Hydra Labs takes the security of our products and the people who use them seriously. If you have found a vulnerability, we would like to hear about it before it is disclosed publicly.
Reach the team
All security reports go through our Discord.
DM a team member privately. Please do not file public issues or tickets.
What to include in the report
DM a Hydra Labs team member on the Discord server with:
- Affected product or domain.
- Steps to reproduce, including any proof-of-concept code.
- Impact and the kind of data or accounts that could be affected.
- Your name or handle for credit, if you would like it.
Please do not open public issues, file tickets, or share details on social media until we have had a chance to investigate and patch. Discord is the only contact channel for security disclosures.
What we promise
- An initial response within 48 hours, and in most cases within 24 hours.
- A fix or mitigation timeline once we have triaged the report.
- Credit in our security acknowledgements if you would like it.
- No legal action against good-faith researchers who follow this policy.
In scope
- hydralabs.uk and any other domain we operate.
- FiveRoster, FiveBrowse, Guildbase, DCX, and Phantom, including their public APIs.
Out of scope
- Vulnerabilities in third-party services we use, unless directly exploitable through our products.
- Reports based purely on automated scanning output without proof of impact.
- Social engineering of staff or users.
- Denial-of-service attacks.
Thank you
We rely on the security community to keep our products safe. We appreciate every researcher who takes the time to report responsibly.