HackerOne Policies Update
During November of this year, you may have noticed a new page on HackerOne: hackerone.com/policies. This page contains the Code of Conduct and other behavioral guidelines for using the HackerOne platform, and even includes a Frequently Asked Questions section. Please review these pages and ensure that you understand them fully.
The goal of the Code of Conduct is to help protect our hackers, our customers, and HackerOne employees.
While HackerOne has maintained and enforced a previous version of the Code of Conduct for many years, we noticed that there were some misconceptions about which actions would violate it. We believe that everyone should have a reasonable chance to learn from their mistakes and grow as individuals, so we’ve updated the policies to provide better guidance to our community, and to establish fair enforcement steps that HackerOne can be expected to take when the Code of Conduct is broken.
How does this benefit hackers?
Adopting and enforcing a Code of Conduct can help to promote a positive atmosphere for everyone in our community and their interactions on the platform. It helps to set the expectation that this is a place of learning, professionalism, and mutual respect.
People from every background make use of HackerOne, and we recognize that not everyone has the same experience working together in professional settings. When dealing with security and risk, sometimes even a simple choice of the wrong word can lead to a big misunderstanding between parties that are simply trying to work toward the same goal: to empower the world to build a safer digital civilization. The Code of Conduct is intended to help our community understand where the line is and how to avoid crossing it. Establishing concrete enforcement guidelines helps to ensure that any violation of the Code of Conduct is treated fairly and consistently across all members of our community, and allows for educational opportunities.
Building a strong relationship with programs can help hackers move forward in their careers, whether they are full-time bug bounty hunters, getting more out of bug bounty as a side hustle, or working in a full-time security role. The Code of Conduct gives hackers a chance to learn from certain mistakes and to improve their ability to work professionally in the future, and it reinforces valuable soft skills that improve communication and interactions with security teams.
We are proud to say that hackers have been employed by companies that run programs on HackerOne, because those hackers were able to use their reports to showcase their talent, great communication skills, and professional approach. These hackers are great examples of what we want to achieve with our hacker community.
Additionally, we wanted to remove any negative connotation associated with the word “Hacker”. By maintaining a Code of Conduct, we provide examples of the behavior we expect our hackers to avoid. This helps all hackers better understand the ramifications of actions that break the Code, and helps the community hold their peers accountable.
How does this benefit customers?
Customers expect professional and respectful interactions while working with hackers. The Code of Conduct provides specific guidelines to know what is acceptable in terms of communication and engagement with hackers.
If an individual seems hostile or unwelcoming, even if it’s just one person whose behavior is being tolerated, it can impact a program’s perception of the larger hacker community. An expected standard of behavior helps ensure that HackerOne can continue to connect world-class hackers with world-class programs.
It’s not always easy to adopt or enforce a Code of Conduct, but fostering a welcoming environment will help our community grow. Because of this, we have published an enforcement matrix that outlines the actions we’ll take in response to any violation of our Code of Conduct.
Take a Look!
We encourage you to read the full Code of Conduct here and if you have more questions, please don’t hesitate to read the Frequently Asked Questions. We also recommend reading all rules of engagement published in the policies page.
Why is it important to be in good standing with the Code of Conduct?
Adhering to the Code of Conduct has a direct impact on several different aspects of the HackerOne platform, including but not limited to program or challenge invitations, live hacking event participation, HackerOne Clear, and consideration for other engagements such as HackerOne Pentest or Ambassador opportunities. Any violation of the Code of Conduct will have direct consequences for the above items.
When considering hackers for the many initiatives that HackerOne runs or supports, we review each candidate’s past behavior and any prior Code of Conduct violations before inviting participants.
The Code of Conduct was created to protect you! The more professional you are in your interactions and reports, the more likely you will be to build a positive relationship with program teams. Becoming a valuable partner in the bug remediation process can have incredibly positive effects on your success in the community as well as your professional career.
What happens if a hacker breaks a part of the CoC?
If a complaint is received from a program, team member, or another hacker, or if HackerOne observes something that appears to violate the Code of Conduct and/or existing rules of engagement, HackerOne will in all cases:
- Assume Good Intent: HackerOne trusts that Hackers want to do the right thing. HackerOne investigates fully so that it understands what did (and did not) happen. HackerOne will speak to all parties involved, where appropriate, and attempt to provide a neutral viewpoint.
- Repercussions: If HackerOne determines that the Hacker has violated the Code of Conduct and/or any Rules of Engagement, disciplinary action will follow, depending on the severity of the violation and HackerOne’s assessment of intent. Repercussions can include temporary or permanent bans from HackerOne programs, HackerOne Clear and Clear programs, HackerOne Pentest, and/or the platform.
- Statutory Timeline of Warnings: When a warning is issued in accordance with this Code of Conduct, HackerOne considers that warning to be applicable for 12 months. Warnings that are more than 12 months old expire and are not typically considered when assessing the severity of new enforcement actions.
The Code of Conduct was created to protect you, no matter which side of the HackerOne process you take part in. We want bug bounty to be a fun and rewarding experience for all involved, and we believe these policies can reinforce the positive and educational aspects of the platform. Let’s all support each other in doing the good work that can help to build a safer internet. Together we hit harder!
If you have any questions or feedback about these policies, please send us an email at email@example.com!