an image of three HackerOne team members working together at their laptop

Clear Rules of Engagement

Hackers participating in Clear Programs often have increased levels of internal access, credentials or additional parameters. This document describes the Rules of Engagement and Additional Terms (these “RoEs”) for being part of HackerOne Clear and participating in HackerOne Clear Programs. By being a part of HackerOne Clear, you must accept and abide by these Rules of Engagement and all terms and conditions outlined below. Additionally, by participating in any programs on HackerOne, all Finders agree to help empower our community by following the HackerOne Code of Conduct (CoC). The CoC is in addition to the General Terms and Conditions and Finder Terms and Conditions all Clear hackers agree to when creating an account.

 

Code of Conduct

Background Checks and ID Verification

In order to qualify as a HackerOne Clear Finder, HackerOne must confirm certain information about you. By accepting these HackerOne Clear RoEs, you agree that HackerOne may conduct such background investigations and ID Verification as these are necessary to participate in Clear Programs and you hereby consent to HackerOne conducting these investigations and verifications. You must be a legal adult to be eligible for Clear. Without limiting the foregoing, among other things, HackerOne may request reports containing information about you from third ­party agencies that may contain information relating to, among other things, your criminal record, character, identity verification and reputation and may be conducted on a recurring basis while you remain an HackerOne Clear Finder. The types of information that may be obtained include, among other things, social security number (or Federal employer identification number or taxpayer number, if applicable) verifications, criminal records checks, public court records checks, governmental sanctions and professional references checks. Again, by agreeing to these terms, you hereby consent to HackerOne obtaining these reports through the third party vendors HackerOne may utilize for such reports. You may obtain a copy or summary of the reports on written request.

Current Vendor for ID Verification: Berbix
Current Vendor for Background Checks: First Advantage

Respect Confidentiality and Disclosure Guidelines and NDAs

H1 Clear Finders must strictly comply with all confidentiality guidelines, requirements and obligations related to the HackerOne Clear Programs in which they participate. These guidelines apply to vulnerability information, customer information, policy or scope details, bugs, account information, or any other Program-specific information.

If a Program requires an additional NDA or other contractual agreement, it is fundamental to respect these signed documents and comply with their requirements. Disclosing information in violation of confidentiality guidelines and/or applicable NDAs/contracts is strictly prohibited. Failing to comply will be a breach of your obligations to the customer and could result in direct action against you.

No disclosure of any vulnerability reports from any H1 Clear Programs may be made without the H1 Clear Customer’s explicit written approval via a communication within the HackerOne platform. This supersedes the standard disclosure process described in the HackerOne Disclosure Guidelines available at https://www.hackerone.com/disclosure-guidelines.

Without limiting any confidentiality obligations you may have under the H1 Clear Customer’s program, you agree that you can make no disclosure of any H1 Clear Customer’s name without explicit written approval from the customer via in-platform communication.

Specifically, and without limiting the prior statement, you may make no posting on social media regarding any H1 Clear Customer or H1 Clear Program and related activities without explicit written permission from the customer. Requests for such permission needs to be in written format via the HackerOne platform.

 

Respect HackerOne's Code of Conduct

All Clear Finders must adhere to HackerOne’s Code of Conduct; we expect all HackerOne Clear Finders to act in accordance with the highest professional and ethical standards. Any violation of these terms, misbehavior or other code of conduct violations could result in immediate termination as an HackerOne Clear Finder and removal from Clear Programs and/or the Platform generally.

Use Gateway or "Tag Your Traffic"

Whenever a Clear Program Policy requires use of HackerOne’s Gateway, or other tagging of testing traffic, Clear Finders must follow the applicable policy rule as doing so is a requirement to remain enrolled in Clear and to participate in the particular Program. Avoiding using Gateway or forgetting to tag your traffic could result in sanctions or removal from HackerOne Clear.

Be Professional

Being professional and respectful towards customers, HackerOne personnel and other researchers is a key element of being a Clear Finder As such, Finders in HackerOne Clear are held to a higher professional standard than non-Clear Finders.

If a disagreement occurs, please use the proper communication channels and report any incidents to HackerOne-CodeofConduct@hackerone.com

Satisfactory Performance

In order to remain a member of HackerOne Clear, Clear Finders must maintain acceptable levels of performance including activity, reputation, signal and impact. These guidelines are outlined in {link doc}

Failure to do may render you ineligible to continue participating in HackerOne Clear Programs and/or impact specific tier eligibility.

 

General Provisions

If any of the provisions of these Rules of Engagement are held invalid or unenforceable by a court or other legal proceeding, the remaining terms will remain in full force and effect, and the provision affected will be construed so as to be enforceable to the maximum extent permissible by law. These HackerOne Clear RoEs, together with the Finder Terms and conditions, constitute the complete and exclusive understanding and agreement between us with respect to your participation in HackerOne Clear Programs, and supersedes all prior understandings and agreements, whether written or oral, with respect HackerOne Clear Programs.If there is any conflict between the Finder Terms and Conditions and these HackerOne Clear RoEs, these HackerOne Clear RoEs will control. Any waiver, modification or amendment of any provision of these HackerOne Clear RoEs will be effective only if in writing and signed by HackerOne. These HackerOne Clear RoEs may be executed in counterparts, each of which will be deemed an original, and all of which together will constitute one and the same instrument, and may be executed digitally through digital signature or online acceptance. The exchange of a fully executed document (in counterparts or otherwise) by facsimile signature or by other electronic means, such as by portable document format (.pdf) file, shall be sufficient to bind you to these terms.

Definitions

Finders:

This refers to the individual bug hunter or pentester that is performing security testing and reporting vulnerabilities on HackerOne’s platform.

Report Details:

Data in a report that includes payloads, custom built modules/tools, custom built scripts, or anything that could be considered unique or proprietary to the program or the report itself.

 

Investigation and Enforcement

If a complaint is received from a customer, team member, another Finder, or if HackerOne observes something that appears to violate the Code of Conduct and/or these RoEs HackerOne will in all cases:

  • Assume good intent: HackerOne trusts that hackers will want to do the right thing.
  • Investigate fully so HackerOne understands what did (and did not) happen. HackerOne will speak to all parties involved, where appropriate, and attempt to provide a neutral viewpoint.
  • Repercussions: If HackerOne determines the Finder has violated the Code of Conduct and/or these RoEs, there will be disciplinary actions depending on the severity and HackerOne’s assessment of intent. Repercussions could include, depending on severity, temporary bans and permanent bans from HackerOne Clear, HackerOne Clear programs and/or the platform.

In general, HackerOne will seek to enforce these rules of engagement in accordance with the action guidelines below.

HackerOne Rules of Engagement

Please note, however, that HackerOne reserves the right to escalate the severity of enforcement and sanctions in accordance with the nature of the offense and irrespective of previous offenses. Depending upon the severity of the offense, sanctions may include, without limitation, longer temporary bans, immediate removal from HackerOne Clear and HackerOne Clear Programs and/or a permanent ban from the HackerOne Platform.