Live Hacking Rules of Engagement

When we get together, awesome things happen because of the creativity, collaboration, and idea exchange you bring to the event. That is what makes events special!

This is a guide to ensure that this positive environment thrives at this event and everyone has an amazing time. "Together We Hit Harder" is more than a catchphrase: it means that, collectively, it's up to all of us to provide a welcoming and respectful community for everyone. Thank you for helping to make this a welcoming, friendly space for all!

Respect Confidentiality, Disclosure Guidelines and NDAs

Live Hacking Event participants must strictly comply with all confidentiality guidelines, requirements and obligations related to the HackerOne Programs in which they participate. These guidelines apply to vulnerability information, customer information, policy or scope details, bugs, account information, or any other Program-specific information.

If the sponsoring customer requires an additional NDA or other contractual agreement for your participation in a Live Hacking Event, it is fundamental to respect these signed documents and comply with their requirements. Disclosing information in violation of confidentiality guidelines and/or applicable NDAs/contracts is strictly prohibited. Failing to comply will be a breach of your obligations to the customer and could result in direct action against you.

For all live hacking events, you must adhere to the HackerOne Disclosure Guidelines.

Recording of any aspect of the event, without explicit approval, is not permitted for live hacking events. Show & Tell in any capacity is strictly prohibited.

Social Media guidelines specific to the event will be outlined in event documentation and must be adhered to.

Only Use Approved Communication Channels

Slack, the HackerOne platform, customer calls, and in-person communication are all used during the course of live hacking events. Through all communication channels, you should be responsive, professional, and respectful to customers, each other and HackerOne teams.

Discussing the details of vulnerabilities outside of the official channels is insecure and can result in sanctions or penalties against your H1 account.

Be Professional

Collaboration is a key element of live hacking events.

You will be working with other hackers, customers and HackerOne staff from different backgrounds, locations, and cultures. Be respectful to your peers and expect them to be respectful in return. Be open minded and do your best to win as a team.

As a participant in the event, you are expected to participate in all aspects of the event, including ancillary activities, and to participate actively in the event’s program.

If a disagreement occurs, please use the proper communication channels and report any incidents to HackerOne-CodeofConduct@hackerone.com.

Follow Local Laws

Live Hacking Events occur globally. As a participant in the event, you must adhere to all local laws and location requirements while participating in the event. This includes travel, time at the hotel, time onsite at venues, and any ancillary events.

Respect Live Hacking Event’s Special Rewards and Rules

Live Hacking Events have unique gamification elements: duplicate windows with special bounty splits, team collaboration and awards, challenges, qualifying CTFs and much more. These elements could contain potential loopholes that could be exploited in ways that impede the spirit of the event. We require that you respect these benefits to continue to receive LHE invites.

In some situations you will know the targets for the live hacking event before receiving the event invitation, and you may elect to do pre-event recon for that program. We expect you to be cognizant of traffic volume during the window. If you have access to the parent program, please review that policy and ensure you are following it for pre-event recon purposes. Failure to do so will result in a first warning.

General Provisions

If any of the provisions of these Rules of Engagement are held invalid or unenforceable by a court, or other legal proceeding, the remaining terms will remain in full force and effect, and the provision affected will be construed so as to be enforceable to the maximum extent permissible by law. These HackerOne Live Event RoEs, together with the Finder Terms and Conditions, constitute the complete and exclusive understanding and agreement between us with respect to your participation in HackerOne Live Event Programs, and supersede all prior understandings and agreements, whether written or oral, with respect to HackerOne Live Event Programs. If there is any conflict between the Finder Terms and Conditions and these HackerOne Live Event RoEs, these HackerOne Live Event RoEs will control. Any waiver, modification or amendment of any provision of these HackerOne Clear RoEs will be effective only if in writing and signed by HackerOne. These HackerOne Live Event RoEs may be executed in counterparts, each of which will be deemed an original, and all of which together will constitute one and the same instrument, and may be executed digitally through digital signature or online acceptance. The exchange of a fully executed document (in counterparts or otherwise) by facsimile signature or by other electronic means, such as by portable document format (.pdf) file, shall be sufficient to bind you to these terms.

Definitions
Finders
This refers to the individual bug hunter that is performing security testing and reporting vulnerabilities on HackerOne’s platform.
Report details
Data in a report that includes payloads, custom built modules/tools, custom built scripts, or anything that could be considered unique or proprietary to the program or the report itself.

Investigation and Enforcement

If a complaint is received from a customer, team member, another Finder, or if HackerOne observes something that appears to violate the Code of Conduct and/or these RoEs, HackerOne will in all cases:

  • Assume good intent: HackerOne trusts that hackers will want to do the right thing.
  • Investigate fully so HackerOne understands what did (and did not) happen. HackerOne will speak to all parties involved, where appropriate, and attempt to provide a neutral viewpoint.
  • Repercussions: If HackerOne determines the Finder has violated the Code of Conduct and/or these RoEs, there will be disciplinary actions depending on the severity and HackerOne’s assessment of intent. Repercussions could include, depending on severity, temporary bans and permanent bans from the event, future live hacking events and/or the platform.

In general, HackerOne will seek to enforce these rules of engagement in accordance with the action guidelines below.

| Incident | First Offense | Escalated Offense | Further Escalated Offense |
|---|---|---|---|
| Not Adhering to Live Event's Communication Channels | Specific Event Program Ban (1 - all Events) | Live Events Temporary Ban (1 - 3 Events) | Live Events Permanent Ban |
| Unprofessional Behavior: Exploiting Live Events Special Rewards and Rules | Specific Event Program Ban | Live Events Temporary Ban (1 - 3 Events) | Live Events Permanent Ban |
| Inappropriate Interactions with Client's Security Team | Specific Event Program Ban | Live Events Temporary Ban (1 - 3 Events) | Live Events Permanent Ban |
| Abusive Language & Harassment | Live Events Temporary Ban (Time varies based on severity) | Live Events Temporary Ban (Time varies based on severity) | Live Events Permanent Ban |
| Breaking the Live Hacking Event's Confidentiality Guidelines | Live Events Temporary Ban (1 - 3 Events) | Live Events Permanent Ban | |
| Violating NDA | Live Events Permanent Ban | | |
| Not complying with region's local laws | Live Events Permanent Ban | | |
| Extortion and Blackmail | Live Events Permanent Ban | | |
| Unauthorized Impersonation / Social Engineering | Live Events Permanent Ban | | |

Please note, however, that HackerOne reserves the right to escalate the severity of enforcement and sanctions in accordance with the nature of the offense and irrespective of previous offenses. Depending upon the severity of the offense, sanctions may include, without limitation, longer temporary bans, immediate removal from HackerOne Clear and HackerOne Clear Programs and/or a permanent ban from the HackerOne Platform.