Code of Conduct

By participating in programs on HackerOne, all Community Members agree to help empower our community by following the HackerOne Code of Conduct (CoC). The CoC is in addition to the General Terms and Conditions and Community Member Terms and Conditions that all Community Members must agree to when creating an account.

This CoC sets out guidelines for engaging on the HackerOne platform and describes HackerOne’s potential actions if a violation occurs. A program may include additional rules of engagement or conduct in their program policy and may enforce those rules with program-level sanctions, so Community Members must always review the program policy before engaging on a particular program. By submitting a report to a customer’s program, you are agreeing to adhere to that program’s rules in connection with your submission. 

Platform interactions should at all times be respectful and communicated in a professional manner and tone with a view to being beneficial to the report validation process. Please do not:

  • Create unnecessary noise on reports by spamming report comments or circumventing the Mediation process by submitting multiple support tickets for updates
  • Make rude, offensive, or inappropriate comments in vulnerability reports, support tickets, or other communications with HackerOne, customers, or Community Members
  • Conduct yourself unprofessionally at Live Hacking Events or other in-person events where you are attending in your capacity as a Community Member
  • Threaten disclosure in violation of customer program policy and/or HackerOne terms and conditions

These actions decrease triage efficiency, are not beneficial to Community Members or customers, and are inconsistent with HackerOne’s platform standards and terms of use.

HackerOne does not tolerate any discrimination based on age, ethnicity, level of experience, nationality, personal appearance, race, religion, sexual or gender identity and orientation, physical appearance, political beliefs, or other protected classes. 

Hate speech, profanity, illegal or defamatory language, or any aggressive threats or abusive language in report comments, support tickets, or other communication methods (including related posts on social media and other platforms) will not be tolerated in any form. If it is confirmed that a Community Member account is tied to actions which amount to a breach of our CoC, enforcement action may be taken. 

Abusive behavior is not tolerated in any form on the platform or at in-person events. Please note that any abusive behavior at Live Hacking Events or other in-person events where you are attending in your capacity as a Community Member is a violation of our CoC and will lead to a ban from participation in future Live Hacking Events, in-person events, and other enforcement action on the HackerOne platform, up to and including permanent banning of your account.

Ethical Working Practices 

HackerOne is committed to ethical business partnerships and has a zero tolerance policy with respect to slavery, human trafficking, and forced or child labor. Community Members are strictly prohibited from using slavery, trafficked/forced labor, and/or child labor that violates applicable modern slavery or child labor protection laws in the provision of any security research, security testing, or any other work done in connection with the HackerOne platform. Where applicable, HackerOne reserves the right to inform relevant authorities as it deems necessary. 

Unlawful or obscene content 

Users are strictly prohibited from using the platform to post, create, share, upload, or make available any obscene, explicit, violent, or otherwise unlawful content (including images), including in any support tickets, in your submissions/vulnerability reports, or in any communications with HackerOne, customers, or Community Members. Any violation of this policy may result in the removal of the submitted content and suspension or termination of the associated account, at the sole discretion of HackerOne. Where applicable, HackerOne reserves the right to inform relevant authorities as it deems necessary.

Community Members must not perform testing which might be deemed "unsafe" without prior authorization from the Customer. If there is any uncertainty always ask for clarification from the Customer before engaging in the testing. This includes (but is not limited to): exploiting a vulnerability beyond what is necessary to show impact (i.e. accessing excessive amounts of customer internal information, dumping a database, etc.), gaining access to and using accounts or production credentials not approved per the program's policy, altering production or database information or causing a Denial of Service, impacting the stability of customer systems outside of posted testing policies, or otherwise conducting security research or submitting reports in violation of a program’s policies.

Hazardous testing, as outlined in HackerOne's Core Ineligible Findings, must never be attempted unless explicitly authorized by the program. This includes but is not limited to:

  • Excessive traffic or request generation (e.g., DoS, DDoS)
  • Testing that affects system availability
  • Social engineering (e.g., phishing, opening support tickets)
  • Noisy attacks that disrupt users or admins (e.g., notification or form spam)
  • Physical security testing

If using Hackbots, please ensure that use is in alignment with the principles detailed below.

  • By the Rules: Hackbots must operate within the published vulnerability disclosure policies of the program they're engaging with, along with HackerOne's Code of Conduct and Disclosure Guidelines.
  • Human-in-the-Loop: Hackbots must not operate in a fully autonomous manner. We employ a “hacker-in-the-loop” model, requiring human experts to investigate, validate, and confirm all potential vulnerabilities before submitting to a Vulnerability Disclosure (VDP) or Bug Bounty Program (BBP).
  • Bounty Eligible: Human operators of Hackbots qualify for any applicable bug bounty rewards, just as if the vulnerabilities were discovered through traditional means.
  • Accountable: Hackbot operators are responsible for their Hackbots and must exercise due diligence to ensure compliance with platform rules and program policies.

Misuse of Hackbots may result in sanctions against the Hackbot operator.

Do not disclose publicly the existence of any private program on the HackerOne platform. These programs are designated private by the customer for a reason and must be treated as confidential. This includes the program name, scope, vulnerability information, bounty structure, account information, or any other detail that could identify the program. Any disclosure, whether verbal or in writing, to anyone who is not a HackerOne employee or a member of that program may result in enforcement actions. Do not collaborate with other Community Members without the express permission of the private program.

Disclosing vulnerability information or report details without a clear, good faith effort to follow industry standard coordinated vulnerability disclosure practices is not acceptable and a violation of this CoC. Do not disclose vulnerability information without exhausting all good faith efforts to coordinate with the organization and/or program over a reasonable period of time. Confidential information or data belonging to HackerOne, the program, a program’s users or customers, or other Community Members must never be published without coordinating with the relevant customer, owner, and/or controller of the data. Improper disclosure includes social media, blog posts, verbally, press, forums, and other disclosure methods. When in doubt, communicate, communicate, communicate.

Third-Party Vulnerabilities 

Unless mentioned in the program policy, if you discover a vulnerability or widespread misconfiguration affecting a third-party component, we encourage you to notify the component owner before reporting elsewhere. Do not disclose unpatched details without coordination. If coordination stalls, Community Members should first contact HackerOne to collaborate or help coordinate, to the extent possible, on a responsible path forward. 

If you discover a vulnerability affecting a HackerOne customer, do not contact that customer’s customers, partners, or end users. All disclosure requests must go through the HackerOne platform to give affected parties time to triage and remediate responsibly.

Only use approved communication channels to discuss vulnerabilities submitted to HackerOne. Unless the program has explicitly provided an alternative contact method to you in their program policy, contacting security teams “out-of-band” about reports submitted on HackerOne is a violation of this CoC. The HackerOne platform is the only approved communication channel, except where approved alternative communication channels are outlined within the program policy page or otherwise notified in writing by the program. Unless otherwise specified in a program policy, communicate with the program on the report.

Duplicate account abuse: Any case where multiple HackerOne user accounts are used to circumvent a sanction against a user account, to mislead, to create an unfair advantage on the platform, or to otherwise engage in behavior that is inconsistent with this CoC or HackerOne’s terms and conditions. Community Members are permitted to have and use one sole account for the purpose of submitting vulnerability reports. This also encompasses cases where a Community Member uses multiple accounts to circumvent trial report restrictions. Community Members are prohibited from sharing, selling, trading, or giving away their account.

Reputation farming: Any activity that creates an unfair gain in reputation. This includes sharing account access and submitting the work of other Community Members, as well as inappropriate requests for closure status changes for the purpose of maintaining or improving reputation. This also encompasses cases where Community Members may attempt to social engineer HackerOne staff into assisting with the launch of an illegitimate program. Community Members are also prohibited from triaging and/or rating their own reports (to the extent a Community Member works on a HackerOne customer program).

What is Intellectual Property?

Intellectual property (IP) is a broad term that refers to the legal rights that protect original creations. There are many categories of intellectual property; familiar terms include copyright, trademarks, and patents. In the context of what Community Members do on the HackerOne Platform, this includes things like software, tools, documentation, exploit techniques, research reports, and branding. Importantly, this includes both your work and the work owned by others: HackerOne, Customers, and other Community Members. Examples include:

  • Code you write for a PoC or automation script
  • A tool you develop or customize for scanning or testing
  • Research papers, write-ups, or blog posts
  • Internal methods, systems, or source code of the Customer you're testing.

Who Owns What?

Our terms and conditions set out in some detail the use and licensing of intellectual property rights (IPR). In simpler terms, as a Community Member you own the tools, scripts, research, and original content you personally create, unless stated otherwise in a Program Policy or separate terms. HackerOne and/or our Customers own their respective intellectual property, such as the proprietary systems, source code, confidential information, and/or non-public data you interact with while participating in a Program. This means that all Community Members own their own original tools, writeups, or methods, even if shared publicly or used as part of a community project.

What does a breach of IPR mean?

A breach of intellectual property rights is an expression to describe when intellectual property is used without the permission or licence of the owner. Examples of breaches of IP:

  • Claiming credit for someone else’s vulnerability discovery or research
  • Copy-pasting PoC code, scripts, or report content from another researcher without permission or attribution
  • Using someone else’s tools or exploits in submissions without permission or acknowledgment, especially in BBPs or collaborative projects
  • Forking or modifying someone’s open-source project and removing licensing or author attribution in violation of terms

Even if a Community Member shares work publicly, that doesn’t mean it’s free to take or rebrand. Always check licenses, give credit, and when in doubt—ask.

Why Respecting IP Matters

Failure to use IP lawfully may result in legal disputes and causes damage to the Community. Respecting IP:

  • Protects your contributions, reputation, and future opportunities
  • Encourages ethical collaboration and knowledge sharing
  • Maintains fairness in Programs and the distribution of Rewards.

Do not attempt to, without written authorization, socially engineer another party through impersonation of a HackerOne employee, another Community Member, a program member, or a security team.

Community Members are solely responsible for the tools that they use, which must be lawful and legally acquired and permitted by the Program Policy. If it is brought to HackerOne’s attention that illegal or counterfeit software was used, HackerOne will be required to take appropriate action, including potential sanction under this Code of Conduct. Where applicable, HackerOne reserves the right to inform relevant authorities as is deemed necessary.

HackerOne has a zero tolerance for any behaviours that are related to or amount to extortion or blackmail. You must not attempt to obtain bounties, money or services by coercion. Any cases of extortion or blackmail may be escalated based on severity and may amount to a criminal offense. Where applicable, HackerOne reserves the right to inform relevant authorities as is deemed necessary.

Do not attempt to circumvent a program or platform ban by creating new accounts. Doing so will result in an immediate permanent platform ban of any newly created accounts.

Enforcement Actions 

Enforcement of the HackerOne Community Member Code of Conduct is informed by the action guidelines below. The below matrix is intended to provide a general floor – not a ceiling – of potential enforcement action to be taken in the event of a Code of Conduct violation. 

Please note that HackerOne reserves the right to escalate or de-escalate the severity of enforcement and sanctions in accordance with the nature of the offense and irrespective of previous offenses. Depending upon the severity, nature, and/or numerosity of the offense(s), sanctions may include, without limitation, longer temporary bans, immediate removal from HackerOne Clear and HackerOne Clear Programs, exclusion from in-person events, and/or a permanent ban from the HackerOne Platform.

| Incident | First Offense | Second Offense | Third Offense | Fourth Offense | Fifth Offense | Sixth Offense |
|---|---|---|---|---|---|---|
| Unprofessional Behavior | Educational | 1st Warning | 2nd Warning | Final Warning | Temporary Ban (12 months) | Permanent Platform Ban |
| Abusive Language/Harassment | Final Warning | Temporary Ban (12 months) | Permanent Platform Ban | | | |
| Service Degradation/Unsafe Testing | Educational | 1st Warning | 2nd Warning | Final Warning | Temporary Ban (12 months) | Permanent Platform Ban |
| Unauthorized Disclosure: Private Programs | Final Warning | Permanent Platform Ban | | | | |
| Uncoordinated Vulnerability Disclosure | Final Warning | Permanent Platform Ban | | | | |
| Contacting Program Teams Out-of-Band | 1st Warning | 2nd Warning | Final Warning | Temporary Ban (12 months) | Permanent Platform Ban | |
| Reputation Farming/Duplicate Account Abuse | 1st Warning | 2nd Warning | Final Warning | Temporary Ban (12 months) | Permanent Platform Ban | |
| Extortion/Blackmail | Permanent Platform Ban | | | | | |
| Misuse of Intellectual Property | Final Warning | Permanent Platform Ban | | | | |
| Social Engineering | Final Warning | Permanent Platform Ban | | | | |
| Circumventing a Ban | Permanent Platform Ban | | | | | |


See something, say something: If you see a Finder violating these rules, request Mediation Assistance via the HackerOne Support Portal. If you need help on a report of your own, you can request mediation directly from the report in question.

Note: HackerOne may update this Code of Conduct from time to time, based on industry standards and best practices. We will endeavor to provide notice of any such update. Enforcement actions are taken at HackerOne’s sole discretion. By participating on the HackerOne platform, you acknowledge and agree to this Code of Conduct in effect from time to time.