Security: kohler/hotcrp

SECURITY.md

Reporting security issues

HotCRP takes security seriously. We appreciate researchers who disclose security issues responsibly, and appropriately acknowledge researchers who report security bugs.

To report a security issue in HotCRP, or in the HotCRP.com service, you may email the HotCRP maintainer at ekohler@gmail.com, or report a security advisory on GitHub.

We will send a response to indicate next steps and keep you informed as you develop a fix.

How to test

Researchers are welcome to deploy and test open-source HotCRP on their own infrastructure. Researchers may also probe test sites they create via test.hotcrp.com. Researchers may not attack or probe other HotCRP.com sites unless they obtain prior authorization from the HotCRP.com maintainer. Inappropriate information extraction from or modification of HotCRP.com sites may lead to account suspension or termination, and to further consequences, including escalation to ACM, IEEE, and other appropriate ethics boards. A user who discovers an apparent security bug on a HotCRP.com site must promptly report the issue and not share information about the bug with others.

There aren’t any published security advisories