OpenCIRT was created by a hacker, and one of its main purposes is to protect hackers’ identities and allow ethical hackers to report vulnerabilities to any company without the fear of a “backfire effect”.
We are proud to say that protecting hackers’ identity is built into our mission and spirit.
While we believe that ethical hacking activity should not be subject to legal issues, unfortunately the reality is different and that’s why we have measures to keep hackers’ identities private on our platform.
First of all, we support anonymous reports, and of course, that is always the most anonymous way.
Our servers have an HTTP access log retention of only 3 days (for debug purposes), so even if you are not on a VPN, which is strongly advised, the only trace you can leave is your IP, which will be gone in a few days and is not stored with the report’s data.
While we support anonymous submission, we strongly recommend that hackers fill in their data with reports, so we can notify them of any progress and, most importantly, reward them if/when a company decides to award a bounty.
All the hackers’ data are encrypted at rest and retained only for the time necessary to process the report. When a report is closed, hackers’ data are wiped out and unrecoverable.
All the payments are processed without any reference or link to the report.
We don’t store payment data; that part is handled via email directly with hackers.
Do you have ideas to make our privacy framework better? Get in touch!