{"componentChunkName":"component---src-templates-article-template-js","path":"/blog/When-an-exposed-Google-Maps-key-becomes-an-AI-billing-risk/","result":{"data":{"allWebMentionEntry":{"edges":[]}},"pageContext":{"article":{"id":"29bd1a79-6828-5a3d-addc-930c8d85e65e","author":"Levente Molnar","body":"var _excluded = [\"components\"];\nfunction _extends() { _extends = Object.assign ? Object.assign.bind() : function (target) { for (var i = 1; i < arguments.length; i++) { var source = arguments[i]; for (var key in source) { if (Object.prototype.hasOwnProperty.call(source, key)) { target[key] = source[key]; } } } return target; }; return _extends.apply(this, arguments); }\nfunction _objectWithoutProperties(source, excluded) { if (source == null) return {}; var target = _objectWithoutPropertiesLoose(source, excluded); var key, i; if (Object.getOwnPropertySymbols) { var sourceSymbolKeys = Object.getOwnPropertySymbols(source); for (i = 0; i < sourceSymbolKeys.length; i++) { key = sourceSymbolKeys[i]; if (excluded.indexOf(key) >= 0) continue; if (!Object.prototype.propertyIsEnumerable.call(source, key)) continue; target[key] = source[key]; } } return target; }\nfunction _objectWithoutPropertiesLoose(source, excluded) { if (source == null) return {}; var target = {}; var sourceKeys = Object.keys(source); var key, i; for (i = 0; i < sourceKeys.length; i++) { key = sourceKeys[i]; if (excluded.indexOf(key) >= 0) continue; target[key] = source[key]; } return target; }\n/* @jsxRuntime classic */\n/* @jsx mdx */\n\nvar _frontmatter = {\n  \"templateKey\": \"blog-post\",\n  \"title\": \"When an exposed Google Maps key becomes an AI billing risk\",\n  \"description\": \"This article explains why an exposed Google Maps API key may become a serious billing-abuse risk when the same cloud project also has Gemini or other billable AI APIs enabled. It shows what security teams and penetration testers should check to understand the real impact behind an exposed key.\",\n  \"author\": \"Levente Molnar\",\n  \"authorURL\": \"https://twitter.com/hackrate\",\n  \"date\": \"2026-07-13T18:00:00.000Z\",\n  \"image\": \"/img/blog/When-an-exposed-Google-Maps-key-becomes-an-AI-billing-risk.png\",\n  \"tags\": [\"bug-bounty\", \"ciso\", \"security-testing\", \"ethical-hacking\"]\n};\nvar layoutProps = {\n  _frontmatter: _frontmatter\n};\nvar MDXLayout = \"wrapper\";\nreturn function MDXContent(_ref) {\n  var components = _ref.components,\n    props = _objectWithoutProperties(_ref, _excluded);\n  return mdx(MDXLayout, _extends({}, layoutProps, props, {\n    components: components,\n    mdxType: \"MDXLayout\"\n  }), mdx(\"p\", null, \"Google Maps API keys were often treated as low-risk because they were expected to appear in frontend JavaScript, mobile apps, and public client-side integrations. That assumption is no longer safe when an old, public, unrestricted API key belongs to a Google Cloud project where Gemini or other billable AI APIs are enabled.\"), mdx(\"p\", null, \"The core risk is simple: an exposed Maps key can become a direct billing-abuse credential if attackers can use it to consume expensive AI services.\"), mdx(\"h2\", {\n    \"id\": \"why-exposed-google-api-keys-need-a-second-look\",\n    \"style\": {\n      \"position\": \"relative\"\n    }\n  }, mdx(\"a\", {\n    parentName: \"h2\",\n    \"href\": \"#why-exposed-google-api-keys-need-a-second-look\",\n    \"aria-label\": \"why exposed google api keys need a second look permalink\",\n    \"className\": \"anchor before\"\n  }, mdx(\"svg\", {\n    parentName: \"a\",\n    \"aria-hidden\": \"true\",\n    \"focusable\": \"false\",\n    \"height\": \"16\",\n    \"version\": \"1.1\",\n    \"viewBox\": \"0 0 16 16\",\n    \"width\": \"16\"\n  }, mdx(\"path\", {\n    parentName: \"svg\",\n    \"fillRule\": \"evenodd\",\n    \"d\": \"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"\n  }))), \"Why exposed Google API keys need a second look\"), mdx(\"p\", null, \"For years, Google Maps API keys were handled differently from traditional secrets.\"), mdx(\"p\", null, \"They appeared in websites, mobile applications, documentation, landing pages, no-code tools, CMS templates, and public repositories. This was not always considered a serious exposure. Many teams understood the key as a project identifier used for quota and billing, not as a password.\"), mdx(\"p\", null, \"That view is now incomplete.\"), mdx(\"p\", null, \"The issue is not only that the key is visible. The issue is what the key can do today. A key created years ago for a basic Maps integration may still be active, while the Google Cloud project behind it may have changed. New APIs may have been enabled. Billing may be connected. Ownership may be unclear. Monitoring may be weak.\"), mdx(\"p\", null, \"AI APIs make this more serious because abuse can scale quickly. Attackers do not need to steal customer data, deploy malware, or compromise infrastructure to cause damage. They can simply generate billable requests.\"), mdx(\"p\", null, \"This changes how security teams should assess exposed Google API keys. The finding should not stop at \\u201CGoogle API key exposed.\\u201D The real question is whether the key can call expensive services.\"), mdx(\"h2\", {\n    \"id\": \"the-old-assumption-maps-keys-are-public-anyway\",\n    \"style\": {\n      \"position\": \"relative\"\n    }\n  }, mdx(\"a\", {\n    parentName: \"h2\",\n    \"href\": \"#the-old-assumption-maps-keys-are-public-anyway\",\n    \"aria-label\": \"the old assumption maps keys are public anyway permalink\",\n    \"className\": \"anchor before\"\n  }, mdx(\"svg\", {\n    parentName: \"a\",\n    \"aria-hidden\": \"true\",\n    \"focusable\": \"false\",\n    \"height\": \"16\",\n    \"version\": \"1.1\",\n    \"viewBox\": \"0 0 16 16\",\n    \"width\": \"16\"\n  }, mdx(\"path\", {\n    parentName: \"svg\",\n    \"fillRule\": \"evenodd\",\n    \"d\": \"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"\n  }))), \"The old assumption: Maps keys are public anyway\"), mdx(\"p\", null, \"Many developers learned that some Google API keys are expected to be exposed in client-side code. A website needs to load a map, the browser needs to call Google Maps services, and the key becomes visible in JavaScript.\"), mdx(\"p\", null, \"That created a common assumption:\"), mdx(\"blockquote\", null, mdx(\"p\", {\n    parentName: \"blockquote\"\n  }, \"\\u201CThis key is public anyway, so it is not a real secret.\\u201D\")), mdx(\"p\", null, \"In a narrow context, that assumption made sense. A properly restricted browser key, limited to the required Maps APIs and valid only from approved referrers, has limited impact if exposed.\"), mdx(\"p\", null, \"But many real-world keys are not properly restricted.\"), mdx(\"p\", null, \"Some have no API restrictions. Some have weak referrer rules. Some are reused across applications. Some were created for old marketing sites or mobile apps and then forgotten. Some belong to cloud projects where new services were enabled later.\"), mdx(\"p\", null, \"This is where the risk changes. The key may still look like a Maps key to the developer, but to an attacker it may be a usable credential for other APIs in the same project.\"), mdx(\"h2\", {\n    \"id\": \"how-gemini-changes-the-risk-model\",\n    \"style\": {\n      \"position\": \"relative\"\n    }\n  }, mdx(\"a\", {\n    parentName: \"h2\",\n    \"href\": \"#how-gemini-changes-the-risk-model\",\n    \"aria-label\": \"how gemini changes the risk model permalink\",\n    \"className\": \"anchor before\"\n  }, mdx(\"svg\", {\n    parentName: \"a\",\n    \"aria-hidden\": \"true\",\n    \"focusable\": \"false\",\n    \"height\": \"16\",\n    \"version\": \"1.1\",\n    \"viewBox\": \"0 0 16 16\",\n    \"width\": \"16\"\n  }, mdx(\"path\", {\n    parentName: \"svg\",\n    \"fillRule\": \"evenodd\",\n    \"d\": \"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"\n  }))), \"How Gemini changes the risk model\"), mdx(\"p\", null, \"The critical relationship is between three things:\"), mdx(\"ul\", null, mdx(\"li\", {\n    parentName: \"ul\"\n  }, \"The API key\"), mdx(\"li\", {\n    parentName: \"ul\"\n  }, \"The APIs enabled in the Google Cloud project\"), mdx(\"li\", {\n    parentName: \"ul\"\n  }, \"The restrictions applied to that key\")), mdx(\"p\", null, \"If an API key is unrestricted, it may be usable against more than the service it was originally created for. If Gemini or another usage-based AI API is enabled in the same project, the old key may potentially be used to generate AI requests.\"), mdx(\"p\", null, \"The dangerous sequence looks like this:\"), mdx(\"ol\", null, mdx(\"li\", {\n    parentName: \"ol\"\n  }, \"A company creates a Google API key for Maps.\"), mdx(\"li\", {\n    parentName: \"ol\"\n  }, \"The key is embedded in a website, app, or frontend bundle.\"), mdx(\"li\", {\n    parentName: \"ol\"\n  }, \"Months or years later, Gemini or another billable AI API is enabled in the same Google Cloud project.\"), mdx(\"li\", {\n    parentName: \"ol\"\n  }, \"The old key remains unrestricted or poorly restricted.\"), mdx(\"li\", {\n    parentName: \"ol\"\n  }, \"Attackers find the key through scanning, scraping, reverse engineering, or leaked repositories.\"), mdx(\"li\", {\n    parentName: \"ol\"\n  }, \"The key is tested against AI endpoints.\"), mdx(\"li\", {\n    parentName: \"ol\"\n  }, \"If it works, attackers automate usage.\"), mdx(\"li\", {\n    parentName: \"ol\"\n  }, \"The company receives the bill.\")), mdx(\"p\", null, \"The important point is not that every exposed Maps key can call Gemini. The important point is that security teams must verify the actual permissions and restrictions.\"), mdx(\"p\", null, \"A public key with strong API restrictions and correct application restrictions is a different risk from a public key that can call every enabled API in the project.\"), mdx(\"h2\", {\n    \"id\": \"financial-impact-is-part-of-technical-impact\",\n    \"style\": {\n      \"position\": \"relative\"\n    }\n  }, mdx(\"a\", {\n    parentName: \"h2\",\n    \"href\": \"#financial-impact-is-part-of-technical-impact\",\n    \"aria-label\": \"financial impact is part of technical impact permalink\",\n    \"className\": \"anchor before\"\n  }, mdx(\"svg\", {\n    parentName: \"a\",\n    \"aria-hidden\": \"true\",\n    \"focusable\": \"false\",\n    \"height\": \"16\",\n    \"version\": \"1.1\",\n    \"viewBox\": \"0 0 16 16\",\n    \"width\": \"16\"\n  }, mdx(\"path\", {\n    parentName: \"svg\",\n    \"fillRule\": \"evenodd\",\n    \"d\": \"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"\n  }))), \"Financial impact is part of technical impact\"), mdx(\"p\", null, \"Credential exposure is already a security issue. With usage-based AI services, the business impact can become immediate and measurable.\"), mdx(\"p\", null, \"An attacker abusing an AI-capable API key may be able to:\"), mdx(\"ul\", null, mdx(\"li\", {\n    parentName: \"ul\"\n  }, \"Generate large volumes of AI requests\"), mdx(\"li\", {\n    parentName: \"ul\"\n  }, \"Use expensive models or large context windows\"), mdx(\"li\", {\n    parentName: \"ul\"\n  }, \"Exhaust quotas needed by legitimate users\"), mdx(\"li\", {\n    parentName: \"ul\"\n  }, \"Create unexpected cloud bills\"), mdx(\"li\", {\n    parentName: \"ul\"\n  }, \"Disrupt services during billing or quota issues\"), mdx(\"li\", {\n    parentName: \"ul\"\n  }, \"Trigger emergency response across engineering, finance, legal, and management\")), mdx(\"p\", null, \"For smaller companies, this can become a serious business continuity problem. For larger organizations, it can still create an incident involving unexpected spend, customer impact, forensic review, and difficult provider discussions.\"), mdx(\"p\", null, \"Budget alerts are useful, but they are often misunderstood. A budget alert is usually a warning, not a hard stop. By the time the alert reaches the right person, significant cost may already have accumulated.\"), mdx(\"p\", null, \"Spend caps and billing controls reduce potential financial exposure, but they do not make exposed keys safe. The primary controls are still least privilege, project separation, key restrictions, disabled unused APIs, and active monitoring.\"), mdx(\"h2\", {\n    \"id\": \"why-attackers-care\",\n    \"style\": {\n      \"position\": \"relative\"\n    }\n  }, mdx(\"a\", {\n    parentName: \"h2\",\n    \"href\": \"#why-attackers-care\",\n    \"aria-label\": \"why attackers care permalink\",\n    \"className\": \"anchor before\"\n  }, mdx(\"svg\", {\n    parentName: \"a\",\n    \"aria-hidden\": \"true\",\n    \"focusable\": \"false\",\n    \"height\": \"16\",\n    \"version\": \"1.1\",\n    \"viewBox\": \"0 0 16 16\",\n    \"width\": \"16\"\n  }, mdx(\"path\", {\n    parentName: \"svg\",\n    \"fillRule\": \"evenodd\",\n    \"d\": \"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"\n  }))), \"Why attackers care\"), mdx(\"p\", null, \"Exposed AI-capable API keys are attractive because they are easy to find, easy to test, and easy to monetize.\"), mdx(\"p\", null, \"Attackers do not always abuse cloud credentials only for their own use. Compromised API keys, cloud accounts, AI credits, and usage capacity can be converted into cheap AI access or resold in grey and criminal markets.\"), mdx(\"p\", null, \"The economics are straightforward:\"), mdx(\"ul\", null, mdx(\"li\", {\n    parentName: \"ul\"\n  }, \"The victim pays the real cloud bill.\"), mdx(\"li\", {\n    parentName: \"ul\"\n  }, \"The attacker sells access or output at a discount.\"), mdx(\"li\", {\n    parentName: \"ul\"\n  }, \"The buyer receives cheap AI usage.\"), mdx(\"li\", {\n    parentName: \"ul\"\n  }, \"The cloud provider sees valid API calls.\"), mdx(\"li\", {\n    parentName: \"ul\"\n  }, \"The victim discovers the loss later.\")), mdx(\"p\", null, \"This can lead to automated, high-volume consumption designed to extract value before the key is restricted or disabled. The abuse may not look like one person manually testing a key. It may look like distributed usage, sudden traffic spikes, unusual model consumption, or quota exhaustion.\"), mdx(\"h2\", {\n    \"id\": \"why-organizations-miss-the-risk\",\n    \"style\": {\n      \"position\": \"relative\"\n    }\n  }, mdx(\"a\", {\n    parentName: \"h2\",\n    \"href\": \"#why-organizations-miss-the-risk\",\n    \"aria-label\": \"why organizations miss the risk permalink\",\n    \"className\": \"anchor before\"\n  }, mdx(\"svg\", {\n    parentName: \"a\",\n    \"aria-hidden\": \"true\",\n    \"focusable\": \"false\",\n    \"height\": \"16\",\n    \"version\": \"1.1\",\n    \"viewBox\": \"0 0 16 16\",\n    \"width\": \"16\"\n  }, mdx(\"path\", {\n    parentName: \"svg\",\n    \"fillRule\": \"evenodd\",\n    \"d\": \"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"\n  }))), \"Why organizations miss the risk\"), mdx(\"p\", null, \"The most dangerous API keys are often not the newest ones. They are legacy keys created for forgotten integrations and never reviewed after the cloud project changed.\"), mdx(\"p\", null, \"Common weaknesses include:\"), mdx(\"ul\", null, mdx(\"li\", {\n    parentName: \"ul\"\n  }, \"Old Google Maps keys still active in production\"), mdx(\"li\", {\n    parentName: \"ul\"\n  }, \"Keys embedded in frontend JavaScript\"), mdx(\"li\", {\n    parentName: \"ul\"\n  }, \"Keys embedded in mobile apps\"), mdx(\"li\", {\n    parentName: \"ul\"\n  }, \"Keys committed to public or private repositories\"), mdx(\"li\", {\n    parentName: \"ul\"\n  }, \"Keys reused across multiple applications\"), mdx(\"li\", {\n    parentName: \"ul\"\n  }, \"No API restrictions\"), mdx(\"li\", {\n    parentName: \"ul\"\n  }, \"Weak or missing application restrictions\"), mdx(\"li\", {\n    parentName: \"ul\"\n  }, \"Maps, Firebase, Gemini, and other APIs enabled in the same project\"), mdx(\"li\", {\n    parentName: \"ul\"\n  }, \"No clear owner for legacy cloud projects\"), mdx(\"li\", {\n    parentName: \"ul\"\n  }, \"Budget alerts without hard enforcement\"), mdx(\"li\", {\n    parentName: \"ul\"\n  }, \"No monitoring by key and API\"), mdx(\"li\", {\n    parentName: \"ul\"\n  }, \"No regular review of enabled services\")), mdx(\"p\", null, \"This is why exposed-key findings need impact validation. The useful question is not only \\u201CIs the key public?\\u201D The useful question is \\u201CWhat can someone do with it?\\u201D\"), mdx(\"h2\", {\n    \"id\": \"what-security-teams-should-do\",\n    \"style\": {\n      \"position\": \"relative\"\n    }\n  }, mdx(\"a\", {\n    parentName: \"h2\",\n    \"href\": \"#what-security-teams-should-do\",\n    \"aria-label\": \"what security teams should do permalink\",\n    \"className\": \"anchor before\"\n  }, mdx(\"svg\", {\n    parentName: \"a\",\n    \"aria-hidden\": \"true\",\n    \"focusable\": \"false\",\n    \"height\": \"16\",\n    \"version\": \"1.1\",\n    \"viewBox\": \"0 0 16 16\",\n    \"width\": \"16\"\n  }, mdx(\"path\", {\n    parentName: \"svg\",\n    \"fillRule\": \"evenodd\",\n    \"d\": \"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"\n  }))), \"What security teams should do\"), mdx(\"h3\", {\n    \"id\": \"1-inventory-all-google-api-keys\",\n    \"style\": {\n      \"position\": \"relative\"\n    }\n  }, mdx(\"a\", {\n    parentName: \"h3\",\n    \"href\": \"#1-inventory-all-google-api-keys\",\n    \"aria-label\": \"1 inventory all google api keys permalink\",\n    \"className\": \"anchor before\"\n  }, mdx(\"svg\", {\n    parentName: \"a\",\n    \"aria-hidden\": \"true\",\n    \"focusable\": \"false\",\n    \"height\": \"16\",\n    \"version\": \"1.1\",\n    \"viewBox\": \"0 0 16 16\",\n    \"width\": \"16\"\n  }, mdx(\"path\", {\n    parentName: \"svg\",\n    \"fillRule\": \"evenodd\",\n    \"d\": \"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"\n  }))), \"1. Inventory all Google API keys\"), mdx(\"p\", null, \"Start with a full inventory across Google Cloud projects, Google Maps Platform, Firebase, web applications, mobile apps, repositories, CI/CD systems, documentation, CMS templates, no-code tools, marketing sites, and demos.\"), mdx(\"p\", null, \"Do not only review the cloud console. Find where the keys are actually exposed.\"), mdx(\"h3\", {\n    \"id\": \"2-treat-client-side-keys-as-public\",\n    \"style\": {\n      \"position\": \"relative\"\n    }\n  }, mdx(\"a\", {\n    parentName: \"h3\",\n    \"href\": \"#2-treat-client-side-keys-as-public\",\n    \"aria-label\": \"2 treat client side keys as public permalink\",\n    \"className\": \"anchor before\"\n  }, mdx(\"svg\", {\n    parentName: \"a\",\n    \"aria-hidden\": \"true\",\n    \"focusable\": \"false\",\n    \"height\": \"16\",\n    \"version\": \"1.1\",\n    \"viewBox\": \"0 0 16 16\",\n    \"width\": \"16\"\n  }, mdx(\"path\", {\n    parentName: \"svg\",\n    \"fillRule\": \"evenodd\",\n    \"d\": \"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"\n  }))), \"2. Treat client-side keys as public\"), mdx(\"p\", null, \"A key used in frontend JavaScript or a mobile app should be considered exposed. JavaScript can be inspected. Mobile apps can be reverse engineered. Browser requests can be captured. Repositories can be indexed.\"), mdx(\"p\", null, \"The question is not whether someone can find the key. Assume they can.\"), mdx(\"p\", null, \"The question is what the key allows after discovery.\"), mdx(\"h3\", {\n    \"id\": \"3-enforce-api-restrictions\",\n    \"style\": {\n      \"position\": \"relative\"\n    }\n  }, mdx(\"a\", {\n    parentName: \"h3\",\n    \"href\": \"#3-enforce-api-restrictions\",\n    \"aria-label\": \"3 enforce api restrictions permalink\",\n    \"className\": \"anchor before\"\n  }, mdx(\"svg\", {\n    parentName: \"a\",\n    \"aria-hidden\": \"true\",\n    \"focusable\": \"false\",\n    \"height\": \"16\",\n    \"version\": \"1.1\",\n    \"viewBox\": \"0 0 16 16\",\n    \"width\": \"16\"\n  }, mdx(\"path\", {\n    parentName: \"svg\",\n    \"fillRule\": \"evenodd\",\n    \"d\": \"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"\n  }))), \"3. Enforce API restrictions\"), mdx(\"p\", null, \"Every key should be limited to the specific APIs it needs.\"), mdx(\"p\", null, \"A Maps key should not be able to call Gemini. A Firebase-related key should not automatically work against unrelated services. A production key should not have broad access to every API enabled in the project.\"), mdx(\"p\", null, \"API restrictions are one of the strongest controls because they limit damage even if the key is exposed.\"), mdx(\"h3\", {\n    \"id\": \"4-enforce-application-restrictions\",\n    \"style\": {\n      \"position\": \"relative\"\n    }\n  }, mdx(\"a\", {\n    parentName: \"h3\",\n    \"href\": \"#4-enforce-application-restrictions\",\n    \"aria-label\": \"4 enforce application restrictions permalink\",\n    \"className\": \"anchor before\"\n  }, mdx(\"svg\", {\n    parentName: \"a\",\n    \"aria-hidden\": \"true\",\n    \"focusable\": \"false\",\n    \"height\": \"16\",\n    \"version\": \"1.1\",\n    \"viewBox\": \"0 0 16 16\",\n    \"width\": \"16\"\n  }, mdx(\"path\", {\n    parentName: \"svg\",\n    \"fillRule\": \"evenodd\",\n    \"d\": \"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"\n  }))), \"4. Enforce application restrictions\"), mdx(\"p\", null, \"Application restrictions should match the use case:\"), mdx(\"ul\", null, mdx(\"li\", {\n    parentName: \"ul\"\n  }, \"HTTP referrer restrictions for browser-based usage\"), mdx(\"li\", {\n    parentName: \"ul\"\n  }, \"Android package name and certificate restrictions for Android apps\"), mdx(\"li\", {\n    parentName: \"ul\"\n  }, \"iOS bundle ID restrictions for iOS apps\"), mdx(\"li\", {\n    parentName: \"ul\"\n  }, \"IP address restrictions for server-side usage\")), mdx(\"p\", null, \"Avoid broad wildcard referrers and mixed-use keys. A key that works everywhere can be abused from anywhere.\"), mdx(\"h3\", {\n    \"id\": \"5-separate-public-services-from-ai-services\",\n    \"style\": {\n      \"position\": \"relative\"\n    }\n  }, mdx(\"a\", {\n    parentName: \"h3\",\n    \"href\": \"#5-separate-public-services-from-ai-services\",\n    \"aria-label\": \"5 separate public services from ai services permalink\",\n    \"className\": \"anchor before\"\n  }, mdx(\"svg\", {\n    parentName: \"a\",\n    \"aria-hidden\": \"true\",\n    \"focusable\": \"false\",\n    \"height\": \"16\",\n    \"version\": \"1.1\",\n    \"viewBox\": \"0 0 16 16\",\n    \"width\": \"16\"\n  }, mdx(\"path\", {\n    parentName: \"svg\",\n    \"fillRule\": \"evenodd\",\n    \"d\": \"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"\n  }))), \"5. Separate public services from AI services\"), mdx(\"p\", null, \"Public client-side Maps usage and Gemini workloads should not share the same project unless there is a clear, documented reason.\"), mdx(\"p\", null, \"A safer structure is:\"), mdx(\"ul\", null, mdx(\"li\", {\n    parentName: \"ul\"\n  }, \"One project for public Maps and client-side integrations\"), mdx(\"li\", {\n    parentName: \"ul\"\n  }, \"A separate project for Gemini and AI workloads\"), mdx(\"li\", {\n    parentName: \"ul\"\n  }, \"Separate keys, billing controls, monitoring and owners\")), mdx(\"p\", null, \"Project separation reduces the chance that a legacy frontend key becomes an AI billing credential.\"), mdx(\"h3\", {\n    \"id\": \"6-disable-unused-apis-and-delete-stale-keys\",\n    \"style\": {\n      \"position\": \"relative\"\n    }\n  }, mdx(\"a\", {\n    parentName: \"h3\",\n    \"href\": \"#6-disable-unused-apis-and-delete-stale-keys\",\n    \"aria-label\": \"6 disable unused apis and delete stale keys permalink\",\n    \"className\": \"anchor before\"\n  }, mdx(\"svg\", {\n    parentName: \"a\",\n    \"aria-hidden\": \"true\",\n    \"focusable\": \"false\",\n    \"height\": \"16\",\n    \"version\": \"1.1\",\n    \"viewBox\": \"0 0 16 16\",\n    \"width\": \"16\"\n  }, mdx(\"path\", {\n    parentName: \"svg\",\n    \"fillRule\": \"evenodd\",\n    \"d\": \"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"\n  }))), \"6. Disable unused APIs and delete stale keys\"), mdx(\"p\", null, \"If a project does not need Gemini, disable Gemini.\"), mdx(\"p\", null, \"If a project does not need a specific Maps API, disable it.\"), mdx(\"p\", null, \"If a key is unused, delete it after reviewing usage and migration impact. Stale keys should not remain active because \\u201Csomething might still use them.\\u201D\"), mdx(\"h3\", {\n    \"id\": \"7-monitor-by-key-api-and-cost\",\n    \"style\": {\n      \"position\": \"relative\"\n    }\n  }, mdx(\"a\", {\n    parentName: \"h3\",\n    \"href\": \"#7-monitor-by-key-api-and-cost\",\n    \"aria-label\": \"7 monitor by key api and cost permalink\",\n    \"className\": \"anchor before\"\n  }, mdx(\"svg\", {\n    parentName: \"a\",\n    \"aria-hidden\": \"true\",\n    \"focusable\": \"false\",\n    \"height\": \"16\",\n    \"version\": \"1.1\",\n    \"viewBox\": \"0 0 16 16\",\n    \"width\": \"16\"\n  }, mdx(\"path\", {\n    parentName: \"svg\",\n    \"fillRule\": \"evenodd\",\n    \"d\": \"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"\n  }))), \"7. Monitor by key, API, and cost\"), mdx(\"p\", null, \"Project-level spend monitoring is not enough.\"), mdx(\"p\", null, \"Security and cloud teams should monitor:\"), mdx(\"ul\", null, mdx(\"li\", {\n    parentName: \"ul\"\n  }, \"Which key is calling which API\"), mdx(\"li\", {\n    parentName: \"ul\"\n  }, \"New APIs used by old keys\"), mdx(\"li\", {\n    parentName: \"ul\"\n  }, \"Gemini usage from keys intended for Maps\"), mdx(\"li\", {\n    parentName: \"ul\"\n  }, \"Sudden request spikes\"), mdx(\"li\", {\n    parentName: \"ul\"\n  }, \"Unexpected regions\"), mdx(\"li\", {\n    parentName: \"ul\"\n  }, \"Unusual time-of-day patterns\"), mdx(\"li\", {\n    parentName: \"ul\"\n  }, \"Rapid quota consumption\"), mdx(\"li\", {\n    parentName: \"ul\"\n  }, \"Cost anomalies by service and project\")), mdx(\"p\", null, \"A useful alert should not only say \\u201Ccloud spend increased.\\u201D It should say \\u201Ca Maps key started making Gemini API calls.\\u201D\"), mdx(\"h3\", {\n    \"id\": \"8-treat-exposed-unrestricted-keys-as-compromised\",\n    \"style\": {\n      \"position\": \"relative\"\n    }\n  }, mdx(\"a\", {\n    parentName: \"h3\",\n    \"href\": \"#8-treat-exposed-unrestricted-keys-as-compromised\",\n    \"aria-label\": \"8 treat exposed unrestricted keys as compromised permalink\",\n    \"className\": \"anchor before\"\n  }, mdx(\"svg\", {\n    parentName: \"a\",\n    \"aria-hidden\": \"true\",\n    \"focusable\": \"false\",\n    \"height\": \"16\",\n    \"version\": \"1.1\",\n    \"viewBox\": \"0 0 16 16\",\n    \"width\": \"16\"\n  }, mdx(\"path\", {\n    parentName: \"svg\",\n    \"fillRule\": \"evenodd\",\n    \"d\": \"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"\n  }))), \"8. Treat exposed unrestricted keys as compromised\"), mdx(\"p\", null, \"If an unrestricted key has been public, assume it may already be collected by scanners.\"), mdx(\"p\", null, \"The response should include:\"), mdx(\"ul\", null, mdx(\"li\", {\n    parentName: \"ul\"\n  }, \"Restricting or disabling the key\"), mdx(\"li\", {\n    parentName: \"ul\"\n  }, \"Rotating credentials\"), mdx(\"li\", {\n    parentName: \"ul\"\n  }, \"Reviewing logs\"), mdx(\"li\", {\n    parentName: \"ul\"\n  }, \"Checking historical usage\"), mdx(\"li\", {\n    parentName: \"ul\"\n  }, \"Verifying enabled APIs\"), mdx(\"li\", {\n    parentName: \"ul\"\n  }, \"Investigating cost anomalies\"), mdx(\"li\", {\n    parentName: \"ul\"\n  }, \"Reviewing whether AI-related resources were accessible\"), mdx(\"li\", {\n    parentName: \"ul\"\n  }, \"Documenting the incident and business impact\")), mdx(\"p\", null, \"Rotation alone is not enough if the replacement key has the same permissions.\"), mdx(\"h2\", {\n    \"id\": \"what-penetration-testers-should-validate\",\n    \"style\": {\n      \"position\": \"relative\"\n    }\n  }, mdx(\"a\", {\n    parentName: \"h2\",\n    \"href\": \"#what-penetration-testers-should-validate\",\n    \"aria-label\": \"what penetration testers should validate permalink\",\n    \"className\": \"anchor before\"\n  }, mdx(\"svg\", {\n    parentName: \"a\",\n    \"aria-hidden\": \"true\",\n    \"focusable\": \"false\",\n    \"height\": \"16\",\n    \"version\": \"1.1\",\n    \"viewBox\": \"0 0 16 16\",\n    \"width\": \"16\"\n  }, mdx(\"path\", {\n    parentName: \"svg\",\n    \"fillRule\": \"evenodd\",\n    \"d\": \"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"\n  }))), \"What penetration testers should validate\"), mdx(\"p\", null, \"For penetration testers, the value is in proving impact responsibly.\"), mdx(\"p\", null, \"A report that only says \\u201CGoogle API key exposed\\u201D may be technically correct, but it may not help the customer understand business risk. The stronger assessment explains what the key can actually do.\"), mdx(\"p\", null, \"Useful validation questions include:\"), mdx(\"ul\", null, mdx(\"li\", {\n    parentName: \"ul\"\n  }, \"Is the key restricted?\"), mdx(\"li\", {\n    parentName: \"ul\"\n  }, \"Which APIs can it call?\"), mdx(\"li\", {\n    parentName: \"ul\"\n  }, \"Can it call Gemini or another billable AI API?\"), mdx(\"li\", {\n    parentName: \"ul\"\n  }, \"Is it exposed in frontend code or a mobile app?\"), mdx(\"li\", {\n    parentName: \"ul\"\n  }, \"Is the same project used for AI workloads?\"), mdx(\"li\", {\n    parentName: \"ul\"\n  }, \"Could an attacker generate billable usage?\"), mdx(\"li\", {\n    parentName: \"ul\"\n  }, \"Could legitimate quotas be exhausted?\"), mdx(\"li\", {\n    parentName: \"ul\"\n  }, \"Would monitoring detect the abuse?\"), mdx(\"li\", {\n    parentName: \"ul\"\n  }, \"Are spend controls hard limits or only alerts?\"), mdx(\"li\", {\n    parentName: \"ul\"\n  }, \"Is there an incident response path for billing abuse?\")), mdx(\"p\", null, \"This turns a generic cloud hygiene issue into a business-relevant security finding.\"), mdx(\"h2\", {\n    \"id\": \"how-hackrate-helps\",\n    \"style\": {\n      \"position\": \"relative\"\n    }\n  }, mdx(\"a\", {\n    parentName: \"h2\",\n    \"href\": \"#how-hackrate-helps\",\n    \"aria-label\": \"how hackrate helps permalink\",\n    \"className\": \"anchor before\"\n  }, mdx(\"svg\", {\n    parentName: \"a\",\n    \"aria-hidden\": \"true\",\n    \"focusable\": \"false\",\n    \"height\": \"16\",\n    \"version\": \"1.1\",\n    \"viewBox\": \"0 0 16 16\",\n    \"width\": \"16\"\n  }, mdx(\"path\", {\n    parentName: \"svg\",\n    \"fillRule\": \"evenodd\",\n    \"d\": \"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"\n  }))), \"How Hackrate helps\"), mdx(\"p\", null, \"Hackrate helps organizations validate the real impact behind exposed credentials.\"), mdx(\"p\", null, \"A scanner can identify a leaked or public API key. That is only the starting point. Security teams need to understand whether the key is harmless, restricted, misconfigured, or business-critical.\"), mdx(\"p\", null, \"Through traditional penetration testing and continuous security testing, Hackrate helps teams answer the questions that matter: what can the key access, what can it cost, how quickly could it be abused, and whether the organization would detect it in time.\"), mdx(\"p\", null, \"A key that once looked like a low-risk Maps identifier may become a path to expensive AI infrastructure if it is public, unrestricted, and connected to a project where Gemini or other billable APIs are enabled.\"), mdx(\"p\", null, \"Attackers understand this. They scan for keys, test them, automate abuse, and monetize stolen cloud usage. Organizations should not wait for a surprise invoice.\"), mdx(\"hr\", null), mdx(\"p\", null, mdx(\"a\", {\n    parentName: \"p\",\n    \"href\": \"https://www.hckrt.com\",\n    \"target\": \"_blank\",\n    \"rel\": \"nofollow noopener\"\n  }, \"Hackrate\"), \" helps organizations assess these risks through expert-led penetration testing, cloud security review, attack surface management, and continuous security testing.\"));\n}\n;\nMDXContent.isMDXComponent = true;","slug":"/blog/When-an-exposed-Google-Maps-key-becomes-an-AI-billing-risk/","timeToRead":"11 min read","date":"July 13, 2026","dateString":"July 13, 2026","datePublishedSeoFormat":"2026-07-13","title":"When an exposed Google Maps key becomes an AI billing risk","excerpt":"This article explains why an exposed Google Maps API key may become a serious billing-abuse risk when the same cloud project also has Gemini or other billable AI APIs enabled. It shows what security teams and penetration testers should check to understand the real impact behind an exposed key.","tags":["bug-bounty","ciso","security-testing","ethical-hacking"],"lastModificationTime":null,"lastModificationTimeString":null,"dateModifiedSeoFormat":null,"hero":{"full":{"base64":"data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAALCAYAAAB/Ca1DAAAACXBIWXMAAAsTAAALEwEAmpwYAAAC0ElEQVQoz0WTSW8jVRRG/VvYIFghduyALWJBwzYIMSTpJHaSsqvKY8p24jh2PMVJueL2mKYz0CskJJAgdux4HspxlCC1hFqsWdASv+Bwg7rF4urpPekdnfu++xzRjSt23C2iyhURpUnELavniqjeIuJvE966xoh22NrtEkr2CGb6BA4G+M0BvuMh3vIIvTZGezpBPZviiCktDiJ9qjmbSm7KiTmjfGBjCNgQ6FagTdBoE9ju4I938e138ef6+I4EJkC9NEIToCpAz+kER9R5RTrQJRPqkfR1SPqlAh32gh12jS7xWI94ckAsNSCaHRDJj/CLofdI6ljsSuP/gQ+G284mlfSUcmqKtTfGio+wkmNq5g1WfkqlPKdQnGGWb6hd3FM8v8Ob7aGLoS6Gmhiq1TGeN8AdMaxlbOq5GYXYiHpeLgu0fjyneGhTfTLnuDjHqsw5rMzIVG8JyPkDULMGaGUxPLFRn9m4/wOuNSknJ5wczKiIZTExoZR5eMMWAV8LzbjGE/oN7/Y14cyM77QLPl/M4remeJ/M2LR6OM0GrlIH9/kMR2S5QXyjxa5USu8Qd7eJaZKup8uqq85yqkao/5L11C9sBH7lk0ff8PFHH7Cgn7G684wvAyU+dZl8FX+O+sMtjvBSE2PxkvBSA2NJ1lXZrzcJq12UlVPW18sE0+eoxikLj6u8+977vP3OW3z4yIU3/Zx88jNW9G/5ev8n3Bc3Alx8ADZeQy8xHjcIrDTwu5poG02UzUuB/own2ELfabOwZvLFYoqV7R9RpW0tXUTPWdJyD+XMlrFZbmH5X1AKvaTg/YPv9/7kfvI3v9tSs1fc2694cfcPw8FfModDgtkbQuYtXlOCKIxQSncotXvcT202JRhHRAzjaz0SzgFxZ5+EZ0ghMcXcn3Ik4eQl/cOjG7Iy8N7dPlqih5rqo8oseswR7uIQRX7LZn2KIsB/Aa3hZB/X+psaAAAAAElFTkSuQmCC","aspectRatio":1.7902097902097902,"src":"/static/67f70e67081bffb7c4b13e032890540a/e79ac/When-an-exposed-Google-Maps-key-becomes-an-AI-billing-risk.png","srcSet":"/static/67f70e67081bffb7c4b13e032890540a/6ba37/When-an-exposed-Google-Maps-key-becomes-an-AI-billing-risk.png 512w,\n/static/67f70e67081bffb7c4b13e032890540a/4e530/When-an-exposed-Google-Maps-key-becomes-an-AI-billing-risk.png 1024w,\n/static/67f70e67081bffb7c4b13e032890540a/e79ac/When-an-exposed-Google-Maps-key-becomes-an-AI-billing-risk.png 1501w","srcWebp":"/static/67f70e67081bffb7c4b13e032890540a/ab1c1/When-an-exposed-Google-Maps-key-becomes-an-AI-billing-risk.webp","srcSetWebp":"/static/67f70e67081bffb7c4b13e032890540a/e4e36/When-an-exposed-Google-Maps-key-becomes-an-AI-billing-risk.webp 512w,\n/static/67f70e67081bffb7c4b13e032890540a/e0f73/When-an-exposed-Google-Maps-key-becomes-an-AI-billing-risk.webp 1024w,\n/static/67f70e67081bffb7c4b13e032890540a/ab1c1/When-an-exposed-Google-Maps-key-becomes-an-AI-billing-risk.webp 1501w","sizes":"(max-width: 1501px) 100vw, 1501px"}},"commentId":"/blog/When-an-exposed-Google-Maps-key-becomes-an-AI-billing-risk/","tableOfContents":{"items":[{"url":"#why-exposed-google-api-keys-need-a-second-look","title":"Why exposed Google API keys need a second look"},{"url":"#the-old-assumption-maps-keys-are-public-anyway","title":"The old assumption: Maps keys are public anyway"},{"url":"#how-gemini-changes-the-risk-model","title":"How Gemini changes the risk model"},{"url":"#financial-impact-is-part-of-technical-impact","title":"Financial impact is part of technical impact"},{"url":"#why-attackers-care","title":"Why attackers care"},{"url":"#why-organizations-miss-the-risk","title":"Why organizations miss the risk"},{"url":"#what-security-teams-should-do","title":"What security teams should do","items":[{"url":"#1-inventory-all-google-api-keys","title":"1. Inventory all Google API keys"},{"url":"#2-treat-client-side-keys-as-public","title":"2. Treat client-side keys as public"},{"url":"#3-enforce-api-restrictions","title":"3. Enforce API restrictions"},{"url":"#4-enforce-application-restrictions","title":"4. Enforce application restrictions"},{"url":"#5-separate-public-services-from-ai-services","title":"5. Separate public services from AI services"},{"url":"#6-disable-unused-apis-and-delete-stale-keys","title":"6. Disable unused APIs and delete stale keys"},{"url":"#7-monitor-by-key-api-and-cost","title":"7. Monitor by key, API, and cost"},{"url":"#8-treat-exposed-unrestricted-keys-as-compromised","title":"8. Treat exposed unrestricted keys as compromised"}]},{"url":"#what-penetration-testers-should-validate","title":"What penetration testers should validate"},{"url":"#how-hackrate-helps","title":"How Hackrate helps"}]},"lastModifiedTime":"2026-07-13T18:00:00.000Z","lastModifiedTimeString":"July 13, 2026"},"authors":[{"bio":"CTO & Founder of HACKRATE Ltd. \nLevente lives in a world of zeros and ones. He is an active bug hunter, successfully reported bugs to US DoD, Adobe, Logitech, BMW, Sony, and other big enterprises. As an IT Security Engineer, he planned, implemented, and managed various IT security solutions. He worked on international projects in Kuwait and Oman as an ethical hacker.\n","id":"e8877f2b-beda-591f-97b8-cda4b6994d86","name":"Levente Molnar","featured":true,"twitter":"@hackrate","slug":"lmolnar","avatar":{"small":{"base64":"data:image/jpeg;base64,/9j/2wBDABALDA4MChAODQ4SERATGCgaGBYWGDEjJR0oOjM9PDkzODdASFxOQERXRTc4UG1RV19iZ2hnPk1xeXBkeFxlZ2P/2wBDARESEhgVGC8aGi9jQjhCY2NjY2NjY2NjY2NjY2NjY2NjY2NjY2NjY2NjY2NjY2NjY2NjY2NjY2NjY2NjY2NjY2P/wgARCAAUABQDASIAAhEBAxEB/8QAGAABAQEBAQAAAAAAAAAAAAAAAAUDBAL/xAAWAQEBAQAAAAAAAAAAAAAAAAABAgD/2gAMAwEAAhADEAAAAbvFpyDXeSRNCiiJ3//EABwQAAICAgMAAAAAAAAAAAAAAAECAAMEERASMv/aAAgBAQABBQJjpaHZuLrgkxz0gOwx27GVef/EABQRAQAAAAAAAAAAAAAAAAAAACD/2gAIAQMBAT8BH//EABQRAQAAAAAAAAAAAAAAAAAAACD/2gAIAQIBAT8BH//EAB0QAAICAQUAAAAAAAAAAAAAAAERABACEiFRYYH/2gAIAQEABj8CJgZb6paTlN6B5ntf/8QAHBAAAgICAwAAAAAAAAAAAAAAAREAMSFBEJGh/9oACAEBAAE/IURYDh7Dg9FwwcLIEStgUtQbhClbIuEA6QvU/9oADAMBAAIAAwAAABDoCD//xAAXEQEBAQEAAAAAAAAAAAAAAAABEQAQ/9oACAEDAQE/EBI3pv/EABgRAQADAQAAAAAAAAAAAAAAAAEAEBEx/9oACAECAQE/EEdMoj2f/8QAHhABAAIDAAIDAAAAAAAAAAAAAQAhETFBEGFR8PH/2gAIAQEAAT8QYYKwPcE2T2zY2Y9b8dPOsKaxLs8C0Wr6yzePZGk/NSldFviIv60T/9k=","aspectRatio":1,"src":"/static/3ded567688ed3bf49be9f20a381d2573/00991/levente-molnar.jpg","srcSet":"/static/3ded567688ed3bf49be9f20a381d2573/8696d/levente-molnar.jpg 16w,\n/static/3ded567688ed3bf49be9f20a381d2573/547ef/levente-molnar.jpg 32w,\n/static/3ded567688ed3bf49be9f20a381d2573/00991/levente-molnar.jpg 64w,\n/static/3ded567688ed3bf49be9f20a381d2573/0b461/levente-molnar.jpg 96w,\n/static/3ded567688ed3bf49be9f20a381d2573/7d668/levente-molnar.jpg 128w,\n/static/3ded567688ed3bf49be9f20a381d2573/25252/levente-molnar.jpg 400w","srcWebp":"/static/3ded567688ed3bf49be9f20a381d2573/282c5/levente-molnar.webp","srcSetWebp":"/static/3ded567688ed3bf49be9f20a381d2573/302d4/levente-molnar.webp 16w,\n/static/3ded567688ed3bf49be9f20a381d2573/97620/levente-molnar.webp 32w,\n/static/3ded567688ed3bf49be9f20a381d2573/282c5/levente-molnar.webp 64w,\n/static/3ded567688ed3bf49be9f20a381d2573/5a4e0/levente-molnar.webp 96w,\n/static/3ded567688ed3bf49be9f20a381d2573/e28f0/levente-molnar.webp 128w,\n/static/3ded567688ed3bf49be9f20a381d2573/fc32b/levente-molnar.webp 400w","sizes":"(max-width: 64px) 100vw, 64px"},"medium":{"base64":"data:image/jpeg;base64,/9j/2wBDABALDA4MChAODQ4SERATGCgaGBYWGDEjJR0oOjM9PDkzODdASFxOQERXRTc4UG1RV19iZ2hnPk1xeXBkeFxlZ2P/2wBDARESEhgVGC8aGi9jQjhCY2NjY2NjY2NjY2NjY2NjY2NjY2NjY2NjY2NjY2NjY2NjY2NjY2NjY2NjY2NjY2NjY2P/wgARCAAUABQDASIAAhEBAxEB/8QAGAABAQEBAQAAAAAAAAAAAAAAAAUDBAL/xAAWAQEBAQAAAAAAAAAAAAAAAAABAgD/2gAMAwEAAhADEAAAAbvFpyDXeSRNCiiJ3//EABwQAAICAgMAAAAAAAAAAAAAAAECAAMEERASMv/aAAgBAQABBQJjpaHZuLrgkxz0gOwx27GVef/EABQRAQAAAAAAAAAAAAAAAAAAACD/2gAIAQMBAT8BH//EABQRAQAAAAAAAAAAAAAAAAAAACD/2gAIAQIBAT8BH//EAB0QAAICAQUAAAAAAAAAAAAAAAERABACEiFRYYH/2gAIAQEABj8CJgZb6paTlN6B5ntf/8QAHBAAAgICAwAAAAAAAAAAAAAAAREAMSFBEJGh/9oACAEBAAE/IURYDh7Dg9FwwcLIEStgUtQbhClbIuEA6QvU/9oADAMBAAIAAwAAABDoCD//xAAXEQEBAQEAAAAAAAAAAAAAAAABEQAQ/9oACAEDAQE/EBI3pv/EABgRAQADAQAAAAAAAAAAAAAAAAEAEBEx/9oACAECAQE/EEdMoj2f/8QAHhABAAIDAAIDAAAAAAAAAAAAAQAhETFBEGFR8PH/2gAIAQEAAT8QYYKwPcE2T2zY2Y9b8dPOsKaxLs8C0Wr6yzePZGk/NSldFviIv60T/9k=","aspectRatio":1,"src":"/static/3ded567688ed3bf49be9f20a381d2573/7d668/levente-molnar.jpg","srcSet":"/static/3ded567688ed3bf49be9f20a381d2573/547ef/levente-molnar.jpg 32w,\n/static/3ded567688ed3bf49be9f20a381d2573/00991/levente-molnar.jpg 64w,\n/static/3ded567688ed3bf49be9f20a381d2573/7d668/levente-molnar.jpg 128w,\n/static/3ded567688ed3bf49be9f20a381d2573/3e5eb/levente-molnar.jpg 192w,\n/static/3ded567688ed3bf49be9f20a381d2573/d64b1/levente-molnar.jpg 256w,\n/static/3ded567688ed3bf49be9f20a381d2573/25252/levente-molnar.jpg 400w","srcWebp":"/static/3ded567688ed3bf49be9f20a381d2573/e28f0/levente-molnar.webp","srcSetWebp":"/static/3ded567688ed3bf49be9f20a381d2573/97620/levente-molnar.webp 32w,\n/static/3ded567688ed3bf49be9f20a381d2573/282c5/levente-molnar.webp 64w,\n/static/3ded567688ed3bf49be9f20a381d2573/e28f0/levente-molnar.webp 128w,\n/static/3ded567688ed3bf49be9f20a381d2573/a278a/levente-molnar.webp 192w,\n/static/3ded567688ed3bf49be9f20a381d2573/b42dd/levente-molnar.webp 256w,\n/static/3ded567688ed3bf49be9f20a381d2573/fc32b/levente-molnar.webp 400w","sizes":"(max-width: 128px) 100vw, 128px"},"large":{"base64":"data:image/jpeg;base64,/9j/2wBDABALDA4MChAODQ4SERATGCgaGBYWGDEjJR0oOjM9PDkzODdASFxOQERXRTc4UG1RV19iZ2hnPk1xeXBkeFxlZ2P/2wBDARESEhgVGC8aGi9jQjhCY2NjY2NjY2NjY2NjY2NjY2NjY2NjY2NjY2NjY2NjY2NjY2NjY2NjY2NjY2NjY2NjY2P/wgARCAAUABQDASIAAhEBAxEB/8QAGAABAQEBAQAAAAAAAAAAAAAAAAUDBAL/xAAWAQEBAQAAAAAAAAAAAAAAAAABAgD/2gAMAwEAAhADEAAAAbvFpyDXeSRNCiiJ3//EABwQAAICAgMAAAAAAAAAAAAAAAECAAMEERASMv/aAAgBAQABBQJjpaHZuLrgkxz0gOwx27GVef/EABQRAQAAAAAAAAAAAAAAAAAAACD/2gAIAQMBAT8BH//EABQRAQAAAAAAAAAAAAAAAAAAACD/2gAIAQIBAT8BH//EAB0QAAICAQUAAAAAAAAAAAAAAAERABACEiFRYYH/2gAIAQEABj8CJgZb6paTlN6B5ntf/8QAHBAAAgICAwAAAAAAAAAAAAAAAREAMSFBEJGh/9oACAEBAAE/IURYDh7Dg9FwwcLIEStgUtQbhClbIuEA6QvU/9oADAMBAAIAAwAAABDoCD//xAAXEQEBAQEAAAAAAAAAAAAAAAABEQAQ/9oACAEDAQE/EBI3pv/EABgRAQADAQAAAAAAAAAAAAAAAAEAEBEx/9oACAECAQE/EEdMoj2f/8QAHhABAAIDAAIDAAAAAAAAAAAAAQAhETFBEGFR8PH/2gAIAQEAAT8QYYKwPcE2T2zY2Y9b8dPOsKaxLs8C0Wr6yzePZGk/NSldFviIv60T/9k=","aspectRatio":1,"src":"/static/3ded567688ed3bf49be9f20a381d2573/ec46e/levente-molnar.jpg","srcSet":"/static/3ded567688ed3bf49be9f20a381d2573/a2637/levente-molnar.jpg 82w,\n/static/3ded567688ed3bf49be9f20a381d2573/15203/levente-molnar.jpg 164w,\n/static/3ded567688ed3bf49be9f20a381d2573/ec46e/levente-molnar.jpg 328w,\n/static/3ded567688ed3bf49be9f20a381d2573/25252/levente-molnar.jpg 400w","srcWebp":"/static/3ded567688ed3bf49be9f20a381d2573/5a48e/levente-molnar.webp","srcSetWebp":"/static/3ded567688ed3bf49be9f20a381d2573/2d087/levente-molnar.webp 82w,\n/static/3ded567688ed3bf49be9f20a381d2573/29d87/levente-molnar.webp 164w,\n/static/3ded567688ed3bf49be9f20a381d2573/5a48e/levente-molnar.webp 328w,\n/static/3ded567688ed3bf49be9f20a381d2573/fc32b/levente-molnar.webp 400w","sizes":"(max-width: 328px) 100vw, 328px"}}}],"relatedArticles":[{"id":"885c79c4-cb2b-5f09-82bf-d8863e4ef8e8","author":"Levente Molnar","body":"var _excluded = [\"components\"];\nfunction _extends() { _extends = Object.assign ? Object.assign.bind() : function (target) { for (var i = 1; i < arguments.length; i++) { var source = arguments[i]; for (var key in source) { if (Object.prototype.hasOwnProperty.call(source, key)) { target[key] = source[key]; } } } return target; }; return _extends.apply(this, arguments); }\nfunction _objectWithoutProperties(source, excluded) { if (source == null) return {}; var target = _objectWithoutPropertiesLoose(source, excluded); var key, i; if (Object.getOwnPropertySymbols) { var sourceSymbolKeys = Object.getOwnPropertySymbols(source); for (i = 0; i < sourceSymbolKeys.length; i++) { key = sourceSymbolKeys[i]; if (excluded.indexOf(key) >= 0) continue; if (!Object.prototype.propertyIsEnumerable.call(source, key)) continue; target[key] = source[key]; } } return target; }\nfunction _objectWithoutPropertiesLoose(source, excluded) { if (source == null) return {}; var target = {}; var sourceKeys = Object.keys(source); var key, i; for (i = 0; i < sourceKeys.length; i++) { key = sourceKeys[i]; if (excluded.indexOf(key) >= 0) continue; target[key] = source[key]; } return target; }\n/* @jsxRuntime classic */\n/* @jsx mdx */\n\nvar _frontmatter = {\n  \"templateKey\": \"blog-post\",\n  \"title\": \"Hackrate Ranked 1st in Hungary and 22nd Globally at Hack The Box’s Global Cyber Skills Benchmark 2026\",\n  \"description\": \"Hackrate achieved 1st place in Hungary, 9th in Europe, and 22nd globally at Hack The Box’s Global Cyber Skills Benchmark 2026, competing against 589 corporate teams worldwide.\",\n  \"author\": \"Levente Molnar\",\n  \"authorURL\": \"https://twitter.com/hackrate\",\n  \"date\": \"2026-05-29T09:00:00.000Z\",\n  \"image\": \"/img/blog/Hackrate-Ranked-1st-in-Hungary-and-22nd-Globally-at-Hack-The-Boxs-Global-Cyber-Skills-Benchmark-2026-1.png\",\n  \"tags\": [\"security-testing\", \"ethical-hacking\", \"hackrate\", \"news\"]\n};\nvar layoutProps = {\n  _frontmatter: _frontmatter\n};\nvar MDXLayout = \"wrapper\";\nreturn function MDXContent(_ref) {\n  var components = _ref.components,\n    props = _objectWithoutProperties(_ref, _excluded);\n  return mdx(MDXLayout, _extends({}, layoutProps, props, {\n    components: components,\n    mdxType: \"MDXLayout\"\n  }), mdx(\"p\", null, \"Cybersecurity does not really have a \", mdx(\"strong\", {\n    parentName: \"p\"\n  }, \"World Cup for companies\"), \".\"), mdx(\"p\", null, \"There are conferences, certifications, vendor awards, customer references, analyst reports, and countless marketing claims. But there are very few moments where hundreds of corporate cybersecurity teams from around the world sit down at the same time, face the same technical challenges, and compete under the same pressure.\"), mdx(\"p\", null, \"The \", mdx(\"strong\", {\n    parentName: \"p\"\n  }, \"Hack The Box Global Cyber Skills Benchmark 2026\"), \" is one of those rare moments.\"), mdx(\"p\", null, \"This year, \", mdx(\"a\", {\n    parentName: \"p\",\n    \"href\": \"https://www.hckrt.com\",\n    \"target\": \"_blank\",\n    \"rel\": \"nofollow noopener\"\n  }, \"Hackrate\"), \" participated in Hack The Box\\u2019s annual Global Cyber Skills Benchmark competition, and our team achieved a result we are extremely proud of:\"), mdx(\"h2\", {\n    \"id\": \"hackrates-results\",\n    \"style\": {\n      \"position\": \"relative\"\n    }\n  }, mdx(\"a\", {\n    parentName: \"h2\",\n    \"href\": \"#hackrates-results\",\n    \"aria-label\": \"hackrates results permalink\",\n    \"className\": \"anchor before\"\n  }, mdx(\"svg\", {\n    parentName: \"a\",\n    \"aria-hidden\": \"true\",\n    \"focusable\": \"false\",\n    \"height\": \"16\",\n    \"version\": \"1.1\",\n    \"viewBox\": \"0 0 16 16\",\n    \"width\": \"16\"\n  }, mdx(\"path\", {\n    parentName: \"svg\",\n    \"fillRule\": \"evenodd\",\n    \"d\": \"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"\n  }))), \"Hackrate\\u2019s Results\"), mdx(\"blockquote\", null, mdx(\"table\", {\n    parentName: \"blockquote\"\n  }, mdx(\"thead\", {\n    parentName: \"table\"\n  }, mdx(\"tr\", {\n    parentName: \"thead\"\n  }, mdx(\"th\", {\n    parentName: \"tr\",\n    \"align\": null\n  }, \"Ranking\"), mdx(\"th\", {\n    parentName: \"tr\",\n    \"align\": \"right\"\n  }, \"Result\"))), mdx(\"tbody\", {\n    parentName: \"table\"\n  }, mdx(\"tr\", {\n    parentName: \"tbody\"\n  }, mdx(\"td\", {\n    parentName: \"tr\",\n    \"align\": null\n  }, \"\\uD83C\\uDDED\\uD83C\\uDDFA Hungary\"), mdx(\"td\", {\n    parentName: \"tr\",\n    \"align\": \"right\"\n  }, mdx(\"strong\", {\n    parentName: \"td\"\n  }, \"1st place\"))), mdx(\"tr\", {\n    parentName: \"tbody\"\n  }, mdx(\"td\", {\n    parentName: \"tr\",\n    \"align\": null\n  }, \"\\uD83C\\uDDEA\\uD83C\\uDDFA Europe\"), mdx(\"td\", {\n    parentName: \"tr\",\n    \"align\": \"right\"\n  }, mdx(\"strong\", {\n    parentName: \"td\"\n  }, \"9th place\"))), mdx(\"tr\", {\n    parentName: \"tbody\"\n  }, mdx(\"td\", {\n    parentName: \"tr\",\n    \"align\": null\n  }, \"\\uD83C\\uDF0D Global\"), mdx(\"td\", {\n    parentName: \"tr\",\n    \"align\": \"right\"\n  }, mdx(\"strong\", {\n    parentName: \"td\"\n  }, \"22nd place\")))))), mdx(\"center\", null, mdx(\"p\", null, mdx(\"span\", {\n    parentName: \"p\",\n    \"className\": \"gatsby-resp-image-wrapper\",\n    \"style\": {\n      \"position\": \"relative\",\n      \"display\": \"block\",\n      \"marginLeft\": \"auto\",\n      \"marginRight\": \"auto\",\n      \"maxWidth\": \"622px\"\n    }\n  }, \"\\n      \", mdx(\"span\", {\n    parentName: \"span\",\n    \"className\": \"gatsby-resp-image-background-image\",\n    \"style\": {\n      \"paddingBottom\": \"129.58333333333334%\",\n      \"position\": \"relative\",\n      \"bottom\": \"0\",\n      \"left\": \"0\",\n      \"backgroundImage\": \"url('data:image/jpeg;base64,/9j/2wBDABALDA4MChAODQ4SERATGCgaGBYWGDEjJR0oOjM9PDkzODdASFxOQERXRTc4UG1RV19iZ2hnPk1xeXBkeFxlZ2P/2wBDARESEhgVGC8aGi9jQjhCY2NjY2NjY2NjY2NjY2NjY2NjY2NjY2NjY2NjY2NjY2NjY2NjY2NjY2NjY2NjY2NjY2P/wgARCAAaABQDASIAAhEBAxEB/8QAGAABAAMBAAAAAAAAAAAAAAAAAAEDBAX/xAAWAQEBAQAAAAAAAAAAAAAAAAAAAQP/2gAMAwEAAhADEAAAAeROjTnOOsaFmdBCv//EABwQAAICAgMAAAAAAAAAAAAAAAECAAMQEQQTIf/aAAgBAQABBQJELw1sMcceMGBsGrFdlnY03jeP/8QAFBEBAAAAAAAAAAAAAAAAAAAAIP/aAAgBAwEBPwEf/8QAGBEAAgMAAAAAAAAAAAAAAAAAARESICH/2gAIAQIBAT8BM3lP/8QAHxAAAQMDBQAAAAAAAAAAAAAAAAECMREgoSEiMmFx/9oACAEBAAY/AtG5F25IK9irWcDvSVQ5Ot//xAAdEAEAAwACAwEAAAAAAAAAAAABABEhMUFRkeHw/9oACAEBAAE/IRMGs6zVDK9o89Ipx01/e541hAAszpCKDXeR+1FKvMtzWW8sW5//2gAMAwEAAgADAAAAEIjrvv/EABURAQEAAAAAAAAAAAAAAAAAACAh/9oACAEDAQE/EKP/xAAZEQADAAMAAAAAAAAAAAAAAAAAAREhMUH/2gAIAQIBAT8QasYFovSn/8QAIBABAQADAAIBBQAAAAAAAAAAAREAITFRYYFBcZGh8P/aAAgBAQABPxBjbVWli8+HJi6gbPUCddP4wuhp0m+5I2CxutS3+6yIbrNSCM13r7wiwTvXxgHnYoXz+jGhNX343FS1U2uTIDXn3iK/W7vuMqqvtz//2Q==')\",\n      \"backgroundSize\": \"cover\",\n      \"display\": \"block\"\n    }\n  }), \"\\n  \", mdx(\"picture\", {\n    parentName: \"span\"\n  }, \"\\n          \", mdx(\"source\", {\n    parentName: \"picture\",\n    \"srcSet\": [\"/static/f3327c6214453a891145e7be4ddb7932/42669/Hackrate-Ranked-1st-in-Hungary-and-22nd-Globally-at-Hack-The-Boxs-Global-Cyber-Skills-Benchmark-2026-2.webp 480w\", \"/static/f3327c6214453a891145e7be4ddb7932/461c2/Hackrate-Ranked-1st-in-Hungary-and-22nd-Globally-at-Hack-The-Boxs-Global-Cyber-Skills-Benchmark-2026-2.webp 622w\"],\n    \"sizes\": \"(max-width: 622px) 100vw, 622px\",\n    \"type\": \"image/webp\"\n  }), \"\\n          \", mdx(\"source\", {\n    parentName: \"picture\",\n    \"srcSet\": [\"/static/f3327c6214453a891145e7be4ddb7932/55489/Hackrate-Ranked-1st-in-Hungary-and-22nd-Globally-at-Hack-The-Boxs-Global-Cyber-Skills-Benchmark-2026-2.jpg 480w\", \"/static/f3327c6214453a891145e7be4ddb7932/d5ded/Hackrate-Ranked-1st-in-Hungary-and-22nd-Globally-at-Hack-The-Boxs-Global-Cyber-Skills-Benchmark-2026-2.jpg 622w\"],\n    \"sizes\": \"(max-width: 622px) 100vw, 622px\",\n    \"type\": \"image/jpeg\"\n  }), \"\\n          \", mdx(\"img\", {\n    parentName: \"picture\",\n    \"className\": \"gatsby-resp-image-image\",\n    \"src\": \"/static/f3327c6214453a891145e7be4ddb7932/d5ded/Hackrate-Ranked-1st-in-Hungary-and-22nd-Globally-at-Hack-The-Boxs-Global-Cyber-Skills-Benchmark-2026-2.jpg\",\n    \"alt\": \"Hackrate Ranked 1st in Hungary and 22nd Globally at Hack The Boxs Global Cyber Skills Benchmark 2026 2\",\n    \"title\": \"Hackrate Ranked 1st in Hungary and 22nd Globally at Hack The Boxs Global Cyber Skills Benchmark 2026 2\",\n    \"loading\": \"lazy\",\n    \"style\": {\n      \"width\": \"100%\",\n      \"height\": \"100%\",\n      \"margin\": \"0\",\n      \"verticalAlign\": \"middle\",\n      \"position\": \"absolute\",\n      \"top\": \"0\",\n      \"left\": \"0\"\n    }\n  }), \"\\n        \"), \"\\n    \"))), mdx(\"p\", null, \"In total, \", mdx(\"strong\", {\n    parentName: \"p\"\n  }, \"589 corporate teams\"), \" took part in the competition, including teams from some of the world\\u2019s most recognized technology, consulting, finance, and cybersecurity organizations.\"), mdx(\"p\", null, \"For Hackrate, finishing \", mdx(\"strong\", {\n    parentName: \"p\"\n  }, \"22nd globally\"), \" was a powerful validation of the technical depth, persistence, and teamwork inside our company.\"), mdx(\"p\", null, \"My initial goal was simple:\"), mdx(\"blockquote\", null, mdx(\"p\", {\n    parentName: \"blockquote\"\n  }, \"Finish in the \", mdx(\"strong\", {\n    parentName: \"p\"\n  }, \"top 10%\"), \".\")), mdx(\"p\", null, \"That alone would have been a strong result in a competition of this scale.\"), mdx(\"p\", null, \"Instead, the team finished in the \", mdx(\"strong\", {\n    parentName: \"p\"\n  }, \"top 5% worldwide\"), \".\"), mdx(\"p\", null, \"That went far beyond my expectations.\"), mdx(\"h2\", {\n    \"id\": \"what-is-the-global-cyber-skills-benchmark\",\n    \"style\": {\n      \"position\": \"relative\"\n    }\n  }, mdx(\"a\", {\n    parentName: \"h2\",\n    \"href\": \"#what-is-the-global-cyber-skills-benchmark\",\n    \"aria-label\": \"what is the global cyber skills benchmark permalink\",\n    \"className\": \"anchor before\"\n  }, mdx(\"svg\", {\n    parentName: \"a\",\n    \"aria-hidden\": \"true\",\n    \"focusable\": \"false\",\n    \"height\": \"16\",\n    \"version\": \"1.1\",\n    \"viewBox\": \"0 0 16 16\",\n    \"width\": \"16\"\n  }, mdx(\"path\", {\n    parentName: \"svg\",\n    \"fillRule\": \"evenodd\",\n    \"d\": \"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"\n  }))), \"What Is the Global Cyber Skills Benchmark?\"), mdx(\"p\", null, \"The \", mdx(\"strong\", {\n    parentName: \"p\"\n  }, \"Hack The Box Global Cyber Skills Benchmark\"), \" is a global Capture The Flag competition designed specifically for business teams.\"), mdx(\"p\", null, \"It gives companies a practical way to measure their cybersecurity readiness against other organizations from around the world.\"), mdx(\"p\", null, \"The 2026 edition, named \", mdx(\"strong\", {\n    parentName: \"p\"\n  }, \"Project Nightfall\"), \", ran from \", mdx(\"strong\", {\n    parentName: \"p\"\n  }, \"May 15 to May 20, 2026\"), \". It brought together corporate teams for a multi-day, hands-on competition built around realistic cybersecurity scenarios.\"), mdx(\"p\", null, \"This was not a narrow or traditional CTF focused only on one technical area.\"), mdx(\"p\", null, \"The competition covered a broad range of security domains:\"), mdx(\"table\", null, mdx(\"thead\", {\n    parentName: \"table\"\n  }, mdx(\"tr\", {\n    parentName: \"thead\"\n  }, mdx(\"th\", {\n    parentName: \"tr\",\n    \"align\": null\n  }, \"Category\"), mdx(\"th\", {\n    parentName: \"tr\",\n    \"align\": null\n  }, \"What It Tested\"))), mdx(\"tbody\", {\n    parentName: \"table\"\n  }, mdx(\"tr\", {\n    parentName: \"tbody\"\n  }, mdx(\"td\", {\n    parentName: \"tr\",\n    \"align\": null\n  }, mdx(\"strong\", {\n    parentName: \"td\"\n  }, \"Web Security\")), mdx(\"td\", {\n    parentName: \"tr\",\n    \"align\": null\n  }, \"Application vulnerabilities, exploitation logic, and real-world web attack paths\")), mdx(\"tr\", {\n    parentName: \"tbody\"\n  }, mdx(\"td\", {\n    parentName: \"tr\",\n    \"align\": null\n  }, mdx(\"strong\", {\n    parentName: \"td\"\n  }, \"Reversing\")), mdx(\"td\", {\n    parentName: \"tr\",\n    \"align\": null\n  }, \"Understanding compiled logic, hidden behavior, and software internals\")), mdx(\"tr\", {\n    parentName: \"tbody\"\n  }, mdx(\"td\", {\n    parentName: \"tr\",\n    \"align\": null\n  }, mdx(\"strong\", {\n    parentName: \"td\"\n  }, \"Pwn\")), mdx(\"td\", {\n    parentName: \"tr\",\n    \"align\": null\n  }, \"Binary exploitation, memory corruption, and low-level attack techniques\")), mdx(\"tr\", {\n    parentName: \"tbody\"\n  }, mdx(\"td\", {\n    parentName: \"tr\",\n    \"align\": null\n  }, mdx(\"strong\", {\n    parentName: \"td\"\n  }, \"Forensics\")), mdx(\"td\", {\n    parentName: \"tr\",\n    \"align\": null\n  }, \"Investigation, artifact analysis, and reconstruction of security events\")), mdx(\"tr\", {\n    parentName: \"tbody\"\n  }, mdx(\"td\", {\n    parentName: \"tr\",\n    \"align\": null\n  }, mdx(\"strong\", {\n    parentName: \"td\"\n  }, \"Cryptography\")), mdx(\"td\", {\n    parentName: \"tr\",\n    \"align\": null\n  }, \"Weak implementations, flawed assumptions, and cryptographic reasoning\")), mdx(\"tr\", {\n    parentName: \"tbody\"\n  }, mdx(\"td\", {\n    parentName: \"tr\",\n    \"align\": null\n  }, mdx(\"strong\", {\n    parentName: \"td\"\n  }, \"Blockchain\")), mdx(\"td\", {\n    parentName: \"tr\",\n    \"align\": null\n  }, \"Smart contract and decentralized system security\")), mdx(\"tr\", {\n    parentName: \"tbody\"\n  }, mdx(\"td\", {\n    parentName: \"tr\",\n    \"align\": null\n  }, mdx(\"strong\", {\n    parentName: \"td\"\n  }, \"Hardware\")), mdx(\"td\", {\n    parentName: \"tr\",\n    \"align\": null\n  }, \"Low-level analysis and device-related security thinking\")), mdx(\"tr\", {\n    parentName: \"tbody\"\n  }, mdx(\"td\", {\n    parentName: \"tr\",\n    \"align\": null\n  }, mdx(\"strong\", {\n    parentName: \"td\"\n  }, \"Machines\")), mdx(\"td\", {\n    parentName: \"tr\",\n    \"align\": null\n  }, \"Infrastructure compromise, enumeration, and privilege escalation\")), mdx(\"tr\", {\n    parentName: \"tbody\"\n  }, mdx(\"td\", {\n    parentName: \"tr\",\n    \"align\": null\n  }, mdx(\"strong\", {\n    parentName: \"td\"\n  }, \"Cloud\")), mdx(\"td\", {\n    parentName: \"tr\",\n    \"align\": null\n  }, \"Identity, permissions, services, and cloud-native attack paths\")), mdx(\"tr\", {\n    parentName: \"tbody\"\n  }, mdx(\"td\", {\n    parentName: \"tr\",\n    \"align\": null\n  }, mdx(\"strong\", {\n    parentName: \"td\"\n  }, \"ICS\")), mdx(\"td\", {\n    parentName: \"tr\",\n    \"align\": null\n  }, \"Industrial systems and operational technology security\")), mdx(\"tr\", {\n    parentName: \"tbody\"\n  }, mdx(\"td\", {\n    parentName: \"tr\",\n    \"align\": null\n  }, mdx(\"strong\", {\n    parentName: \"td\"\n  }, \"Coding\")), mdx(\"td\", {\n    parentName: \"tr\",\n    \"align\": null\n  }, \"Problem-solving, automation, scripting, and logic-based challenges\")))), mdx(\"p\", null, \"The storyline behind \", mdx(\"strong\", {\n    parentName: \"p\"\n  }, \"Project Nightfall\"), \" was also very relevant to the world we live in today.\"), mdx(\"p\", null, \"Hack The Box framed the scenario around:\"), mdx(\"ul\", null, mdx(\"li\", {\n    parentName: \"ul\"\n  }, \"nation-state cyber warfare,\"), mdx(\"li\", {\n    parentName: \"ul\"\n  }, \"shared dependencies,\"), mdx(\"li\", {\n    parentName: \"ul\"\n  }, \"critical infrastructure,\"), mdx(\"li\", {\n    parentName: \"ul\"\n  }, \"virtualization stacks,\"), mdx(\"li\", {\n    parentName: \"ul\"\n  }, \"identity providers,\"), mdx(\"li\", {\n    parentName: \"ul\"\n  }, \"supplier ecosystems,\"), mdx(\"li\", {\n    parentName: \"ul\"\n  }, \"and covert interference.\")), mdx(\"p\", null, \"In other words, this was not just about solving puzzles.\"), mdx(\"p\", null, \"It was about testing how well teams can:\"), mdx(\"ul\", null, mdx(\"li\", {\n    parentName: \"ul\"\n  }, \"think,\"), mdx(\"li\", {\n    parentName: \"ul\"\n  }, \"collaborate,\"), mdx(\"li\", {\n    parentName: \"ul\"\n  }, \"investigate,\"), mdx(\"li\", {\n    parentName: \"ul\"\n  }, \"exploit,\"), mdx(\"li\", {\n    parentName: \"ul\"\n  }, \"adapt,\"), mdx(\"li\", {\n    parentName: \"ul\"\n  }, \"and persist across a wide range of real-world offensive and defensive security problems.\")), mdx(\"h2\", {\n    \"id\": \"why-this-result-matters-to-us\",\n    \"style\": {\n      \"position\": \"relative\"\n    }\n  }, mdx(\"a\", {\n    parentName: \"h2\",\n    \"href\": \"#why-this-result-matters-to-us\",\n    \"aria-label\": \"why this result matters to us permalink\",\n    \"className\": \"anchor before\"\n  }, mdx(\"svg\", {\n    parentName: \"a\",\n    \"aria-hidden\": \"true\",\n    \"focusable\": \"false\",\n    \"height\": \"16\",\n    \"version\": \"1.1\",\n    \"viewBox\": \"0 0 16 16\",\n    \"width\": \"16\"\n  }, mdx(\"path\", {\n    parentName: \"svg\",\n    \"fillRule\": \"evenodd\",\n    \"d\": \"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"\n  }))), \"Why This Result Matters to Us\"), mdx(\"p\", null, \"At Hackrate, we spend every day working with companies that want to understand and improve their real security posture.\"), mdx(\"p\", null, \"We provide:\"), mdx(\"ul\", null, mdx(\"li\", {\n    parentName: \"ul\"\n  }, \"penetration testing,\"), mdx(\"li\", {\n    parentName: \"ul\"\n  }, \"continuous security testing,\"), mdx(\"li\", {\n    parentName: \"ul\"\n  }, \"managed vulnerability disclosure programs,\"), mdx(\"li\", {\n    parentName: \"ul\"\n  }, \"bug bounty services,\"), mdx(\"li\", {\n    parentName: \"ul\"\n  }, \"and security testing management through HackGATE.\")), mdx(\"p\", null, \"Our work is not theoretical.\"), mdx(\"p\", null, \"Our customers rely on us to identify real vulnerabilities, validate risks, guide remediation, and help them build stronger security programs.\"), mdx(\"p\", null, \"That is why this result matters.\"), mdx(\"p\", null, \"A competition like the Global Cyber Skills Benchmark is not a sales award. It is not based on a slide deck, a nomination, or a marketing campaign.\"), mdx(\"p\", null, \"It is based on \", mdx(\"strong\", {\n    parentName: \"p\"\n  }, \"technical performance\"), \".\"), mdx(\"p\", null, \"The team had to solve difficult challenges under time pressure. They had to divide work effectively. They had to move across different domains. They had to recognize patterns, test assumptions, write scripts, debug, reverse engineer, analyze artifacts, exploit weaknesses, and keep going when the first idea did not work.\"), mdx(\"p\", null, \"That is very close to the mindset required in real offensive security work.\"), mdx(\"p\", null, \"Of course, no CTF can perfectly reproduce a customer engagement. Real penetration testing also requires:\"), mdx(\"ul\", null, mdx(\"li\", {\n    parentName: \"ul\"\n  }, \"communication,\"), mdx(\"li\", {\n    parentName: \"ul\"\n  }, \"scoping,\"), mdx(\"li\", {\n    parentName: \"ul\"\n  }, \"reporting,\"), mdx(\"li\", {\n    parentName: \"ul\"\n  }, \"business context,\"), mdx(\"li\", {\n    parentName: \"ul\"\n  }, \"responsible handling of sensitive systems,\"), mdx(\"li\", {\n    parentName: \"ul\"\n  }, \"and clear remediation guidance.\")), mdx(\"p\", null, \"But the core technical mindset is similar:\"), mdx(\"p\", null, \" Find the weak point.\", mdx(\"br\", {\n    parentName: \"p\"\n  }), \"\\n\", \"Understand the system.\", mdx(\"br\", {\n    parentName: \"p\"\n  }), \"\\n\", \"Question assumptions.\", mdx(\"br\", {\n    parentName: \"p\"\n  }), \"\\n\", \"Move carefully but quickly.\", mdx(\"br\", {\n    parentName: \"p\"\n  }), \"\\n\", \"Validate evidence.\", mdx(\"br\", {\n    parentName: \"p\"\n  }), \"\\n\", \"Document what matters.\", mdx(\"br\", {\n    parentName: \"p\"\n  }), \"\\n\", \"Keep learning.\"), mdx(\"p\", null, \"Those are the same principles we bring to our customers every day.\"), mdx(\"h2\", {\n    \"id\": \"competing-against-global-cybersecurity-teams\",\n    \"style\": {\n      \"position\": \"relative\"\n    }\n  }, mdx(\"a\", {\n    parentName: \"h2\",\n    \"href\": \"#competing-against-global-cybersecurity-teams\",\n    \"aria-label\": \"competing against global cybersecurity teams permalink\",\n    \"className\": \"anchor before\"\n  }, mdx(\"svg\", {\n    parentName: \"a\",\n    \"aria-hidden\": \"true\",\n    \"focusable\": \"false\",\n    \"height\": \"16\",\n    \"version\": \"1.1\",\n    \"viewBox\": \"0 0 16 16\",\n    \"width\": \"16\"\n  }, mdx(\"path\", {\n    parentName: \"svg\",\n    \"fillRule\": \"evenodd\",\n    \"d\": \"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"\n  }))), \"Competing Against Global Cybersecurity Teams\"), mdx(\"p\", null, \"One of the most exciting parts of the Global Cyber Skills Benchmark is the field of participants.\"), mdx(\"p\", null, \"This year\\u2019s competition included hundreds of companies, including teams from globally recognized organizations such as:\"), mdx(\"ul\", null, mdx(\"li\", {\n    parentName: \"ul\"\n  }, \"NVIDIA,\"), mdx(\"li\", {\n    parentName: \"ul\"\n  }, \"Accenture,\"), mdx(\"li\", {\n    parentName: \"ul\"\n  }, \"Cisco,\"), mdx(\"li\", {\n    parentName: \"ul\"\n  }, \"Deloitte,\"), mdx(\"li\", {\n    parentName: \"ul\"\n  }, \"KPMG,\"), mdx(\"li\", {\n    parentName: \"ul\"\n  }, \"GitHub,\"), mdx(\"li\", {\n    parentName: \"ul\"\n  }, \"PayPal,\"), mdx(\"li\", {\n    parentName: \"ul\"\n  }, \"JPMorgan,\"), mdx(\"li\", {\n    parentName: \"ul\"\n  }, \"Microsoft,\"), mdx(\"li\", {\n    parentName: \"ul\"\n  }, \"and many others.\")), mdx(\"p\", null, \"For a Hungarian cybersecurity company, competing in such a global environment is already meaningful.\"), mdx(\"p\", null, \"Ranking \", mdx(\"strong\", {\n    parentName: \"p\"\n  }, \"22nd globally\"), \" makes it even more special.\"), mdx(\"p\", null, \"We are especially proud that Hackrate finished ahead of several internationally known organizations. Not because cybersecurity should be treated only as a scoreboard, but because these benchmarks give smaller and more focused teams the chance to prove themselves through direct technical performance.\"), mdx(\"blockquote\", null, mdx(\"p\", {\n    parentName: \"blockquote\"\n  }, \"In cybersecurity, reputation matters.\", mdx(\"br\", {\n    parentName: \"p\"\n  }), \"\\n\", \"But skill matters more.\")), mdx(\"p\", null, \"And in a competition like this, there is nowhere to hide behind brand size, headcount, or market visibility.\"), mdx(\"p\", null, \"The challenges are there.\", mdx(\"br\", {\n    parentName: \"p\"\n  }), \"\\n\", \"The leaderboard is there.\", mdx(\"br\", {\n    parentName: \"p\"\n  }), \"\\n\", \"The team either solves them or does not.\"), mdx(\"p\", null, \"Hackrate\\u2019s result shows that our team can compete at an international level with some of the strongest organizations in the industry.\"), mdx(\"h2\", {\n    \"id\": \"a-broad-test-of-real-cyber-skills\",\n    \"style\": {\n      \"position\": \"relative\"\n    }\n  }, mdx(\"a\", {\n    parentName: \"h2\",\n    \"href\": \"#a-broad-test-of-real-cyber-skills\",\n    \"aria-label\": \"a broad test of real cyber skills permalink\",\n    \"className\": \"anchor before\"\n  }, mdx(\"svg\", {\n    parentName: \"a\",\n    \"aria-hidden\": \"true\",\n    \"focusable\": \"false\",\n    \"height\": \"16\",\n    \"version\": \"1.1\",\n    \"viewBox\": \"0 0 16 16\",\n    \"width\": \"16\"\n  }, mdx(\"path\", {\n    parentName: \"svg\",\n    \"fillRule\": \"evenodd\",\n    \"d\": \"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"\n  }))), \"A Broad Test of Real Cyber Skills\"), mdx(\"p\", null, \"Modern cybersecurity is no longer a single-discipline field.\"), mdx(\"p\", null, \"A strong team cannot rely only on web application security. Or only on infrastructure. Or only on cloud. Or only on binary exploitation.\"), mdx(\"p\", null, \"The reality of today\\u2019s attack surface is much more complex.\"), mdx(\"p\", null, \"Companies depend on:\"), mdx(\"ul\", null, mdx(\"li\", {\n    parentName: \"ul\"\n  }, \"cloud platforms,\"), mdx(\"li\", {\n    parentName: \"ul\"\n  }, \"identity providers,\"), mdx(\"li\", {\n    parentName: \"ul\"\n  }, \"SaaS tools,\"), mdx(\"li\", {\n    parentName: \"ul\"\n  }, \"APIs,\"), mdx(\"li\", {\n    parentName: \"ul\"\n  }, \"third-party suppliers,\"), mdx(\"li\", {\n    parentName: \"ul\"\n  }, \"CI/CD pipelines,\"), mdx(\"li\", {\n    parentName: \"ul\"\n  }, \"mobile applications,\"), mdx(\"li\", {\n    parentName: \"ul\"\n  }, \"internal networks,\"), mdx(\"li\", {\n    parentName: \"ul\"\n  }, \"legacy systems,\"), mdx(\"li\", {\n    parentName: \"ul\"\n  }, \"industrial systems,\"), mdx(\"li\", {\n    parentName: \"ul\"\n  }, \"and increasingly AI-assisted workflows.\")), mdx(\"p\", null, \"Attackers do not respect organizational boundaries, and they do not limit themselves to one technical category.\"), mdx(\"p\", null, \"That is why the breadth of the Global Cyber Skills Benchmark is important.\"), mdx(\"p\", null, \"The 2026 competition included challenges across areas that reflect the complexity of real environments:\"), mdx(\"p\", null, \"Web challenges tested the ability to identify and exploit application-level weaknesses.\"), mdx(\"p\", null, \"Reversing challenges required understanding compiled logic, hidden behavior, and how software actually works beneath the surface.\"), mdx(\"p\", null, \"Pwn challenges demanded low-level exploitation thinking, memory corruption knowledge, and precision.\"), mdx(\"p\", null, \"Forensics challenges tested investigation skills, artifact analysis, and the ability to reconstruct what happened from limited evidence.\"), mdx(\"p\", null, \"Cryptography challenges required mathematical thinking and the ability to spot weak implementations or flawed assumptions.\"), mdx(\"p\", null, \"Blockchain challenges reflected the growing importance of smart contract and decentralized system security.\"), mdx(\"p\", null, \"Hardware and ICS challenges brought attention to areas that are increasingly relevant as critical infrastructure, IoT, and operational technology become more connected.\"), mdx(\"p\", null, \"Cloud and machine-based challenges tested the kind of infrastructure and identity-related thinking that modern attackers often exploit in real incidents.\"), mdx(\"h2\", {\n    \"id\": \"why-diversity-of-challenges-matters\",\n    \"style\": {\n      \"position\": \"relative\"\n    }\n  }, mdx(\"a\", {\n    parentName: \"h2\",\n    \"href\": \"#why-diversity-of-challenges-matters\",\n    \"aria-label\": \"why diversity of challenges matters permalink\",\n    \"className\": \"anchor before\"\n  }, mdx(\"svg\", {\n    parentName: \"a\",\n    \"aria-hidden\": \"true\",\n    \"focusable\": \"false\",\n    \"height\": \"16\",\n    \"version\": \"1.1\",\n    \"viewBox\": \"0 0 16 16\",\n    \"width\": \"16\"\n  }, mdx(\"path\", {\n    parentName: \"svg\",\n    \"fillRule\": \"evenodd\",\n    \"d\": \"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"\n  }))), \"Why Diversity of Challenges Matters\"), mdx(\"p\", null, \"This diversity matters because a real security team must be able to move between domains.\"), mdx(\"p\", null, \"A vulnerability rarely announces itself in the exact category where you expect it.\"), mdx(\"p\", null, \"Good security work often starts with uncertainty.\"), mdx(\"p\", null, \"You may begin with a web application and end up investigating identity permissions. You may start with a cloud service and discover a vulnerable internal integration. You may analyze a log file and uncover an attack path that depends on business logic, infrastructure design, and weak operational controls.\"), mdx(\"p\", null, \"The ability to stay effective in uncertainty is one of the most valuable skills a security team can have.\"), mdx(\"p\", null, \"That is what this benchmark tested.\"), mdx(\"p\", null, \"And that is why the result matters.\"), mdx(\"h2\", {\n    \"id\": \"teamwork-under-pressure\",\n    \"style\": {\n      \"position\": \"relative\"\n    }\n  }, mdx(\"a\", {\n    parentName: \"h2\",\n    \"href\": \"#teamwork-under-pressure\",\n    \"aria-label\": \"teamwork under pressure permalink\",\n    \"className\": \"anchor before\"\n  }, mdx(\"svg\", {\n    parentName: \"a\",\n    \"aria-hidden\": \"true\",\n    \"focusable\": \"false\",\n    \"height\": \"16\",\n    \"version\": \"1.1\",\n    \"viewBox\": \"0 0 16 16\",\n    \"width\": \"16\"\n  }, mdx(\"path\", {\n    parentName: \"svg\",\n    \"fillRule\": \"evenodd\",\n    \"d\": \"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"\n  }))), \"Teamwork Under Pressure\"), mdx(\"p\", null, \"A multi-day CTF is not only a test of individual talent.\"), mdx(\"p\", null, \"It is also a test of teamwork.\"), mdx(\"p\", null, \"When there are many challenges open at the same time, the team has to make constant decisions:\"), mdx(\"ul\", null, mdx(\"li\", {\n    parentName: \"ul\"\n  }, \"Which challenge should we prioritize?\"), mdx(\"li\", {\n    parentName: \"ul\"\n  }, \"Who has the strongest background for this category?\"), mdx(\"li\", {\n    parentName: \"ul\"\n  }, \"When should we continue pushing, and when should we switch?\"), mdx(\"li\", {\n    parentName: \"ul\"\n  }, \"Which partial findings should be shared with others?\"), mdx(\"li\", {\n    parentName: \"ul\"\n  }, \"How do we avoid duplicating work?\"), mdx(\"li\", {\n    parentName: \"ul\"\n  }, \"How do we keep momentum when a challenge blocks us for hours?\"), mdx(\"li\", {\n    parentName: \"ul\"\n  }, \"How do we stay focused over several days?\")), mdx(\"p\", null, \"These questions are very familiar from real security projects.\"), mdx(\"p\", null, \"In penetration testing, red teaming, and vulnerability research, technical ability is only one part of success.\"), mdx(\"p\", null, \"The other part is coordination.\"), mdx(\"p\", null, \"Strong teams:\"), mdx(\"ul\", null, mdx(\"li\", {\n    parentName: \"ul\"\n  }, \"communicate clearly,\"), mdx(\"li\", {\n    parentName: \"ul\"\n  }, \"share context,\"), mdx(\"li\", {\n    parentName: \"ul\"\n  }, \"avoid tunnel vision,\"), mdx(\"li\", {\n    parentName: \"ul\"\n  }, \"challenge each other\\u2019s assumptions,\"), mdx(\"li\", {\n    parentName: \"ul\"\n  }, \"and know when to ask for a second pair of eyes.\")), mdx(\"p\", null, \"This competition rewarded that kind of teamwork.\"), mdx(\"p\", null, \"The Hackrate team showed not only technical skill, but also persistence and discipline.\"), mdx(\"p\", null, \"Everyone contributed.\", mdx(\"br\", {\n    parentName: \"p\"\n  }), \"\\n\", \"Everyone pushed.\", mdx(\"br\", {\n    parentName: \"p\"\n  }), \"\\n\", \"And the final result reflects the collective strength of the team.\"), mdx(\"h2\", {\n    \"id\": \"the-role-of-ai-it-did-not-kill-the-game-it-raised-the-bar\",\n    \"style\": {\n      \"position\": \"relative\"\n    }\n  }, mdx(\"a\", {\n    parentName: \"h2\",\n    \"href\": \"#the-role-of-ai-it-did-not-kill-the-game-it-raised-the-bar\",\n    \"aria-label\": \"the role of ai it did not kill the game it raised the bar permalink\",\n    \"className\": \"anchor before\"\n  }, mdx(\"svg\", {\n    parentName: \"a\",\n    \"aria-hidden\": \"true\",\n    \"focusable\": \"false\",\n    \"height\": \"16\",\n    \"version\": \"1.1\",\n    \"viewBox\": \"0 0 16 16\",\n    \"width\": \"16\"\n  }, mdx(\"path\", {\n    parentName: \"svg\",\n    \"fillRule\": \"evenodd\",\n    \"d\": \"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"\n  }))), \"The Role of AI: It Did Not Kill the Game. It Raised the Bar.\"), mdx(\"p\", null, \"One of the most interesting parts of this year\\u2019s competition was the role of AI.\"), mdx(\"p\", null, \"AI usage among top teams was clearly on another level.\"), mdx(\"p\", null, \"Before the competition, there was a reasonable concern that AI might make this kind of event less meaningful.\"), mdx(\"p\", null, \"If models can summarize logs, explain code, generate scripts, and suggest approaches, does that reduce the value of human technical skill?\"), mdx(\"p\", null, \"After the competition, my conclusion is the opposite.\"), mdx(\"blockquote\", null, mdx(\"p\", {\n    parentName: \"blockquote\"\n  }, \"AI did not kill the game.\", mdx(\"br\", {\n    parentName: \"p\"\n  }), \"\\n\", \"It raised the bar.\")), mdx(\"p\", null, \"Hack The Box allowed AI-assisted workflows in a controlled hybrid mode, while keeping the focus on human-led reasoning.\"), mdx(\"p\", null, \"That distinction is important.\"), mdx(\"p\", null, \"Using AI as a co-pilot can speed up analysis, generate ideas, explain unfamiliar syntax, help with scripting, and reduce repetitive work.\"), mdx(\"p\", null, \"But it does not replace the need to understand what is happening.\"), mdx(\"p\", null, \"It does not remove the need for judgment.\", mdx(\"br\", {\n    parentName: \"p\"\n  }), \"\\n\", \"It does not magically solve ambiguous, multi-step technical problems without human direction.\"), mdx(\"p\", null, \"In fact, AI may make strong teams even stronger because it rewards those who know how to:\"), mdx(\"ul\", null, mdx(\"li\", {\n    parentName: \"ul\"\n  }, \"ask the right questions,\"), mdx(\"li\", {\n    parentName: \"ul\"\n  }, \"validate outputs,\"), mdx(\"li\", {\n    parentName: \"ul\"\n  }, \"recognize hallucinations,\"), mdx(\"li\", {\n    parentName: \"ul\"\n  }, \"connect partial findings,\"), mdx(\"li\", {\n    parentName: \"ul\"\n  }, \"and turn suggestions into working solutions.\")), mdx(\"p\", null, \"The best teams were not simply \\u201Cusing AI.\\u201D\"), mdx(\"p\", null, \"They were integrating it into their workflow intelligently.\"), mdx(\"p\", null, \"This is very similar to what is happening in the broader cybersecurity industry.\"), mdx(\"p\", null, \"AI is changing how security work is done. It can accelerate:\"), mdx(\"ul\", null, mdx(\"li\", {\n    parentName: \"ul\"\n  }, \"research,\"), mdx(\"li\", {\n    parentName: \"ul\"\n  }, \"analysis,\"), mdx(\"li\", {\n    parentName: \"ul\"\n  }, \"triage,\"), mdx(\"li\", {\n    parentName: \"ul\"\n  }, \"reporting,\"), mdx(\"li\", {\n    parentName: \"ul\"\n  }, \"detection engineering,\"), mdx(\"li\", {\n    parentName: \"ul\"\n  }, \"scripting,\"), mdx(\"li\", {\n    parentName: \"ul\"\n  }, \"and development.\")), mdx(\"p\", null, \"But it also increases the expectations placed on security professionals.\"), mdx(\"p\", null, \"If everyone has access to better tools, then the differentiator becomes how well a team can use those tools.\"), mdx(\"blockquote\", null, mdx(\"p\", {\n    parentName: \"blockquote\"\n  }, \"The future of cybersecurity will not be human-only or AI-only.\", mdx(\"br\", {\n    parentName: \"p\"\n  }), \"\\n\", \"It will be human expertise amplified by AI.\")), mdx(\"p\", null, \"Competitions like the Global Cyber Skills Benchmark are starting to show what that future looks like.\"), mdx(\"h2\", {\n    \"id\": \"why-benchmarks-like-this-are-valuable-for-companies\",\n    \"style\": {\n      \"position\": \"relative\"\n    }\n  }, mdx(\"a\", {\n    parentName: \"h2\",\n    \"href\": \"#why-benchmarks-like-this-are-valuable-for-companies\",\n    \"aria-label\": \"why benchmarks like this are valuable for companies permalink\",\n    \"className\": \"anchor before\"\n  }, mdx(\"svg\", {\n    parentName: \"a\",\n    \"aria-hidden\": \"true\",\n    \"focusable\": \"false\",\n    \"height\": \"16\",\n    \"version\": \"1.1\",\n    \"viewBox\": \"0 0 16 16\",\n    \"width\": \"16\"\n  }, mdx(\"path\", {\n    parentName: \"svg\",\n    \"fillRule\": \"evenodd\",\n    \"d\": \"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"\n  }))), \"Why Benchmarks Like This Are Valuable for Companies\"), mdx(\"p\", null, \"Many organizations struggle to measure cybersecurity capability.\"), mdx(\"p\", null, \"They may know:\"), mdx(\"ul\", null, mdx(\"li\", {\n    parentName: \"ul\"\n  }, \"how many tools they have,\"), mdx(\"li\", {\n    parentName: \"ul\"\n  }, \"how many alerts they receive,\"), mdx(\"li\", {\n    parentName: \"ul\"\n  }, \"how many policies they maintain,\"), mdx(\"li\", {\n    parentName: \"ul\"\n  }, \"how many training modules employees completed,\"), mdx(\"li\", {\n    parentName: \"ul\"\n  }, \"or how many vulnerabilities were reported in the last quarter.\")), mdx(\"p\", null, \"But those metrics do not always answer the most important question:\"), mdx(\"blockquote\", null, mdx(\"p\", {\n    parentName: \"blockquote\"\n  }, \"Can the team actually solve difficult security problems under pressure?\")), mdx(\"p\", null, \"A hands-on benchmark provides a different kind of signal.\"), mdx(\"p\", null, \"It shows how people perform when the answer is not given in advance. It reveals strengths and weaknesses across technical domains. It encourages learning through challenge. It creates a shared experience for the team. It gives leadership a more practical view of capability than passive training alone.\"), mdx(\"p\", null, \"That is why we believe these kinds of competitions are valuable not only for offensive security companies, but for any organization that wants to build real cyber resilience.\"), mdx(\"p\", null, \"Cybersecurity readiness is not created by documentation alone.\"), mdx(\"p\", null, \"It is built through:\"), mdx(\"ul\", null, mdx(\"li\", {\n    parentName: \"ul\"\n  }, \"practice,\"), mdx(\"li\", {\n    parentName: \"ul\"\n  }, \"exposure,\"), mdx(\"li\", {\n    parentName: \"ul\"\n  }, \"repetition,\"), mdx(\"li\", {\n    parentName: \"ul\"\n  }, \"feedback,\"), mdx(\"li\", {\n    parentName: \"ul\"\n  }, \"and continuous improvement.\")), mdx(\"p\", null, \"A team that regularly tests itself becomes sharper.\"), mdx(\"h2\", {\n    \"id\": \"what-this-says-about-hackrate\",\n    \"style\": {\n      \"position\": \"relative\"\n    }\n  }, mdx(\"a\", {\n    parentName: \"h2\",\n    \"href\": \"#what-this-says-about-hackrate\",\n    \"aria-label\": \"what this says about hackrate permalink\",\n    \"className\": \"anchor before\"\n  }, mdx(\"svg\", {\n    parentName: \"a\",\n    \"aria-hidden\": \"true\",\n    \"focusable\": \"false\",\n    \"height\": \"16\",\n    \"version\": \"1.1\",\n    \"viewBox\": \"0 0 16 16\",\n    \"width\": \"16\"\n  }, mdx(\"path\", {\n    parentName: \"svg\",\n    \"fillRule\": \"evenodd\",\n    \"d\": \"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"\n  }))), \"What This Says About Hackrate\"), mdx(\"p\", null, \"For us, this result confirms something we already believed:\"), mdx(\"blockquote\", null, mdx(\"p\", {\n    parentName: \"blockquote\"\n  }, \"Hackrate has a highly capable, hands-on technical team.\")), mdx(\"p\", null, \"But it also reminds us that capability must be maintained.\"), mdx(\"p\", null, \"Cybersecurity changes constantly.\"), mdx(\"p\", null, \"New attack techniques appear. Platforms evolve. Cloud architectures become more complex. Identity becomes more central. AI changes both attacker and defender workflows. Regulations change. Customer expectations rise.\"), mdx(\"p\", null, \"A result like this is not the end of the journey.\"), mdx(\"p\", null, \"It is a snapshot.\"), mdx(\"p\", null, \"It shows where we stood during one demanding global benchmark in May 2026. It gives us confidence, but it also gives us motivation to keep improving.\"), mdx(\"p\", null, \"That mindset is important to us.\"), mdx(\"p\", null, \"We do not want to be a company that relies only on past experience. We want to be a team that keeps testing itself, keeps learning, and keeps raising the level of what we deliver to customers.\"), mdx(\"p\", null, \"This is exactly the mindset behind Hackrate\\u2019s services and HackGATE as well.\"), mdx(\"p\", null, \"Security testing should not be treated as a one-time checkbox.\"), mdx(\"p\", null, \"It should be:\"), mdx(\"ul\", null, mdx(\"li\", {\n    parentName: \"ul\"\n  }, \"continuous,\"), mdx(\"li\", {\n    parentName: \"ul\"\n  }, \"measurable,\"), mdx(\"li\", {\n    parentName: \"ul\"\n  }, \"controlled,\"), mdx(\"li\", {\n    parentName: \"ul\"\n  }, \"and connected to real risk.\")), mdx(\"p\", null, \"Organizations need visibility into:\"), mdx(\"ul\", null, mdx(\"li\", {\n    parentName: \"ul\"\n  }, \"what is being tested,\"), mdx(\"li\", {\n    parentName: \"ul\"\n  }, \"what has been found,\"), mdx(\"li\", {\n    parentName: \"ul\"\n  }, \"what has been fixed,\"), mdx(\"li\", {\n    parentName: \"ul\"\n  }, \"and where exposure still exists.\")), mdx(\"h2\", {\n    \"id\": \"a-proud-moment-for-the-team\",\n    \"style\": {\n      \"position\": \"relative\"\n    }\n  }, mdx(\"a\", {\n    parentName: \"h2\",\n    \"href\": \"#a-proud-moment-for-the-team\",\n    \"aria-label\": \"a proud moment for the team permalink\",\n    \"className\": \"anchor before\"\n  }, mdx(\"svg\", {\n    parentName: \"a\",\n    \"aria-hidden\": \"true\",\n    \"focusable\": \"false\",\n    \"height\": \"16\",\n    \"version\": \"1.1\",\n    \"viewBox\": \"0 0 16 16\",\n    \"width\": \"16\"\n  }, mdx(\"path\", {\n    parentName: \"svg\",\n    \"fillRule\": \"evenodd\",\n    \"d\": \"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"\n  }))), \"A Proud Moment for the Team\"), mdx(\"p\", null, \"This achievement belongs to the whole Hackrate team.\"), mdx(\"p\", null, \"Finishing \", mdx(\"strong\", {\n    parentName: \"p\"\n  }, \"1st in Hungary\"), \", \", mdx(\"strong\", {\n    parentName: \"p\"\n  }, \"9th in Europe\"), \", and \", mdx(\"strong\", {\n    parentName: \"p\"\n  }, \"22nd globally\"), \" among hundreds of corporate teams is a result we are genuinely proud of.\"), mdx(\"p\", null, \"It reflects:\"), mdx(\"ul\", null, mdx(\"li\", {\n    parentName: \"ul\"\n  }, \"technical depth,\"), mdx(\"li\", {\n    parentName: \"ul\"\n  }, \"persistence,\"), mdx(\"li\", {\n    parentName: \"ul\"\n  }, \"teamwork,\"), mdx(\"li\", {\n    parentName: \"ul\"\n  }, \"curiosity,\"), mdx(\"li\", {\n    parentName: \"ul\"\n  }, \"and the kind of hands-on offensive security mindset we bring to customer projects every day.\")), mdx(\"p\", null, \"We are proud to represent Hungary on the global cybersecurity stage.\"), mdx(\"p\", null, \"We are also proud that Hackrate could stand alongside, and ahead of, many internationally recognized organizations in a competition based on real technical performance.\"), mdx(\"p\", null, \"Congratulations to everyone involved.\"), mdx(\"p\", null, \"And thank you to Hack The Box for organizing a benchmark that gives corporate teams a meaningful way to test themselves against the world.\"), mdx(\"p\", null, \"For Hackrate, this was more than a competition.\"), mdx(\"p\", null, \"It was a reminder of why we do what we do:\"), mdx(\"blockquote\", null, mdx(\"p\", {\n    parentName: \"blockquote\"\n  }, \"Helping organizations understand their real security posture, improve continuously, and build resilience through practical, hands-on expertise.\")), mdx(\"p\", null, \"The scoreboard was one moment.\"), mdx(\"p\", null, \"The mindset continues every day.\"), mdx(\"hr\", null), mdx(\"p\", null, \"Want to strengthen your digital defenses? Or receive a thorough assessment of your cybersecurity posture?\"), mdx(\"p\", null, \"Get in touch with \", mdx(\"a\", {\n    parentName: \"p\",\n    \"href\": \"https://www.hckrt.com/Home/RequestADemo\",\n    \"target\": \"_blank\",\n    \"rel\": \"nofollow noopener\"\n  }, \"us\"), \". Our team is always happy to chat\"));\n}\n;\nMDXContent.isMDXComponent = true;","slug":"/blog/Hackrate-Ranked-1st-in-Hungary-and-22nd-Globally-at-Hack-The-Boxs-Global-Cyber-Skills-Benchmark-2026/","timeToRead":"13 min read","date":"May 29, 2026","dateString":"May 29, 2026","datePublishedSeoFormat":"2026-05-29","title":"Hackrate Ranked 1st in Hungary and 22nd Globally at Hack The Box’s Global Cyber Skills Benchmark 2026","excerpt":"Hackrate achieved 1st place in Hungary, 9th in Europe, and 22nd globally at Hack The Box’s Global Cyber Skills Benchmark 2026, competing against 589 corporate teams worldwide.","tags":["security-testing","ethical-hacking","hackrate","news"],"lastModificationTime":null,"lastModificationTimeString":null,"dateModifiedSeoFormat":null,"hero":{"full":{"base64":"data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAOCAIAAACgpqunAAAACXBIWXMAAAsTAAALEwEAmpwYAAADGElEQVQozxXPyW8bVQDH8SF248T2zNizvXmzet6b1bN6Hzt2bMdJ3MrQJoWWVBSplSoECEThQJVIbFKl9hD1EMAKUQ+IiJCSqgJRDpXKgf8MI/2un6/0IxiIynqV1H1GckgekWolr0rLIlziYF7mi76HP90fzU+3Tn4XDw7ztTVONRiolYBElgBh9zeMRgt6gf32HZC0V0SF1o1S4NHYWAkj+MlB67N9zgxmj44mj49XOxMQxHY7dBoBh3gCbE2jsHqlE/gffWluXyvIWsn3KcspIhN1R53374ndMUuVmclOcuNuMpqx2A2H1XjsB9uQ4B1DqVRUx5W6fSmpak0PdxpyHMJG3W3VB6N178qOoGJSrKC469T6tGwB25Qd2x2KBIeVckXlk4i1LDTA6V5r471bwXRjbfctYVHpdUd7t5mKnWOA4tRbw2nQGlIAFzjDWgNEVoA5GQpx8uiH+cnZs/tH829+Pn1ydv7g++Pv5id3vn6YVfEbJY4oC5KVxOlEMuMibxRZ5A4BsarKWVHKSeoHDw5+unhx9OrfJ3+/fnz+4uFfrw+fv5x9fpBB7hIrECVBMILm+lR2G6sCIjnkLHDZ0EuakYXS+vV3np49O/7t4tdX//z4/M/7v1wcnp6j8WWCFTILTHMAhThIJRSSwCxyKNoyiBUBkFCiNJUOYrbX47pt9saeMJtx08tUFF/C3hIvLgEtL2q6XXPiLqc4FEAUb8VTm/h4/4t7335FuQEhSJdkjY5rhahWCOKcptOmmTGcfLpd2HwX3LqLkp6d9EiAadEqQy/ctIn5yz/aN2/b3cG438iLEhXWCthu7lwtqmr85rX81Q9xOoSWm4tSlI4rQQqMSMEJJ1f/x8nuzSwtxI365mQIkZkThGVByHIgU+Ks3oRtrst+xEOVUUzNbXq1gRWkfn0gqGG4ZRNaukaLut7sVK/vUpXKMs+Xkc4nSR6ZGQYyyOWwDbGHvbZuN2QUsbJLQ4uRHcV3CBIsqgolyctQzwogxzJsFcN+Ny9VFt8kVFVwjIKaFdesqIX9JjCqvO4sxijOf0XyoJwz1HweAAAAAElFTkSuQmCC","aspectRatio":1.4143646408839778,"src":"/static/9b0d101e2e6dbfda52fbb1746473b90a/d0c75/Hackrate-Ranked-1st-in-Hungary-and-22nd-Globally-at-Hack-The-Boxs-Global-Cyber-Skills-Benchmark-2026-1.png","srcSet":"/static/9b0d101e2e6dbfda52fbb1746473b90a/6ba37/Hackrate-Ranked-1st-in-Hungary-and-22nd-Globally-at-Hack-The-Boxs-Global-Cyber-Skills-Benchmark-2026-1.png 512w,\n/static/9b0d101e2e6dbfda52fbb1746473b90a/4e530/Hackrate-Ranked-1st-in-Hungary-and-22nd-Globally-at-Hack-The-Boxs-Global-Cyber-Skills-Benchmark-2026-1.png 1024w,\n/static/9b0d101e2e6dbfda52fbb1746473b90a/d0c75/Hackrate-Ranked-1st-in-Hungary-and-22nd-Globally-at-Hack-The-Boxs-Global-Cyber-Skills-Benchmark-2026-1.png 1527w","srcWebp":"/static/9b0d101e2e6dbfda52fbb1746473b90a/ce160/Hackrate-Ranked-1st-in-Hungary-and-22nd-Globally-at-Hack-The-Boxs-Global-Cyber-Skills-Benchmark-2026-1.webp","srcSetWebp":"/static/9b0d101e2e6dbfda52fbb1746473b90a/e4e36/Hackrate-Ranked-1st-in-Hungary-and-22nd-Globally-at-Hack-The-Boxs-Global-Cyber-Skills-Benchmark-2026-1.webp 512w,\n/static/9b0d101e2e6dbfda52fbb1746473b90a/e0f73/Hackrate-Ranked-1st-in-Hungary-and-22nd-Globally-at-Hack-The-Boxs-Global-Cyber-Skills-Benchmark-2026-1.webp 1024w,\n/static/9b0d101e2e6dbfda52fbb1746473b90a/ce160/Hackrate-Ranked-1st-in-Hungary-and-22nd-Globally-at-Hack-The-Boxs-Global-Cyber-Skills-Benchmark-2026-1.webp 1527w","sizes":"(max-width: 1527px) 100vw, 1527px"}},"commentId":"/blog/Hackrate-Ranked-1st-in-Hungary-and-22nd-Globally-at-Hack-The-Boxs-Global-Cyber-Skills-Benchmark-2026/","tableOfContents":{"items":[{"url":"#hackrates-results","title":"Hackrate’s Results"},{"url":"#what-is-the-global-cyber-skills-benchmark","title":"What Is the Global Cyber Skills Benchmark?"},{"url":"#why-this-result-matters-to-us","title":"Why This Result Matters to Us"},{"url":"#competing-against-global-cybersecurity-teams","title":"Competing Against Global Cybersecurity Teams"},{"url":"#a-broad-test-of-real-cyber-skills","title":"A Broad Test of Real Cyber Skills"},{"url":"#why-diversity-of-challenges-matters","title":"Why Diversity of Challenges Matters"},{"url":"#teamwork-under-pressure","title":"Teamwork Under Pressure"},{"url":"#the-role-of-ai-it-did-not-kill-the-game-it-raised-the-bar","title":"The Role of AI: It Did Not Kill the Game. It Raised the Bar."},{"url":"#why-benchmarks-like-this-are-valuable-for-companies","title":"Why Benchmarks Like This Are Valuable for Companies"},{"url":"#what-this-says-about-hackrate","title":"What This Says About Hackrate"},{"url":"#a-proud-moment-for-the-team","title":"A Proud Moment for the Team"}]},"lastModifiedTime":"2026-05-29T09:00:00.000Z","lastModifiedTimeString":"May 29, 2026"},{"id":"094e664a-1bcc-5567-a9db-11b19238ae67","author":"Balazs Pozner","body":"var _excluded = [\"components\"];\nfunction _extends() { _extends = Object.assign ? Object.assign.bind() : function (target) { for (var i = 1; i < arguments.length; i++) { var source = arguments[i]; for (var key in source) { if (Object.prototype.hasOwnProperty.call(source, key)) { target[key] = source[key]; } } } return target; }; return _extends.apply(this, arguments); }\nfunction _objectWithoutProperties(source, excluded) { if (source == null) return {}; var target = _objectWithoutPropertiesLoose(source, excluded); var key, i; if (Object.getOwnPropertySymbols) { var sourceSymbolKeys = Object.getOwnPropertySymbols(source); for (i = 0; i < sourceSymbolKeys.length; i++) { key = sourceSymbolKeys[i]; if (excluded.indexOf(key) >= 0) continue; if (!Object.prototype.propertyIsEnumerable.call(source, key)) continue; target[key] = source[key]; } } return target; }\nfunction _objectWithoutPropertiesLoose(source, excluded) { if (source == null) return {}; var target = {}; var sourceKeys = Object.keys(source); var key, i; for (i = 0; i < sourceKeys.length; i++) { key = sourceKeys[i]; if (excluded.indexOf(key) >= 0) continue; target[key] = source[key]; } return target; }\n/* @jsxRuntime classic */\n/* @jsx mdx */\n\nvar _frontmatter = {\n  \"templateKey\": \"blog-post\",\n  \"title\": \"CRA-ready vulnerability disclosure with Hackrate managed VDP\",\n  \"description\": \"This article looks at how organizations can start preparing their vulnerability disclosure handling for the Cyber Resilience Act, and how Hackrate managed VDP can support that work. It may be useful for teams that want a clearer, more structured way to manage external vulnerability reports.\",\n  \"author\": \"Balazs Pozner\",\n  \"authorURL\": \"https://twitter.com/hackrate\",\n  \"date\": \"2026-05-15T09:00:00.000Z\",\n  \"image\": \"/img/blog/CRA--ready-vulnerability-disclosure-with-Hackrate-managed-VDP.png\",\n  \"tags\": [\"security-testing\", \"ethical-hacking\", \"news\"]\n};\nvar layoutProps = {\n  _frontmatter: _frontmatter\n};\nvar MDXLayout = \"wrapper\";\nreturn function MDXContent(_ref) {\n  var components = _ref.components,\n    props = _objectWithoutProperties(_ref, _excluded);\n  return mdx(MDXLayout, _extends({}, layoutProps, props, {\n    components: components,\n    mdxType: \"MDXLayout\"\n  }), mdx(\"p\", null, \"The Cyber Resilience Act makes vulnerability handling a regulated product security process for manufacturers of products with digital elements. Hackrate managed VDP helps organizations build a clear external reporting channel before CRA deadlines arrive.\"), mdx(\"h2\", {\n    \"id\": \"why-vulnerability-disclosure-matters-under-the-cra\",\n    \"style\": {\n      \"position\": \"relative\"\n    }\n  }, mdx(\"a\", {\n    parentName: \"h2\",\n    \"href\": \"#why-vulnerability-disclosure-matters-under-the-cra\",\n    \"aria-label\": \"why vulnerability disclosure matters under the cra permalink\",\n    \"className\": \"anchor before\"\n  }, mdx(\"svg\", {\n    parentName: \"a\",\n    \"aria-hidden\": \"true\",\n    \"focusable\": \"false\",\n    \"height\": \"16\",\n    \"version\": \"1.1\",\n    \"viewBox\": \"0 0 16 16\",\n    \"width\": \"16\"\n  }, mdx(\"path\", {\n    parentName: \"svg\",\n    \"fillRule\": \"evenodd\",\n    \"d\": \"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"\n  }))), \"Why vulnerability disclosure matters under the CRA\"), mdx(\"p\", null, \"The Cyber Resilience Act, Regulation (EU) 2024/2847, introduces cybersecurity requirements for products with digital elements placed on the EU market. It applies to a broad range of software and hardware products, including connected products, applications, embedded systems, and certain remote data processing components. The CRA entered into force on 10 December 2024. Its main obligations apply from 11 December 2027, while Article 14 reporting obligations apply earlier, from 11 September 2026.\"), mdx(\"p\", null, \"For manufacturers, the practical message is simple: vulnerability handling becomes part of product compliance.\"), mdx(\"p\", null, \"The CRA does not only ask whether a product was secure when it was released. It expects manufacturers to handle vulnerabilities during the product support period. This includes receiving vulnerability information, assessing technical impact, taking corrective or mitigating measures, documenting the process, and escalating reports that may trigger regulatory reporting.\"), mdx(\"p\", null, \"A Vulnerability Disclosure Program is one of the most practical ways to establish this capability. It gives external researchers, ethical hackers, customers, partners, and other third parties a clear way to report security issues. But for CRA readiness, a VDP must be more than a policy page. It must be connected to validation, remediation, documentation, and decision-making.\"), mdx(\"p\", null, \"A vulnerability disclosure policy, a responsible disclosure program, and coordinated vulnerability disclosure describe the same basic operating model: an external party reports a vulnerability to the organization and the organization validates and remediates the issue. In this article, VDP is used as the practical term for that.\"), mdx(\"p\", null, \"There are 2 dates that matter for vulnerability disclosure planning.\"), mdx(\"p\", null, \"11 September 2026 is when Article 14 reporting obligations start to apply. From this date, manufacturers must report actively exploited vulnerabilities contained in products with digital elements and severe incidents that affect the security of those products.\"), mdx(\"p\", null, \"11 December 2027 is when the main CRA obligations apply. This includes the wider product conformity framework and the vulnerability handling requirements in Annex I.\"), mdx(\"h2\", {\n    \"id\": \"the-operational-problem-companies-need-to-solve\",\n    \"style\": {\n      \"position\": \"relative\"\n    }\n  }, mdx(\"a\", {\n    parentName: \"h2\",\n    \"href\": \"#the-operational-problem-companies-need-to-solve\",\n    \"aria-label\": \"the operational problem companies need to solve permalink\",\n    \"className\": \"anchor before\"\n  }, mdx(\"svg\", {\n    parentName: \"a\",\n    \"aria-hidden\": \"true\",\n    \"focusable\": \"false\",\n    \"height\": \"16\",\n    \"version\": \"1.1\",\n    \"viewBox\": \"0 0 16 16\",\n    \"width\": \"16\"\n  }, mdx(\"path\", {\n    parentName: \"svg\",\n    \"fillRule\": \"evenodd\",\n    \"d\": \"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"\n  }))), \"The operational problem companies need to solve\"), mdx(\"p\", null, \"Many organizations still rely on a security email address, informal contacts, support tickets, or fragmented internal workflows to receive vulnerability information.\"), mdx(\"p\", null, \"That model is weak for CRA readiness.\"), mdx(\"p\", null, \"A mailbox can receive a report, but it does not create a controlled vulnerability handling process. It does not define what information researchers should submit. It does not validate whether the report is real. It does not filter spam, duplicates, incomplete submissions, or non-security issues. It does not assess exploitability or product impact. It does not automatically create evidence for compliance teams.\"), mdx(\"p\", null, \"This is the gap Hackrate managed VDP is designed to close.\"), mdx(\"h2\", {\n    \"id\": \"what-a-cra-ready-vulnerability-disclosure-process-should-do\",\n    \"style\": {\n      \"position\": \"relative\"\n    }\n  }, mdx(\"a\", {\n    parentName: \"h2\",\n    \"href\": \"#what-a-cra-ready-vulnerability-disclosure-process-should-do\",\n    \"aria-label\": \"what a cra ready vulnerability disclosure process should do permalink\",\n    \"className\": \"anchor before\"\n  }, mdx(\"svg\", {\n    parentName: \"a\",\n    \"aria-hidden\": \"true\",\n    \"focusable\": \"false\",\n    \"height\": \"16\",\n    \"version\": \"1.1\",\n    \"viewBox\": \"0 0 16 16\",\n    \"width\": \"16\"\n  }, mdx(\"path\", {\n    parentName: \"svg\",\n    \"fillRule\": \"evenodd\",\n    \"d\": \"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"\n  }))), \"What a CRA-ready vulnerability disclosure process should do\"), mdx(\"p\", null, \"A CRA-ready process should support the full path from external report to internal decision.\"), mdx(\"p\", null, \"It should help the organization:\"), mdx(\"ul\", null, mdx(\"li\", {\n    parentName: \"ul\"\n  }, \"Receive vulnerability reports through a clear channel.\"), mdx(\"li\", {\n    parentName: \"ul\"\n  }, \"Collect the technical information needed for triage.\"), mdx(\"li\", {\n    parentName: \"ul\"\n  }, \"Validate whether the report is relevant, in scope, understandable, and technically credible.\"), mdx(\"li\", {\n    parentName: \"ul\"\n  }, \"Assess potential impact, exploitability, and prioritization.\"), mdx(\"li\", {\n    parentName: \"ul\"\n  }, \"Communicate professionally with the external reporter.\"), mdx(\"li\", {\n    parentName: \"ul\"\n  }, \"Provide internal teams with actionable technical information.\"), mdx(\"li\", {\n    parentName: \"ul\"\n  }, \"Support escalation to security, product, engineering, legal, and compliance teams.\"), mdx(\"li\", {\n    parentName: \"ul\"\n  }, \"Preserve a traceable record of intake, validation, communication, assessment, remediation input, and closure.\")), mdx(\"p\", null, \"This is where a managed VDP becomes valuable. It turns external vulnerability reporting from an unmanaged intake point into a controlled workflow.\"), mdx(\"h2\", {\n    \"id\": \"how-hackrate-managed-vdp-helps\",\n    \"style\": {\n      \"position\": \"relative\"\n    }\n  }, mdx(\"a\", {\n    parentName: \"h2\",\n    \"href\": \"#how-hackrate-managed-vdp-helps\",\n    \"aria-label\": \"how hackrate managed vdp helps permalink\",\n    \"className\": \"anchor before\"\n  }, mdx(\"svg\", {\n    parentName: \"a\",\n    \"aria-hidden\": \"true\",\n    \"focusable\": \"false\",\n    \"height\": \"16\",\n    \"version\": \"1.1\",\n    \"viewBox\": \"0 0 16 16\",\n    \"width\": \"16\"\n  }, mdx(\"path\", {\n    parentName: \"svg\",\n    \"fillRule\": \"evenodd\",\n    \"d\": \"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"\n  }))), \"How Hackrate managed VDP helps\"), mdx(\"p\", null, \"Hackrate managed VDP combines the Hackrate Ethical Hacking Platform with managed vulnerability report handling by Hackrate security experts. The service focuses on external vulnerability reports submitted by ethical hackers, researchers, or other external parties. The platform can also support centralized vulnerability management and report tracking where the customer wants to use it for that purpose.\"), mdx(\"p\", null, \"Hackrate helps in six practical areas.\"), mdx(\"ol\", null, mdx(\"li\", {\n    parentName: \"ol\"\n  }, \"Structured external vulnerability intake: Hackrate provides a professional reporting channel where external parties can submit vulnerability reports in a structured format.\")), mdx(\"p\", null, \"The reporting form can be linked from the customer\\u2019s website, security page, or vulnerability disclosure policy page. This gives researchers a clear entry point and helps the customer avoid fragmented reporting through support or unmonitored mailboxes.\"), mdx(\"p\", null, \"A structured report can capture key information such as the affected product, affected asset or component, technical description, reproduction steps, evidence, potential impact, and suggested mitigation. This improves the quality of the submission. This matters because early clarity saves time.\"), mdx(\"ol\", {\n    \"start\": 2\n  }, mdx(\"li\", {\n    parentName: \"ol\"\n  }, \"Report validation and filtering: Hackrate reviews external submissions before they reach the customer\\u2019s internal teams.\")), mdx(\"p\", null, \"This triage step helps determine whether the report is understandable, relevant, in scope, sufficiently documented, and technically credible. It also helps filter incomplete reports, duplicates, irrelevant findings, spam, and non-security submissions.\"), mdx(\"p\", null, \"This is one of the strongest benefits for customers. Internal security and engineering teams should not spend their time processing noise. They should receive validated, actionable findings with enough technical context to decide what happens next.\"), mdx(\"ol\", {\n    \"start\": 3\n  }, mdx(\"li\", {\n    parentName: \"ol\"\n  }, \"Risk and impact assessment: Hackrate assesses the potential severity and impact of validated vulnerability reports.\")), mdx(\"p\", null, \"This assessment may consider confidentiality, integrity, availability, exploitability, attack complexity, likelihood of exploitation, affected product context, and recommended prioritization. The objective is to help the customer understand whether the issue requires routine remediation, urgent attention, or internal escalation for CRA-related assessment.\"), mdx(\"p\", null, \"Hackrate does not make the customer\\u2019s legal or regulatory reporting decision. That remains the responsibility of the manufacturer. Hackrate provides the technical input and documentation that legal, compliance, security, product, and management teams need to make that decision.\"), mdx(\"ol\", {\n    \"start\": 4\n  }, mdx(\"li\", {\n    parentName: \"ol\"\n  }, \"Communication with external reporters: Hackrate manages communication with the external reporter during the validation process. This improves the quality and professionalism of the disclosure experience. Researchers receive structured communication (instead of silence or unclear responses). The customer receives clarification where needed.\")), mdx(\"p\", null, \"Good communication also reduces disclosure risk. Many public conflicts between researchers and companies start because the reporting process is unclear or slow.\"), mdx(\"ol\", {\n    \"start\": 5\n  }, mdx(\"li\", {\n    parentName: \"ol\"\n  }, \"Remediation-oriented technical input: Hackrate provides practical technical input to support remediation or mitigation.\")), mdx(\"p\", null, \"This may include general remediation direction, possible mitigation options, configuration or implementation considerations, prioritization guidance, and security improvement suggestions.\"), mdx(\"p\", null, \"The purpose is not to replace the customer\\u2019s engineering team. The purpose is to give that team better technical context so it can act faster.\"), mdx(\"ol\", {\n    \"start\": 6\n  }, mdx(\"li\", {\n    parentName: \"ol\"\n  }, \"Traceable vulnerability management: The Hackrate Ethical Hacking Platform provides a central environment for vulnerability reporting and handling. This supports traceability across report intake, validation, communication, assessment, remediation input and closure.\")), mdx(\"p\", null, \"This is important because the compliance team needs evidence that the organization has a repeatable process, the security team needs visibility into report status, the engineering team needs actionable findings, and management needs confidence that serious issues are escalated appropriately. Our platform-based workflow helps align those needs.\"), mdx(\"h2\", {\n    \"id\": \"where-cve-support-fits\",\n    \"style\": {\n      \"position\": \"relative\"\n    }\n  }, mdx(\"a\", {\n    parentName: \"h2\",\n    \"href\": \"#where-cve-support-fits\",\n    \"aria-label\": \"where cve support fits permalink\",\n    \"className\": \"anchor before\"\n  }, mdx(\"svg\", {\n    parentName: \"a\",\n    \"aria-hidden\": \"true\",\n    \"focusable\": \"false\",\n    \"height\": \"16\",\n    \"version\": \"1.1\",\n    \"viewBox\": \"0 0 16 16\",\n    \"width\": \"16\"\n  }, mdx(\"path\", {\n    parentName: \"svg\",\n    \"fillRule\": \"evenodd\",\n    \"d\": \"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"\n  }))), \"Where CVE support fits\"), mdx(\"p\", null, \"CVE support is not the main purpose of a CRA-ready VDP, but it can be valuable when the customer needs it. Hackrate is a CVE Numbering Authority. When a vulnerability is eligible, when a CVE record is useful, and when the customer requests and approves it, Hackrate can support CVE record creation and disclosure alignment.\"), mdx(\"h2\", {\n    \"id\": \"what-customers-gain-from-hackrate-managed-vdp\",\n    \"style\": {\n      \"position\": \"relative\"\n    }\n  }, mdx(\"a\", {\n    parentName: \"h2\",\n    \"href\": \"#what-customers-gain-from-hackrate-managed-vdp\",\n    \"aria-label\": \"what customers gain from hackrate managed vdp permalink\",\n    \"className\": \"anchor before\"\n  }, mdx(\"svg\", {\n    parentName: \"a\",\n    \"aria-hidden\": \"true\",\n    \"focusable\": \"false\",\n    \"height\": \"16\",\n    \"version\": \"1.1\",\n    \"viewBox\": \"0 0 16 16\",\n    \"width\": \"16\"\n  }, mdx(\"path\", {\n    parentName: \"svg\",\n    \"fillRule\": \"evenodd\",\n    \"d\": \"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"\n  }))), \"What customers gain from Hackrate managed VDP\"), mdx(\"p\", null, \"The CRA makes vulnerability handling a product security and compliance requirement. Manufacturers need a reliable way to receive external vulnerability reports, validate them, assess their impact, support remediation, document the process, and escalate serious vulnerability reports on time.\"), mdx(\"p\", null, \"Hackrate managed VDP gives organizations a practical way to build that capability. It combines a structured reporting channel, expert triage, researcher communication, technical assessment, remediation-oriented input, traceable vulnerability report management, onboarding support, and optional CVE coordination when requested and approved by the customer.\"), mdx(\"p\", null, \"For companies preparing for CRA obligations, the value is straightforward: Hackrate helps turn vulnerability disclosure into a controlled, auditable, and expert-supported process.\"));\n}\n;\nMDXContent.isMDXComponent = true;","slug":"/blog/CRA--ready-vulnerability-disclosure-with-Hackrate-managed-VDP/","timeToRead":"7 min read","date":"May 15, 2026","dateString":"May 15, 2026","datePublishedSeoFormat":"2026-05-15","title":"CRA-ready vulnerability disclosure with Hackrate managed VDP","excerpt":"This article looks at how organizations can start preparing their vulnerability disclosure handling for the Cyber Resilience Act, and how Hackrate managed VDP can support that work. It may be useful for teams that want a clearer, more structured way to manage external vulnerability reports.","tags":["security-testing","ethical-hacking","news"],"lastModificationTime":null,"lastModificationTimeString":null,"dateModifiedSeoFormat":null,"hero":{"full":{"base64":"data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAALCAYAAAB/Ca1DAAAACXBIWXMAAAsTAAALEwEAmpwYAAACw0lEQVQozzWSS2sbZxhG9UsCXYYUUkKySCktFLoolGQTCoViCm2jpHVdW9aMZkYeSSPbulkXj+RYsiP5mksJodsu4siyZY1GGo3k1CGUErLOIulfOHmlpIvDtzs83/s8geTsIZaQ+L1JYlaYE+YPSUZaWMYRidgx8WSbWOoEM9dhoegQtbsYd1z0mlDvoW33Ufc9lAcDAsuhFpXFLtu2z2bBY6ssb3FAUhGh/kFoHWMun7CQ7RAtdDBWHfQ1F63qErnroopQ2fMI3/cIJGcOWZprkVaOyOltMtoxGV0koUNMtcWC3iJqHmEkj9FTbYx8B10SahVBEmoNkW19EI4TJqebVKwu1VSPrMjKkrZkOeTiHeyVHqWCUPawaz7FDV8SOmglB6PWF2GfkHxduzdE2f9f+GuTzUyfRn7A3RWPnfKQRslnXb5fr47Yajxje/eMjZ1nNB4+J1310Msu04kmX35d4fJni3z78yPC+z7zE+EvTepZbyLdHL85j6pQrwzZqPisZF3stQEFwa6PSNcGhFe6XP08z4WrKpe+inHhosJU5C/Ux6dj4VPWEl02Un22CgN27SH2ojsRFjLSorRtmHI/q426dIKedwhJQZc+1bg2VWJq5g+ufKHwzQ97RP48I5AIykyCByRuPcWStJbcNC5FmZNSjoiZbcyENLwk7aY7aDlpuNznxncNPjp/m3Mf3+LiJ1F+yrQIPxqK8KYIbh4QDz4R6RNitw+ISmpDdqnLHiPStCp7VOLjlt8LtVWXcNHlxo+Puf79NsHllmxwyOy98Q2DLdb1f9g0X7Ku/cte5hVn/Tc8999O+Nt7w4vT/+g6rzFSDhERRopd1EpPRu2j745kMj6hHY+5+z4BSxJmph2yMy7p37rkwi7VrLScF0oj1mzhzimr6yM0Eao5kUk6xXaZl3GHaj1CdY/Q7kAS+rwDLHpiGc6456MAAAAASUVORK5CYII=","aspectRatio":1.7902097902097902,"src":"/static/e5459b99a1ca01c9ae56fae1edb98298/14ee0/CRA--ready-vulnerability-disclosure-with-Hackrate-managed-VDP.png","srcSet":"/static/e5459b99a1ca01c9ae56fae1edb98298/6ba37/CRA--ready-vulnerability-disclosure-with-Hackrate-managed-VDP.png 512w,\n/static/e5459b99a1ca01c9ae56fae1edb98298/4e530/CRA--ready-vulnerability-disclosure-with-Hackrate-managed-VDP.png 1024w,\n/static/e5459b99a1ca01c9ae56fae1edb98298/14ee0/CRA--ready-vulnerability-disclosure-with-Hackrate-managed-VDP.png 1542w","srcWebp":"/static/e5459b99a1ca01c9ae56fae1edb98298/fbb14/CRA--ready-vulnerability-disclosure-with-Hackrate-managed-VDP.webp","srcSetWebp":"/static/e5459b99a1ca01c9ae56fae1edb98298/e4e36/CRA--ready-vulnerability-disclosure-with-Hackrate-managed-VDP.webp 512w,\n/static/e5459b99a1ca01c9ae56fae1edb98298/e0f73/CRA--ready-vulnerability-disclosure-with-Hackrate-managed-VDP.webp 1024w,\n/static/e5459b99a1ca01c9ae56fae1edb98298/fbb14/CRA--ready-vulnerability-disclosure-with-Hackrate-managed-VDP.webp 1542w","sizes":"(max-width: 1542px) 100vw, 1542px"}},"commentId":"/blog/CRA--ready-vulnerability-disclosure-with-Hackrate-managed-VDP/","tableOfContents":{"items":[{"url":"#why-vulnerability-disclosure-matters-under-the-cra","title":"Why vulnerability disclosure matters under the CRA"},{"url":"#the-operational-problem-companies-need-to-solve","title":"The operational problem companies need to solve"},{"url":"#what-a-cra-ready-vulnerability-disclosure-process-should-do","title":"What a CRA-ready vulnerability disclosure process should do"},{"url":"#how-hackrate-managed-vdp-helps","title":"How Hackrate managed VDP helps"},{"url":"#where-cve-support-fits","title":"Where CVE support fits"},{"url":"#what-customers-gain-from-hackrate-managed-vdp","title":"What customers gain from Hackrate managed VDP"}]},"lastModifiedTime":"2026-05-15T09:00:00.000Z","lastModifiedTimeString":"May 15, 2026"},{"id":"dcbfe952-f30c-57b1-80b8-337571d2160d","author":"Samuele Gugliotta","body":"var _excluded = [\"components\"];\nfunction _extends() { _extends = Object.assign ? Object.assign.bind() : function (target) { for (var i = 1; i < arguments.length; i++) { var source = arguments[i]; for (var key in source) { if (Object.prototype.hasOwnProperty.call(source, key)) { target[key] = source[key]; } } } return target; }; return _extends.apply(this, arguments); }\nfunction _objectWithoutProperties(source, excluded) { if (source == null) return {}; var target = _objectWithoutPropertiesLoose(source, excluded); var key, i; if (Object.getOwnPropertySymbols) { var sourceSymbolKeys = Object.getOwnPropertySymbols(source); for (i = 0; i < sourceSymbolKeys.length; i++) { key = sourceSymbolKeys[i]; if (excluded.indexOf(key) >= 0) continue; if (!Object.prototype.propertyIsEnumerable.call(source, key)) continue; target[key] = source[key]; } } return target; }\nfunction _objectWithoutPropertiesLoose(source, excluded) { if (source == null) return {}; var target = {}; var sourceKeys = Object.keys(source); var key, i; for (i = 0; i < sourceKeys.length; i++) { key = sourceKeys[i]; if (excluded.indexOf(key) >= 0) continue; target[key] = source[key]; } return target; }\n/* @jsxRuntime classic */\n/* @jsx mdx */\n\nvar _frontmatter = {\n  \"templateKey\": \"blog-post\",\n  \"title\": \"thisclosed_#3\",\n  \"description\": \"Arbitrary File Upload via External Files Feature Allows Client-Side Remote Code Execution\",\n  \"author\": \"Samuele Gugliotta\",\n  \"authorURL\": \"https://twitter.com/hackrate\",\n  \"date\": \"2026-04-14T16:00:00.000Z\",\n  \"image\": \"/img/blog/thisclosed-3-cover.png\",\n  \"draft\": false,\n  \"tags\": [\"bug-bounty\", \"security-testing\", \"ethical-hacking\", \"writeup\"]\n};\nvar layoutProps = {\n  _frontmatter: _frontmatter\n};\nvar MDXLayout = \"wrapper\";\nreturn function MDXContent(_ref) {\n  var components = _ref.components,\n    props = _objectWithoutProperties(_ref, _excluded);\n  return mdx(MDXLayout, _extends({}, layoutProps, props, {\n    components: components,\n    mdxType: \"MDXLayout\"\n  }), mdx(\"h2\", {\n    \"id\": \"summary\",\n    \"style\": {\n      \"position\": \"relative\"\n    }\n  }, mdx(\"a\", {\n    parentName: \"h2\",\n    \"href\": \"#summary\",\n    \"aria-label\": \"summary permalink\",\n    \"className\": \"anchor before\"\n  }, mdx(\"svg\", {\n    parentName: \"a\",\n    \"aria-hidden\": \"true\",\n    \"focusable\": \"false\",\n    \"height\": \"16\",\n    \"version\": \"1.1\",\n    \"viewBox\": \"0 0 16 16\",\n    \"width\": \"16\"\n  }, mdx(\"path\", {\n    parentName: \"svg\",\n    \"fillRule\": \"evenodd\",\n    \"d\": \"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"\n  }))), \"Summary\"), mdx(\"p\", null, \"During an assessment of a web-based platform (hereinafter referred to as \", mdx(\"strong\", {\n    parentName: \"p\"\n  }, \"[REDACTED]\"), \"), I identified a critical vulnerability in the file upload mechanism exposed through the \", mdx(\"strong\", {\n    parentName: \"p\"\n  }, \"External Files\"), \" feature within the project dashboard. This feature is designed to allow authenticated users to import supplementary documentation, such as \", mdx(\"inlineCode\", {\n    parentName: \"p\"\n  }, \".txt\"), \" and \", mdx(\"inlineCode\", {\n    parentName: \"p\"\n  }, \".md\"), \" files, to enrich project requirements.\"), mdx(\"p\", null, \"The user interface explicitly enforces the following constraints:\"), mdx(\"blockquote\", null, mdx(\"p\", {\n    parentName: \"blockquote\"\n  }, \"Allowed: .txt, .md files only \\xB7 Max 5 files \\xB7 Max 10KB per file\")), mdx(\"p\", null, \"However, these restrictions exist solely on the client side. The backend performs no validation whatsoever on the file extension, MIME type, or content body. By intercepting the upload request and manipulating the relevant fields, an attacker can submit arbitrary file types, including formats capable of executing code on the client\\u2019s machine upon download and execution. This class of vulnerability is formally catalogued as \", mdx(\"a\", {\n    parentName: \"p\",\n    \"href\": \"https://cwe.mitre.org/data/definitions/434.html\",\n    \"target\": \"_blank\",\n    \"rel\": \"nofollow noopener\"\n  }, \"CWE-434: Unrestricted Upload of File with Dangerous Type\"), \".\"), mdx(\"p\", null, mdx(\"img\", {\n    parentName: \"p\",\n    \"src\": \"https://cwe.mitre.org/data/images/CWE-434-Diagram.png\",\n    \"alt\": \"CWE-434 Diagram\"\n  })), mdx(\"p\", null, \"To demonstrate the severity of this flaw, I crafted and uploaded a \", mdx(\"inlineCode\", {\n    parentName: \"p\"\n  }, \".hta\"), \" file containing an ActiveX-based payload. When downloaded and opened on a Windows system, the file was processed by \", mdx(\"inlineCode\", {\n    parentName: \"p\"\n  }, \"mshta.exe\"), \", launching \", mdx(\"inlineCode\", {\n    parentName: \"p\"\n  }, \"calc.exe\"), \" as a benign proof of execution. Additional executable formats, including \", mdx(\"inlineCode\", {\n    parentName: \"p\"\n  }, \".html\"), \" and \", mdx(\"inlineCode\", {\n    parentName: \"p\"\n  }, \".exe\"), \", were also tested and accepted without restriction.\"), mdx(\"h2\", {\n    \"id\": \"technical-analysis\",\n    \"style\": {\n      \"position\": \"relative\"\n    }\n  }, mdx(\"a\", {\n    parentName: \"h2\",\n    \"href\": \"#technical-analysis\",\n    \"aria-label\": \"technical analysis permalink\",\n    \"className\": \"anchor before\"\n  }, mdx(\"svg\", {\n    parentName: \"a\",\n    \"aria-hidden\": \"true\",\n    \"focusable\": \"false\",\n    \"height\": \"16\",\n    \"version\": \"1.1\",\n    \"viewBox\": \"0 0 16 16\",\n    \"width\": \"16\"\n  }, mdx(\"path\", {\n    parentName: \"svg\",\n    \"fillRule\": \"evenodd\",\n    \"d\": \"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"\n  }))), \"Technical Analysis\"), mdx(\"h3\", {\n    \"id\": \"upload-mechanism-and-client-side-only-validation-gap\",\n    \"style\": {\n      \"position\": \"relative\"\n    }\n  }, mdx(\"a\", {\n    parentName: \"h3\",\n    \"href\": \"#upload-mechanism-and-client-side-only-validation-gap\",\n    \"aria-label\": \"upload mechanism and client side only validation gap permalink\",\n    \"className\": \"anchor before\"\n  }, mdx(\"svg\", {\n    parentName: \"a\",\n    \"aria-hidden\": \"true\",\n    \"focusable\": \"false\",\n    \"height\": \"16\",\n    \"version\": \"1.1\",\n    \"viewBox\": \"0 0 16 16\",\n    \"width\": \"16\"\n  }, mdx(\"path\", {\n    parentName: \"svg\",\n    \"fillRule\": \"evenodd\",\n    \"d\": \"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"\n  }))), \"Upload mechanism and client-side-only validation gap\"), mdx(\"p\", null, \"The \", mdx(\"strong\", {\n    parentName: \"p\"\n  }, \"External Files\"), \" section resides within the project dashboard and serves as a repository for supplementary project documentation. File uploads are dispatched via a \", mdx(\"inlineCode\", {\n    parentName: \"p\"\n  }, \"POST\"), \" request to the following endpoint:\"), mdx(\"pre\", null, mdx(\"code\", {\n    parentName: \"pre\"\n  }, \"/api/app/uiengine/odata/[REDACTED]/modules/projectDashboard/pages/components/InputsTab/ExternalTools/$batch\\n\")), mdx(\"p\", null, \"The request body is a JSON structure containing file metadata and content:\"), mdx(\"pre\", null, mdx(\"code\", {\n    parentName: \"pre\",\n    \"className\": \"language-json\"\n  }, \"{\\n  \\\"requests\\\": [\\n    {\\n      \\\"method\\\": \\\"POST\\\",\\n      \\\"body\\\": {\\n        \\\"projectId\\\": [REDACTED],\\n        \\\"fileName\\\": \\\"sample.txt\\\",\\n        \\\"fileType\\\": \\\"text/plain\\\",\\n        \\\"uploadData\\\": {\\n          \\\"content\\\": \\\"Lorem Ipsum.\\\",\\n          \\\"uploadDate\\\": \\\"2025-07-15T22:58:51.555Z\\\"\\n        }\\n      },\\n      \\\"id\\\": \\\"86\\\",\\n      \\\"atomicityGroup\\\": \\\"86\\\",\\n      \\\"url\\\": \\\"[REDACTED]\\\"\\n    }\\n  ]\\n}\\n\")), mdx(\"p\", null, \"Three fields govern the upload behavior:\"), mdx(\"ul\", null, mdx(\"li\", {\n    parentName: \"ul\"\n  }, mdx(\"strong\", {\n    parentName: \"li\"\n  }, mdx(\"inlineCode\", {\n    parentName: \"strong\"\n  }, \"fileName\")), \": determines the displayed name and file extension.\"), mdx(\"li\", {\n    parentName: \"ul\"\n  }, mdx(\"strong\", {\n    parentName: \"li\"\n  }, mdx(\"inlineCode\", {\n    parentName: \"strong\"\n  }, \"fileType\")), \": declares the MIME type.\"), mdx(\"li\", {\n    parentName: \"ul\"\n  }, mdx(\"strong\", {\n    parentName: \"li\"\n  }, mdx(\"inlineCode\", {\n    parentName: \"strong\"\n  }, \"uploadData.content\")), \": carries the full file content as a string.\")), mdx(\"p\", null, \"None of these fields undergo server-side sanitization or validation. The backend accepts whatever the client provides, persists the file, and surfaces it in the UI as a downloadable asset. No questions asked.\"), mdx(\"p\", null, mdx(\"img\", {\n    parentName: \"p\",\n    \"src\": \"https://media0.giphy.com/media/v1.Y2lkPTc5MGI3NjExM2Z4eThsNWZ0bHgwcWp0Y2ZmNTUxY3I3NWoybnAxeWQ2aGwzZXhkcyZlcD12MV9pbnRlcm5hbF9naWZfYnlfaWQmY3Q9Zw/CiZ9e5IUPqeVFzc8Mp/giphy.gif\",\n    \"alt\": null\n  })), mdx(\"p\", null, \"This is a textbook instance of misplaced trust in client-side controls. The restrictions visible in the UI (file type allowlist, size cap, file count limit) are enforced entirely within the browser\\u2019s JavaScript context. Any user with a web proxy, or even the browser\\u2019s built-in developer tools, can bypass these constraints trivially. Client-side validation serves a legitimate purpose as a usability layer: it provides immediate feedback and prevents accidental misuse. But it must never be the sole enforcement mechanism for security-relevant constraints. Without a corresponding server-side allowlist that independently verifies the file extension, inspects the MIME type, and ideally validates the content\\u2019s magic bytes against expected signatures, the upload endpoint is functionally unrestricted.\"), mdx(\"h3\", {\n    \"id\": \"exploiting-the-lack-of-server-side-validation-to-weaponize-a-hta-payload\",\n    \"style\": {\n      \"position\": \"relative\"\n    }\n  }, mdx(\"a\", {\n    parentName: \"h3\",\n    \"href\": \"#exploiting-the-lack-of-server-side-validation-to-weaponize-a-hta-payload\",\n    \"aria-label\": \"exploiting the lack of server side validation to weaponize a hta payload permalink\",\n    \"className\": \"anchor before\"\n  }, mdx(\"svg\", {\n    parentName: \"a\",\n    \"aria-hidden\": \"true\",\n    \"focusable\": \"false\",\n    \"height\": \"16\",\n    \"version\": \"1.1\",\n    \"viewBox\": \"0 0 16 16\",\n    \"width\": \"16\"\n  }, mdx(\"path\", {\n    parentName: \"svg\",\n    \"fillRule\": \"evenodd\",\n    \"d\": \"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"\n  }))), \"Exploiting the lack of server-side validation to weaponize a \", mdx(\"inlineCode\", {\n    parentName: \"h3\"\n  }, \".hta\"), \" payload\"), mdx(\"p\", null, \"The exploitation is, frankly, trivial. By intercepting a legitimate \", mdx(\"inlineCode\", {\n    parentName: \"p\"\n  }, \".txt\"), \" upload with a web proxy, the attacker gains full control over the JSON payload before it reaches the server. Replacing \", mdx(\"inlineCode\", {\n    parentName: \"p\"\n  }, \"fileName\"), \" with \", mdx(\"inlineCode\", {\n    parentName: \"p\"\n  }, \"payload.hta\"), \", \", mdx(\"inlineCode\", {\n    parentName: \"p\"\n  }, \"fileType\"), \" with \", mdx(\"inlineCode\", {\n    parentName: \"p\"\n  }, \"application/hta\"), \", and injecting executable HTA markup into \", mdx(\"inlineCode\", {\n    parentName: \"p\"\n  }, \"uploadData.content\"), \" is all it takes:\"), mdx(\"pre\", null, mdx(\"code\", {\n    parentName: \"pre\",\n    \"className\": \"language-json\"\n  }, \"{\\n  \\\"requests\\\": [\\n    {\\n      \\\"method\\\": \\\"POST\\\",\\n      \\\"body\\\": {\\n        \\\"projectId\\\": [REDACTED],\\n        \\\"fileName\\\": \\\"payload.hta\\\",\\n        \\\"fileType\\\": \\\"application/hta\\\",\\n        \\\"uploadData\\\": {\\n          \\\"content\\\": \\\"<html><head><script>var shell = new ActiveXObject(\\\\\\\"WScript.Shell\\\\\\\");shell.Run(\\\\\\\"calc.exe\\\\\\\");</script></head><body></body></html>\\\",\\n          \\\"uploadDate\\\": \\\"2025-07-15T22:58:51.555Z\\\"\\n        }\\n      },\\n      \\\"id\\\": \\\"86\\\",\\n      \\\"atomicityGroup\\\": \\\"86\\\",\\n      \\\"url\\\": \\\"[REDACTED]\\\"\\n    }\\n  ]\\n}\\n\")), mdx(\"p\", null, \"The upload succeeds. The weaponized \", mdx(\"inlineCode\", {\n    parentName: \"p\"\n  }, \".hta\"), \" file appears in the UI alongside legitimate documents, available for download, waiting for a user to open it.\"), mdx(\"p\", null, mdx(\"img\", {\n    parentName: \"p\",\n    \"src\": \"https://media0.giphy.com/media/v1.Y2lkPTc5MGI3NjExZHI5Z3IxZTVrdTRic2NnbjRuNTczaHVrdzBjdm8weTVyOWRxbXR4ZyZlcD12MV9pbnRlcm5hbF9naWZfYnlfaWQmY3Q9Zw/KF1qNYHUi8wwTNIUUm/giphy.gif\",\n    \"alt\": null\n  })), mdx(\"h3\", {\n    \"id\": \"why-did-i-choose-hta-for-the-poc-here-is-the-rationale\",\n    \"style\": {\n      \"position\": \"relative\"\n    }\n  }, mdx(\"a\", {\n    parentName: \"h3\",\n    \"href\": \"#why-did-i-choose-hta-for-the-poc-here-is-the-rationale\",\n    \"aria-label\": \"why did i choose hta for the poc here is the rationale permalink\",\n    \"className\": \"anchor before\"\n  }, mdx(\"svg\", {\n    parentName: \"a\",\n    \"aria-hidden\": \"true\",\n    \"focusable\": \"false\",\n    \"height\": \"16\",\n    \"version\": \"1.1\",\n    \"viewBox\": \"0 0 16 16\",\n    \"width\": \"16\"\n  }, mdx(\"path\", {\n    parentName: \"svg\",\n    \"fillRule\": \"evenodd\",\n    \"d\": \"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"\n  }))), \"Why did I choose \", mdx(\"inlineCode\", {\n    parentName: \"h3\"\n  }, \".hta\"), \" for the PoC? Here is the rationale\"), mdx(\"p\", null, mdx(\"img\", {\n    parentName: \"p\",\n    \"src\": \"https://imgur.com/SobZxvf.jpeg\",\n    \"alt\": null\n  })), mdx(\"p\", null, \"I chose the \", mdx(\"inlineCode\", {\n    parentName: \"p\"\n  }, \".hta\"), \" (HTML Application) format deliberately because of its unique execution model on Windows systems. An HTA file is structurally identical to an HTML document, but it operates under an entirely different trust model. When a user opens an \", mdx(\"inlineCode\", {\n    parentName: \"p\"\n  }, \".hta\"), \" file, Windows delegates execution to \", mdx(\"inlineCode\", {\n    parentName: \"p\"\n  }, \"mshta.exe\"), \" (Microsoft HTML Application Host), a signed, native binary located at \", mdx(\"inlineCode\", {\n    parentName: \"p\"\n  }, \"C:\\\\Windows\\\\System32\\\\mshta.exe\"), \". Unlike a standard \", mdx(\"inlineCode\", {\n    parentName: \"p\"\n  }, \".html\"), \" file rendered within a browser\\u2019s sandboxed environment, an HTA executes as a standalone application outside the browser\\u2019s security context. This means it is not subject to Internet Explorer zone restrictions, Protected Mode limitations, or any of the sandboxing controls that browsers impose on web-delivered scripts.\"), mdx(\"p\", null, \"Consequently, scripts embedded in an HTA file run with the full privileges of the current user. They can instantiate COM/ActiveX objects, interact with the Windows Script Host, read and write to the file system, modify the registry, and spawn arbitrary processes. In my proof of concept, the payload leveraged this capability to instantiate a \", mdx(\"inlineCode\", {\n    parentName: \"p\"\n  }, \"WScript.Shell\"), \" ActiveX object and invoke \", mdx(\"inlineCode\", {\n    parentName: \"p\"\n  }, \"calc.exe\"), \", a standard and benign demonstration of arbitrary command execution.\"), mdx(\"p\", null, \"From an offensive security perspective, \", mdx(\"inlineCode\", {\n    parentName: \"p\"\n  }, \"mshta.exe\"), \" is classified as a \", mdx(\"a\", {\n    parentName: \"p\",\n    \"href\": \"https://lolbas-project.github.io/lolbas/Binaries/Mshta/\",\n    \"target\": \"_blank\",\n    \"rel\": \"nofollow noopener\"\n  }, \"Living off the Land Binary (LOLBin)\"), \", a category of legitimate, vendor-signed system utilities that attackers routinely co-opt to proxy the execution of malicious code. Because \", mdx(\"inlineCode\", {\n    parentName: \"p\"\n  }, \"mshta.exe\"), \" is a trusted Microsoft binary that ships with every Windows installation, its execution blends seamlessly into normal system activity and is far less likely to trigger behavioral heuristics in endpoint detection products. It has its own dedicated entry in the MITRE ATT&CK framework under technique \", mdx(\"a\", {\n    parentName: \"p\",\n    \"href\": \"https://attack.mitre.org/techniques/T1218/005/\",\n    \"target\": \"_blank\",\n    \"rel\": \"nofollow noopener\"\n  }, \"T1218.005 (System Binary Proxy Execution: Mshta)\"), \", and it is actively leveraged by numerous threat actors and malware families in real-world campaigns.\"), mdx(\"p\", null, \"Simple as that.\"), mdx(\"h2\", {\n    \"id\": \"impact\",\n    \"style\": {\n      \"position\": \"relative\"\n    }\n  }, mdx(\"a\", {\n    parentName: \"h2\",\n    \"href\": \"#impact\",\n    \"aria-label\": \"impact permalink\",\n    \"className\": \"anchor before\"\n  }, mdx(\"svg\", {\n    parentName: \"a\",\n    \"aria-hidden\": \"true\",\n    \"focusable\": \"false\",\n    \"height\": \"16\",\n    \"version\": \"1.1\",\n    \"viewBox\": \"0 0 16 16\",\n    \"width\": \"16\"\n  }, mdx(\"path\", {\n    parentName: \"svg\",\n    \"fillRule\": \"evenodd\",\n    \"d\": \"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"\n  }))), \"Impact\"), mdx(\"p\", null, \"While client-side RCE via \", mdx(\"inlineCode\", {\n    parentName: \"p\"\n  }, \".hta\"), \" serves as the most tangible demonstration of this vulnerability, the underlying risk is systemic. The upload mechanism imposes no server-side restrictions on what enters the platform, which means the \", mdx(\"strong\", {\n    parentName: \"p\"\n  }, \"External Files\"), \" feature is, in practice, an unrestricted file distribution channel embedded within a trusted interface.\"), mdx(\"p\", null, \"This has two immediate consequences. First, any authenticated user can leverage the feature to deliver executable or otherwise harmful content to anyone who downloads from the same project. Second, in collaborative or multi-user environments, an attacker does not need to phish, redirect, or socially engineer a target through external channels. The payload is already inside the platform, sitting in a shared workspace, served by the application itself.\"), mdx(\"hr\", null), mdx(\"h2\", {\n    \"id\": \"acknowledgements\",\n    \"style\": {\n      \"position\": \"relative\"\n    }\n  }, mdx(\"a\", {\n    parentName: \"h2\",\n    \"href\": \"#acknowledgements\",\n    \"aria-label\": \"acknowledgements permalink\",\n    \"className\": \"anchor before\"\n  }, mdx(\"svg\", {\n    parentName: \"a\",\n    \"aria-hidden\": \"true\",\n    \"focusable\": \"false\",\n    \"height\": \"16\",\n    \"version\": \"1.1\",\n    \"viewBox\": \"0 0 16 16\",\n    \"width\": \"16\"\n  }, mdx(\"path\", {\n    parentName: \"svg\",\n    \"fillRule\": \"evenodd\",\n    \"d\": \"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"\n  }))), \"Acknowledgements\"), mdx(\"p\", null, \"I would like to thank the Hackrate team for their consistently swift and efficient triage throughout this engagement, and the client\\u2019s security team for their responsiveness in addressing the reported issue. This finding was part of a private bug bounty program on Hackrate that overall resulted in a \\u20AC\\u20AC\\u20AC\\u20AC bounty payout.\"), mdx(\"p\", null, mdx(\"em\", {\n    parentName: \"p\"\n  }, \"venomnis\")));\n}\n;\nMDXContent.isMDXComponent = true;","slug":"/blog/thisclosed_3/","timeToRead":"6 min read","date":"April 14, 2026","dateString":"April 14, 2026","datePublishedSeoFormat":"2026-04-14","title":"thisclosed_#3","excerpt":"Arbitrary File Upload via External Files Feature Allows Client-Side Remote Code Execution","tags":["bug-bounty","security-testing","ethical-hacking","writeup"],"lastModificationTime":null,"lastModificationTimeString":null,"dateModifiedSeoFormat":null,"hero":{"full":{"base64":"data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAALCAIAAADwazoUAAAACXBIWXMAABYlAAAWJQFJUiTwAAACDUlEQVQoz12P3W/SUBjGz7/lhRoo6kTHVzvKMC5sINsoFJhLdJSPReMuR3bjzZgxRt12o4mYGC/GWGCTfXhjQkICYS1N5wAbSrdlCwPqa6vJsHnynF/PeZ/3nBfdIcMGIogR9K2RoIGgVf39xXAaTv8T7OttlMbotj1EPoo9pJ7hbsYxGSe98RFP1DmVINzMeHDB6JyFgivhGeiut/k1RtDJHVoIRZcCkWRgbpFmkk+evwR30S/C8aW7zseD4bDOSkEeAMMDCBaraw5uAwHYvTG40zYewSci4MQEMzT4bAz3Q0wdlkbQ2+J6SsKDJxOEJzo6nXBMJezweG8MAGYZGp2BGqOmB7Pq2DSMA0I6C4VZ/DqTT2+iMDMFoLJPb6ZU9xmsgZtm6obZp+m6afqa0QMOjJJvPjKptVhqLbK8Ch5VGTyRWo+n1udX/mj5ffr16udX/5R6+2nlXRoAbf46JvZzjoM8uZ8DjX3fcRzkhgtZ2LTubd0rZIG3xIaiKL1+Xxn8UPb4yJjbGM5nLNsZUz5zP7+B72x+4NmvAv9FqKV5Nn3E/5AlNaxcjfd6PVSX29uH1d0a+63G7fFcocbucuypLMOxVnnSbv/keY7jBEEol8uVSqVUKhWLxWaziToXF6et1pnUPpdPzmUZdCZJLUnqXF52ut1uv98UxUOWhWS9Xm80GgDVahVaiKL4G1vOd16sYEdlAAAAAElFTkSuQmCC","aspectRatio":1.7777777777777777,"src":"/static/c788c5bd9803c97cfd624ec66ee322f6/0e6e2/thisclosed-3-cover.png","srcSet":"/static/c788c5bd9803c97cfd624ec66ee322f6/6ba37/thisclosed-3-cover.png 512w,\n/static/c788c5bd9803c97cfd624ec66ee322f6/4e530/thisclosed-3-cover.png 1024w,\n/static/c788c5bd9803c97cfd624ec66ee322f6/0e6e2/thisclosed-3-cover.png 1920w","srcWebp":"/static/c788c5bd9803c97cfd624ec66ee322f6/30cf3/thisclosed-3-cover.webp","srcSetWebp":"/static/c788c5bd9803c97cfd624ec66ee322f6/e4e36/thisclosed-3-cover.webp 512w,\n/static/c788c5bd9803c97cfd624ec66ee322f6/e0f73/thisclosed-3-cover.webp 1024w,\n/static/c788c5bd9803c97cfd624ec66ee322f6/30cf3/thisclosed-3-cover.webp 1920w","sizes":"(max-width: 1920px) 100vw, 1920px"}},"commentId":"/blog/thisclosed_3/","tableOfContents":{"items":[{"url":"#summary","title":"Summary"},{"url":"#technical-analysis","title":"Technical Analysis","items":[{"url":"#upload-mechanism-and-client-side-only-validation-gap","title":"Upload mechanism and client-side-only validation gap"},{"url":"#exploiting-the-lack-of-server-side-validation-to-weaponize-a-hta-payload","title":"Exploiting the lack of server-side validation to weaponize a .hta payload"},{"url":"#why-did-i-choose-hta-for-the-poc-here-is-the-rationale","title":"Why did I choose .hta for the PoC? Here is the rationale"}]},{"url":"#impact","title":"Impact"},{"url":"#acknowledgements","title":"Acknowledgements"}]},"lastModifiedTime":"2026-04-14T16:00:00.000Z","lastModifiedTimeString":"April 14, 2026"},{"id":"af9be85a-bfb6-57fa-957c-10d3c131ae59","author":"Balazs Pozner","body":"var _excluded = [\"components\"];\nfunction _extends() { _extends = Object.assign ? Object.assign.bind() : function (target) { for (var i = 1; i < arguments.length; i++) { var source = arguments[i]; for (var key in source) { if (Object.prototype.hasOwnProperty.call(source, key)) { target[key] = source[key]; } } } return target; }; return _extends.apply(this, arguments); }\nfunction _objectWithoutProperties(source, excluded) { if (source == null) return {}; var target = _objectWithoutPropertiesLoose(source, excluded); var key, i; if (Object.getOwnPropertySymbols) { var sourceSymbolKeys = Object.getOwnPropertySymbols(source); for (i = 0; i < sourceSymbolKeys.length; i++) { key = sourceSymbolKeys[i]; if (excluded.indexOf(key) >= 0) continue; if (!Object.prototype.propertyIsEnumerable.call(source, key)) continue; target[key] = source[key]; } } return target; }\nfunction _objectWithoutPropertiesLoose(source, excluded) { if (source == null) return {}; var target = {}; var sourceKeys = Object.keys(source); var key, i; for (i = 0; i < sourceKeys.length; i++) { key = sourceKeys[i]; if (excluded.indexOf(key) >= 0) continue; target[key] = source[key]; } return target; }\n/* @jsxRuntime classic */\n/* @jsx mdx */\n\nvar _frontmatter = {\n  \"templateKey\": \"blog-post\",\n  \"title\": \"ENISA NIS2 mapping makes vulnerability handling and disclosure a standalone requirement\",\n  \"description\": \"ENISA’s NIS2 technical implementation guidance treats vulnerability handling and disclosure (control 6.10) as a standalone requirement. This article explains what an assessor-grade vulnerability disclosure policy looks like in practice.\",\n  \"author\": \"Balazs Pozner\",\n  \"authorURL\": \"https://twitter.com/hackrate\",\n  \"date\": \"2026-01-26T09:00:00.000Z\",\n  \"image\": \"/img/blog/ENISA-NIS2-mapping-makes-vulnerability-handling-and-disclosure-a-standalone-requirement.png\",\n  \"tags\": [\"security-testing\", \"ethical-hacking\", \"news\"]\n};\nvar layoutProps = {\n  _frontmatter: _frontmatter\n};\nvar MDXLayout = \"wrapper\";\nreturn function MDXContent(_ref) {\n  var components = _ref.components,\n    props = _objectWithoutProperties(_ref, _excluded);\n  return mdx(MDXLayout, _extends({}, layoutProps, props, {\n    components: components,\n    mdxType: \"MDXLayout\"\n  }), mdx(\"p\", null, \"ENISA\\u2019s NIS2 technical implementation guidance treats vulnerability handling and disclosure as a distinct control area (6.10), separate from security testing (6.5) and security patch management (6.6). The practical implication is that organizations should be able to evidence an end to end vulnerability handling process that includes external intake, internal triage, remediation linkage, and disclosure handling aligned to applicable national coordinated vulnerability disclosure policy.\"), mdx(\"p\", null, \"A vulnerability disclosure policy (VDP) is not sufficient on its own. What matters is a VDP backed by an operating workflow with records that demonstrate 6.10 is implemented.\"), mdx(\"h2\", {\n    \"id\": \"what-enisa-separates-in-practice\",\n    \"style\": {\n      \"position\": \"relative\"\n    }\n  }, mdx(\"a\", {\n    parentName: \"h2\",\n    \"href\": \"#what-enisa-separates-in-practice\",\n    \"aria-label\": \"what enisa separates in practice permalink\",\n    \"className\": \"anchor before\"\n  }, mdx(\"svg\", {\n    parentName: \"a\",\n    \"aria-hidden\": \"true\",\n    \"focusable\": \"false\",\n    \"height\": \"16\",\n    \"version\": \"1.1\",\n    \"viewBox\": \"0 0 16 16\",\n    \"width\": \"16\"\n  }, mdx(\"path\", {\n    parentName: \"svg\",\n    \"fillRule\": \"evenodd\",\n    \"d\": \"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"\n  }))), \"What ENISA separates in practice\"), mdx(\"p\", null, \"For implementation purposes, three activities that are often blended in day to day security operations should be evidenced distinctly:\"), mdx(\"ul\", null, mdx(\"li\", {\n    parentName: \"ul\"\n  }, mdx(\"strong\", {\n    parentName: \"li\"\n  }, \"Security testing (6.5):\"), \" planned assessments with defined scope, methodology and reporting.\"), mdx(\"li\", {\n    parentName: \"ul\"\n  }, mdx(\"strong\", {\n    parentName: \"li\"\n  }, \"Security patch management (6.6):\"), \" remediation planning, patch deployment and operational confirmation of fixes.\"), mdx(\"li\", {\n    parentName: \"ul\"\n  }, mdx(\"strong\", {\n    parentName: \"li\"\n  }, \"Vulnerability handling and disclosure (6.10):\"), \" obtaining vulnerability information, assessing exposure, addressing critical vulnerabilities without undue delay, integrating handling with other management processes and maintaining a disclosure procedure aligned to coordinated vulnerability disclosure policy.\")), mdx(\"p\", null, \"The key point is not organizational structure. It is evidence. Assessors will look for control specific artefacts and records that demonstrate 6.10 is implemented, repeatable and used.\"), mdx(\"h2\", {\n    \"id\": \"minimum-viable-vdp-that-can-be-evidenced\",\n    \"style\": {\n      \"position\": \"relative\"\n    }\n  }, mdx(\"a\", {\n    parentName: \"h2\",\n    \"href\": \"#minimum-viable-vdp-that-can-be-evidenced\",\n    \"aria-label\": \"minimum viable vdp that can be evidenced permalink\",\n    \"className\": \"anchor before\"\n  }, mdx(\"svg\", {\n    parentName: \"a\",\n    \"aria-hidden\": \"true\",\n    \"focusable\": \"false\",\n    \"height\": \"16\",\n    \"version\": \"1.1\",\n    \"viewBox\": \"0 0 16 16\",\n    \"width\": \"16\"\n  }, mdx(\"path\", {\n    parentName: \"svg\",\n    \"fillRule\": \"evenodd\",\n    \"d\": \"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"\n  }))), \"Minimum viable VDP that can be evidenced\"), mdx(\"p\", null, \"A VDP that stands up to scrutiny is a policy plus a workflow plus records. At minimum, the policy should define reporting channels, scope and safe harbor, triage targets, severity assessment, remediation and disclosure handling.\"), mdx(\"h3\", {\n    \"id\": \"public-reporting-channels\",\n    \"style\": {\n      \"position\": \"relative\"\n    }\n  }, mdx(\"a\", {\n    parentName: \"h3\",\n    \"href\": \"#public-reporting-channels\",\n    \"aria-label\": \"public reporting channels permalink\",\n    \"className\": \"anchor before\"\n  }, mdx(\"svg\", {\n    parentName: \"a\",\n    \"aria-hidden\": \"true\",\n    \"focusable\": \"false\",\n    \"height\": \"16\",\n    \"version\": \"1.1\",\n    \"viewBox\": \"0 0 16 16\",\n    \"width\": \"16\"\n  }, mdx(\"path\", {\n    parentName: \"svg\",\n    \"fillRule\": \"evenodd\",\n    \"d\": \"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"\n  }))), \"Public reporting channels\"), mdx(\"p\", null, \"Provide a dedicated security contact and a stable reporting mechanism that remains valid over time. Make the reporting channel discoverable from the organization\\u2019s domain, commonly via \", mdx(\"inlineCode\", {\n    parentName: \"p\"\n  }, \"/.well-known/security.txt\"), \", and offer an option for encrypted communication, such as a published PGP key.\"), mdx(\"h3\", {\n    \"id\": \"scope-and-safe-harbor\",\n    \"style\": {\n      \"position\": \"relative\"\n    }\n  }, mdx(\"a\", {\n    parentName: \"h3\",\n    \"href\": \"#scope-and-safe-harbor\",\n    \"aria-label\": \"scope and safe harbor permalink\",\n    \"className\": \"anchor before\"\n  }, mdx(\"svg\", {\n    parentName: \"a\",\n    \"aria-hidden\": \"true\",\n    \"focusable\": \"false\",\n    \"height\": \"16\",\n    \"version\": \"1.1\",\n    \"viewBox\": \"0 0 16 16\",\n    \"width\": \"16\"\n  }, mdx(\"path\", {\n    parentName: \"svg\",\n    \"fillRule\": \"evenodd\",\n    \"d\": \"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"\n  }))), \"Scope and safe harbor\"), mdx(\"p\", null, \"Define which systems are in scope, which are excluded, and what testing behavior is allowed. State prohibited activities explicitly, including denial of service, social engineering, and physical intrusion. Include a good faith safe harbor statement.\"), mdx(\"h3\", {\n    \"id\": \"triage-and-response-targets\",\n    \"style\": {\n      \"position\": \"relative\"\n    }\n  }, mdx(\"a\", {\n    parentName: \"h3\",\n    \"href\": \"#triage-and-response-targets\",\n    \"aria-label\": \"triage and response targets permalink\",\n    \"className\": \"anchor before\"\n  }, mdx(\"svg\", {\n    parentName: \"a\",\n    \"aria-hidden\": \"true\",\n    \"focusable\": \"false\",\n    \"height\": \"16\",\n    \"version\": \"1.1\",\n    \"viewBox\": \"0 0 16 16\",\n    \"width\": \"16\"\n  }, mdx(\"path\", {\n    parentName: \"svg\",\n    \"fillRule\": \"evenodd\",\n    \"d\": \"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"\n  }))), \"Triage and response targets\"), mdx(\"p\", null, \"Define measurable targets that you can meet and audit. For example, acknowledge receipt within 2 business days, provide an initial triage outcome within 7 business days, and define remediation targets by severity.\"), mdx(\"h3\", {\n    \"id\": \"severity-and-prioritization-method\",\n    \"style\": {\n      \"position\": \"relative\"\n    }\n  }, mdx(\"a\", {\n    parentName: \"h3\",\n    \"href\": \"#severity-and-prioritization-method\",\n    \"aria-label\": \"severity and prioritization method permalink\",\n    \"className\": \"anchor before\"\n  }, mdx(\"svg\", {\n    parentName: \"a\",\n    \"aria-hidden\": \"true\",\n    \"focusable\": \"false\",\n    \"height\": \"16\",\n    \"version\": \"1.1\",\n    \"viewBox\": \"0 0 16 16\",\n    \"width\": \"16\"\n  }, mdx(\"path\", {\n    parentName: \"svg\",\n    \"fillRule\": \"evenodd\",\n    \"d\": \"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"\n  }))), \"Severity and prioritization method\"), mdx(\"p\", null, \"Use a consistent scoring approach (such as CVSS v3.1 or v4.0), and document what inputs drive the score in your environment.\"), mdx(\"h3\", {\n    \"id\": \"remediation-linkage-and-verification\",\n    \"style\": {\n      \"position\": \"relative\"\n    }\n  }, mdx(\"a\", {\n    parentName: \"h3\",\n    \"href\": \"#remediation-linkage-and-verification\",\n    \"aria-label\": \"remediation linkage and verification permalink\",\n    \"className\": \"anchor before\"\n  }, mdx(\"svg\", {\n    parentName: \"a\",\n    \"aria-hidden\": \"true\",\n    \"focusable\": \"false\",\n    \"height\": \"16\",\n    \"version\": \"1.1\",\n    \"viewBox\": \"0 0 16 16\",\n    \"width\": \"16\"\n  }, mdx(\"path\", {\n    parentName: \"svg\",\n    \"fillRule\": \"evenodd\",\n    \"d\": \"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"\n  }))), \"Remediation linkage and verification\"), mdx(\"p\", null, \"Every accepted report should map to an internal tracking ticket with an accountable owner, fix target and status. Closure should require verification evidence, such as retest notes, fixed version identifiers, and deployment confirmation, not only a developer comment stating \\u201Cresolved.\\u201D If a report is closed as \\u201Cwon\\u2019t fix,\\u201D require a recorded rationale and approval.\"), mdx(\"h2\", {\n    \"id\": \"workflow-design-that-prevents-predictable-failure-modes\",\n    \"style\": {\n      \"position\": \"relative\"\n    }\n  }, mdx(\"a\", {\n    parentName: \"h2\",\n    \"href\": \"#workflow-design-that-prevents-predictable-failure-modes\",\n    \"aria-label\": \"workflow design that prevents predictable failure modes permalink\",\n    \"className\": \"anchor before\"\n  }, mdx(\"svg\", {\n    parentName: \"a\",\n    \"aria-hidden\": \"true\",\n    \"focusable\": \"false\",\n    \"height\": \"16\",\n    \"version\": \"1.1\",\n    \"viewBox\": \"0 0 16 16\",\n    \"width\": \"16\"\n  }, mdx(\"path\", {\n    parentName: \"svg\",\n    \"fillRule\": \"evenodd\",\n    \"d\": \"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"\n  }))), \"Workflow design that prevents predictable failure modes\"), mdx(\"p\", null, \"A disclosure workflow fails in repeatable ways. A workable design reduces noise, enforces reproducibility, assigns accountable ownership, and produces evidence that can survive assessment.\"), mdx(\"p\", null, \"Filtering should remove reports that cannot be actioned. Define reject criteria for out of scope targets, missing reproduction steps, unclear impact, and non actionable scanner output. Deduplication should be based on root cause and exploit path, not URL variations, and should preserve credit attribution when multiple reporters converge on the same issue.\"), mdx(\"p\", null, \"Route every accepted report through a tracked system, not email forwarding. Require structured fields that allow audits and reporting, including asset and environment, severity and rationale, accountable owner, due date, fix version, deployment evidence, and a disclosure status log. Avoid \\u201Cshared inbox only\\u201D ownership models, because they produce gaps when staffing changes and make SLAs non verifiable.\"), mdx(\"h2\", {\n    \"id\": \"self-managed-vdp-risks-and-controls\",\n    \"style\": {\n      \"position\": \"relative\"\n    }\n  }, mdx(\"a\", {\n    parentName: \"h2\",\n    \"href\": \"#self-managed-vdp-risks-and-controls\",\n    \"aria-label\": \"self managed vdp risks and controls permalink\",\n    \"className\": \"anchor before\"\n  }, mdx(\"svg\", {\n    parentName: \"a\",\n    \"aria-hidden\": \"true\",\n    \"focusable\": \"false\",\n    \"height\": \"16\",\n    \"version\": \"1.1\",\n    \"viewBox\": \"0 0 16 16\",\n    \"width\": \"16\"\n  }, mdx(\"path\", {\n    parentName: \"svg\",\n    \"fillRule\": \"evenodd\",\n    \"d\": \"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"\n  }))), \"Self managed VDP risks and controls\"), mdx(\"p\", null, \"A self managed VDP can work, but only if it is resourced, measurable and enforced. Common failure modes and controls include:\"), mdx(\"ul\", null, mdx(\"li\", {\n    parentName: \"ul\"\n  }, mdx(\"strong\", {\n    parentName: \"li\"\n  }, \"High noise volume:\"), \" enforce submission requirements, reject non reproducible reports, and implement deduplication based on root cause.\"), mdx(\"li\", {\n    parentName: \"ul\"\n  }, mdx(\"strong\", {\n    parentName: \"li\"\n  }, \"Inconsistent triage decisions:\"), \" publish acceptance criteria and apply a standard reproduction and severity checklist.\"), mdx(\"li\", {\n    parentName: \"ul\"\n  }, mdx(\"strong\", {\n    parentName: \"li\"\n  }, \"Misrouting and delays:\"), \" require a single owned intake channel, tracked case management, and named owners.\"), mdx(\"li\", {\n    parentName: \"ul\"\n  }, mdx(\"strong\", {\n    parentName: \"li\"\n  }, \"Communication gaps:\"), \" use templated acknowledgements, scheduled status updates and defined escalation triggers.\"), mdx(\"li\", {\n    parentName: \"ul\"\n  }, mdx(\"strong\", {\n    parentName: \"li\"\n  }, \"Evidence gaps:\"), \" retain timestamps, decisions, remediation linkage, and verification artefacts so cases can be reconstructed during assessment.\")), mdx(\"h2\", {\n    \"id\": \"when-hackrate-managed-vdp-is-justified\",\n    \"style\": {\n      \"position\": \"relative\"\n    }\n  }, mdx(\"a\", {\n    parentName: \"h2\",\n    \"href\": \"#when-hackrate-managed-vdp-is-justified\",\n    \"aria-label\": \"when hackrate managed vdp is justified permalink\",\n    \"className\": \"anchor before\"\n  }, mdx(\"svg\", {\n    parentName: \"a\",\n    \"aria-hidden\": \"true\",\n    \"focusable\": \"false\",\n    \"height\": \"16\",\n    \"version\": \"1.1\",\n    \"viewBox\": \"0 0 16 16\",\n    \"width\": \"16\"\n  }, mdx(\"path\", {\n    parentName: \"svg\",\n    \"fillRule\": \"evenodd\",\n    \"d\": \"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"\n  }))), \"When Hackrate managed VDP is justified\"), mdx(\"p\", null, \"For many organizations, the hardest part of 6.10 is not writing a policy. It is operating the intake and triage loop reliably at volume with complete records.\"), mdx(\"p\", null, \"Hackrate provides the Hackrate Ethical Hacking platform to manage vulnerability submissions through a structured intake channel with case tracking and an auditable record of actions and communications. We help validate reported issues, including reproduction and impact clarification, so your internal teams receive actionable findings rather than unfiltered inbox traffic. We also handle communication with ethical hackers, including acknowledgements, clarification requests, and status updates, so timelines remain predictable and interactions remain consistent.\"), mdx(\"p\", null, \"Hackrate also provides the legal and operational documents required to run a VDP, so teams do not need to draft them from scratch. This includes VDP policy language, scope and safe harbor terms, disclosure rules, and program terms that can be adapted to your environment.\"), mdx(\"p\", null, \"In this model, your organization retains decision rights for risk acceptance, remediation prioritization, and deployment approval. Hackrate focuses on managed intake, validation support, and communications, plus a complete evidence trail that connects submissions to triage outcomes and remediation status.\"));\n}\n;\nMDXContent.isMDXComponent = true;","slug":"/blog/ENISA-NIS2-mapping-makes-vulnerability-handling-and-disclosure-a-standalone-requirement/","timeToRead":"5 min read","date":"January 26, 2026","dateString":"January 26, 2026","datePublishedSeoFormat":"2026-01-26","title":"ENISA NIS2 mapping makes vulnerability handling and disclosure a standalone requirement","excerpt":"ENISA’s NIS2 technical implementation guidance treats vulnerability handling and disclosure (control 6.10) as a standalone requirement. This article explains what an assessor-grade vulnerability disclosure policy looks like in practice.","tags":["security-testing","ethical-hacking","news"],"lastModificationTime":null,"lastModificationTimeString":null,"dateModifiedSeoFormat":null,"hero":{"full":{"base64":"data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAALCAYAAAB/Ca1DAAAACXBIWXMAABYlAAAWJQFJUiTwAAACxklEQVQoz0WSS28bVRiG8wv4AWwRICSQumSBQIIdYtMlVGxQBSi0ufg+9ow9nrh2HN9iO77Vdu4lagLqAiQuIp44cTye8Yzjhl4oO1T4HQ9fHAkWj863OHr0nfO+cynfCSvLJsnlHkmf4Jc5YJJS+qTUUwz9jGRqgJ4ZkMidkygNiVdHaPUR6n2bWNchujNG2XeJHHjMGYsmRe2cZtahvmpTE5r5MSuhE/SIoPVJ6KdoqTPU1QGx/DnR9SFK1SLSGBFu24Q2HYIiDTwYi3DBJO3vk48NWNeH1xhDdJ+JFjRRlRPUeJ+ocYqSPiOcHRAunqNsWITqFsGWhb8zIrgrwm9d5vRvepQTFlXDYj0xpKANKMtcWrEopkcU8zb5os1a2WG16pBve2S7HkrNQtuckNx/ivHwCcE9F//Vhsn5HvWUzVZpwmbRo1Nw2atPaZVcWhWPna1LNoX2ziXl9oTu4RNqB5dEKmNufvED793c4NPwEeruhMDVH+pfH1OVDdtrLt2CN6Mj4kbepVpwaLcuuN+ZzoTN3Usq21OMpsNixuGNd+a58XGYNz+8w+3Uj0S++12EXx1TN2za2THNtENLzrpcrmRsGmWXRm1CQ6StrcdUu1PUgoQhSS+tOrz21mfc+OAWr797i8/VR/8Lq3GL7eKETtalk7vesF320JVT4uoZmj5AlepE0xJG7koogVQc3v9kl1devc3bH2VY2LDxzZ785THG/DHppR73FnukBO1Oj+jdHiGZg9LLgNTHF+sTuSfCtaGkbBGWLoYbFyzlplKdxwT2PJali3NJEZb8F9Qiz6gEn1JTnvHbo7/o//SSk59fYv4i/Po3pvkP8eyIUPZaGCqPCNSkLh0bv/TQt+2K0LsWZu+OyC14rC245H0eD7vP+X7/D44evODoQDj8k4PDF8Qy1kwYkn8MzoQik4B8nfF/wn8BilxpnoBigEQAAAAASUVORK5CYII=","aspectRatio":1.78397212543554,"src":"/static/0412079155af02d8915db4717f60957e/43a2d/ENISA-NIS2-mapping-makes-vulnerability-handling-and-disclosure-a-standalone-requirement.png","srcSet":"/static/0412079155af02d8915db4717f60957e/6ba37/ENISA-NIS2-mapping-makes-vulnerability-handling-and-disclosure-a-standalone-requirement.png 512w,\n/static/0412079155af02d8915db4717f60957e/4e530/ENISA-NIS2-mapping-makes-vulnerability-handling-and-disclosure-a-standalone-requirement.png 1024w,\n/static/0412079155af02d8915db4717f60957e/43a2d/ENISA-NIS2-mapping-makes-vulnerability-handling-and-disclosure-a-standalone-requirement.png 2048w,\n/static/0412079155af02d8915db4717f60957e/0b1d6/ENISA-NIS2-mapping-makes-vulnerability-handling-and-disclosure-a-standalone-requirement.png 2768w","srcWebp":"/static/0412079155af02d8915db4717f60957e/ceab5/ENISA-NIS2-mapping-makes-vulnerability-handling-and-disclosure-a-standalone-requirement.webp","srcSetWebp":"/static/0412079155af02d8915db4717f60957e/e4e36/ENISA-NIS2-mapping-makes-vulnerability-handling-and-disclosure-a-standalone-requirement.webp 512w,\n/static/0412079155af02d8915db4717f60957e/e0f73/ENISA-NIS2-mapping-makes-vulnerability-handling-and-disclosure-a-standalone-requirement.webp 1024w,\n/static/0412079155af02d8915db4717f60957e/ceab5/ENISA-NIS2-mapping-makes-vulnerability-handling-and-disclosure-a-standalone-requirement.webp 2048w,\n/static/0412079155af02d8915db4717f60957e/ab56b/ENISA-NIS2-mapping-makes-vulnerability-handling-and-disclosure-a-standalone-requirement.webp 2768w","sizes":"(max-width: 2048px) 100vw, 2048px"}},"commentId":"/blog/ENISA-NIS2-mapping-makes-vulnerability-handling-and-disclosure-a-standalone-requirement/","tableOfContents":{"items":[{"url":"#what-enisa-separates-in-practice","title":"What ENISA separates in practice"},{"url":"#minimum-viable-vdp-that-can-be-evidenced","title":"Minimum viable VDP that can be evidenced","items":[{"url":"#public-reporting-channels","title":"Public reporting channels"},{"url":"#scope-and-safe-harbor","title":"Scope and safe harbor"},{"url":"#triage-and-response-targets","title":"Triage and response targets"},{"url":"#severity-and-prioritization-method","title":"Severity and prioritization method"},{"url":"#remediation-linkage-and-verification","title":"Remediation linkage and verification"}]},{"url":"#workflow-design-that-prevents-predictable-failure-modes","title":"Workflow design that prevents predictable failure modes"},{"url":"#self-managed-vdp-risks-and-controls","title":"Self managed VDP risks and controls"},{"url":"#when-hackrate-managed-vdp-is-justified","title":"When Hackrate managed VDP is justified"}]},"lastModifiedTime":"2026-01-26T09:00:00.000Z","lastModifiedTimeString":"January 26, 2026"},{"id":"ec08dabc-c4c2-5667-a9ea-4ae6767e006d","author":"Balazs Pozner","body":"var _excluded = [\"components\"];\nfunction _extends() { _extends = Object.assign ? Object.assign.bind() : function (target) { for (var i = 1; i < arguments.length; i++) { var source = arguments[i]; for (var key in source) { if (Object.prototype.hasOwnProperty.call(source, key)) { target[key] = source[key]; } } } return target; }; return _extends.apply(this, arguments); }\nfunction _objectWithoutProperties(source, excluded) { if (source == null) return {}; var target = _objectWithoutPropertiesLoose(source, excluded); var key, i; if (Object.getOwnPropertySymbols) { var sourceSymbolKeys = Object.getOwnPropertySymbols(source); for (i = 0; i < sourceSymbolKeys.length; i++) { key = sourceSymbolKeys[i]; if (excluded.indexOf(key) >= 0) continue; if (!Object.prototype.propertyIsEnumerable.call(source, key)) continue; target[key] = source[key]; } } return target; }\nfunction _objectWithoutPropertiesLoose(source, excluded) { if (source == null) return {}; var target = {}; var sourceKeys = Object.keys(source); var key, i; for (i = 0; i < sourceKeys.length; i++) { key = sourceKeys[i]; if (excluded.indexOf(key) >= 0) continue; target[key] = source[key]; } return target; }\n/* @jsxRuntime classic */\n/* @jsx mdx */\n\nvar _frontmatter = {\n  \"templateKey\": \"blog-post\",\n  \"title\": \"Let 2026 be the year bug bounty becomes part of how you build and operate\",\n  \"description\": \"This article explains why 2026 is the right time to make bug bounty a practical, continuous security feedback loop and how Hackrate can help you launch it with confidence.\",\n  \"author\": \"Balazs Pozner\",\n  \"authorURL\": \"https://twitter.com/hackrate\",\n  \"date\": \"2026-01-05T09:00:00.000Z\",\n  \"image\": \"/img/blog/Let-2026-be-the-year-bug-bounty-becomes-part-of-how-you-build-and-operate.png\",\n  \"tags\": [\"hackrate\", \"ethical-hacking\", \"security-testing\", \"news\", \"getting-started\"]\n};\nvar layoutProps = {\n  _frontmatter: _frontmatter\n};\nvar MDXLayout = \"wrapper\";\nreturn function MDXContent(_ref) {\n  var components = _ref.components,\n    props = _objectWithoutProperties(_ref, _excluded);\n  return mdx(MDXLayout, _extends({}, layoutProps, props, {\n    components: components,\n    mdxType: \"MDXLayout\"\n  }), mdx(\"p\", null, \"Many organizations still treat offensive testing as a scheduled engagement, while their applications change monthly or even more frequently. Bug bounty is a practical way to keep security testing aligned with continuous change.\"), mdx(\"p\", null, \"A traditional \\u201Csecurity audit\\u201D model is still common: fixed scope, fixed timeline, and a report that starts aging as soon as the next release ships. That model can be useful, but it does not match how modern teams build and deploy.\"), mdx(\"p\", null, \"The problem is not that pentesting is bad. The problem is timing. If your development model is continuous, periodic testing quickly becomes a snapshot of a system that no longer exists.\"), mdx(\"p\", null, \"Bug bounty works well here because it is not a one-time assessment. It is continuous feedback from people who spend their time trying to break real systems as they change.\"), mdx(\"h2\", {\n    \"id\": \"why-periodic-pentests-often-miss-what-matters\",\n    \"style\": {\n      \"position\": \"relative\"\n    }\n  }, mdx(\"a\", {\n    parentName: \"h2\",\n    \"href\": \"#why-periodic-pentests-often-miss-what-matters\",\n    \"aria-label\": \"why periodic pentests often miss what matters permalink\",\n    \"className\": \"anchor before\"\n  }, mdx(\"svg\", {\n    parentName: \"a\",\n    \"aria-hidden\": \"true\",\n    \"focusable\": \"false\",\n    \"height\": \"16\",\n    \"version\": \"1.1\",\n    \"viewBox\": \"0 0 16 16\",\n    \"width\": \"16\"\n  }, mdx(\"path\", {\n    parentName: \"svg\",\n    \"fillRule\": \"evenodd\",\n    \"d\": \"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"\n  }))), \"Why periodic pentests often miss what matters\"), mdx(\"p\", null, \"Pentests are valuable for baseline coverage, assurance, and structured validation. But a time-boxed engagement has limits by design: constrained time, constrained scope, and a limited set of perspectives.\"), mdx(\"p\", null, \"Over multiple years, repeated testing against the same application can converge toward familiar paths and familiar findings. That is not a criticism of testers. It is what happens when the same constraints repeat.\"), mdx(\"p\", null, \"Meanwhile, the issues that hurt most in modern web applications are often not exotic. They are the messy ones: authorization mistakes, workflow abuse, subtle authentication edge cases, integration assumptions, and regressions introduced during refactors.\"), mdx(\"p\", null, \"Bug bounty adds something that is difficult to replicate in any other format: \", mdx(\"strong\", {\n    parentName: \"p\"\n  }, \"diversity of thinking at scale\"), \". Different researchers approach the same target with different instincts, tooling, and threat models. That variety is where the surprising reports come from.\"), mdx(\"h2\", {\n    \"id\": \"continuous-development-needs-security-that-stays-on\",\n    \"style\": {\n      \"position\": \"relative\"\n    }\n  }, mdx(\"a\", {\n    parentName: \"h2\",\n    \"href\": \"#continuous-development-needs-security-that-stays-on\",\n    \"aria-label\": \"continuous development needs security that stays on permalink\",\n    \"className\": \"anchor before\"\n  }, mdx(\"svg\", {\n    parentName: \"a\",\n    \"aria-hidden\": \"true\",\n    \"focusable\": \"false\",\n    \"height\": \"16\",\n    \"version\": \"1.1\",\n    \"viewBox\": \"0 0 16 16\",\n    \"width\": \"16\"\n  }, mdx(\"path\", {\n    parentName: \"svg\",\n    \"fillRule\": \"evenodd\",\n    \"d\": \"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"\n  }))), \"Continuous development needs security that stays on\"), mdx(\"p\", null, \"If you release weekly, a snapshot assessment from January is rarely a good description of what you are running by March.\"), mdx(\"p\", null, \"New endpoints appear. Permissions change. Features roll out behind flags. Even strong internal controls cannot prevent every regression. The goal is not perfection. The goal is fast discovery and fast learning.\"), mdx(\"p\", null, \"Bug bounty supports that goal because it runs continuously. It often becomes most active around major releases, when new features introduce new attack paths.\"), mdx(\"h2\", {\n    \"id\": \"starting-safely-without-creating-noise\",\n    \"style\": {\n      \"position\": \"relative\"\n    }\n  }, mdx(\"a\", {\n    parentName: \"h2\",\n    \"href\": \"#starting-safely-without-creating-noise\",\n    \"aria-label\": \"starting safely without creating noise permalink\",\n    \"className\": \"anchor before\"\n  }, mdx(\"svg\", {\n    parentName: \"a\",\n    \"aria-hidden\": \"true\",\n    \"focusable\": \"false\",\n    \"height\": \"16\",\n    \"version\": \"1.1\",\n    \"viewBox\": \"0 0 16 16\",\n    \"width\": \"16\"\n  }, mdx(\"path\", {\n    parentName: \"svg\",\n    \"fillRule\": \"evenodd\",\n    \"d\": \"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"\n  }))), \"Starting safely without creating noise\"), mdx(\"p\", null, \"The common fear is operational: spam reports, duplicates, low-value submissions, and overwhelmed teams. That outcome is avoidable. A strong launch looks like this:\"), mdx(\"ul\", null, mdx(\"li\", {\n    parentName: \"ul\"\n  }, \"Start with a private program.\"), mdx(\"li\", {\n    parentName: \"ul\"\n  }, \"Keep scope tight and explicit.\"), mdx(\"li\", {\n    parentName: \"ul\"\n  }, \"Make triage and remediation ownership real, not theoretical.\"), mdx(\"li\", {\n    parentName: \"ul\"\n  }, \"Expand only when response times and report quality are stable.\")), mdx(\"p\", null, \"A bug bounty program is not hard because researchers are difficult. It is hard when scope is unclear, response is slow, and severity discussions turn into endless negotiation. \", mdx(\"strong\", {\n    parentName: \"p\"\n  }, \"Those are program design problems and they are solvable.\")), mdx(\"h2\", {\n    \"id\": \"how-hackrate-can-help-you-get-started\",\n    \"style\": {\n      \"position\": \"relative\"\n    }\n  }, mdx(\"a\", {\n    parentName: \"h2\",\n    \"href\": \"#how-hackrate-can-help-you-get-started\",\n    \"aria-label\": \"how hackrate can help you get started permalink\",\n    \"className\": \"anchor before\"\n  }, mdx(\"svg\", {\n    parentName: \"a\",\n    \"aria-hidden\": \"true\",\n    \"focusable\": \"false\",\n    \"height\": \"16\",\n    \"version\": \"1.1\",\n    \"viewBox\": \"0 0 16 16\",\n    \"width\": \"16\"\n  }, mdx(\"path\", {\n    parentName: \"svg\",\n    \"fillRule\": \"evenodd\",\n    \"d\": \"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"\n  }))), \"How Hackrate can help you get started\"), mdx(\"p\", null, \"If your applications change continuously, your security testing should reflect that reality. Bug bounty is not a replacement for everything else, but it is one of the few models that keeps producing value while the system changes.\"), mdx(\"p\", null, \"Hackrate can help you turn that idea into a program you can run. We can help you plan a safe private launch, shape scope so researchers spend time where it matters, and set expectations that keep the signal high for your team. If you are considering a bug bounty program in 2026, we are happy to talk, share what works in practice, and plan the next steps with you.\"), mdx(\"p\", null, \"Reach out through \", mdx(\"a\", {\n    parentName: \"p\",\n    \"href\": \"https://www.hckrt.com/Home/RequestADemo\",\n    \"target\": \"_blank\",\n    \"rel\": \"nofollow noopener\"\n  }, \"Hackrate\"), \" and we will take it from there.\"));\n}\n;\nMDXContent.isMDXComponent = true;","slug":"/blog/Let-2026-be-the-year-bug-bounty-becomes-part-of-how-you-build-and-operate/","timeToRead":"4 min read","date":"January 05, 2026","dateString":"January 05, 2026","datePublishedSeoFormat":"2026-01-05","title":"Let 2026 be the year bug bounty becomes part of how you build and operate","excerpt":"This article explains why 2026 is the right time to make bug bounty a practical, continuous security feedback loop and how Hackrate can help you launch it with confidence.","tags":["hackrate","ethical-hacking","security-testing","news","getting-started"],"lastModificationTime":null,"lastModificationTimeString":null,"dateModifiedSeoFormat":null,"hero":{"full":{"base64":"data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAALCAYAAAB/Ca1DAAAACXBIWXMAAAsTAAALEwEAmpwYAAACiElEQVQozz2SW08TURSF+2d9Nmpi9IFEUej9Qumd0um002mhlykthdZyiYA0JmCCFzBgFOycc2awD8Q/sFwt6sPOefvOt9faHjMsMB0jbKMUs1FM2NDSfFclCkWJVUNhpaqQW5fINiXSbYVUVyGxpbA8UFjaUYjuKUTeKoQOFTzVkICVUdgq36JruOhUXWzUXQIFVjWBfEkiZypk1xTSDYmUJZHsENaTWOpLxIYSEQJDBAaPCDSDAvW4RCun0NIcNHUHjYoDLU9YQWClJJCrSGRqtGvQzlIzYKKnEO/TkMDoriRQIjAD+mxUAjbKXLkct6HPVhYzw0LxL9Dkums0q9OKhtGuRHibkDeE0C5wQDtO4EhOgQLtrMKGxrVrLnpct1WlaZ2mTQe1lkJzy4HO7DJc27R+oW1NYNUnMBsu6jTX128QHo7hf0fDyqINi8B2gVDDQYslbFrMss0suy7aPX5AYJbgVOwCu8+/4OzVNT7O/cDx/CVGL69xOneDlHEJ73uXQK+NTp6QsoNNmlmmA5PtGixD07k28ytUBYEuvIHPCD34hPlHZ/A+Psf8swu8XrhEIPId4bqNwMi5N6xGWUxGokFLM08AM8zydLJ5GxnNRlLnyyiC0a94+HSEJ7ErvIj/RCL0DSvLV1hMnyPIPP3TUoyFMUp+3iBvUYvRaJkwlpNJ2khlCCM0UbQR08dIsuV075Yn4yC+qRAbOAjsOwgeuvDxbHxs2mPQ0PQLVNh2mTM98pODO3w4vsPp6A4n/+bkN5I1gdga4S2BSEcg1LMR7Av4hwK+fRoS6ikTaBCkczT/GHrExmBjgkFvgv72BNt9znCCLmd5CmRW0f9AcQ/cIXCPQEL/AIaBteTXc6cxAAAAAElFTkSuQmCC","aspectRatio":1.78397212543554,"src":"/static/215707898c57c1c20ffc63b34c9583ad/5d2c5/Let-2026-be-the-year-bug-bounty-becomes-part-of-how-you-build-and-operate.png","srcSet":"/static/215707898c57c1c20ffc63b34c9583ad/6ba37/Let-2026-be-the-year-bug-bounty-becomes-part-of-how-you-build-and-operate.png 512w,\n/static/215707898c57c1c20ffc63b34c9583ad/5d2c5/Let-2026-be-the-year-bug-bounty-becomes-part-of-how-you-build-and-operate.png 1000w","srcWebp":"/static/215707898c57c1c20ffc63b34c9583ad/36ebb/Let-2026-be-the-year-bug-bounty-becomes-part-of-how-you-build-and-operate.webp","srcSetWebp":"/static/215707898c57c1c20ffc63b34c9583ad/e4e36/Let-2026-be-the-year-bug-bounty-becomes-part-of-how-you-build-and-operate.webp 512w,\n/static/215707898c57c1c20ffc63b34c9583ad/36ebb/Let-2026-be-the-year-bug-bounty-becomes-part-of-how-you-build-and-operate.webp 1000w","sizes":"(max-width: 1000px) 100vw, 1000px"}},"commentId":"/blog/Let-2026-be-the-year-bug-bounty-becomes-part-of-how-you-build-and-operate/","tableOfContents":{"items":[{"url":"#why-periodic-pentests-often-miss-what-matters","title":"Why periodic pentests often miss what matters"},{"url":"#continuous-development-needs-security-that-stays-on","title":"Continuous development needs security that stays on"},{"url":"#starting-safely-without-creating-noise","title":"Starting safely without creating noise"},{"url":"#how-hackrate-can-help-you-get-started","title":"How Hackrate can help you get started"}]},"lastModifiedTime":"2026-01-05T09:00:00.000Z","lastModifiedTimeString":"January 05, 2026"},{"id":"66c2cb26-28e3-53da-85a4-96732431949a","author":"Balazs Pozner","body":"var _excluded = [\"components\"];\nfunction _extends() { _extends = Object.assign ? Object.assign.bind() : function (target) { for (var i = 1; i < arguments.length; i++) { var source = arguments[i]; for (var key in source) { if (Object.prototype.hasOwnProperty.call(source, key)) { target[key] = source[key]; } } } return target; }; return _extends.apply(this, arguments); }\nfunction _objectWithoutProperties(source, excluded) { if (source == null) return {}; var target = _objectWithoutPropertiesLoose(source, excluded); var key, i; if (Object.getOwnPropertySymbols) { var sourceSymbolKeys = Object.getOwnPropertySymbols(source); for (i = 0; i < sourceSymbolKeys.length; i++) { key = sourceSymbolKeys[i]; if (excluded.indexOf(key) >= 0) continue; if (!Object.prototype.propertyIsEnumerable.call(source, key)) continue; target[key] = source[key]; } } return target; }\nfunction _objectWithoutPropertiesLoose(source, excluded) { if (source == null) return {}; var target = {}; var sourceKeys = Object.keys(source); var key, i; for (i = 0; i < sourceKeys.length; i++) { key = sourceKeys[i]; if (excluded.indexOf(key) >= 0) continue; target[key] = source[key]; } return target; }\n/* @jsxRuntime classic */\n/* @jsx mdx */\n\nvar _frontmatter = {\n  \"templateKey\": \"blog-post\",\n  \"title\": \"Ministry of Regional Development of the Czech Republic Launches Public Bug Bounty Program with Hackrate\",\n  \"description\": \"The Ministry of Regional Development of the Czech Republic partners with Hackrate to launch a public bug bounty program—empowering ethical hackers to strengthen national cybersecurity and set a precedent for the European public sector.\",\n  \"author\": \"Balazs Pozner\",\n  \"authorURL\": \"https://twitter.com/hackrate\",\n  \"date\": \"2025-07-16T09:00:00.000Z\",\n  \"image\": \"/img/blog/Ministry-of-Regional-Development-of-the-Czech-Republic-Launches-Public-Bug-Bounty-Program-with-Hackrate.png\",\n  \"tags\": [\"security-testing\", \"ethical-hacking\", \"news\", \"hackrate\"]\n};\nvar layoutProps = {\n  _frontmatter: _frontmatter\n};\nvar MDXLayout = \"wrapper\";\nreturn function MDXContent(_ref) {\n  var components = _ref.components,\n    props = _objectWithoutProperties(_ref, _excluded);\n  return mdx(MDXLayout, _extends({}, layoutProps, props, {\n    components: components,\n    mdxType: \"MDXLayout\"\n  }), mdx(\"p\", null, \"We\\u2019re proud to announce that the Ministry of Regional Development of the Czech Republic (MMR) is launching its public bug bounty program on July 16, in partnership with Hackrate.\"), mdx(\"p\", null, \"This marks a significant milestone\\u2014not only for the Ministry but for the broader European public sector. Government institutions rarely open their systems to ethical hackers, but MMR is taking a bold, forward-thinking step to strengthen its cybersecurity posture through crowdsourced security testing.\"), mdx(\"h2\", {\n    \"id\": \"why-a-bug-bounty-program\",\n    \"style\": {\n      \"position\": \"relative\"\n    }\n  }, mdx(\"a\", {\n    parentName: \"h2\",\n    \"href\": \"#why-a-bug-bounty-program\",\n    \"aria-label\": \"why a bug bounty program permalink\",\n    \"className\": \"anchor before\"\n  }, mdx(\"svg\", {\n    parentName: \"a\",\n    \"aria-hidden\": \"true\",\n    \"focusable\": \"false\",\n    \"height\": \"16\",\n    \"version\": \"1.1\",\n    \"viewBox\": \"0 0 16 16\",\n    \"width\": \"16\"\n  }, mdx(\"path\", {\n    parentName: \"svg\",\n    \"fillRule\": \"evenodd\",\n    \"d\": \"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"\n  }))), \"Why a Bug Bounty Program?\"), mdx(\"p\", null, \"The Ministry operates a diverse range of IT systems that support critical public services. Recognizing the complexity, they\\u2019ve chosen to engage Hackrate\\u2019s global community of ethical hackers to identify and report vulnerabilities before malicious actors can exploit them.\"), mdx(\"p\", null, \"This approach ensures a broad spectrum of expertise and attack perspectives, far beyond what traditional security assessments can offer.\"), mdx(\"h2\", {\n    \"id\": \"how-the-bug-bounty-program-works\",\n    \"style\": {\n      \"position\": \"relative\"\n    }\n  }, mdx(\"a\", {\n    parentName: \"h2\",\n    \"href\": \"#how-the-bug-bounty-program-works\",\n    \"aria-label\": \"how the bug bounty program works permalink\",\n    \"className\": \"anchor before\"\n  }, mdx(\"svg\", {\n    parentName: \"a\",\n    \"aria-hidden\": \"true\",\n    \"focusable\": \"false\",\n    \"height\": \"16\",\n    \"version\": \"1.1\",\n    \"viewBox\": \"0 0 16 16\",\n    \"width\": \"16\"\n  }, mdx(\"path\", {\n    parentName: \"svg\",\n    \"fillRule\": \"evenodd\",\n    \"d\": \"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"\n  }))), \"How the Bug Bounty Program Works\"), mdx(\"p\", null, \"MMR\\u2019s program is unmanaged, meaning their internal security team is directly responsible for triaging and validating the vulnerability reports submitted by ethical hackers. This model gives them full control over the process while benefiting from the scale and diversity of the hacker community.\"), mdx(\"p\", null, \"To incentivize high-quality research, the Ministry has committed to awarding up to \\u20AC1000 for valid reports submitted during the testing phase - a strong commitment to meaningful collaboration with the ethical hacking community.\"), mdx(\"h2\", {\n    \"id\": \"a-model-for-public-sector-cybersecurity\",\n    \"style\": {\n      \"position\": \"relative\"\n    }\n  }, mdx(\"a\", {\n    parentName: \"h2\",\n    \"href\": \"#a-model-for-public-sector-cybersecurity\",\n    \"aria-label\": \"a model for public sector cybersecurity permalink\",\n    \"className\": \"anchor before\"\n  }, mdx(\"svg\", {\n    parentName: \"a\",\n    \"aria-hidden\": \"true\",\n    \"focusable\": \"false\",\n    \"height\": \"16\",\n    \"version\": \"1.1\",\n    \"viewBox\": \"0 0 16 16\",\n    \"width\": \"16\"\n  }, mdx(\"path\", {\n    parentName: \"svg\",\n    \"fillRule\": \"evenodd\",\n    \"d\": \"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"\n  }))), \"A Model for Public Sector Cybersecurity\"), mdx(\"p\", null, \"At Hackrate, we believe that transparency, collaboration, and continuous testing are essential pillars of modern cybersecurity. The Ministry\\u2019s decision to go public with their bug bounty program sets a powerful example for other government institutions across Europe.\"), mdx(\"p\", null, \"We\\u2019re honored to support this initiative and excited to see the impact of ethical hacking in securing public digital infrastructure.\"));\n}\n;\nMDXContent.isMDXComponent = true;","slug":"/blog/Ministry-of-Regional-Development-of-the-Czech-Republic-Launches-Public-Bug-Bounty-Program-with-Hackrate/","timeToRead":"2 min read","date":"July 16, 2025","dateString":"July 16, 2025","datePublishedSeoFormat":"2025-07-16","title":"Ministry of Regional Development of the Czech Republic Launches Public Bug Bounty Program with Hackrate","excerpt":"The Ministry of Regional Development of the Czech Republic partners with Hackrate to launch a public bug bounty program—empowering ethical hackers to strengthen national cybersecurity and set a precedent for the European public sector.","tags":["security-testing","ethical-hacking","news","hackrate"],"lastModificationTime":null,"lastModificationTimeString":null,"dateModifiedSeoFormat":null,"hero":{"full":{"base64":"data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAALCAYAAAB/Ca1DAAAACXBIWXMAABYlAAAWJQFJUiTwAAACHUlEQVQoz22SzU/bQBBH8++3VS+VeuqhoqKVeitVL9BSgQihCQmJ7fhjd722E4dAKPmOA4jD65AECSoOTyOttG9/M7MlT2W0Be8/3CglG0z4u7hnMLsV7lYktiBy5ih3IfUp8xWlts7wX2D9SEpHpNfFPVfzO9JkSdRaoDzBnb/AglKg07VgI1mhO3LW2YhTulcTuuktSmTaK9By8RH1DElobYqWy1b3iOMOJsmJ4o3QrKnXLF7tGtteYiSdaRdSi7V8xWLFKqEOFdX2GbvuPq3GH47LJ7TOGkQ6wZe0zUZKvZJSLVv8xhDTkhnWRfCQ1tnwmFikJdv2efV+hw97rykffmfr4xaftz9x8PuXiENOjwxeI6ElKSsHmubPMY0fU053xpx8HVH7Nub4yxBnf4oNChEGPoGjpYUMHUU4LRfXcfE9F60i3LrCqShqh22aJ32sJ207BbFbPKmLVbWezNBEIVnH0MkNJg5RJhKRPKC1bFVjraZ21KR5aMnCW5ljsSJ+gcSbyZaDgKhpaVekrSNNq6yJA0scJXRsF+Ursjijp8bk3pRutKQT3oj8OYm/JG6NZSlacbzdZfdNj723OfvvzkmcEXksX0UNydWUQVbQtzPOzYxeNKcbzsg3dH15xJ9xaeQfVvuUYiOtakMUGFT4QIwxCYEfMbq64KZYMJ9OmI5GLOYzBskIU7vEVs+xtQt67pC+PyGX2nWv+QesDRAeifNZ2QAAAABJRU5ErkJggg==","aspectRatio":1.78397212543554,"src":"/static/2459a3ea6baa8df39cff580d4b2af5a0/57f38/Ministry-of-Regional-Development-of-the-Czech-Republic-Launches-Public-Bug-Bounty-Program-with-Hackrate.png","srcSet":"/static/2459a3ea6baa8df39cff580d4b2af5a0/6ba37/Ministry-of-Regional-Development-of-the-Czech-Republic-Launches-Public-Bug-Bounty-Program-with-Hackrate.png 512w,\n/static/2459a3ea6baa8df39cff580d4b2af5a0/57f38/Ministry-of-Regional-Development-of-the-Czech-Republic-Launches-Public-Bug-Bounty-Program-with-Hackrate.png 904w","srcWebp":"/static/2459a3ea6baa8df39cff580d4b2af5a0/491d1/Ministry-of-Regional-Development-of-the-Czech-Republic-Launches-Public-Bug-Bounty-Program-with-Hackrate.webp","srcSetWebp":"/static/2459a3ea6baa8df39cff580d4b2af5a0/e4e36/Ministry-of-Regional-Development-of-the-Czech-Republic-Launches-Public-Bug-Bounty-Program-with-Hackrate.webp 512w,\n/static/2459a3ea6baa8df39cff580d4b2af5a0/491d1/Ministry-of-Regional-Development-of-the-Czech-Republic-Launches-Public-Bug-Bounty-Program-with-Hackrate.webp 904w","sizes":"(max-width: 904px) 100vw, 904px"}},"commentId":"/blog/Ministry-of-Regional-Development-of-the-Czech-Republic-Launches-Public-Bug-Bounty-Program-with-Hackrate/","tableOfContents":{"items":[{"url":"#why-a-bug-bounty-program","title":"Why a Bug Bounty Program?"},{"url":"#how-the-bug-bounty-program-works","title":"How the Bug Bounty Program Works"},{"url":"#a-model-for-public-sector-cybersecurity","title":"A Model for Public Sector Cybersecurity"}]},"lastModifiedTime":"2025-07-16T09:00:00.000Z","lastModifiedTimeString":"July 16, 2025"}],"previous":{"id":"24743902-19cb-5b0a-8688-2f7c4de22d5b","author":"Balazs Pozner","body":"var _excluded = [\"components\"];\nfunction _extends() { _extends = Object.assign ? Object.assign.bind() : function (target) { for (var i = 1; i < arguments.length; i++) { var source = arguments[i]; for (var key in source) { if (Object.prototype.hasOwnProperty.call(source, key)) { target[key] = source[key]; } } } return target; }; return _extends.apply(this, arguments); }\nfunction _objectWithoutProperties(source, excluded) { if (source == null) return {}; var target = _objectWithoutPropertiesLoose(source, excluded); var key, i; if (Object.getOwnPropertySymbols) { var sourceSymbolKeys = Object.getOwnPropertySymbols(source); for (i = 0; i < sourceSymbolKeys.length; i++) { key = sourceSymbolKeys[i]; if (excluded.indexOf(key) >= 0) continue; if (!Object.prototype.propertyIsEnumerable.call(source, key)) continue; target[key] = source[key]; } } return target; }\nfunction _objectWithoutPropertiesLoose(source, excluded) { if (source == null) return {}; var target = {}; var sourceKeys = Object.keys(source); var key, i; for (i = 0; i < sourceKeys.length; i++) { key = sourceKeys[i]; if (excluded.indexOf(key) >= 0) continue; target[key] = source[key]; } return target; }\n/* @jsxRuntime classic */\n/* @jsx mdx */\n\nvar _frontmatter = {\n  \"templateKey\": \"blog-post\",\n  \"title\": \"Hackrate is now ISO 27001 certified\",\n  \"description\": \"In this article, we explain why ISO 27001 matters for a bug bounty platform. We also share how it supports our work with enterprise customers looking for a European bug bounty platform with strong security governance.\",\n  \"author\": \"Balazs Pozner\",\n  \"authorURL\": \"https://twitter.com/hackrate\",\n  \"date\": \"2026-06-30T09:00:00.000Z\",\n  \"image\": \"/img/blog/Hackrate_is_now_ISO_27001_certified.png\",\n  \"tags\": [\"hackrate\", \"news\"]\n};\nvar layoutProps = {\n  _frontmatter: _frontmatter\n};\nvar MDXLayout = \"wrapper\";\nreturn function MDXContent(_ref) {\n  var components = _ref.components,\n    props = _objectWithoutProperties(_ref, _excluded);\n  return mdx(MDXLayout, _extends({}, layoutProps, props, {\n    components: components,\n    mdxType: \"MDXLayout\"\n  }), mdx(\"p\", null, \"Hackrate has successfully completed the ISO/IEC 27001 certification process and is now an officially certified Ethical Hacking Platform. This milestone strengthens our position as a trusted European security partner for enterprises looking for a secure, expert-led bug bounty, VDP, and crowdsourced security testing platform.\"), mdx(\"h2\", {\n    \"id\": \"why-this-certification-matters\",\n    \"style\": {\n      \"position\": \"relative\"\n    }\n  }, mdx(\"a\", {\n    parentName: \"h2\",\n    \"href\": \"#why-this-certification-matters\",\n    \"aria-label\": \"why this certification matters permalink\",\n    \"className\": \"anchor before\"\n  }, mdx(\"svg\", {\n    parentName: \"a\",\n    \"aria-hidden\": \"true\",\n    \"focusable\": \"false\",\n    \"height\": \"16\",\n    \"version\": \"1.1\",\n    \"viewBox\": \"0 0 16 16\",\n    \"width\": \"16\"\n  }, mdx(\"path\", {\n    parentName: \"svg\",\n    \"fillRule\": \"evenodd\",\n    \"d\": \"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"\n  }))), \"Why this certification matters\"), mdx(\"p\", null, \"Bug Bounty Platforms operate in a sensitive part of the security ecosystem. They handle vulnerability reports, researcher identities, customer assets, technical evidence, remediation discussions, reward workflows, and in many cases, information about systems that are not publicly documented.\"), mdx(\"p\", null, \"For enterprise customers, trust is not only about the quality of the researchers. It is also about how the platform itself is governed, secured, operated, and audited.\"), mdx(\"p\", null, \"That is why ISO/IEC 27001 is an important milestone for Hackrate.\"), mdx(\"p\", null, \"The certification confirms that Hackrate operates an information security management system aligned with an internationally recognized standard. For customers, this gives a clearer answer to a question that often appears during procurement, vendor risk reviews, legal reviews, and tenders:\"), mdx(\"p\", null, \"\\u201CCan Hackrate support enterprise security expectations during long-term cooperation?\\u201D\"), mdx(\"p\", null, \"For a bug bounty platform, this question is not an administrative detail. It is part of the product.\"), mdx(\"h2\", {\n    \"id\": \"built-on-security-principles-from-the-beginning\",\n    \"style\": {\n      \"position\": \"relative\"\n    }\n  }, mdx(\"a\", {\n    parentName: \"h2\",\n    \"href\": \"#built-on-security-principles-from-the-beginning\",\n    \"aria-label\": \"built on security principles from the beginning permalink\",\n    \"className\": \"anchor before\"\n  }, mdx(\"svg\", {\n    parentName: \"a\",\n    \"aria-hidden\": \"true\",\n    \"focusable\": \"false\",\n    \"height\": \"16\",\n    \"version\": \"1.1\",\n    \"viewBox\": \"0 0 16 16\",\n    \"width\": \"16\"\n  }, mdx(\"path\", {\n    parentName: \"svg\",\n    \"fillRule\": \"evenodd\",\n    \"d\": \"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"\n  }))), \"Built on security principles from the beginning\"), mdx(\"p\", null, \"Hackrate did not start thinking about information security only because of the certification process.\"), mdx(\"p\", null, \"From the early days of the company, we followed the principles of an ISO 27001-based security framework. This was not only a compliance decision. It was the natural way to build a platform that serves ethical hackers, security teams, and enterprise customers.\"), mdx(\"p\", null, \"Our work has always been close to real-world security operations. We understand how penetration testers think, how vulnerability reports are created, how triage decisions are challenged, and how customers evaluate technical risk.\"), mdx(\"p\", null, \"That background influenced how we built Hackrate from the start.\"), mdx(\"p\", null, \"Security was not treated as a separate department or a later-stage maturity project. It was part of platform design, operational decisions, access control, customer handling, and researcher management.\"), mdx(\"p\", null, \"The certification process gave us the opportunity to formalize, improve, and prove these practices.\"), mdx(\"h2\", {\n    \"id\": \"what-changed-during-the-certification-process\",\n    \"style\": {\n      \"position\": \"relative\"\n    }\n  }, mdx(\"a\", {\n    parentName: \"h2\",\n    \"href\": \"#what-changed-during-the-certification-process\",\n    \"aria-label\": \"what changed during the certification process permalink\",\n    \"className\": \"anchor before\"\n  }, mdx(\"svg\", {\n    parentName: \"a\",\n    \"aria-hidden\": \"true\",\n    \"focusable\": \"false\",\n    \"height\": \"16\",\n    \"version\": \"1.1\",\n    \"viewBox\": \"0 0 16 16\",\n    \"width\": \"16\"\n  }, mdx(\"path\", {\n    parentName: \"svg\",\n    \"fillRule\": \"evenodd\",\n    \"d\": \"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"\n  }))), \"What changed during the certification process\"), mdx(\"p\", null, \"Going through ISO 27001 certification is not about having strong technical security. For Hackrate, many strong technical practices were already in place. Our CTO has consistently enforced strict cybersecurity expectations, a security-aware CI/CD process, and engineering decisions shaped by an ethical hacker mindset.\"), mdx(\"p\", null, \"Still, certification required us to improve the formal side of our security management.\"), mdx(\"p\", null, \"During the ISO 27001 process, we strengthened several internal areas. This did not change the core of Hackrate. It made the core easier to verify.\"), mdx(\"h2\", {\n    \"id\": \"leadership-with-security-and-audit-experience\",\n    \"style\": {\n      \"position\": \"relative\"\n    }\n  }, mdx(\"a\", {\n    parentName: \"h2\",\n    \"href\": \"#leadership-with-security-and-audit-experience\",\n    \"aria-label\": \"leadership with security and audit experience permalink\",\n    \"className\": \"anchor before\"\n  }, mdx(\"svg\", {\n    parentName: \"a\",\n    \"aria-hidden\": \"true\",\n    \"focusable\": \"false\",\n    \"height\": \"16\",\n    \"version\": \"1.1\",\n    \"viewBox\": \"0 0 16 16\",\n    \"width\": \"16\"\n  }, mdx(\"path\", {\n    parentName: \"svg\",\n    \"fillRule\": \"evenodd\",\n    \"d\": \"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"\n  }))), \"Leadership with security and audit experience\"), mdx(\"p\", null, \"For Hackrate, ISO 27001 is also closely connected to leadership accountability.\"), mdx(\"p\", null, \"As the CEO of Hackrate, I have direct ISO 27001 auditor experience and hold a CISSP certification. In the ethical hacking field, this combination matters.\"), mdx(\"p\", null, mdx(\"strong\", {\n    parentName: \"p\"\n  }, \"A bug bounty platform must understand both sides of the table: the technical reality of vulnerability discovery and the governance expectations of enterprise security teams.\")), mdx(\"p\", null, \"This is especially important when working with customers in finance, healthcare, technology, and other regulated or risk-sensitive sectors.\"), mdx(\"p\", null, \"Security leaders do not only need a platform where researchers can submit findings. They need a partner that understands audit expectations, procurement requirements, evidence handling, vulnerability workflows, and the operational risks around coordinated testing.\"), mdx(\"p\", null, \"That is the level Hackrate is built for.\"), mdx(\"h2\", {\n    \"id\": \"why-this-matters-for-enterprise-customers\",\n    \"style\": {\n      \"position\": \"relative\"\n    }\n  }, mdx(\"a\", {\n    parentName: \"h2\",\n    \"href\": \"#why-this-matters-for-enterprise-customers\",\n    \"aria-label\": \"why this matters for enterprise customers permalink\",\n    \"className\": \"anchor before\"\n  }, mdx(\"svg\", {\n    parentName: \"a\",\n    \"aria-hidden\": \"true\",\n    \"focusable\": \"false\",\n    \"height\": \"16\",\n    \"version\": \"1.1\",\n    \"viewBox\": \"0 0 16 16\",\n    \"width\": \"16\"\n  }, mdx(\"path\", {\n    parentName: \"svg\",\n    \"fillRule\": \"evenodd\",\n    \"d\": \"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"\n  }))), \"Why this matters for enterprise customers\"), mdx(\"p\", null, \"ISO 27001 certification helps Hackrate in sales processes and tenders, but the real value is broader than a certificate on a procurement checklist.\"), mdx(\"p\", null, \"Enterprise customers need to reduce uncertainty.\"), mdx(\"p\", null, \"When a company starts a bug bounty program, launches a VDP, or opens systems to external ethical hackers, it must trust the operating model behind the platform.\"), mdx(\"p\", null, \"The platform needs to support controlled disclosure, clear scope management, secure report handling, researcher communication, triage workflows, and traceable decisions.\"), mdx(\"p\", null, \"The certification gives customers another layer of assurance that Hackrate is ready for that responsibility.\"), mdx(\"p\", null, \"It also makes Hackrate a stronger choice for European companies looking for a HackerOne or Bugcrowd alternative with ISO 27001 certification, direct access to senior security experts, and a community-driven operating model.\"), mdx(\"h2\", {\n    \"id\": \"a-certified-european-bug-bounty-platform\",\n    \"style\": {\n      \"position\": \"relative\"\n    }\n  }, mdx(\"a\", {\n    parentName: \"h2\",\n    \"href\": \"#a-certified-european-bug-bounty-platform\",\n    \"aria-label\": \"a certified european bug bounty platform permalink\",\n    \"className\": \"anchor before\"\n  }, mdx(\"svg\", {\n    parentName: \"a\",\n    \"aria-hidden\": \"true\",\n    \"focusable\": \"false\",\n    \"height\": \"16\",\n    \"version\": \"1.1\",\n    \"viewBox\": \"0 0 16 16\",\n    \"width\": \"16\"\n  }, mdx(\"path\", {\n    parentName: \"svg\",\n    \"fillRule\": \"evenodd\",\n    \"d\": \"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"\n  }))), \"A certified European bug bounty platform\"), mdx(\"blockquote\", null, mdx(\"p\", {\n    parentName: \"blockquote\"\n  }, \"Hackrate is now an officially ISO 27001 certified bug bounty platform.\")), mdx(\"p\", null, \"This matters because the bug bounty market is no longer only about access to researchers. The best programs require a secure platform, high-quality triage, clear customer communication, responsible disclosure processes, and a team that understands both offensive security and enterprise governance.\"), mdx(\"h2\", {\n    \"id\": \"what-comes-next\",\n    \"style\": {\n      \"position\": \"relative\"\n    }\n  }, mdx(\"a\", {\n    parentName: \"h2\",\n    \"href\": \"#what-comes-next\",\n    \"aria-label\": \"what comes next permalink\",\n    \"className\": \"anchor before\"\n  }, mdx(\"svg\", {\n    parentName: \"a\",\n    \"aria-hidden\": \"true\",\n    \"focusable\": \"false\",\n    \"height\": \"16\",\n    \"version\": \"1.1\",\n    \"viewBox\": \"0 0 16 16\",\n    \"width\": \"16\"\n  }, mdx(\"path\", {\n    parentName: \"svg\",\n    \"fillRule\": \"evenodd\",\n    \"d\": \"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"\n  }))), \"What comes next\"), mdx(\"p\", null, \"The certification is not the end of the work. ISO 27001 is a management system, not a one-time project. It requires continuous review, improvement, and accountability. That fits well with how Hackrate already operates.\"), mdx(\"p\", null, \"For us, this milestone confirms that Hackrate is ready to support more enterprise customers that want to start or mature their bug bounty and vulnerability disclosure programs.\"));\n}\n;\nMDXContent.isMDXComponent = true;","slug":"/blog/Hackrate_is_now_ISO_27001_certified/","timeToRead":"5 min read","date":"June 30, 2026","dateString":"June 30, 2026","datePublishedSeoFormat":"2026-06-30","title":"Hackrate is now ISO 27001 certified","excerpt":"In this article, we explain why ISO 27001 matters for a bug bounty platform. We also share how it supports our work with enterprise customers looking for a European bug bounty platform with strong security governance.","tags":["hackrate","news"],"lastModificationTime":null,"lastModificationTimeString":null,"dateModifiedSeoFormat":null,"hero":{"full":{"base64":"data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAALCAYAAAB/Ca1DAAAACXBIWXMAAAsTAAALEwEAmpwYAAACkUlEQVQoz2WSXTMbYRiG/drSqiDfsskmu0lJhBBEBBFUVHvCaA86o/K9m0/B0ERRo60c9KTTf3D1Ec56cM3syV5z38/9DuhjeTTBP5rDPyaMC9YcuquA7imiqSUCehl1soI6beCLmXjjVZREDU+qzsR6HfdmA9fbFs7dFgPB0Twx1SAVbZKM1FmJNliZaRJ0Fgi4BV8RNVDCFyrjDVdQZgw88yaeZ6FbhM5MA8d2E3tWhLolT9hRIuYziGsm80I8aKLbC/glpd/7JPQGyyh9odkX2ucNxhZMHKt1XJnmk/AxoTacIzRaQBvJoVmkqtTXx/OSsEhQKaH5ywSCFfSIiS8i6aIGrrkqkb0LFg+7+HfOsK5LQqncF+rDedYiTbYWTsnMtUnHTliZbrIstRdnpf5ym0Syzc6HDuFF+XGqwtJ+F7Nzz9fbO/Zrd6i7It16THgiCV/mSGg13q9esL14SiJUZyPeJrN8xtb6OclEG1Uryw0reKYMlFiNbPGWX72f/P3zm/ObH8wedrBs1LG/a4tw6Jg3lgIRa4nwI7YSUcVgUqkQ1k1CQQOvLK1IbSVsYBMOjHuqlzd8NM5pXz8QPXgS2voJB3MEBo/xC4Eh+ZbEqtxTtebxOgooHhlE7uh9TugQYWhNTpD7TvroG6nP11jTDWzbLcazIgy8EImk1F4dowva6xxeGcojA02I1C3PxyVSu6+Ee9JgIioLC1YZxpFsYElUsaWbcsNnoSbCefs5y54rllwdksoVxU8PVI4eKH/pUXrkuEex2JN3WMUpa7vnargW6jgSwmrjf2FkpEZ0tMW0pUnU1iKbumQv02F3s0N2u8tu9oqtbFcqPwmdszUc8Rp2EdpSDakswk0R7pzwD/BDdvw6NBvtAAAAAElFTkSuQmCC","aspectRatio":1.78397212543554,"src":"/static/b89c4cb518ddcb10e903513041c9adfc/5d2c5/Hackrate_is_now_ISO_27001_certified.png","srcSet":"/static/b89c4cb518ddcb10e903513041c9adfc/6ba37/Hackrate_is_now_ISO_27001_certified.png 512w,\n/static/b89c4cb518ddcb10e903513041c9adfc/5d2c5/Hackrate_is_now_ISO_27001_certified.png 1000w","srcWebp":"/static/b89c4cb518ddcb10e903513041c9adfc/36ebb/Hackrate_is_now_ISO_27001_certified.webp","srcSetWebp":"/static/b89c4cb518ddcb10e903513041c9adfc/e4e36/Hackrate_is_now_ISO_27001_certified.webp 512w,\n/static/b89c4cb518ddcb10e903513041c9adfc/36ebb/Hackrate_is_now_ISO_27001_certified.webp 1000w","sizes":"(max-width: 1000px) 100vw, 1000px"}},"commentId":"/blog/Hackrate_is_now_ISO_27001_certified/","tableOfContents":{"items":[{"url":"#why-this-certification-matters","title":"Why this certification matters"},{"url":"#built-on-security-principles-from-the-beginning","title":"Built on security principles from the beginning"},{"url":"#what-changed-during-the-certification-process","title":"What changed during the certification process"},{"url":"#leadership-with-security-and-audit-experience","title":"Leadership with security and audit experience"},{"url":"#why-this-matters-for-enterprise-customers","title":"Why this matters for enterprise customers"},{"url":"#a-certified-european-bug-bounty-platform","title":"A certified European bug bounty platform"},{"url":"#what-comes-next","title":"What comes next"}]},"lastModifiedTime":"2026-06-30T09:00:00.000Z","lastModifiedTimeString":"June 30, 2026"},"permalink":"https://blog.hckrt.com/blog/When-an-exposed-Google-Maps-key-becomes-an-AI-billing-risk/"}},"staticQueryHashes":["1209262222","1714442890","2703881467","888479136"]}