
Frequently Asked Questions

If you have any questions about the code of conduct or any of these rules of engagement, please check the FAQ here. If your questions were not answered, please send them to h1-codeofconduct@hackerone.com

I contacted a customer via a forum or chat service that was intentionally created for customers and Hackers to talk, am I violating the Code of Conduct?

Nope! Contacting customers through authorized channels is not a violation of the Code of Conduct. However, contacting customers through direct messages on social media (such as LinkedIn, Facebook, Twitter, etc.), SMS, email, telephone, or any other method without prior authorization from the party you are contacting is a violation of HackerOne's Code of Conduct.

The Code of Conduct says "No Intellectual Property theft." How does HackerOne enforce that?

Many reports contain unique work that can be considered to be the reporting Hacker’s intellectual property. This is often the case when 0-day bugs are reported. We commit to reviewing cases that are escalated to us, and we will take appropriate action where intellectual property theft can be reasonably shown to have occurred. If you think that a Hacker is using research in an unauthorized manner, please contact us, and we will open an investigation.

I’m not sure I understand what Intellectual Property theft is or how that can happen on the platform. Could you provide some examples?

Intellectual Property is a broad term applied to intangible creations, such as patents, trademarks and copyright. When we say intellectual property theft in the context of our platform, we are talking about the unauthorised use of unique technical ideas created and owned by other Hackers. This could happen if any Hacker on the platform learns, by any means, specific technical details that are not publicly known and uses or shares them without the authorization of the original Hacker. For example, a Hacker who has access to a program hosted on HackerOne receives a 0-day vulnerability report in their inbox and learns how to reproduce the same vulnerability in other programs. If this information is not otherwise readily available to the public, the Hacker cannot use it to file their own reports.

If I am collaborating with another Hacker, and I’m sharing vulnerability/report information in order to work together to identify and escalate vulnerabilities while testing, am I violating the Code of Conduct where it says “Do not disclose vulnerability i

As long as both Hackers are invited to the same program or you are hacking on a public program, you are not in violation of the HackerOne Code of Conduct. However, if only one of the Hackers is invited to the private program, this Hacker must not share customer, scope or vulnerability information with Hackers that are not part of the private program. If you want to work with another Hacker who is not yet invited to the program, you should ask first (by contacting the TPM email on the program policy, or sending an email to support) and coordinate with them before you disclose the existence of the program to your possible collaborator.

Please refer to HackerOne’s Disclosure Guidelines for further information.

My report has been labeled as Informative or N/A. Can I make the report information public, or do a write-up about it without checking in with the program?

No. All reports must follow the disclosure guidelines of the program itself. If a program doesn’t have a clearly defined disclosure policy, then this means that the existing HackerOne platform policies still apply. To accept a private program invitation, all Hackers agree to never disclose any bugs that are submitted to that private program. If you cannot agree to never disclose, then do not accept the invitation and do not report to that program. This information is also noted on every private program invitation and Hackers agree to non-disclosure by default when accepting the invite.

By disclosing report information without authorization, even if the report is N/A or Informative or any other status, and even if you think there is a valid reason to disclose, you would still be in violation of the Code of Conduct. You must coordinate with the program for all disclosures. Disagreement with the rating your report has received is not a valid reason to violate the disclosure and other guidelines. This helps keep Hackers out of trouble, and helps HackerOne to continue supporting their unique and valuable work.

Please refer to HackerOne’s Disclosure Guidelines for further information.

I found a vulnerability that exposes Personally Identifiable Information (PII) or Personal Data, and I’m reporting the vulnerability to the customer, along with adding screenshots and other evidence about it. Am I in violation of the Code of Conduct guide

No. Please report any vulnerabilities that might disclose PII, as our customers will find that information important. However, PII must be handled extremely carefully. Many program policies have express guidance on what to do if you come across PII; in that case, follow the program policy. In any event, take care to minimise the sharing of PII, and we recommend that, where possible, the PII is not replicated at all. Instead, redact any private information that is sensitive and unnecessary to show the impact. Upload sensitive information only to the HackerOne report itself. Do not host videos or evidence of any kind on third-party hosting services.

Please refer to HackerOne’s Disclosure Guidelines for further information.

A Hacker is using abusive language, or engaging in other harassment, outside of the platform (e.g. social media, email, etc). Do you penalize Hackers for this?

HackerOne's community extends beyond the reports that are hosted on our platform. We understand that we cannot track behavior on everyone's social media profiles, but if something that violates our Code of Conduct comes to our attention, we will, where necessary, take action and apply appropriate penalties to the accounts of those Hackers. It is in the entire community's best interest that Hackers refrain from abusive language, or other harassment, against each other. Everyone is here to learn and grow together.

I just found a data breach including customer data and credentials. Can I use those credentials to increase my scope and test for new vulnerabilities?

The short answer is "No." You cannot use exposed production credentials or sensitive information to increase your scope, and you should avoid making use of any functionality that those credentials give access to. Testing with unreported credentials is a violation of the Code of Conduct under "No unsafe testing / Service degradation." Using those credentials may even trigger an incident response on the program side if their systems flag your access or testing as an attack. This can lead to a lot of expensive work for the program and can result in sanctions on your HackerOne account.

Having said that, you are welcome to report the data breach you found to the program, as they will likely want to know about it. Just remember to always let the program review the credentials first, then ask the program whether you may continue testing the functionality that those credentials give access to. Don't test before you report the credentials.

When I file a new report, I tell the Program how much money I want as reward for the vulnerability I’m reporting. Is that Ok?

It's very easy to misunderstand statements such as "I found this bug, and I want $10,000 for it." In extreme cases, statements of this nature can even be seen as blackmail or extortion. Programs expect to set the award based upon the severity of the bug and the bounty tables on their program policy page, so we suggest reading those pages carefully before you report. Asking for a certain amount of money upfront can also imply that the Hacker will take some sort of action if the bounty is lower than what they are asking for. Please avoid comments of this kind so that you do not make a threat by accident. Bounties should always be awarded according to the program's bounty table. If the bounty differs from what is shown in the bounty table on the policy page, let HackerOne's Mediation team know.

I am collaborating with another Hacker, and we share report templates and bug information, but we don’t use the “collaboration” feature on HackerOne’s platform. Is this a violation of the Code of Conduct?

This could be seen as sharing report information with third parties, which is a violation of the Code of Conduct, especially if you are hacking on a private program and your collaborator is not invited to that program. We strongly suggest that, every time you collaborate with someone, you make sure the other Hacker has access to the program you are collaborating on, and that you add the other Hacker as a collaborator on the report. This keeps everything transparent and avoids confusion.

What is hate speech?

According to the United Nations, the term hate speech is understood as any kind of communication in speech, writing or behaviour, that attacks or uses pejorative or discriminatory language with reference to a person or a group on the basis of who they are, in other words, based on their religion, ethnicity, nationality, race, colour, descent, gender or other identity factor. This is often rooted in, and generates intolerance and hatred and, in certain contexts, can be demeaning and divisive.