Security & Responsible Disclosure
We take the security of HackHQ and our customers' events seriously. If you have found a vulnerability, here is how to report it and what to expect.
How we protect your data
Organizers trust us with their participants' data. Here are the safeguards built into HackHQ.
Account security
Passwords are hashed and never stored in plain text. Email verification is required, two-factor authentication is available, and sensitive endpoints are rate-limited against brute-force attempts.
Encryption
All traffic is encrypted in transit over HTTPS/TLS, and your data is encrypted at rest in our cloud infrastructure.
Payments
Payments are processed by Stripe, a PCI DSS Level 1 service provider. Card details go directly to Stripe; HackHQ never sees or stores your full card number.
Application safeguards
Session cookies are set with the Secure and HttpOnly flags, and authenticated state-changing actions are protected against CSRF. Each organization and event is access-scoped so that only its authorized members can reach its data.
For how we collect, use, and let you control your data, see our Privacy Policy.
Where your data lives
We rely on a small set of trusted infrastructure providers to run HackHQ. Each one only receives the data needed to deliver its part of the service.
Our commitments
Beyond the technical safeguards, here is how we operate.
You can delete your data at any time
Delete your account or any event from your settings. Your data is removed from our active systems immediately. Encrypted database backups follow our infrastructure providers' standard retention schedules and are typically purged within 30 days, after which deleted data is no longer recoverable.
Limited internal access
Access to production systems and customer data is restricted to authorized personnel, logged, and used only to support customers or investigate incidents.
Incident notification
If a security incident affects your data, we will notify affected customers without undue delay.
FERPA-covered institutions
HackHQ is used by universities and other institutions subject to the Family Educational Rights and Privacy Act. When you run an event with student records on HackHQ, we act as a school official under your direction. We process those records only to provide the service you have asked us to provide, and we do not use them for any other purpose.
A Data Processing Agreement is available on request. Contact legal@hackhq.io to request one or to discuss specific institutional requirements.
Report a vulnerability
Email our security team directly with the details below. This is a dedicated channel for security reports, not a general support inbox.
What to include in a report
We cannot act on vague reports. The more of this you provide, the faster we can validate and fix the issue.
Affected target
The exact URL or endpoint where the issue occurs.
Reproduction
Clear, step-by-step instructions to reproduce it.
Impact
What an attacker could actually do by exploiting it.
Evidence
Proof of concept, screenshots, or sample requests.
In scope
- Authentication and authorization flaws
- Injection, remote code execution, or data exposure
- Issues that let one user access another user's data or another event's data
- Vulnerabilities in our web application at hackhq.io
Out of scope
- Reports with no demonstrated impact or reproduction steps
- Automated scanner output without a verified, exploitable finding
- Missing best-practice headers with no concrete exploit
- Denial-of-service, social engineering, or physical attacks
Responsible disclosure
Please give us a reasonable amount of time to investigate and address an issue before any public disclosure. Do not access, modify, or delete data that is not yours, and do not run denial-of-service or other destructive testing against our systems. Acting in good faith under this policy means we will not pursue legal action related to your research.
We do not currently run a paid bug bounty program. We recognize valid reports with our thanks and, where appropriate, public credit for your responsible disclosure.
Our machine-readable contact information is published at /.well-known/security.txt following RFC 9116.
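As an added example, not code from HackHQ or from RFC 9116 itself, the following Python checks a security.txt body against the RFC's MUST-level rules a researcher would verify before relying on the file: Contact and Expires present, Expires at most once and still in the future, Preferred-Languages at most once, and every Contact value a mailto:, tel: or https: URI. The sample files are constructed and use example.com; they are not HackHQ's published file, and the OpenPGP cleartext signature such a file may carry is only stripped here, not verified.

```python
"""Check a security.txt body against the RFC 9116 rules that matter most.

Added example: the sample text below is constructed for illustration and is
not HackHQ's published file. Fetch the real one over HTTPS from
/.well-known/security.txt and pass its body to validate_security_txt().
"""
from datetime import datetime, timedelta, timezone
from urllib.parse import urlparse

REQUIRED_FIELDS = {"contact", "expires"}           # RFC 9116 s2.5.3 and s2.5.5
SINGLE_USE_FIELDS = {"expires", "preferred-languages"}
CONTACT_SCHEMES = {"mailto", "tel", "https"}        # web URIs MUST be https://

PGP_HEADER = "-----BEGIN PGP SIGNED MESSAGE-----"
PGP_SIGNATURE = "-----BEGIN PGP SIGNATURE-----"


def strip_cleartext_signature(text):
    """Return the signed body of an OpenPGP cleartext-signed file.

    The signature is NOT verified here; do that separately with gpg against a
    key obtained out of band before trusting the contents.
    """
    if not text.startswith(PGP_HEADER):
        return text
    body = text.split(PGP_SIGNATURE, 1)[0]
    _, _, body = body.partition("\n\n")   # armor headers end at the first blank line
    # undo dash-escaping: body lines that began with "-" were prefixed with "- "
    return "\n".join(ln[2:] if ln.startswith("- ") else ln for ln in body.splitlines())


def parse_security_txt(text):
    """Map lowercase field names to their values, in file order; comments are skipped."""
    fields, errors = {}, []
    for lineno, raw in enumerate(strip_cleartext_signature(text).splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            errors.append(f"line {lineno}: not a 'Field: value' line")
            continue
        name, value = line.split(":", 1)
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields, errors


def validate_security_txt(text, now=None):
    """Return (errors, warnings). Errors are MUST-level violations of RFC 9116."""
    now = now or datetime.now(timezone.utc)
    fields, errors = parse_security_txt(text)
    warnings = []

    for name in sorted(REQUIRED_FIELDS - fields.keys()):
        errors.append(f"missing required field: {name}")
    for name in sorted(SINGLE_USE_FIELDS):
        if len(fields.get(name, [])) > 1:
            errors.append(f"{name} must not appear more than once")

    for uri in fields.get("contact", []):
        if urlparse(uri).scheme.lower() not in CONTACT_SCHEMES:
            errors.append(f"contact is not a mailto:/tel:/https: URI: {uri}")

    if len(fields.get("expires", [])) == 1:
        raw = fields["expires"][0]
        try:  # RFC 3339 date-time; Python < 3.11 rejects a trailing 'Z', so normalise it
            expires = datetime.fromisoformat(raw.replace("Z", "+00:00"))
        except ValueError:
            errors.append(f"expires is not an RFC 3339 date-time: {raw}")
        else:
            if expires.tzinfo is None:
                errors.append("expires must include a time zone offset")
            elif expires <= now:
                errors.append(f"file expired on {raw}; do not rely on its contents")
            elif expires - now > timedelta(days=365):
                warnings.append("expires is more than a year out; RFC 9116 recommends less")
    return errors, warnings


# Constructed sample files (not HackHQ's); example.com is reserved for documentation.
SAMPLE_OK = """\
# Constructed example; not a real organisation's file.
Contact: mailto:security@example.com
Contact: https://example.com/security
Expires: 2031-01-01T00:00:00.000Z
Preferred-Languages: en
Canonical: https://example.com/.well-known/security.txt
Policy: https://example.com/security
"""

SAMPLE_BAD = """\
Contact: http://example.com/security
Contact: security@example.com
Expires: 2020-01-01T00:00:00Z
Expires: 2021-01-01T00:00:00Z
"""

if __name__ == "__main__":
    fixed_now = datetime(2030, 6, 1, tzinfo=timezone.utc)  # pinned so the run is reproducible
    for label, sample in (("ok", SAMPLE_OK), ("bad", SAMPLE_BAD)):
        errs, warns = validate_security_txt(sample, now=fixed_now)
        print(label, "errors:", errs, "warnings:", warns)
```

The check is deliberately strict about Contact schemes and the Expires field because those are the two things a reporter depends on: an address that is genuinely the security team's, and assurance the file has not gone stale. Extension fields the RFC permits are parsed but not flagged.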