Hello Interview – Vulnerability Disclosure Policy (VDP)

Our commitment

Scope

• hellointerview.com and all subdomains we operate.
• Publicly reachable services and APIs owned and operated by Hello Interview.

• Informational email/DNS hardening items (e.g., missing MTA-STS/TLSRPT, SPF “softfail” tuning, DMARC alignment suggestions).
• Non-exploit security headers/best-practice suggestions (HSTS/Content-Security-Policy tweaks, cookie flags) on non-sensitive pages.
• Clickjacking or mixed content on marketing pages.
• Self-XSS, tapjacking, or issues requiring the victim to paste code into their own browser/devtools.
• Open redirects without demonstrated impact.
• Missing rate limits or brute-force theories without viable exploitation.
• Deprecated TLS/cipher warnings without a working exploit.
• DoS/volumetric attacks, spam, social engineering, phishing, physical security, third-party services we don’t control, automated scanner noise.

Rules of engagement

• Do no harm. Don’t disrupt services, degrade performance, or exfiltrate data. If you encounter user data, stop immediately and report the minimal details needed to reproduce.
• Use test accounts only. Don’t access anyone else’s data or accounts.
• No privacy violations. Don’t attempt to access PII beyond what’s necessary to demonstrate impact.
• No lateral movement or persistence.
• Follow the law and this policy at all times.

How to report

• Affected host/service and vulnerability type
• Step-by-step reproduction, a minimal proof of concept, and expected vs. actual behavior
• Impact assessment (what data/action is at risk)
• Your contact info and whether we may credit you publicly

Coordinated disclosure

• Please keep details confidential for up to 90 days after we acknowledge receipt, or until we confirm remediation/acceptance of risk—whichever comes first. We may request an extension for complex fixes.

Triage & response

• Acknowledgement: within 2 business days
• Triage decision: within 7 business days (Confirmed / Needs more info / Not applicable)
• Remediation: Based on severity. We prioritize Critical/High; Informational/Low will usually be closed as “won’t fix.”
• We don’t operate a paid bug bounty at this time.

Safe harbor (legal)

• We consider your testing authorized under the Computer Fraud and Abuse Act and similar laws.
• We won’t pursue civil action or contact law enforcement solely for your research.
• Third-party legal claims are outside our control, but we will publicly state that your actions were conducted under this policy.