Join the world's largest hacking community
Get rewarded for hacking.
Companies and organizations on our platform want to hear from you about security vulnerabilities they might have overlooked across their websites, APIs, mobile apps, hardware devices, and an increasingly diverse and vast array of attack surfaces. HackerOne community members have the opportunity to hack on some of the most challenging and rewarding engagements. Hackers have earned more than $100 million in rewards for their efforts.
Learn how to hack on Hacker101.
Hacker101 is a free class on web security. Whether you're a programmer with an interest in bug bounties or a seasoned security professional, Hacker101 has something to teach you. Learn to hack with our free video lessons, guides, and resources and put your skills into practice with Capture the Flag (CTF) levels inspired by real-world vulnerabilities. Join the Discord community and chat with thousands of other learners.
Get your free Burp Suite Pro license.
We’ve teamed up with Burp Suite to offer promising ethical hackers the full capabilities that Burp Suite Pro offers. When you reach at least a 500 reputation and maintain a positive signal, you are eligible for 3 months free of Burp Suite Professional, the premier offensive hacking solution.
Collaborate with other hackers.
Why hack alone when you can work as a team and earn more cash? Easily collaborate on reports to share bounties while learning and earning together.
View real-time results and recent report submissions on Hacktivity.
Compete and collaborate with other hackers, gaining status and reputation points. Get rewarded for consistently submitting valid vulnerability reports, discovering impactful bugs, and professionally documenting your findings. Unlock private bug bounty program invitations, exclusive targets, and opportunities to learn and earn with other hackers.
Live hacking events
We host virtual and in-person live hacking events (LHEs) throughout the year. From destination hacking in cities around the world to unique online hacking experiences, LHEs are a must-experience perk for top hackers. Earn bonus rewards, new scopes, bounty multipliers, and custom swag, plus collaborate and network with other top hackers, security teams, and HackerOne staff.
Use your skills to help make a safer Internet.
Sign up for an account. You will need a name, username, and a valid email address. You can remain anonymous with a pseudonym, but if you are awarded a bounty you will need to provide your identity to HackerOne. Be sure to take a look at our Disclosure Guidelines which outline the basic expectations that both security teams and hackers agree to when joining HackerOne.
Find a participating program. Read the Security Page closely, which will give you the information you need to participate in the program, including the scope of the program and reward expectations. Programs can offer thanks, swag, and/or bounties for valid reports; every program is different and it’s at the discretion of the program what sort of reward they offer, so be sure to check that out before you submit a report.
Start hacking and submitting reports. Your reports should include a detailed description of your discovery with clear, concise reproducible steps or a working proof-of-concept (POC). If you don't explain the vulnerability in detail, there may be significant delays in the disclosure process, which is undesirable for everyone. If you’re not sure what a good report looks like, here are some tips.
Congrats on finding a security vulnerability, that’s exciting! You can use the HackerOne Directory to find the appropriate method to contact the organization. Some companies prefer you reach out to them through HackerOne, some through email. All the information is on their profile. Just search for their company name and their preferred method will come up.
Here’s an example of a company that handles reports on HackerOne: https://hackerone.com/twitter
Here’s an example of an organization that prefers email: https://hackerone.com/ncsc
Before you submit a security vulnerability, make sure to read through the program’s scope. The scope determines whether or not a company is interested in a particular vulnerability. Once you have confirmed the program will accept the vulnerability, be sure to submit the issue to the program.
A good report is made up of a few things — a descriptive title, a thorough explanation and proof of concept, and metadata. @nahamsec wrote a great guide on how to write a good report. You can read it here: https://docs.hackerone.com/programs/quality-reports.html.
As we recently surpassed $100 million in bounties, we want to continue the celebration with this list of 100 tools and resources for hackers! These range from beginner to expert. Most are free but some cost money. Read all about them here.
A company will review the contents and triage the vulnerability. You can review the Response Efficiency metrics on a company’s policy page. This will help you determine how quickly a company responds, awards bounties, and resolves the bug.
The hacker community is a group of tens of thousands of people that make the internet safer for everyone. A lot of us are learning new things every day. In order for us to excel and discover new techniques and entire vulnerability classes, we try to share as much information as possible. This is often done through blog posts, how-tos, CTF challenges, public disclosure, or a simple tweet. This is one of the things that makes this such an amazing community!
Hacktivity is the front page of our community showcasing select activity regarding vulnerabilities (once disclosed), hackers, programs, and bounty awards. In this article, we'll answer the most frequently asked questions regarding Hacktivity.