Hapio disclosure program

Information for the ethical hacker

Hapio is an application accessible to a global audience, and we receive multiple reports each week from various security researchers. Many of these reports highlight similar concerns, and while we do not have a formal bounty program, some researchers occasionally expect compensation merely for reaching out to us.

We take all security reports seriously and ensure every submission is thoroughly reviewed. However, as a relatively new player on the global stage, we must acknowledge the reality of finite resources. Each hour spent addressing security reports is an hour not invested in enhancing the Hapio platform for our users. In light of this, we have decided to revise our approach to processing security concerns.

Effective December 2024, we will implement a clearer policy distinguishing between reports related to our domains. The rationale behind this decision is straightforward: the hapio.io website operates independently of the technology powering the hapio.app and hapio.net platform. While we fully understand the importance of safeguarding the hapio.io website against potential threats such as hacking, defacement, or spoofing, our primary focus will always remain on ensuring the security and reliability of the Hapio.app portal and the Hapio.net booking API, which serve our valued customers.

Hapio.io reports

Reports related to the hapio.io domain and its associated technology are categorized as low priority. While these submissions will be reviewed, they may experience delays in processing. Please note that monetary rewards are not issued for hapio.io reports, as most findings are not critical when evaluated in the appropriate context.

We encourage researchers to focus on high-impact vulnerabilities rather than results generated solely by automated tools like Snyk, OpenVAS, or Nikto, which often flag issues that, while noteworthy, do not constitute severe threats.

We remain committed to maintaining the security of our public-facing website and appreciate the effort of researchers who contribute to its safety.

Hapio.app and Hapio.net reports

Reports concerning the hapio.app and hapio.net domains and the technology that supports this platform are treated with the highest priority, and submissions will be reviewed promptly.

  • Validation Encouraged:
    To maximize the chances of recognition, we recommend using the free tier of Hapio to confirm that the issue is reproducible and meets vulnerability criteria before submitting your report.
  • No Guarantee of Payment:
    We do not guarantee any rewards at this time.

Recognition and Trust

We understand that trust is integral to the researcher-company relationship. To ensure fair evaluation, we will collaborate with an independent expert to assess the severity of reported vulnerabilities and assign each report an appropriate severity rating. This approach allows us to uphold transparency and credibility.

We recognize the efforts of researchers through non-monetary incentives, such as inclusion in our Hall of Fame for impactful disclosures. While we cannot guarantee any monetary rewards for submissions, we are committed to acknowledging contributions that help secure our systems.

Submission Guidelines

To streamline the process and ensure timely responses, all security disclosures must be submitted to support@hapio.io. Reports sent via other channels – such as customer support forms, technical support chats, social media, GitHub, or product discovery channels – will not be processed and may be flagged as spam.

  • Expected Timelines:
    We strive to complete an initial assessment within 5 business days, and submissions deemed high priority will receive an acknowledgment within 72 hours of assessment. These timelines are not guaranteed and may shift depending on real-world events and workload.
  • Submission Format:
    Please include detailed steps to reproduce the issue, evidence supporting the vulnerability, and the potential impact. Including this information helps us process your report efficiently and increases the likelihood of recognition.
  • Artificial Intelligence:
    If your report has been generated or assisted by artificial intelligence tools (e.g., ChatGPT, Claude, CoPilot, Perplexity), please disclose this and specify the extent to which AI was used. Note that AI tools can sometimes produce inaccurate or non-existent vulnerabilities. To ensure the quality and accuracy of submissions, please refrain from using AI-generated content where possible, as we do not have the resources to validate low quality AI-generated submissions.