We believe effective disclosure requires mutual respect and transparency between finders and security teams.
We are committed to protecting the interests of Finders. However, vulnerability disclosure is an inherently murky process. The more closely a Finder's behavior matches these guidelines, the more we'll be able to protect you if a difficult disclosure situation escalates.
Security Teams will publish a program policy designed to guide security research into a particular service or product. You should always carefully review this policy prior to submission as they will supercede these guidelines in the event of a conflict.
If you believe you have found a vulnerability, please submit a Report to the appropriate program on the HackerOne platform. The Report should include a detailed description of your discovery with clear, concise reproducible steps or a working proof-of-concept. If you don't explain the vulnerability in detail, there may be significant delays in the disclosure process, which is undesirable for everyone.
The Report will be updated with significant events, including when the vulnerability has been validated, when more information is needed from you, or when you have qualified for a bounty.
The contents of the Report will be made available to the Security Team immediately, and will initially remain non-public to allow the Security Team sufficient time to publish a remediation. After the Report has been closed, Public disclosure may be requested by either the Finder or the Security Team.
You'll receive public recognition for your find if 1) you are the first person to file a Report for a particular vulnerability, 2) the vulnerability is confirmed to be a valid security issue, and 3) you have complied with these guidelines. If a Finder prefers to remain anonymous, we encourage them to submit under a pseudonym.
Some Security Teams may offer monetary rewards for vulnerability disclosure. Not all Security Teams offer monetary rewards, and the decision to grant a reward is entirely at their discretion. The amount of each bounty payment will be determined by the Security Team. Bounty payments are subject to the following eligibility requirements:
Security Team: A team of individuals who are responsible for addressing security issues found in a product or service. Depending on the circumstances, this might be a formal security team from an organization, a group of volunteers on an open source project, or an independent panel of volunteers (such as the Internet Bug Bounty).
Finder: Also known as hackers. Anyone who has investigated a potential security issue in some form of technology, including academic security researchers, software engineers, system administrators, and even casual technologists.
Report: A Finder's description of a potential security vulnerability in a particular product or service. On HackerOne, Reports always start out as non-public submissions to the appropriate Security Team.
Vulnerability: A software bug that would allow an attacker to perform an action in violation of an expressed security policy. A bug that enables escalated access or privilege is a vulnerability. Design flaws and failures to adhere to security best practices may qualify as vulnerabilities. Weaknesses exploited by viruses, malicious code, and social engineering are not considered vulnerabilities unless the Security Team says otherwise in the program's policy.
We may revise these guidelines from time to time. The most current version of the guidelines will always be at https://hackerone.com/disclosure-guidelines. If we make changes that we believe will substantially alter your rights, we will email you and prominently display a notice on our site 7 days before we make those changes.