Employee Participation Policy
1. Overview
A limited cohort of HackerOne team members are given access to sensitive confidential customer information in order to perform the necessary functions of their role. This customer data includes customer vulnerability information, program operations, scope, and other sensitive communications. HackerOne team members with access to vulnerability data may independently engage in ethical security research on their own personal time, but must strictly follow this policy to prevent any conflict of interest or misuse of confidential information. This Team Member Security Research and Pentest Policy outlines HackerOne’s expectations regarding outside security research or penetration testing by team members.
2. Purpose
The Team Member Security Research and Pentest Policy is intended to demonstrate HackerOne’s commitment to (1) protecting customer and company data, (2) maintaining transparency and integrity at all levels of the company’s operations, and (3) ensuring fairness and ethical behavior in the security research and pentesting community. HackerOne understands the value independent security research brings to the public and how it contributes to our mission to make the Internet a safer place. HackerOne supports team members in developing their security research skills and encourages team members to participate in independent security research responsibly. However, independent security research and pentesting are considered outside work, and HackerOne’s Business & Ethics Code of Conduct and Team Member Handbook require all outside work by team members to be reviewed for potential conflicts of interest.
3. Scope
The scope of this policy is all employees, contingent workers, vendors, and contractors of HackerOne who have access to confidential information and engage in independent security research, pentesting, or ethical hacking in their personal time (i.e., outside their capacity as a HackerOne team member). This policy also sets forth expectations for team members that have family members or household members that engage in independent security research or pentesting.
4. Policy
Default to Disclosure
HackerOne takes pride in our team members’ expertise and commitment to ethical security research, and this policy is not intended to prohibit or deter individuals from engaging in independent security research or pentesting either on HackerOne or on other platforms. However, HackerOne’s commitment to upholding the highest levels of integrity and ethical standards requires participation in such activities to align with existing policies around conflicts of interest and appropriate handling of confidential information.
To ensure HackerOne can appropriately evaluate and remediate any potential conflict of interest, all team members that engage in independent security research or penetration testing, whether on HackerOne or on other programs or platforms, must disclose their hacker handles and all HackerOne programs on which they are actively engaging or anticipate engaging, by completing the disclosure form here. Team members may not continue to perform security research or pentesting on HackerOne programs that have not been appropriately disclosed. While working at HackerOne, team members are responsible for updating their disclosure form response and obtaining written approval if the scope, number, or nature of the outside security research/pentesting changes. Prior to participating in a new HackerOne program or pentest engagement, the team member must consult with and obtain approval from their manager before submitting the disclosure form.
Team members must also disclose in the form, to the extent they know, whether a family member or household member is engaged in security research/pentesting on the HackerOne platform so that HackerOne can appropriately assess any actual or potential conflicts of interest. A “family member” includes relatives by blood, marriage/civil partnership, or other legally recognized relationship. A “household member” is any individual that lives in the same residence as the team member.
Again, this policy is not intended to deter or discourage team members from contributing to HackerOne’s mission to make the Internet a safe place by engaging in independent security research or penetration testing. HackerOne will not unreasonably withhold approval of a team member’s request to participate in security research and pentesting programs, provided the team member fully and accurately discloses the scope of their outside work so HackerOne can assess and remediate any potential conflicts. Failure to disclose, or disclosing in a manner that is incomplete or inaccurate, will be considered a violation of this policy and of HackerOne’s Code of Conduct and Team Member Handbook policies relating to conflicts of interest.
Participation Terms
In evaluating a team member’s request to engage in outside security research/pentesting, the following will be considered (although this is not an exhaustive list):
- Team members cannot engage in security research/pentesting on any program that they currently have access to or have had access to in the past 6 months (including participation at live-hacking events). If, in your role as a HackerOne team member, you are required to interact with a report that you have submitted, you must inform your manager and refrain from accessing or taking any action on the report.
- Team members cannot participate in programs in which they are a customer-facing point of contact, even if they do not have access to vulnerability reports submitted to that customer’s program(s), unless HackerOne and the customer have approved in writing.
- Team members cannot have been a past or present employee or consultant of the customer in whose program they wish to participate, unless the customer has approved in writing.
- Team members engaging in security research on the HackerOne platform must inform their manager and disclose that they are a HackerOne team member if they escalate a submitted report to mediation. Any mediation of the HackerOne team member’s report will involve an additional level of review to ensure impartiality.
- All communication regarding vulnerability submissions, mediation, or any activity done in your capacity as an independent security researcher or pentester must be done through the platform and in a manner consistent with and expected of all other HackerOne Community Members.
- Team members may not use HackerOne-provided handles or email addresses associated with company-provided handles in personal security research testing, research submissions, or penetration testing.
- Team members are not eligible to receive bounties for reports submitted to HackerOne’s own program. Team members wishing to submit a vulnerability report to HackerOne’s own program must do so through their company-provided account associated with their HackerOne email address.
- Team members that hack on the HackerOne platform must also comply with HackerOne’s Terms of Service and the Hacker Code of Conduct. Team members that participate in security research or pentesting on other platforms are expected to adhere to those platforms’ legal terms of service.
In addition to the above conditions, team members are subject to other requirements in their role, discussed below, to ensure no conflicts of interest or misuse of confidential information. Deviation from the above framework requires written approval from HackerOne’s legal team, and, as appropriate, the customer.
Conflicts of Interest
Any team member with access to customer program information, including vulnerability information, as part of their role must adhere to the following rules:
- Team members that review and interact with vulnerability reports, tickets, etc. in their role (e.g., Triage, Mediation, Community, Customer Success, Engineering, Support, and any team with program access or vulnerability report, ticket, etc. access) are not permitted to use HackerOne internal systems and accesses to review or interact with reports, tickets, etc. they have submitted on the HackerOne platform.
- Team members that review and interact with vulnerability reports, tickets, etc. in their role are not permitted to use HackerOne internal systems and accesses to review or interact with reports, tickets, etc. submitted by a family member, household member, or any individual with whom they have a personal relationship. If the team member’s role would require review or access of reports, tickets, etc. that are submitted by such an individual (e.g., family member participating at a live-hacking event), HackerOne may temporarily transfer the team member, temporarily alter job duties, or take other reasonable actions to resolve any potential conflict of interest.
- Team members that review and interact with vulnerability reports, tickets, etc. in their role are not permitted to treat submissions from a HackerOne team member (or any community member with whom the team member has a personal or professional relationship) more or less favorably than submissions by any other community member.
- Team members must not attempt to influence or discuss handling of vulnerability reports, tickets, etc. they have submitted with other HackerOne team members. Team members are prohibited from engaging in adverse action towards other HackerOne team members for any reason related to the handling, evaluation, or determination of their vulnerability report submission, ticket, etc. All communication regarding a submission, mediation, or any other activity related to independent security research and/or pentesting must be done via the HackerOne platform.
- If a team member’s personal account on the HackerOne platform is added/invited to a customer’s program and the team member would be prohibited from participating in the program by this policy, the team member must notify their manager and not participate and must either decline the invitation or remove themselves from the program as soon as possible and in any event within three (3) days of receiving the invitation. If the team member’s participation in a customer program predates their tenure at HackerOne, the team member must notify their manager and remove themselves from the program.
- Team members are prohibited from using confidential information, including vulnerability reports, learned in the course of their work at HackerOne in any outside work or research, including submitting vulnerabilities to programs and platforms outside of HackerOne.
- No private program can have more than 20% of its participants be HackerOne team members. This means that if there are 10 total security researchers invited to a private program, no more than 2 can be HackerOne team members.
Confidential Information
HackerOne is committed to safeguarding confidential information, including confidential information entrusted to us by the company’s customers and community members. All team members agree to confidentiality provisions upon hire, which include prohibitions on misuse or unauthorized disclosure of confidential information. For team members with access to vulnerability reports or customer programs, these obligations include (but are not limited to) the following:
- Team members are prohibited from viewing, saving, screenshotting, or using vulnerability reports or customer program information in any personal security research or vulnerability submissions (whether on HackerOne or on other programs or platforms).
- Team members must not use any knowledge of an upcoming program or event gained by virtue of their role at HackerOne to give themselves an unfair advantage (e.g., testing or reconnaissance on a program’s event prior to any public announcement).
- Team members may use vulnerability reports and any information contained in the reports in their personal security research only if and only to the extent that the report has been publicly disclosed with the consent of the security researcher and the customer through HackerOne’s Coordinated Vulnerability Disclosure or other official HackerOne public disclosure process.
- Team members should not distribute customer program or vulnerability information to other team members in the company or view or access vulnerability reports, unless there is a legitimate HackerOne business reason to do so.
- Team members are prohibited from sending customer program or vulnerability information externally, including to the team member’s personal email or personal devices (including mobile phones, laptops, tablets).
- Team members must ensure that confidential information is shared and stored securely. Team members must not view this information or leave HackerOne equipment in a place where others may potentially view and/or access the information.
- If any team member is unsure whether information they have come across in their role at HackerOne can be used in their personal security research (or for any other outside work or personal reasons), they must reach out to the HackerOne Legal team for written approval prior to using the underlying information.
5. Examples
Below are examples of scenarios and what is allowed and not allowed. HackerOne team members are directed to ask the Director of Support & Mediation or a member of the Legal team in advance if there are any questions or grey areas.
- NOT ALLOWED: Hacking on a program where the team member has accessed the Triage inbox or worked directly with the customer (e.g., as a Technical Program Manager (TPM) or Security Analyst) prior to 6 months from the date they last had Triage inbox access or direct communication with the customer.
- ALLOWED: Once the team member has been removed from the program, six months have passed, and the team member has sought and obtained written approval from the team member’s director to engage in security research on the customer program, the team member may engage in security research on the program.
- NOT ALLOWED: Team member learns, from reading a report submitted to Program A, about a vulnerability in a common framework (e.g., SQLi in Rails). Team member then uses that vulnerability to file a vulnerability report with Program B.
- ALLOWED: If, and only if the vulnerability has been made public through HackerOne’s Coordinated Vulnerability Disclosure or another formal HackerOne process approved for public disclosure, it is acceptable to apply the information in the report only to the extent that information or portion of the report has been disclosed to the public. In such a case, the information is now equally available to the general public, and the team member is not using confidential information.
- NOT ALLOWED: Team member learns specific technical details not publicly known through reading information, such as vulnerability reports disclosed to a customer or via meeting with the customer about their application, and uses that information in their personal security research. If this information is not otherwise fully available to the public, the team member cannot use it to file their own reports or for any other purpose not directly related to their role at HackerOne.
The team member should, however, work through official channels with the customer (e.g., getting the Technical Program Manager or Program Manager involved and reaching out to the customer as a HackerOne team member to help educate the customer regarding the potential vulnerability).
- NOT ALLOWED: Team member has been active in the security research community since before they worked at HackerOne. While working on a program, the team member sees a report submitted by a renowned security researcher and recognizes their handle. The team member admires the security researcher and is curious about what they found. They click on the report to learn more. This is not permitted. The team member does not have a legitimate work-related business reason for viewing the report.
6. Reporting Concerns
Any HackerOne team member, customer, security researcher, vendor, or member of the public suspecting potential violation of this policy should report their concerns through HackerOne’s Ethics Reporting Form (which includes an option to report anonymously). HackerOne will investigate any such report and will take appropriate corrective action. Violation of this policy may result in appropriate discipline up to, and including, termination, in addition to a permanent ban on the team member’s personal HackerOne user account.
7. Exceptions
In the event that any team member believes that the requirements of this policy cannot be met or that an exception to the requirements of this policy is required, the team member shall document the issue and provide a description of the relevant requirement and justification for the exception. Any documentation and approval shall be maintained, and no exception shall be made or authorized unless approved in writing by the Chief Legal Officer.
Documentation of the request is critical to ensure HackerOne’s management fully understands the additional risk HackerOne must accept as a result of the exception, that alternatives to an exception are considered, and that compensating controls are deployed as part of the exception to the extent necessary.
8. Enforcement
This policy will be enforced by the HackerOne Legal team and the People, Compliance, and Legal teams. Violations of this policy may result in disciplinary action, up to and including termination of employment. HackerOne may also take appropriate platform enforcement action on your personal HackerOne account. To the extent that any violation of this policy results in a violation of applicable law, HackerOne may report such activities to the applicable authorities.