Hack Club Rules of Engagement
Hack Club is built on the principles of respect and trust, and we expect all members to follow these rules when responsibly disclosing security vulnerabilities. We also hold ourselves to the same standards, since respect is a two-way street.
When we refer to "we" as a security team, we are referring to the Hack Club Security Team. "Aegis" is the name of our web platform, but can also refer to the team itself.
1. You as a researcher
As a researcher, you are expected to follow these rules when responsibly disclosing security vulnerabilities.
- Respect the rules. Operate within the rules set forth by each program, or speak up if in strong disagreement with the rules.
- Respect privacy. Make a good faith effort not to access or destroy another user's data or other sensitive information.
- Be patient. Make a good faith effort to clarify and support your reports upon request.
- Do no harm. Act for the common good through the prompt reporting of all found vulnerabilities. Never willfully exploit others without their permission.
2. We as a security team
We hold ourselves to equivalent standards.
- Prioritize security. Make a good faith effort to resolve reported security issues in a prompt and transparent manner.
- Respect finders. Give finders public recognition for their contributions.
- Reward research. Financially incentivize security research when appropriate.
- Do no harm. Take no unreasonable punitive actions against finders, such as making legal threats or referring matters to law enforcement.
3. Programs
Hack Club often has multiple programs running at the same time, often with their own rules and guidelines for how to handle security vulnerabilities. This document serves only as a baseline for all programs and as the default rules when a program has not defined its own rules and guidelines.
Note: Programs are free to define their own rules and guidelines, and those rules and guidelines take precedence over this document. In the event of a dispute over a program's rules and guidelines, the Hack Club Security Team will be the final arbiter.
4. Safe Harbor
Safe Harbor means we support the protection of organizations and hackers engaged in Good Faith Security Research. “Good Faith Security Research” is accessing a computer solely for purposes of good-faith testing, investigation, and/or correction of a security flaw or vulnerability, where such activity is carried out in a manner designed to avoid any harm to individuals or the public, and where the information derived from the activity is used primarily to promote the security or safety of the class of devices, machines, or online services to which the accessed computer belongs, or those who use such devices, machines, or online services.
This means that, for activity conducted while this program is active, we:
- Will not bring legal action against you or report you for Good Faith Security Research, including for bypassing technological measures we use to protect the applications in scope; and,
- Will take steps to make known that you conducted Good Faith Security Research if someone else brings legal action against you.
5. Conflicts of Interest
Having a conflict of interest means that you have a personal stake in the program. In practice, if you are actively working for a program, filing a security report against it is considered a conflict of interest and makes you ineligible to receive any bounty payouts.
Programs are able to make their own rules regarding conflicts of interest and it is up to their discretion.
6. Payments
Some programs may offer bounties for security research, while others may not. It is up to the program to decide whether or not to offer bounties.
If a program chooses to offer bounties, Aegis will handle the payment of bounties to the researcher. The researcher can choose to receive the bounty in the following ways:
- ACH transfer (limited to US residents)
- Mailed check (limited to US residents)
- Wise transfer*
- Cryptocurrency**
- Donation to a nonprofit on your behalf
- Zelle
* We offer Wise as an option for researchers abroad. Wise is a global partner that often supports local payment methods (e.g. UPI in India, Interac in Canada, Alipay and WeChat Pay in China, etc.), which can be cheaper than traditional bank transfers. We also support paying out to a Wise username. Wise charges transaction fees on all transfers, and you are responsible for these fees. For example, if the Wise fee on a transfer is 1% and your bounty is $100, you will receive $99. Please confirm your payment method before submitting your report.
** Cryptocurrency is offered via Coinbase and Kraken. Only assets that are listed by these platforms will be available. All payouts done in USDC will be free minus any applicable gas fees (average gas fee is less than $0.10), while all other coins will be subject to a 1% trading fee charged by the exchange.
Because we're based in the United States, we aren't able to pay bounties to residents of, or those who report vulnerabilities from, a country against which the United States has trade restrictions or export sanctions as determined by the U.S. Office of Foreign Assets Control (OFAC).
All payouts are priced in U.S. dollars (USD). You are responsible for the tax consequences of any bounty you receive, as determined by your local tax laws.
7. Contact
We are always open for questions or concerns. Please contact us at [email protected].
Last updated: December 2025