
Vulnerability Disclosure Guidelines
All technology contains bugs. If you've found a security vulnerability, we'd like to help out. By submitting a vulnerability to a program on HackerOne, or signing up as a Security Team, you acknowledge that you have read and agreed to these guidelines.
Vulnerability Disclosure Philosophy
Finders should...
- Respect the rules. Operate within the rules set forth by the Security Team, or speak up if in strong disagreement with the rules.
- Respect privacy. Make a good faith effort not to access or destroy another user's data.
- Be patient. Make a good faith effort to clarify and support their reports upon request.
- Do no harm. Act for the common good through the prompt reporting of all found vulnerabilities. Never willfully exploit others without their permission.
Security Teams should...
- Prioritize security. Make a good faith effort to resolve reported security issues in a prompt and transparent manner.
- Respect Finders. Give finders public recognition for their contributions.
- Reward research. Financially incentivize security research when appropriate.
- Do no harm. Not take unreasonable punitive actions against finders, like making legal threats or referring matters to law enforcement.
Contact
HackerOne is always open to feedback, questions, and suggestions. If you would like to talk to us, please feel free to email us at support@hackerone.com or follow us on Twitter @hacker0x01.
Changes to These Guidelines
We may revise these guidelines from time to time. The current version is 1.2, updated on July 29, 2019, and will always be at https://www.hackerone.com/disclosure-guidelines. If we make changes that we believe will substantially alter your rights, we will email you and prominently display a notice on our site 7 days before we make those changes.