Code of Conduct

By participating in programs on HackerOne, all Finders agree to help empower our community by following the HackerOne Code of Conduct (CoC). The CoC is in addition to the General Terms and Conditions and Finder Terms and Conditions that all Finders must agree to when creating an account.

This CoC sets out guidelines for engaging on the HackerOne platform and describes HackerOne’s potential actions if a violation occurs. A program may include additional rules of engagement or conduct in their program policy and may enforce those rules with program-level sanctions, so Finders should always review the program policy before engaging on a particular program.

Unprofessional Behavior

Platform interactions should at all times be respectful and communicated in a professional manner and tone with a view to being beneficial to the report validation process. Please do not 

Create unnecessary noise on reports by spamming report comments or submitting support tickets for updates 

Leave rude comments

Conduct yourself unprofessionally at Live Hacking Events or other in-person events where you are a representative of HackerOne

Threaten disclosure, in particular related to private programs

These actions decrease triage efficiency and are not beneficial to you as the Finder or the program

Abusive Conduct/Harassment

HackerOne does not tolerate any discrimination based on age, ethnicity, level of experience, nationality, personal appearance, race, religion, sexual or gender identity and orientation, physical appearance, political beliefs, or other protected classes.

Hate speech, profanity, or any aggressive threats or abusive language in report comments, support tickets, or other communication methods (including related posts on social media and other platforms) will not be tolerated in any form. If it is confirmed that a Community Member account is tied to actions which amount to a breach of our CoC, enforcement action may be taken.

HackerOne is committed to developing ethical business partnerships and has a zero tolerance policy with respect to slavery, human trafficking, and forced or child labor.  Community Members are prohibited from using slavery, trafficked/forced labor, or child labor that violates applicable child labor protection laws in the provision of any security research, security testing, or any other work done in connection with the HackerOne platform.

Abusive behavior at Live Hacking Events or other in-person events where you are a representative of HackerOne is a violation of our CoC and will lead to a ban from participation in future Live Hacking Events, and we may take additional enforcement action on the HackerOne platform.

Service Degradation/Unsafe Testing

Finders must not perform unsafe testing without prior authorization. This includes (but is not limited to): exploiting a vulnerability beyond what is necessary to show impact (i.e. accessing excessive amounts of customer internal information, dumping a database, etc.), gaining access to and using accounts or production credentials not approved per the program's policy, altering production or database information or causing a Denial of Service, or otherwise impacting the stability of customer systems outside of posted testing policies.

Unauthorized Disclosure - Private Programs

Do not expose the existence of a private program on the HackerOne platform. This includes program name, scope, vulnerability information, bounty structure, account information, or any other detail that could identify the program. Such exposure to anyone who is not a HackerOne employee or a member of that program may result in enforcement actions. This includes word of mouth. Do not collaborate with other Finders without the express permission of the private program.

Uncoordinated Vulnerability Disclosure - Public Programs

Disclosing vulnerability information without a clear, good faith effort to follow industry standard coordinated vulnerability disclosure practices is not acceptable. Do not disclose vulnerability information without exhausting all good faith efforts to coordinate with the organization and/or program over a reasonable period of time. Confidential information or data belonging to the program or their users should never be published without coordinating with the organization or program. This encompasses social media, blog posts, word of mouth, press, and other disclosure methods. When in doubt, communicate, communicate, communicate.

Contacting Program Team Out-of-Band

Only use approved communication channels to discuss vulnerabilities submitted to HackerOne. Unless the program has intentionally provided an alternative contact method to you in their program policy, contacting security teams “out-of-band” about reports submitted on HackerOne is a violation of this CoC. The HackerOne platform is the only approved communication channel, except where approved alternative communication channels are outlined within the program policy page or otherwise notified by the program.

Reputation Farming/Duplicate Account Abuse

Duplicate account abuse: Any case where multiple HackerOne user accounts are used to circumvent a sanction against a user account, or to create an unfair advantage on the platform.

Reputation farming: Any activity that creates an unfair gain in reputation. This includes sharing account access and submitting the work of other Hackers, as well as inappropriate requests for closure status changes for the purpose of maintaining reputation. This also encompasses cases where Finders may attempt to social engineer HackerOne staff into assisting with the launch of an illegitimate program.

Theft of Intellectual Property

Do not use intellectual property without prior authorization. This includes, but is not limited to the unauthorized use of other Finders work.

Social Engineering

Do not attempt to, without authorization, socially engineer another party through impersonation of a HackerOne employee, another Finder, a program member, or a security team.

Using illegal or counterfeit software

Finders are solely responsible for the tools that they use, which must be lawful and legally acquired. If it is brought to HackerOne’s attention that illegal or counterfeit software was used, HackerOne will be required to take appropriate action, including potential sanction under this Code of Conduct.

Extortion/Blackmail

Do not attempt to obtain bounties, money or services by coercion. Individual cases of extortion or blackmail may be escalated based on severity and may amount to a criminal offense.

Circumventing a Ban

Do not attempt to circumvent a program or platform ban by creating new accounts. Doing so will result in an immediate permanent platform ban.

Enforcement Actions

The HackerOne Finder Code of Conduct is enforced in accordance with the action guidelines below.

Please note that HackerOne reserves the right to escalate or de-escalate the severity of enforcement and sanctions in accordance with the nature of the offense and irrespective of previous offenses. Depending upon the severity of the offense, sanctions may include, without limitation, longer temporary bans, immediate removal from HackerOne Clear and HackerOne Clear Programs, exclusion from Live Hacking Events, and/or a permanent ban from the HackerOne Platform.

IncidentFirst OffenseSecond OffenseThird OffenseFourth OffenseFifth OffenseSixth Offense
Unprofessional BehaviorEducational1st Warning2nd WarningFinal WarningTemporary Ban (12 months)Permanent Platform Ban
Abusive Language/HarassmentFinal WarningTemporary Ban (12 months)Permanent Platform Ban
Service Degradation/Unsafe TestingEducational1st Warning2nd WarningFinal WarningTemporary Ban (12 months)Permanent Platform Ban
Unauthorized Disclosure: Private ProgramsFinal WarningPermanent Platform Ban
Uncoordinated Vulnerability DisclosureFinal WarningPermanent Platform Ban
Contacting Program Teams Out-of-Band1st Warning2nd WarningFinal WarningTemporary Ban (12 months)Permanent Platform Ban
Reputation Farming/Duplicate Account Abuse1st Warning2nd WarningFinal WarningTemporary Ban (12 months)Permanent Platform Ban
Extortion/BlackmailPermanent Platform Ban
Theft of Intellectual PropertyFinal WarningPermanent Platform Ban
Social EngineeringFinal WarningPermanent Platform Ban
Circumventing a BanPermanent Platform Ban

Timeline of warnings: When a warning is issued in accordance with this Code of Conduct, HackerOne considers that warning to be applicable for 12 months. Warnings which are over 12 months old expire and are not typically assessed when reviewing the severity of new warnings. Depending upon the severity of the offense, previous warnings may still be taken into consideration.

See something, say something: If you see a Finder violating these rules, request Mediation Assistance via the HackerOne Support Portal here. If you need help on a report of your own, you can request mediation directly from the report in question.

Note: HackerOne may update this Code of Conduct from time to time, based on industry standards and best practices. We will endeavor to provide notice of any such update. Enforcement actions are taken at HackerOne’s sole discretion. By participating on the HackerOne platform, you acknowledge and agree to this Code of Conduct in effect from time to time