At OnlineHashCrack, we are committed to maintaining the security and privacy of our users. We recognize the importance of security researchers and ethical hackers in helping us identify and remediate vulnerabilities.
This Coordinated Vulnerability Disclosure Policy outlines how to report potential security issues responsibly, and what you can expect from us in response.

This policy applies to:

• All publicly accessible services under the domain onlinehashcrack.com
• API endpoints (authenticated and public)
• Frontend and backend applications
• Infrastructure components if they impact user data or availability

Out of scope:

• Denial of Service (DoS/DDoS) attacks
• Spam or social engineering techniques
• Physical attacks
• Third-party services OHC uses but does not control

We ask that you:

• Act in good faith and comply with applicable laws
• Avoid privacy violations, data exfiltration, or modifying data
• Do not access or attempt to access other user accounts or data
• Avoid scanning or testing that could degrade our service
• Use the official reporting channel (see below)

We will consider your report valid if:

• It includes clear reproduction steps
• It targets an asset within scope
• It demonstrates actual or potential impact

Please send vulnerability reports to: [email protected].
Your report should include:

• A detailed description of the vulnerability
• Affected URLs, parameters, and sample requests (if applicable)
• Proof of Concept (PoC) or exploit code (if available)
• Impact assessment and severity estimate (CVSS score if possible)
• Your contact information and optional public disclosure preference

If you follow the rules in this policy:

• We will acknowledge receipt within a few business days
• We will work with you to remediate the issue quickly
• We may publicly credit you (with consent) once resolved
• We will not pursue legal action against you for good-faith efforts

While we not operate a formal bug bounty program at this time, we may offer:

• Public recognition on our Hall of Fame page
• Platform credits
• Priority access to new features or services

Subject to internal review and impact assessment.

We consider activities conducted consistent with this policy to be:

• Authorized
• Exempt from legal action
• Exempt from contract violations
• Exceptions apply if your actions cause harm or violate user privacy.