \"d\": \"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"\n  }))), \"3. Activity Logs vs. Real-Time Insights\"), mdx(\"p\", null, \"Relying solely on log-based monitoring is now an outdated practice. Logs often lack real-time context, making it harder to identify and respond to evolving threats. Analyzing log data retrospectively is also time-consuming and prone to inefficiencies.\"), mdx(\"p\", null, mdx(\"strong\", {\n    parentName: \"p\"\n  }, \"The HackGATE Advantage:\"), \"  HackGATE operates as an autonomous, cloud-based platform, independent of pentesters\\u2019 actions. It identifies attack patterns, logs essential security data, and generates compliance-ready reports in real-time. 
This transparency enables organizations to maintain robust testing protocols and establish resilient defenses.\"), mdx(\"h3\", {\n    \"id\": \"4-sole-reliance-on-final-pentest-reports\",\n    \"style\": {\n      \"position\": \"relative\"\n    }\n  }, mdx(\"a\", {\n    parentName: \"h3\",\n    \"href\": \"#4-sole-reliance-on-final-pentest-reports\",\n    \"aria-label\": \"4 sole reliance on final pentest reports permalink\",\n    \"className\": \"anchor before\"\n  }, mdx(\"svg\", {\n    parentName: \"a\",\n    \"aria-hidden\": \"true\",\n    \"focusable\": \"false\",\n    \"height\": \"16\",\n    \"version\": \"1.1\",\n    \"viewBox\": \"0 0 16 16\",\n    \"width\": \"16\"\n  }, mdx(\"path\", {\n    parentName: \"svg\",\n    \"fillRule\": \"evenodd\",\n    \"d\": \"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"\n  }))), \"4. Sole Reliance on Final Pentest Reports\"), mdx(\"p\", null, \"Placing complete trust in a pentest provider\\u2019s final report can leave organizations vulnerable to incomplete testing or a lack of transparency. Without visibility into the testing process, it\\u2019s difficult to assess the thoroughness of the report or address potential gaps.\"), mdx(\"p\", null, mdx(\"strong\", {\n    parentName: \"p\"\n  }, \"The HackGATE Advantage:\"), \"  HackGATE empowers organizations with a centralized dashboard that offers complete visibility into their bug bounty projects. 
From monitoring active researchers to analyzing attack types, testing durations, HTTP requests, and rewards, HackGATE ensures organizations have the insights needed to stay in control and make informed decisions.\"), mdx(\"h2\", {\n    \"id\": \"embracing-advanced-metrics-to-elevate-security\",\n    \"style\": {\n      \"position\": \"relative\"\n    }\n  }, mdx(\"a\", {\n    parentName: \"h2\",\n    \"href\": \"#embracing-advanced-metrics-to-elevate-security\",\n    \"aria-label\": \"embracing advanced metrics to elevate security permalink\",\n    \"className\": \"anchor before\"\n  }, mdx(\"svg\", {\n    parentName: \"a\",\n    \"aria-hidden\": \"true\",\n    \"focusable\": \"false\",\n    \"height\": \"16\",\n    \"version\": \"1.1\",\n    \"viewBox\": \"0 0 16 16\",\n    \"width\": \"16\"\n  }, mdx(\"path\", {\n    parentName: \"svg\",\n    \"fillRule\": \"evenodd\",\n    \"d\": \"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"\n  }))), \"Embracing Advanced Metrics to Elevate Security\"), mdx(\"p\", null, \"As bug bounty programs evolve, it\\u2019s clear that outdated metrics are no longer adequate. 
Organizations must transition to modern evaluation techniques that:\"), mdx(\"ul\", null, mdx(\"li\", {\n    parentName: \"ul\"\n  }, \"Prioritize the quality of bug reports over quantity.\"), mdx(\"li\", {\n    parentName: \"ul\"\n  }, \"Align skilled researchers with program objectives.\"), mdx(\"li\", {\n    parentName: \"ul\"\n  }, \"Leverage real-time insights for proactive decision-making.\"), mdx(\"li\", {\n    parentName: \"ul\"\n  }, \"Encourage open communication and transparency throughout the testing process.\")), mdx(\"p\", null, \"Hackrate\\u2019s HackGATE is designed to help organizations achieve these goals, providing a platform that streamlines bug bounty management and delivers actionable insights. By adopting advanced metrics and leveraging innovative tools, organizations can enhance their security posture, adapt to the ever-changing threat landscape, and drive meaningful results from their bug bounty programs.\"), mdx(\"p\", null, \"Ready to transform your bug bounty program? Discover how  \", mdx(\"a\", {\n    parentName: \"p\",\n    \"href\": \"https://www.hckrt.com/\",\n    \"target\": \"_blank\",\n    \"rel\": \"nofollow noopener\"\n  }, \"Hackrate\"), \"  and  \", mdx(\"a\", {\n    parentName: \"p\",\n    \"href\": \"https://hackgate.io/\",\n    \"target\": \"_blank\",\n    \"rel\": \"nofollow noopener\"\n  }, \"HackGATE\"), \"  can elevate your approach to security testing.\"), mdx(\"p\", null, \"Explore the continuous evolution of security solutions with us.\"));\n}\n;\nMDXContent.isMDXComponent = true;","slug":"/blog/Measuring-the-Success-of-Bug-Bounty-Programs--Outdated-vs-Modern-Approaches/","timeToRead":"4 min read","date":"March 25, 2025","dateString":"March 25, 2025","datePublishedSeoFormat":"2025-03-25","title":"Measuring the Success of Bug Bounty Programs: Outdated vs. 
Modern Approaches","excerpt":"Shift from outdated metrics to advanced methods with Hackrate’s HackGATE to monitor the success of your Bug Bounty Programs.","tags":["security-testing","ethical-hacking","news"],"lastModificationTime":null,"lastModificationTimeString":null,"dateModifiedSeoFormat":null,"hero":{"full":{"base64":"data:image/png;base64,","aspectRatio":1.78397212543554,"src":"/static/ebc0b01272c5720b97733408619cfb7c/3ba25/Measuring-the-Success-of-Bug-Bounty-Programs--Outdated-vs-Modern-Approaches.png","srcSet":"/static/ebc0b01272c5720b97733408619cfb7c/6ba37/Measuring-the-Success-of-Bug-Bounty-Programs--Outdated-vs-Modern-Approaches.png 512w,\n/static/ebc0b01272c5720b97733408619cfb7c/4e530/Measuring-the-Success-of-Bug-Bounty-Programs--Outdated-vs-Modern-Approaches.png 1024w,\n/static/ebc0b01272c5720b97733408619cfb7c/3ba25/Measuring-the-Success-of-Bug-Bounty-Programs--Outdated-vs-Modern-Approaches.png 
2000w","srcWebp":"/static/ebc0b01272c5720b97733408619cfb7c/6e77b/Measuring-the-Success-of-Bug-Bounty-Programs--Outdated-vs-Modern-Approaches.webp","srcSetWebp":"/static/ebc0b01272c5720b97733408619cfb7c/e4e36/Measuring-the-Success-of-Bug-Bounty-Programs--Outdated-vs-Modern-Approaches.webp 512w,\n/static/ebc0b01272c5720b97733408619cfb7c/e0f73/Measuring-the-Success-of-Bug-Bounty-Programs--Outdated-vs-Modern-Approaches.webp 1024w,\n/static/ebc0b01272c5720b97733408619cfb7c/6e77b/Measuring-the-Success-of-Bug-Bounty-Programs--Outdated-vs-Modern-Approaches.webp 2000w","sizes":"(max-width: 2000px) 100vw, 2000px"}},"commentId":"/blog/Measuring-the-Success-of-Bug-Bounty-Programs--Outdated-vs-Modern-Approaches/","tableOfContents":{"items":[{"url":"#outdated-methods-to-gauge-bug-bounty-program-impact","title":"Outdated Methods to Gauge Bug Bounty Program Impact","items":[{"url":"#1-counting-bugs-vs-prioritizing-report-quality","title":"1. Counting Bugs vs. Prioritizing Report Quality"},{"url":"#2-number-of-ethical-hackers-vs-their-expertise","title":"2. Number of Ethical Hackers vs. Their Expertise"},{"url":"#3-activity-logs-vs-real-time-insights","title":"3. Activity Logs vs. Real-Time Insights"},{"url":"#4-sole-reliance-on-final-pentest-reports","title":"4. Sole Reliance on Final Pentest Reports"}]},{"url":"#embracing-advanced-metrics-to-elevate-security","title":"Embracing Advanced Metrics to Elevate Security"}]},"lastModifiedTime":"2025-03-25T09:00:00.000Z","lastModifiedTimeString":"March 25, 2025"}],"previous":{"id":"dcbfe952-f30c-57b1-80b8-337571d2160d","author":"Samuele Gugliotta","body":"var _excluded = [\"components\"];\nfunction _extends() { _extends = Object.assign ? 
Object.assign.bind() : function (target) { for (var i = 1; i < arguments.length; i++) { var source = arguments[i]; for (var key in source) { if (Object.prototype.hasOwnProperty.call(source, key)) { target[key] = source[key]; } } } return target; }; return _extends.apply(this, arguments); }\nfunction _objectWithoutProperties(source, excluded) { if (source == null) return {}; var target = _objectWithoutPropertiesLoose(source, excluded); var key, i; if (Object.getOwnPropertySymbols) { var sourceSymbolKeys = Object.getOwnPropertySymbols(source); for (i = 0; i < sourceSymbolKeys.length; i++) { key = sourceSymbolKeys[i]; if (excluded.indexOf(key) >= 0) continue; if (!Object.prototype.propertyIsEnumerable.call(source, key)) continue; target[key] = source[key]; } } return target; }\nfunction _objectWithoutPropertiesLoose(source, excluded) { if (source == null) return {}; var target = {}; var sourceKeys = Object.keys(source); var key, i; for (i = 0; i < sourceKeys.length; i++) { key = sourceKeys[i]; if (excluded.indexOf(key) >= 0) continue; target[key] = source[key]; } return target; }\n/* @jsxRuntime classic */\n/* @jsx mdx */\n\nvar _frontmatter = {\n  \"templateKey\": \"blog-post\",\n  \"title\": \"thisclosed_#3\",\n  \"description\": \"Arbitrary File Upload via External Files Feature Allows Client-Side Remote Code Execution\",\n  \"author\": \"Samuele Gugliotta\",\n  \"authorURL\": \"https://twitter.com/hackrate\",\n  \"date\": \"2026-04-14T16:00:00.000Z\",\n  \"image\": \"/img/blog/thisclosed-3-cover.png\",\n  \"draft\": false,\n  \"tags\": [\"bug-bounty\", \"security-testing\", \"ethical-hacking\", \"writeup\"]\n};\nvar layoutProps = {\n  _frontmatter: _frontmatter\n};\nvar MDXLayout = \"wrapper\";\nreturn function MDXContent(_ref) {\n  var components = _ref.components,\n    props = _objectWithoutProperties(_ref, _excluded);\n  return mdx(MDXLayout, _extends({}, layoutProps, props, {\n    components: components,\n    mdxType: \"MDXLayout\"\n  }), mdx(\"h2\", {\n    
\"id\": \"summary\",\n    \"style\": {\n      \"position\": \"relative\"\n    }\n  }, mdx(\"a\", {\n    parentName: \"h2\",\n    \"href\": \"#summary\",\n    \"aria-label\": \"summary permalink\",\n    \"className\": \"anchor before\"\n  }, mdx(\"svg\", {\n    parentName: \"a\",\n    \"aria-hidden\": \"true\",\n    \"focusable\": \"false\",\n    \"height\": \"16\",\n    \"version\": \"1.1\",\n    \"viewBox\": \"0 0 16 16\",\n    \"width\": \"16\"\n  }, mdx(\"path\", {\n    parentName: \"svg\",\n    \"fillRule\": \"evenodd\",\n    \"d\": \"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"\n  }))), \"Summary\"), mdx(\"p\", null, \"During an assessment of a web-based platform (hereinafter referred to as \", mdx(\"strong\", {\n    parentName: \"p\"\n  }, \"[REDACTED]\"), \"), I identified a critical vulnerability in the file upload mechanism exposed through the \", mdx(\"strong\", {\n    parentName: \"p\"\n  }, \"External Files\"), \" feature within the project dashboard. This feature is designed to allow authenticated users to import supplementary documentation, such as \", mdx(\"inlineCode\", {\n    parentName: \"p\"\n  }, \".txt\"), \" and \", mdx(\"inlineCode\", {\n    parentName: \"p\"\n  }, \".md\"), \" files, to enrich project requirements.\"), mdx(\"p\", null, \"The user interface explicitly enforces the following constraints:\"), mdx(\"blockquote\", null, mdx(\"p\", {\n    parentName: \"blockquote\"\n  }, \"Allowed: .txt, .md files only \\xB7 Max 5 files \\xB7 Max 10KB per file\")), mdx(\"p\", null, \"However, these restrictions exist solely on the client side. The backend performs no validation whatsoever on the file extension, MIME type, or content body. 
By intercepting the upload request and manipulating the relevant fields, an attacker can submit arbitrary file types, including formats capable of executing code on the client\\u2019s machine upon download and execution. This class of vulnerability is formally catalogued as \", mdx(\"a\", {\n    parentName: \"p\",\n    \"href\": \"https://cwe.mitre.org/data/definitions/434.html\",\n    \"target\": \"_blank\",\n    \"rel\": \"nofollow noopener\"\n  }, \"CWE-434: Unrestricted Upload of File with Dangerous Type\"), \".\"), mdx(\"p\", null, mdx(\"img\", {\n    parentName: \"p\",\n    \"src\": \"https://cwe.mitre.org/data/images/CWE-434-Diagram.png\",\n    \"alt\": \"CWE-434 Diagram\"\n  })), mdx(\"p\", null, \"To demonstrate the severity of this flaw, I crafted and uploaded a \", mdx(\"inlineCode\", {\n    parentName: \"p\"\n  }, \".hta\"), \" file containing an ActiveX-based payload. When downloaded and opened on a Windows system, the file was processed by \", mdx(\"inlineCode\", {\n    parentName: \"p\"\n  }, \"mshta.exe\"), \", launching \", mdx(\"inlineCode\", {\n    parentName: \"p\"\n  }, \"calc.exe\"), \" as a benign proof of execution. 
Additional executable formats, including \", mdx(\"inlineCode\", {\n    parentName: \"p\"\n  }, \".html\"), \" and \", mdx(\"inlineCode\", {\n    parentName: \"p\"\n  }, \".exe\"), \", were also tested and accepted without restriction.\"), mdx(\"h2\", {\n    \"id\": \"technical-analysis\",\n    \"style\": {\n      \"position\": \"relative\"\n    }\n  }, mdx(\"a\", {\n    parentName: \"h2\",\n    \"href\": \"#technical-analysis\",\n    \"aria-label\": \"technical analysis permalink\",\n    \"className\": \"anchor before\"\n  }, mdx(\"svg\", {\n    parentName: \"a\",\n    \"aria-hidden\": \"true\",\n    \"focusable\": \"false\",\n    \"height\": \"16\",\n    \"version\": \"1.1\",\n    \"viewBox\": \"0 0 16 16\",\n    \"width\": \"16\"\n  }, mdx(\"path\", {\n    parentName: \"svg\",\n    \"fillRule\": \"evenodd\",\n    \"d\": \"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"\n  }))), \"Technical Analysis\"), mdx(\"h3\", {\n    \"id\": \"upload-mechanism-and-client-side-only-validation-gap\",\n    \"style\": {\n      \"position\": \"relative\"\n    }\n  }, mdx(\"a\", {\n    parentName: \"h3\",\n    \"href\": \"#upload-mechanism-and-client-side-only-validation-gap\",\n    \"aria-label\": \"upload mechanism and client side only validation gap permalink\",\n    \"className\": \"anchor before\"\n  }, mdx(\"svg\", {\n    parentName: \"a\",\n    \"aria-hidden\": \"true\",\n    \"focusable\": \"false\",\n    \"height\": \"16\",\n    \"version\": \"1.1\",\n    \"viewBox\": \"0 0 16 16\",\n    \"width\": \"16\"\n  }, mdx(\"path\", {\n    parentName: \"svg\",\n    \"fillRule\": \"evenodd\",\n    \"d\": \"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 
3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"\n  }))), \"Upload mechanism and client-side-only validation gap\"), mdx(\"p\", null, \"The \", mdx(\"strong\", {\n    parentName: \"p\"\n  }, \"External Files\"), \" section resides within the project dashboard and serves as a repository for supplementary project documentation. File uploads are dispatched via a \", mdx(\"inlineCode\", {\n    parentName: \"p\"\n  }, \"POST\"), \" request to the following endpoint:\"), mdx(\"pre\", null, mdx(\"code\", {\n    parentName: \"pre\"\n  }, \"/api/app/uiengine/odata/[REDACTED]/modules/projectDashboard/pages/components/InputsTab/ExternalTools/$batch\\n\")), mdx(\"p\", null, \"The request body is a JSON structure containing file metadata and content:\"), mdx(\"pre\", null, mdx(\"code\", {\n    parentName: \"pre\",\n    \"className\": \"language-json\"\n  }, \"{\\n  \\\"requests\\\": [\\n    {\\n      \\\"method\\\": \\\"POST\\\",\\n      \\\"body\\\": {\\n        \\\"projectId\\\": [REDACTED],\\n        \\\"fileName\\\": \\\"sample.txt\\\",\\n        \\\"fileType\\\": \\\"text/plain\\\",\\n        \\\"uploadData\\\": {\\n          \\\"content\\\": \\\"Lorem Ipsum.\\\",\\n          \\\"uploadDate\\\": \\\"2025-07-15T22:58:51.555Z\\\"\\n        }\\n      },\\n      \\\"id\\\": \\\"86\\\",\\n      \\\"atomicityGroup\\\": \\\"86\\\",\\n      \\\"url\\\": \\\"[REDACTED]\\\"\\n    }\\n  ]\\n}\\n\")), mdx(\"p\", null, \"Three fields govern the upload behavior:\"), mdx(\"ul\", null, mdx(\"li\", {\n    parentName: \"ul\"\n  }, mdx(\"strong\", {\n    parentName: \"li\"\n  }, mdx(\"inlineCode\", {\n    parentName: \"strong\"\n  }, \"fileName\")), \": determines the displayed name and file extension.\"), mdx(\"li\", {\n    parentName: \"ul\"\n  }, mdx(\"strong\", {\n    parentName: 
\"li\"\n  }, mdx(\"inlineCode\", {\n    parentName: \"strong\"\n  }, \"fileType\")), \": declares the MIME type.\"), mdx(\"li\", {\n    parentName: \"ul\"\n  }, mdx(\"strong\", {\n    parentName: \"li\"\n  }, mdx(\"inlineCode\", {\n    parentName: \"strong\"\n  }, \"uploadData.content\")), \": carries the full file content as a string.\")), mdx(\"p\", null, \"None of these fields undergo server-side sanitization or validation. The backend accepts whatever the client provides, persists the file, and surfaces it in the UI as a downloadable asset. No questions asked.\"), mdx(\"p\", null, mdx(\"img\", {\n    parentName: \"p\",\n    \"src\": \"https://media0.giphy.com/media/v1.Y2lkPTc5MGI3NjExM2Z4eThsNWZ0bHgwcWp0Y2ZmNTUxY3I3NWoybnAxeWQ2aGwzZXhkcyZlcD12MV9pbnRlcm5hbF9naWZfYnlfaWQmY3Q9Zw/CiZ9e5IUPqeVFzc8Mp/giphy.gif\",\n    \"alt\": null\n  })), mdx(\"p\", null, \"This is a textbook instance of misplaced trust in client-side controls. The restrictions visible in the UI (file type allowlist, size cap, file count limit) are enforced entirely within the browser\\u2019s JavaScript context. Any user with a web proxy, or even the browser\\u2019s built-in developer tools, can bypass these constraints trivially. Client-side validation serves a legitimate purpose as a usability layer: it provides immediate feedback and prevents accidental misuse. But it must never be the sole enforcement mechanism for security-relevant constraints. 
Without a corresponding server-side allowlist that independently verifies the file extension, inspects the MIME type, and ideally validates the content\\u2019s magic bytes against expected signatures, the upload endpoint is functionally unrestricted.\"), mdx(\"h3\", {\n    \"id\": \"exploiting-the-lack-of-server-side-validation-to-weaponize-a-hta-payload\",\n    \"style\": {\n      \"position\": \"relative\"\n    }\n  }, mdx(\"a\", {\n    parentName: \"h3\",\n    \"href\": \"#exploiting-the-lack-of-server-side-validation-to-weaponize-a-hta-payload\",\n    \"aria-label\": \"exploiting the lack of server side validation to weaponize a hta payload permalink\",\n    \"className\": \"anchor before\"\n  }, mdx(\"svg\", {\n    parentName: \"a\",\n    \"aria-hidden\": \"true\",\n    \"focusable\": \"false\",\n    \"height\": \"16\",\n    \"version\": \"1.1\",\n    \"viewBox\": \"0 0 16 16\",\n    \"width\": \"16\"\n  }, mdx(\"path\", {\n    parentName: \"svg\",\n    \"fillRule\": \"evenodd\",\n    \"d\": \"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"\n  }))), \"Exploiting the lack of server-side validation to weaponize a \", mdx(\"inlineCode\", {\n    parentName: \"h3\"\n  }, \".hta\"), \" payload\"), mdx(\"p\", null, \"The exploitation is, frankly, trivial. By intercepting a legitimate \", mdx(\"inlineCode\", {\n    parentName: \"p\"\n  }, \".txt\"), \" upload with a web proxy, the attacker gains full control over the JSON payload before it reaches the server. 
Replacing \", mdx(\"inlineCode\", {\n    parentName: \"p\"\n  }, \"fileName\"), \" with \", mdx(\"inlineCode\", {\n    parentName: \"p\"\n  }, \"payload.hta\"), \", \", mdx(\"inlineCode\", {\n    parentName: \"p\"\n  }, \"fileType\"), \" with \", mdx(\"inlineCode\", {\n    parentName: \"p\"\n  }, \"application/hta\"), \", and injecting executable HTA markup into \", mdx(\"inlineCode\", {\n    parentName: \"p\"\n  }, \"uploadData.content\"), \" is all it takes:\"), mdx(\"pre\", null, mdx(\"code\", {\n    parentName: \"pre\",\n    \"className\": \"language-json\"\n  }, \"{\\n  \\\"requests\\\": [\\n    {\\n      \\\"method\\\": \\\"POST\\\",\\n      \\\"body\\\": {\\n        \\\"projectId\\\": [REDACTED],\\n        \\\"fileName\\\": \\\"payload.hta\\\",\\n        \\\"fileType\\\": \\\"application/hta\\\",\\n        \\\"uploadData\\\": {\\n          \\\"content\\\": \\\"<html><head><script>var shell = new ActiveXObject(\\\\\\\"WScript.Shell\\\\\\\");shell.Run(\\\\\\\"calc.exe\\\\\\\");</script></head><body></body></html>\\\",\\n          \\\"uploadDate\\\": \\\"2025-07-15T22:58:51.555Z\\\"\\n        }\\n      },\\n      \\\"id\\\": \\\"86\\\",\\n      \\\"atomicityGroup\\\": \\\"86\\\",\\n      \\\"url\\\": \\\"[REDACTED]\\\"\\n    }\\n  ]\\n}\\n\")), mdx(\"p\", null, \"The upload succeeds. 
The weaponized \", mdx(\"inlineCode\", {\n    parentName: \"p\"\n  }, \".hta\"), \" file appears in the UI alongside legitimate documents, available for download, waiting for a user to open it.\"), mdx(\"p\", null, mdx(\"img\", {\n    parentName: \"p\",\n    \"src\": \"https://media0.giphy.com/media/v1.Y2lkPTc5MGI3NjExZHI5Z3IxZTVrdTRic2NnbjRuNTczaHVrdzBjdm8weTVyOWRxbXR4ZyZlcD12MV9pbnRlcm5hbF9naWZfYnlfaWQmY3Q9Zw/KF1qNYHUi8wwTNIUUm/giphy.gif\",\n    \"alt\": null\n  })), mdx(\"h3\", {\n    \"id\": \"why-did-i-choose-hta-for-the-poc-here-is-the-rationale\",\n    \"style\": {\n      \"position\": \"relative\"\n    }\n  }, mdx(\"a\", {\n    parentName: \"h3\",\n    \"href\": \"#why-did-i-choose-hta-for-the-poc-here-is-the-rationale\",\n    \"aria-label\": \"why did i choose hta for the poc here is the rationale permalink\",\n    \"className\": \"anchor before\"\n  }, mdx(\"svg\", {\n    parentName: \"a\",\n    \"aria-hidden\": \"true\",\n    \"focusable\": \"false\",\n    \"height\": \"16\",\n    \"version\": \"1.1\",\n    \"viewBox\": \"0 0 16 16\",\n    \"width\": \"16\"\n  }, mdx(\"path\", {\n    parentName: \"svg\",\n    \"fillRule\": \"evenodd\",\n    \"d\": \"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"\n  }))), \"Why did I choose \", mdx(\"inlineCode\", {\n    parentName: \"h3\"\n  }, \".hta\"), \" for the PoC? Here is the rationale\"), mdx(\"p\", null, mdx(\"img\", {\n    parentName: \"p\",\n    \"src\": \"https://imgur.com/SobZxvf.jpeg\",\n    \"alt\": null\n  })), mdx(\"p\", null, \"I chose the \", mdx(\"inlineCode\", {\n    parentName: \"p\"\n  }, \".hta\"), \" (HTML Application) format deliberately because of its unique execution model on Windows systems. 
An HTA file is structurally identical to an HTML document, but it operates under an entirely different trust model. When a user opens an \", mdx(\"inlineCode\", {\n    parentName: \"p\"\n  }, \".hta\"), \" file, Windows delegates execution to \", mdx(\"inlineCode\", {\n    parentName: \"p\"\n  }, \"mshta.exe\"), \" (Microsoft HTML Application Host), a signed, native binary located at \", mdx(\"inlineCode\", {\n    parentName: \"p\"\n  }, \"C:\\\\Windows\\\\System32\\\\mshta.exe\"), \". Unlike a standard \", mdx(\"inlineCode\", {\n    parentName: \"p\"\n  }, \".html\"), \" file rendered within a browser\\u2019s sandboxed environment, an HTA executes as a standalone application outside the browser\\u2019s security context. This means it is not subject to Internet Explorer zone restrictions, Protected Mode limitations, or any of the sandboxing controls that browsers impose on web-delivered scripts.\"), mdx(\"p\", null, \"Consequently, scripts embedded in an HTA file run with the full privileges of the current user. They can instantiate COM/ActiveX objects, interact with the Windows Script Host, read and write to the file system, modify the registry, and spawn arbitrary processes. 
In my proof of concept, the payload leveraged this capability to instantiate a \", mdx(\"inlineCode\", {\n    parentName: \"p\"\n  }, \"WScript.Shell\"), \" ActiveX object and invoke \", mdx(\"inlineCode\", {\n    parentName: \"p\"\n  }, \"calc.exe\"), \", a standard and benign demonstration of arbitrary command execution.\"), mdx(\"p\", null, \"From an offensive security perspective, \", mdx(\"inlineCode\", {\n    parentName: \"p\"\n  }, \"mshta.exe\"), \" is classified as a \", mdx(\"a\", {\n    parentName: \"p\",\n    \"href\": \"https://lolbas-project.github.io/lolbas/Binaries/Mshta/\",\n    \"target\": \"_blank\",\n    \"rel\": \"nofollow noopener\"\n  }, \"Living off the Land Binary (LOLBin)\"), \", a category of legitimate, vendor-signed system utilities that attackers routinely co-opt to proxy the execution of malicious code. Because \", mdx(\"inlineCode\", {\n    parentName: \"p\"\n  }, \"mshta.exe\"), \" is a trusted Microsoft binary that ships with every Windows installation, its execution blends seamlessly into normal system activity and is far less likely to trigger behavioral heuristics in endpoint detection products. 
It has its own dedicated entry in the MITRE ATT&CK framework under technique \", mdx(\"a\", {\n    parentName: \"p\",\n    \"href\": \"https://attack.mitre.org/techniques/T1218/005/\",\n    \"target\": \"_blank\",\n    \"rel\": \"nofollow noopener\"\n  }, \"T1218.005 (System Binary Proxy Execution: Mshta)\"), \", and it is actively leveraged by numerous threat actors and malware families in real-world campaigns.\"), mdx(\"p\", null, \"Simple as that.\"), mdx(\"h2\", {\n    \"id\": \"impact\",\n    \"style\": {\n      \"position\": \"relative\"\n    }\n  }, mdx(\"a\", {\n    parentName: \"h2\",\n    \"href\": \"#impact\",\n    \"aria-label\": \"impact permalink\",\n    \"className\": \"anchor before\"\n  }, mdx(\"svg\", {\n    parentName: \"a\",\n    \"aria-hidden\": \"true\",\n    \"focusable\": \"false\",\n    \"height\": \"16\",\n    \"version\": \"1.1\",\n    \"viewBox\": \"0 0 16 16\",\n    \"width\": \"16\"\n  }, mdx(\"path\", {\n    parentName: \"svg\",\n    \"fillRule\": \"evenodd\",\n    \"d\": \"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"\n  }))), \"Impact\"), mdx(\"p\", null, \"While client-side RCE via \", mdx(\"inlineCode\", {\n    parentName: \"p\"\n  }, \".hta\"), \" serves as the most tangible demonstration of this vulnerability, the underlying risk is systemic. The upload mechanism imposes no server-side restrictions on what enters the platform, which means the \", mdx(\"strong\", {\n    parentName: \"p\"\n  }, \"External Files\"), \" feature is, in practice, an unrestricted file distribution channel embedded within a trusted interface.\"), mdx(\"p\", null, \"This has two immediate consequences. 
First, any authenticated user can leverage the feature to deliver executable or otherwise harmful content to anyone who downloads from the same project. Second, in collaborative or multi-user environments, an attacker does not need to phish, redirect, or socially engineer a target through external channels. The payload is already inside the platform, sitting in a shared workspace, served by the application itself.\"), mdx(\"hr\", null), mdx(\"h2\", {\n    \"id\": \"acknowledgements\",\n    \"style\": {\n      \"position\": \"relative\"\n    }\n  }, mdx(\"a\", {\n    parentName: \"h2\",\n    \"href\": \"#acknowledgements\",\n    \"aria-label\": \"acknowledgements permalink\",\n    \"className\": \"anchor before\"\n  }, mdx(\"svg\", {\n    parentName: \"a\",\n    \"aria-hidden\": \"true\",\n    \"focusable\": \"false\",\n    \"height\": \"16\",\n    \"version\": \"1.1\",\n    \"viewBox\": \"0 0 16 16\",\n    \"width\": \"16\"\n  }, mdx(\"path\", {\n    parentName: \"svg\",\n    \"fillRule\": \"evenodd\",\n    \"d\": \"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"\n  }))), \"Acknowledgements\"), mdx(\"p\", null, \"I would like to thank the Hackrate team for their consistently swift and efficient triage throughout this engagement, and the client\\u2019s security team for their responsiveness in addressing the reported issue. 
This finding was part of a private bug bounty program on Hackrate that overall resulted in a \\u20AC\\u20AC\\u20AC\\u20AC bounty payout.\"), mdx(\"p\", null, mdx(\"em\", {\n    parentName: \"p\"\n  }, \"venomnis\")));\n}\n;\nMDXContent.isMDXComponent = true;","slug":"/blog/thisclosed_3/","timeToRead":"6 min read","date":"April 14, 2026","dateString":"April 14, 2026","datePublishedSeoFormat":"2026-04-14","title":"thisclosed_#3","excerpt":"Arbitrary File Upload via External Files Feature Allows Client-Side Remote Code Execution","tags":["bug-bounty","security-testing","ethical-hacking","writeup"],"lastModificationTime":null,"lastModificationTimeString":null,"dateModifiedSeoFormat":null,"hero":{"full":{"base64":"data:image/png;base64,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","aspectRatio":1.7777777777777777,"src":"/static/c788c5bd9803c97cfd624ec66ee322f6/0e6e2/thisclosed-3-cover.png","srcSet":"/static/c788c5bd9803c97cfd624ec66ee322f6/6ba37/thisclosed-3-cover.png 512w,\n/static/c788c5bd9803c97cfd624ec66ee322f6/4e530/thisclosed-3-cover.png 1024w,\n/static/c788c5bd9803c97cfd624ec66ee322f6/0e6e2/thisclosed-3-cover.png 1920w","srcWebp":"/static/c788c5bd9803c97cfd624ec66ee322f6/30cf3/thisclosed-3-cover.webp","srcSetWebp":"/static/c788c5bd9803c97cfd624ec66ee322f6/e4e36/thisclosed-3-cover.webp 512w,\n/static/c788c5bd9803c97cfd624ec66ee322f6/e0f73/thisclosed-3-cover.webp 1024w,\n/static/c788c5bd9803c97cfd624ec66ee322f6/30cf3/thisclosed-3-cover.webp 1920w","sizes":"(max-width: 1920px) 100vw, 1920px"}},"commentId":"/blog/thisclosed_3/","tableOfContents":{"items":[{"url":"#summary","title":"Summary"},{"url":"#technical-analysis","title":"Technical Analysis","items":[{"url":"#upload-mechanism-and-client-side-only-validation-gap","title":"Upload mechanism and client-side-only validation gap"},{"url":"#exploiting-the-lack-of-server-side-validation-to-weaponize-a-hta-payload","title":"Exploiting the lack of server-side validation to weaponize a .hta 
payload"},{"url":"#why-did-i-choose-hta-for-the-poc-here-is-the-rationale","title":"Why did I choose .hta for the PoC? Here is the rationale"}]},{"url":"#impact","title":"Impact"},{"url":"#acknowledgements","title":"Acknowledgements"}]},"lastModifiedTime":"2026-04-14T16:00:00.000Z","lastModifiedTimeString":"April 14, 2026"},"permalink":"https://blog.hckrt.com/blog/CRA--ready-vulnerability-disclosure-with-Hackrate-managed-VDP/"}},"staticQueryHashes":["1209262222","1714442890","2703881467","888479136"]}