Disclosure Policy
HasFocus follows a structured responsible disclosure process to protect users while giving project teams adequate time to remediate.
Reporting a Vulnerability
If you discover a vulnerability in a project that HasFocus has audited, or in HasFocus infrastructure itself, please report it to security@hasfocus.com. Include a clear description, reproduction steps, and any proof-of-concept code.
Timeline
- Day 0: Vulnerability reported to the affected project team privately.
- Days 1-7: Initial assessment and severity classification.
- Days 7-30: Remediation window. The project team implements and deploys fixes.
- Days 30-90: Grace period. If the fix is complex or requires a migration, we extend the window.
- Day 90+: Public disclosure. If the project team has not remediated after 90 days, we reserve the right to publish the finding to protect users.
What We Publish
Disclosed findings are published to our Disclosures page with full technical detail, including the affected codebase version, severity, root cause analysis, and remediation status.
Safe Harbour
HasFocus will not pursue legal action against researchers who discover and responsibly report vulnerabilities in good faith, provided they do not exploit the vulnerability beyond what is necessary for a proof of concept.
Bug Bounties
Some of our audit clients maintain independent bug bounty programs. Where applicable, we will direct researchers to the appropriate program. HasFocus does not currently operate its own bug bounty program.