Where's that Security@?

  • June 4th, 2015

All technology contains bugs. These bugs frequently have security implications that may be exploited by criminals, but are more often discovered by friendly parties — security researchers, academics, hackers, vendors, professionals, even law enforcement — who want nothing more than to see the flaw resolved safely. Due to this inescapable reality, it is critical that all organizations who build technology also have a safe process for vulnerability disclosure.

Unfortunately, many disclosure attempts from researchers continue to fall on deaf ears, and all Internet users are at increased risk as a result. This issue was recently highlighted in a letter to the Internet Policy Task Force:

Researchers who discover a serious security flaw in a piece of software or website should not have to spend hours or days searching for the contact information for the information security team at the company or organization responsible for the vulnerable code.


Providing security researchers with an easy way to report vulnerabilities is not just an industry best practice (ISO 29147), it is now a key component of what the Federal Trade Commission considers "reasonable and appropriate security."

We agree.

That's why we're launching the HackerOne Directory: a community-curated resource for identifying the best way to contact an organization's security team. Increasingly important, the Directory will also document the existence of the organization's responsible disclosure policy and any associated bug bounty programs.

Image: The HackerOne Directory


  • Share your disclosure experiences and add security team contact information to the Directory so others can benefit from your work.
  • When you need to contact a security team, search the Directory for their contact information.
  • If an organization hasn't published security contact information anywhere, we recommend considering assistance from your local CERT.


  • Publish contact information for receiving information about potential vulnerabilities in your products or online services, such as a security@ email address or a HackerOne program. See ISO 29147 for additional guidance or contact us.
  • Search the Directory for your organization to ensure that your security team's contact information and disclosure policy are accurate.

Empowering security researchers to perform their important work more efficiently is central to our mission, and we hope this Directory will prove to be a useful resource. Questions, complaints, or suggestions? All feedback is important to us and we'd welcome hearing from you.
