Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

What is this page of transactions for? https://hcb.hackclub.com/hq/transactions

I get that you want to be "open", but is everyone involved in these transactions ok with them being shared? Even if they are, this doesn't seem like a good idea security wise. I see partial account numbers and other IDs/numbers that I assume you'd prefer not be public, regardless of how insensitive they may seem now.

EXPENSIFY, INC. VALIDATION XXXXXX5987 THE HACK FOUNDATION +$0.89

FRONTING $10,000 TO CHRIS WALKER FOR GITHUB GRANTS MADE FROM PERSONAL ACCOUNT -$10,000.00

CHECK TO LACHLAN CAMPBELL +$800.00

Transfer to Emma's Earnings -$1,923.08





Hi @cirrus3,

You've found an optional feature called Transparency Mode!

I admit, this is A LOT of information being made accessible. We at Hack Club (the nonprofit organization behind HCB, and the owner of the transactions above) have chosen to make our finances publicly available on the internet. You can read more about it here: https://blog.hcb.hackclub.com/posts/transparent-finances-opt...

That link (https://hcb.hackclub.com/hq/transactions) shows our donations and spending down to the cent since we believe donors deserve to know what their contributions are funding. As a nonprofit, you can talk about what you’re spending money on, but transparency in every transaction builds trust for supporters. This level of transparency is definitely atypical, and I can see why it may raise concerns.

Other organizations using HCB (such as Reboot) can choose to enable this feature too (it's off by default), and they're briefed on the potential risks and level of exposure to decide whether it's right for their organization/team. HCB supports 6.5k nonprofits, and roughly 64% of organizations have chosen to enable this feature.

> I see partial account numbers and other IDs/numbers that I assume you'd prefer not be public, regardless of how insensitive they may seem now.

> EXPENSIFY, INC. VALIDATION XXXXXX5987 THE HACK FOUNDATION +$0.89

Good catch! Thanks for flagging that verification deposit. I've pushed a fix here: https://github.com/hackclub/hcb/pull/12336

As for the account numbers (e.g. XXXXXX5987) visible in some transactions, these are our own defunct operating accounts, and we're aware they're out there on the internet. We have a new way of managing account numbers via Column.com, so these older transactions are less of a concern for me.

I very much appreciate you bringing these to my attention! We're always looking to improve, so I'd love to hear if you find anything else.

reply


Not just for hack club - but transactions for another organization that is using their software is public. https://hcb.hackclub.com/reboot/transactions?page=13

Not sure if all the organizations using their software know this.

reply


They have this page for reporting: https://github.com/hackclub/hcb/blob/main/SECURITY.md

reply


Please look at this @mohamad08

The numbers and amounts used for account validations and adding it to be able to pull or push money . Should not be shown public..

reply


It's a hack job...

reply




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: