HackerOne Community Edition
Security testing that matches your priorities and needs.
Hacker-Powered Security for the Open Source Community
Open source software powers HackerOne. It powers our software, our infrastructure, and our model for engaging with our community. As part of our mission to make the internet safer, we want to make it easier for your open source project to remain secure.
As such, we offer a version of our popular HackerOne Bounty program for free to eligible open source projects. Use HackerOne to coordinate vulnerability reports, pay out bug bounties, and more.
Security by the Community, for the Community
HackerOne Community Edition gives you access to the most trusted hacker-powered security platform. With HackerOne, your contributors, users, and hackers will have a safe place to submit vulnerability reports, making it easier for you to keep your project secure.
Features
* Free HackerOne Enterprise subscription. If you pay out cash bounties, HackerOne will charge a 5% payment processing fee.
Requirements
- Open Source Projects: Projects in scope must be Open Source projects covered by an OSI-approved license.
- Be Ready: Projects must be active and at least 3 months old (age is defined by shipped releases/code contributions).
- Create a Policy: You add a SECURITY.md in your project root that provides details for how to submit vulnerabilities (example).
- Advertise Your Program: Display a link to your HackerOne profile from either the primary or secondary navigation on your project’s website.
- Be Active: You maintain an initial response time to new reports of less than a week.
Community Edition Application
To apply, submit the form below and include the name of your project, your project website, and some details about why you would like to receive HackerOne Community Edition. Please note: all approvals are at the discretion of HackerOne, and decisions are final.
FAQ
We will provide the platform for free as long as your project is actively using it and maintaining the 1-week response time requirement. If you stop using the platform or stop being responsive, we may revoke this offer.
No. HackerOne’s Community Edition is entirely free for your project to use.
The primary difference is that with HackerOne’s paid product offerings, we provide dedicated customer support and program assistance. While we provide basic support (primarily around setup/configuration), paid support is not included with HackerOne’s Community Edition.
No.
If your project’s SSO provider supports SAML 2.0, it can be easily used for authentication.
HackerOne allows you to export your data anytime you want. Your data belongs to you, and you can take it with you.
Most reviews are completed within 1 business week.
Our primary goal is to ensure that we are providing HackerOne's Community Edition to projects that (a) are genuinely Open Source, (b) are non-commercial, (c) will be able to run an effective security program, and (d) will use it as intended.
It depends. If the application is for the betterment of the Open Source project and will be operated and run to serve that project, the application will likely be accepted. If a company is applying to save on the costs of buying HackerOne's paid product offerings, we probably won't accept it.
All applications will receive a response from us, and you are welcome to respond to that email — there will be a human behind it who can respond to your specific queries. Please note though, all decisions are final and are at the discretion of HackerOne. If, however, you feel you were rejected in error, please drop us a line.
We have a library of useful support resources at https://docs.hackerone.com.
We support a number of different integrations, and we regularly add new ones.
No, you can simply use HackerOne's Community Edition for vulnerability submission and coordination. Paying hackers for bounties is an option.
You can either attach a credit card to your account or send HackerOne money as a prepayment for any bounties, and we will 'credit' the program for that amount. This provides a great way to reward hackers financially for approved and validated reports.
The 5% payment processing fee (greatly reduced for Community Edition programs) goes towards compliance checks, payment fulfillment, and year-end 1099 forms. This fee is charged on top of the bounty you award to hackers. For example, if you decide to award a $1,000 bounty, the total cost to you will be $1,050, with $1,000 going to the hacker and $50 to HackerOne.