The following versions of HackGPT Enterprise are currently supported with security updates:
| Version | Supported | End of Life |
|---|---|---|
| 2.0.x | ✅ Yes | TBD |
| 1.x.x | Until EOL | 2026-01-01 |
| < 1.0 | ❌ No | 2025-12-31 |
If you discover a security vulnerability in HackGPT Enterprise, please help us maintain the security of our users by following responsible disclosure practices.
Primary Contact:
- Email: [email protected]
- Subject: [SECURITY] HackGPT Vulnerability Report
- PGP Key: Available upon request
Please Include:
- Vulnerability Description: Clear, detailed description of the issue
- Affected Versions: Which versions of HackGPT are affected
- Attack Vector: How the vulnerability can be exploited
- Impact Assessment: Potential impact and severity
- Proof of Concept: Step-by-step reproduction (if safe to share)
- Suggested Fix: If you have ideas for remediation
- Contact Information: How we can reach you for follow-up
What to Expect:
- Acknowledgment: Within 24-48 hours of your report
- Initial Assessment: Within 1 week
- Status Updates: Every 7-14 days until resolution
- Coordinated Disclosure: Timeline discussion for public disclosure
- Credit: Public acknowledgment (if desired)
| Severity | Initial Response | Fix Timeline |
|---|---|---|
| Critical | < 24 hours | 1-7 days |
| High | < 48 hours | 7-30 days |
| Medium | < 1 week | 30-90 days |
| Low | < 2 weeks | Next release |
The following components are within scope for security research:
- Core Application: Main HackGPT Enterprise application
- Web Interface: Dashboard and user interfaces
- API Endpoints: REST API and authentication
- Database Layer: Data storage and retrieval
- Authentication System: User login and session management
- File Processing: Upload/download functionality
- Network Communication: Inter-service communication
- Docker Containers: Container security configurations
- Dependencies: Third-party libraries and components
The following are explicitly out of scope:
- Denial of Service: DoS/DDoS attacks against our infrastructure
- Physical Security: Physical access to systems
- Social Engineering: Attacks against our team members
- Third-party Services: Issues with external services we integrate with
- Spam/Phishing: Email spam or phishing attempts
- Brute Force: Credential brute force attacks with common passwords
We maintain a security researcher hall of fame to recognize those who help improve our security:
Current Contributors: List will be updated as researchers are acknowledged
- Public Recognition: Listed in security advisories and hall of fame
- Social Media: Mentioned on ZehraSec social media channels
- Conference Mentions: Acknowledged at security conferences (when appropriate)
- Anonymous: Option to remain anonymous if preferred
- Swag: HackGPT and ZehraSec branded items for significant contributions
While we don't currently have a formal bug bounty program, we do provide:
- Recognition: Public acknowledgment of your contribution
- Merchandise: ZehraSec branded items
- Recommendation: LinkedIn recommendations for your security research skills
- Future Opportunities: First consideration for any future bug bounty programs
Bounty Considerations:
- Critical Vulnerabilities: Remote code execution, authentication bypasses
- High Impact: Privilege escalation, data exposure
- Unique Findings: Novel attack vectors or bypass techniques
- Quality Reports: Well-documented findings with clear impact assessment
Application Security:
- Input validation and sanitization
- SQL injection prevention
- XSS protection mechanisms
- CSRF token implementation
- Secure session management
- Password security requirements
- Rate limiting and throttling
Infrastructure Security:
- TLS 1.3 encryption in transit
- AES-256-GCM encryption at rest
- Multi-factor authentication support
- LDAP/Active Directory integration
- Container security scanning
- Dependency vulnerability scanning
- Regular security updates
Development Security:
- Secure development lifecycle (SDLC)
- Code review requirements
- Static application security testing (SAST)
- Dynamic application security testing (DAST)
- Dependency vulnerability scanning
- Container image scanning
Regular Security Assessments:
- Monthly automated vulnerability scans
- Quarterly penetration testing
- Annual third-party security audits
- Continuous dependency monitoring
- Container security scanning
- Code quality analysis
Security Tools:
- Static Analysis: Bandit, SemGrep, CodeQL
- Dependency Scanning: Safety, Snyk, Dependabot
- Container Scanning: Trivy, Clair, Docker Scout
- Network Security: Nmap, Burp Suite, OWASP ZAP
Contact the Security Team:
- GitHub: @yashab-cyber
- LinkedIn: Yashab Alam
- Company: ZehraSec
- WhatsApp: Business Channel
We may present HackGPT security research at:
- DEF CON
- Black Hat
- RSA Conference
- BSides events
- Local cybersecurity meetups
Research Guidelines:
- Permission Required: Only test against systems you own or have explicit permission to test
- Legal Compliance: Follow all applicable laws and regulations
- Responsible Disclosure: Follow coordinated disclosure timelines
- No Harm: Avoid any actions that could harm users or systems
We support security research conducted in accordance with this policy. We will not pursue legal action against researchers who:
- Follow the reporting process outlined above
- Do not access, modify, or delete user data
- Do not disrupt our services or infrastructure
- Do not publicly disclose vulnerabilities before coordinated disclosure
- Act in good faith to help improve security
HackGPT Enterprise supports compliance with:
- SOC 2 Type II (in progress)
- ISO 27001 (planned)
- OWASP ASVS Level 2
- NIST Cybersecurity Framework
- PCI DSS (for payment processing)
- GDPR (for EU users)
- CCPA (for California users)
For enterprise customers requiring security audits:
- Security architecture documentation
- Penetration testing reports
- Vulnerability assessment reports
- Compliance certification status
- Security control implementation details
This security policy is reviewed and updated quarterly to ensure it remains current with:
- Industry best practices
- Regulatory requirements
- Technology changes
- Community feedback
- Lessons learned from security research
Last Updated: August 18, 2025
Next Review: November 18, 2025
Version: 1.0
Security Team Lead: Yashab Alam
Email: [email protected]
Company: ZehraSec
Website: www.zehrasec.com
Thank you for helping keep HackGPT Enterprise and its users safe!
Made with ❤️ by the HackGPT Enterprise security team
