Security & Trust

Report Security Issues

Help us keep hananoa.com safe — we review all legitimate reports and resolve issues quickly.

If you have found a security vulnerability on hananoa.com, we encourage you to contact us immediately. We review all legitimate reports and aim to resolve issues as quickly as possible. Before reporting, please read this document carefully — including our fundamentals, bounty program, reward guidelines, and non-reportable issues.

Responsible Disclosure: We appreciate the work of security researchers and are committed to working with the community to identify and resolve security issues responsibly. Thank you for helping keep Hananoa and our customers safe.

Fundamentals

If you follow the principles below when reporting a security issue to hananoa.com, we will not initiate legal action or enforcement investigations against you in response to your report. We ask that:

  • You give us reasonable time to review and fix the issue before disclosing it publicly or sharing it with others.
  • You do not interact with or access private accounts without the account owner's explicit consent.
  • You make a good-faith effort to avoid privacy violations, service disruptions, or data destruction.
  • You do not exploit the issue for any reason — including to demonstrate further risk or access sensitive data.
  • You comply with all applicable laws and regulations throughout your research and disclosure.

Bounty Program

We recognize and reward security researchers who help protect our platform by reporting vulnerabilities. Bounties are awarded at Hananoa LLC's discretion, based on risk, impact, and report quality.

To potentially qualify for a bounty, you must:

  • Follow the fundamentals listed above.
  • Report a valid security bug that poses a real risk to privacy or security.
  • Submit your report directly to us via email — please do not contact employees directly.
  • Disclose any accidental privacy violations or disruptions in your report.
  • Understand that while we investigate all valid reports, priority is based on risk level and a response may take some time.
  • Agree that we reserve the right to publish submitted reports.

Rewards

Rewards are based on the impact and severity of the vulnerability. Please provide detailed and fully reproducible steps in your report — if the issue cannot be reproduced, it is not eligible for a bounty. The first valid report of an issue receives the bounty. Multiple bugs caused by a single underlying issue are treated as one report.

Critical: $200
  • Remote Code Execution
  • Remote Shell / Command Execution
  • Vertical Authentication Bypass
  • SQL Injection leaking targeted data
  • Full account takeover

High: $100
  • Lateral authentication bypass
  • Sensitive internal data disclosure
  • Stored XSS affecting other users
  • Local file inclusion
  • Insecure auth cookie handling

Medium: $50
  • Logic or business process flaws
  • Insecure object references

Low: Recognition
  • Open redirects
  • Reflected XSS
  • Low-sensitivity information leaks

Report Quality Matters: We assess all rewards based on impact, exploitability, and the quality of the report. Detailed, reproducible reports with clear steps are prioritized. Vague or unreproducible reports are not eligible for a bounty.

Contact Information

Business Hours
Mon – Sat: 9:00 AM – 5:00 PM
Sunday: Closed