Code of Conduct
Platform interactions should be at all times respectful and communicated in a professional manner and tone with a view to being beneficial to the report validation process. Creating unnecessary noise, leaving rude comments, or spamming report comments for an update are some examples which can be considered unprofessional behavior. These actions decrease triage efficiency and are not beneficial to you as the Finder or the program.
Disclosure of any private program details including: program name, scope, vulnerability details, bounty structure, account information, or any other detail that could identify the details to anyone who is not a HackerOne employee or a member of that program may result in enforcement actions. When collaborating with other Finders on the same program, be sure to do so in a secure manner, in accordance with disclosure requirements listed in this CoC.
Only use approved communication channels. Unless the program has intentionally provided a contact method to the Finder, contacting security teams “out-of-band” is a violation of this CoC. Approved communication channels will be outlined within the program policy page or otherwise notified by the customer, should nothing be specifically mentioned, all Finders must assume that the HackerOne platform is the only approved channel.
Finders must not perform unsafe testing without prior authorization. This includes (but is not limited to): out-of-scoping testing, exploiting a vulnerability beyond what is necessary to show impact (i.e. accessing customer internal information, dumping a database, etc.), gaining access to and using accounts or production credentials not approved per the program's policy, altering production or database information or causing a Denial of Service, or otherwise impacting the stability of customer systems outside of posted testing policies.
HackerOne does not tolerate any discrimination based on age, ethnicity, level of experience, nationality, personal appearance, race, religion, sexual or gender identity and orientation, physical appearance, political beliefs, or other protected classes.
Hate speech, profanity, or any aggressive threats in report comments, support tickets, or other communication methods will not be tolerated in any form. Violating this guideline includes posts on social media and other platforms. If it is confirmed that a Finder account is tied to actions which amount to a breach(es) of our CoC, enforcement action may be taken.
Duplicate account abuse: Any case where multiple HackerOne user accounts are used to circumvent a sanction against a user account, or to create an unfair advantage on the platform.
Reputation farming: Any activity that creates an unfair gain in reputation. This includes sharing account access and submitting the work of other Hackers, and also encompasses cases where Finders may attempt to social engineer HackerOne staff into assisting with the launch of an illegitimate program.
Any unauthorized use of intellectual property (including but not limited to) the unauthorized use of other Finders work, will not be tolerated.
Disclosing report information without previous authorization is not permitted. This encompasses social media, blog posts and any other disclosure methods. This category also includes threats of disclosure. Enforcement actions will be escalated based on severity, means, and sensitivity of the disclosure.
Any attempt to obtain bounties, money or services by coercion is not permitted and may amount to a criminal offense.
Any unauthorized attempts to socially engineer another party through impersonation of a HackerOne employee, another Finder, a program member or a security team will not be tolerated.
Finders are solely responsible for the tools that they use. These tools must be lawful and legally acquired. H1 will not tolerate the use of illegal software, if such use is discovered, enforcement action may be taken.
“Confidential Information”: means any information made available through the HackerOne platform or programs, including but not limited to vulnerability information, confidential information and know-how (including but not limited to ideas, formulae, compositions, processes, procedures and techniques, research and development information, computer program code, performance specifications, support documentation, drawings, specifications, designs, business and marketing plans, and customer and supplier lists and related information.
“Finder” means an individual or entity using the HackerOne Platform to provide Finder Submissions.
“Finder Submission” means documents and related materials evidencing a Finder’s activities related to a program, including,but not limited to, vulnerability reports.
“The Mediation Team”: is a cross-functional group of stakeholders led by senior HackerOne Support staff.
“Personal Data”: is information that relates to an identified or identifiable individual. If it is possible to identify an individual directly from the information you are processing, then that information may be Personal Data.
Examples of Personal Data (not exhaustive)
- A person’s name;
- IP address;
- Cookie Identifier;
- Email addresses;
- Telephone numbers;
- Physical addresses;
- Date of birth;
- Health history;
- Sexual Orientation; and/or
- Financial information: e.g. Banking information – credit card numbers, account numbers, sort codes
The HackerOne Finder Code of Conduct is enforced in accordance with the action guidelines below.
Please note that HackerOne reserves the right to escalate the severity of enforcement and sanctions in accordance with the nature of the offense and irrespective of previous offenses. Depending upon the severity of the offense, sanctions may include, without limitation, longer temporary bans, immediate removal from HackerOne Clear and HackerOne Clear Programs and/or a permanent ban from the HackerOne Platform.
|Incident||First Offense||Second Offense||Third Offense||Fourth Offense||Fifth Offense|
|Unprofessional Behavior||Warning||Second Warning||Final Warning||Temporary Ban (2-4 weeks)||Permanent Ban|
|Discussing Private Program Details||Warning||Second Warning||Final Warning||Temporary Ban (2-4 weeks)||Permanent Ban|
|Discussing report Info or PII Without Approval||Final Warning / Program Ban||Temporary Ban (2-4 Weeks)||Temporary Ban (3 months)||Permanent Ban|
|Contacting the Security team out-of-band||Final Warning / Program Ban||Temporary Ban (2-4 Weeks)||Temporary Ban (3 months)||Permanent Ban|
|Service Degradation / Unsafe Testing||Final Warning / Program Ban||Temporary Ban (2-4 Weeks)||Temporary Ban (3 months)||Permanent Ban|
|Abusive language or harassment||Final Warning / Program Ban||Temporary Ban (2-4 Weeks)||Temporary Ban (3 months)||Permanent Ban|
|Reputation Farming||Final Warning / Program Ban*||Temporary Ban (2-4 Weeks)||Permanent Ban|
|Extortion and Blackmail||Permanent Ban|
|Unauthorized impersonation / Social Engineering||Permanent Ban|
Statutory timeline of warnings: When a warning is issued in accordance with this Code of Conduct, HackerOne considers that warning to be applicable for 12 months. Warnings which are over 12 months old expire and are not typically assessed when reviewing the severity of new warnings.
See something, say something: If you see another Finder violating these rules, please reach out to our team at “email@example.com” or if you are needing help on a report of your own, you can request mediation directly in the platform on the report in question.