Employee Participation Policy
HackerOne employees are given confidential access to customers’ program operation, scope, and communications, which could aid them in finding vulnerabilities. Since this information is unavailable to all Finders on the platform, this could create an unfair advantage when a HackerOne employee would like to participate as a Finder on a customer program.
This policy is intended to create a fair, straightforward way to enable employees to participate in programs without creating a conflict of interest.
The scope of this policy is all employees of HackerOne, and for the purposes of this policy, the term employee shall also include all Security Analysts of HackerOne, whether employees or contractors.
In order to participate in a program, all of the following criteria must be met:
- The Employee must not have had access to the program or been a member of the program team. If the Employee is a past member of a program team, there is a six (6) month cooldown period that begins after leaving the program before the Employee is eligible to participate.
- If given access to reports in the past, Employees cannot save or use report details from the program to aid them in finding vulnerabilities once they are eligible to participate.
- Employees cannot participate in programs in which they are the Account Executive, Program Manager, Security Analyst, or Technical Program Manager, even if they do not have access to reports submitted to the program.
- The Employee must not be a past or present employee or consultant of the customer in whose program they wish to participate, unless given explicit written approval by the customer.
- Employees are not allowed to use any knowledge of an upcoming program to provide themselves an unfair advantage. If an Employee is aware of an upcoming program that they will participate in, they are not allowed to conduct any testing or reconnaissance on that program until the program has officially launched, and only then if they are a whitelisted Finder on the program permitted to participate under this policy.
- Employee cannot be an immediate family member of anyone directly involved with the program in which they wish to participate.
  - Example: HackerOne employee “Adam” wishes to join a program of Company XYZ. Adam cannot have an immediate family member who is associated with the security team or program at Company XYZ.
Additional criteria surrounding private programs:
- No private program can have more than 40% of its participants be HackerOne employees. This means that if there are 10 total Finders invited to a private program, no more than 4 can be HackerOne employees.
  - Exceptions may be granted in certain circumstances where HackerOne employees are meant to be the only participants.
- If an employee’s personal account on the HackerOne Platform is added/invited to a customer’s program and the employee would be prohibited from participating in the program by this policy, the employee must not participate and must either decline the invitation or remove themselves from the program as soon as possible and in any event within three (3) days of receiving the invitation.
Eligibility will be determined by the primary HackerOne employee managing the program the employee wishes to be added to or the VP of Customer Success. Satisfaction of these requirements does not guarantee that the employee will be extended an invitation to participate. Failure to comply with the above criteria will result in disqualification from program invites for all current and future programs until further notice.
Below are examples of scenarios and what is allowed and not allowed. HackerOne employees are directed to ask their manager in advance if there are any questions or grey areas.
- NOT ALLOWED: Hacking on a program where the employee has accessed the inbox or worked directly with the customer (e.g., as a Technical Program Manager (TPM) or Security Analyst) in the last three (3) months.
  - EXCEPTION: Once the employee has been removed from the program, and three (3) months have passed, the employee may resume activity on the program.
- NOT ALLOWED: Employee learns, from reading a report against Program A, about a vulnerability in a common framework (e.g., SQLi in Rails). Employee then uses that vulnerability to file a report against Program B.
  - EXCEPTION: Once the vulnerability is made public -- i.e., the report is disclosed, the vulnerability is published, a CVE is made public, etc. -- it is acceptable to apply the learning. The information is now available to the general public, and the employee is not using inside information.
- NOT ALLOWED: Employee learns specific technical details not publicly known through reading the inbox or via meeting with the customer about their application. For example, employee learns that a customer uses a specific piece of software that the employee knows is vulnerable. If this information is not otherwise readily available to the public, the employee cannot use it to file their own reports.
  The employee should, however, work through official channels with the customer (e.g., getting the Technical Program Manager or Program Manager involved, reaching out to the customer as a HackerOne employee, and helping to educate the customer regarding the potential vulnerability).
- NOT ALLOWED: Employee discovers, in a private report, a specific payload, code, custom-built tool, etc., written to exploit a vulnerability. Said employee may not apply that payload or code to another program: since it is not public knowledge, the employee cannot take information from a report and use it in their own reports.
  - EXCEPTION: As above, if the information is made public -- the report is disclosed, the code is published on GitHub or someone’s blog, etc. -- it is acceptable to use on other programs. The information is now available to the general public, and the employee is not using inside information.
- ALLOWED: Employee learns, from reading various reports, about a general technique and then applies that technique to other programs. For example, if the employee never knew how to test mobile applications, and the employee learns some general techniques from reading reports, they can then go test other mobile applications. The employee learned general techniques -- something anyone could have learned -- and then applied that knowledge.
Investigation Process
If a complaint is received or HackerOne receives something that appears to violate the policy, HackerOne will in all cases:
- Assume good intent -- HackerOne trusts that employees will want to do the right thing, and will start from that perspective.
- Investigate fully so HackerOne understands what did (and did not) happen. The manager, along with other department leadership if needed, will talk to the employee, talk to the Finder, and/or to the customer if appropriate -- get all points of view.
- If HackerOne determines the employee has violated the policy, there will be disciplinary action depending on the severity and HackerOne’s assessment of intent. Repercussions could include, depending on severity: a formal reprimand, forfeiture of bounties, temporary or permanent hacking bans, or, in extreme cases, termination of employment.
In the event that any employee believes that the requirements of this policy cannot be met or that an exception to the requirements of this policy is required, the employee shall document the issue and provide a description of the relevant requirement and justification for the exception. Any documentation and approval shall be maintained, and no exception shall be made or authorized unless approved in writing by the General Counsel.
Documentation of the request is critical to ensure HackerOne’s management fully understands the additional risk HackerOne must accept as a result of the exception, that alternatives to an exception are considered, and that compensating controls are deployed as part of the exception to the extent necessary.
This policy will be enforced by Customer Success. Violations of this policy may result in disciplinary action, up to and including termination of employment. To the extent that any violation of this policy results in a violation of applicable law, HackerOne may report such activities to the applicable authorities.
Definitions
- Employee: Any full or part-time employee of HackerOne, including full or part-time Security Analysts, consultants, or advisors.
- Finder: An individual or entity using the HackerOne Platform to provide Vulnerability Reports.
- Report details: Data in a report that includes payloads, custom-built modules/tools, custom-built scripts, or anything that could be considered unique or proprietary to the program or the report itself.
- Security Analyst: A person focused on triaging and responding to incoming security vulnerability reports on the HackerOne Platform.