HackerOne Supplier Code of Conduct

Last Updated: January 14, 2025

At HackerOne Inc., our mission is to build a safer internet. But we recognize that as a leader in our industry, we have an opportunity and a responsibility to help build a safer and more secure future for our world. One of the ways we are committed to these principles is by ensuring corporate ethics and integrity, responsible product sourcing, and the safety and well-being of workers across our global supply chain. This Supplier Code of Conduct establishes the minimum standards that must be met by any supplier that sells goods to or otherwise does business with HackerOne. By submitting a proposal or entering into a contract with HackerOne, suppliers certify that they have read and understood this Supplier Code of Conduct and that they commit to and will comply with these standards.

Our suppliers are responsible for ensuring that all of their workers (employees, temporary workers, agents, contractors, etc.) and any subcontractors or next-tier suppliers are informed of and agree to comply with this Supplier Code of Conduct or substantially similar terms.

This Supplier Code of Conduct does not create new or additional rights, or any additional HackerOne obligations, in favor of suppliers, supplier personnel, or any third parties. It is not intended to replace, supersede, or conflict with any applicable laws, regulations, or contractual obligations with HackerOne.

1. Ethics & Compliance in Business Operations

HackerOne is committed to conducting its business ethically and in compliance with all applicable laws; our suppliers' commitment to the same is a requirement of doing business with HackerOne.

1.1 Anti-Bribery & Corruption

HackerOne has a zero-tolerance policy regarding bribery, corruption, kickbacks, extortion, and embezzlement. Suppliers must not offer, give, promise, or authorize, directly or indirectly, any bribe, gift, loan, fee, reward, or other payment or benefit to any government official, government employee, customer, HackerOne team member, or any other person, and must not accept any such payment or benefit from any person, for the purpose of influencing, obtaining, or retaining business or acquiring an improper advantage. Suppliers must keep accurate and complete records of their transactions related to all business involving HackerOne and must not falsify records or conceal improper use of HackerOne funds. Suppliers must also comply with all applicable domestic and international anti-corruption laws and regulations, including (but not limited to) the United States Foreign Corrupt Practices Act and the UK Bribery Act 2010.

This section does not prohibit normal, appropriate, and modest hospitality or gifts. However, it is important to keep in mind that gifts are subject to limits and disclosure requirements and must always be provided and accepted in accordance with applicable law and company policy. Gifts provided by a supplier to a third party on behalf of HackerOne must be made in compliance with HackerOne’s Anti-Bribery and Corruption Policy. Suppliers acting or purporting to act on HackerOne’s behalf must contact HackerOne’s Legal team for approval prior to giving or accepting gifts to or from any third party, including government or public officials.

1.2 Conflicts of Interest

Suppliers agree that they will avoid any situation that may involve a conflict of interest or the appearance of a conflict of interest in any business dealing with HackerOne. If a potential or actual conflict of interest arises that impedes a supplier's ability to act objectively in the business relationship with HackerOne, the supplier must disclose all relevant details to HackerOne's Legal team by contacting HackerOne's Procurement team at Procurement@hackerone.com and Compliance@hackerone.com. Conflicts of interest or potential conflicts of interest include, but are not limited to: (a) failing to disclose a personal relationship with, or financial interest in, HackerOne or its team members; (b) acting or attempting to act, for personal gain, on confidential information gained from HackerOne in a manner not authorized by HackerOne; and (c) attempting to win business on any basis (including personal relationships) other than the objective criteria used to evaluate suppliers (e.g., price, quality, performance, suitability of the product or service, etc.).

1.3 Insider Trading

Suppliers must comply with all insider trading and securities laws and are prohibited from using any material non-public information about HackerOne or its customers obtained in the course of providing services to HackerOne for any purpose other than the purpose for which it was provided.

1.4 Intellectual Property

Suppliers agree to only use HackerOne confidential information, trade secrets, copyrights, patents, trademarks, and other intellectual property in a manner permitted under their contract with HackerOne and in accordance with applicable law. Suppliers also agree that they will not engage in any misuse, misappropriation, or infringement of intellectual property rights in providing services to HackerOne.

1.5 Confidentiality

Suppliers may have access to sensitive data and confidential information. All contracts with HackerOne include confidentiality clauses to protect the confidential and proprietary information of HackerOne, its team members, its users, and its customers. The obligation to safeguard HackerOne information continues after any engagement with HackerOne has ended. This section does not supersede, replace, or conflict with any contractual terms HackerOne may enter into with its suppliers.

1.6 Export Compliance

Suppliers must comply with all applicable trade laws and regulations, including export and import controls, economic sanctions laws, and antitrust laws. Suppliers are responsible for understanding how global trade laws apply to their business and for ensuring that no transactions involving HackerOne or HackerOne services violate trade laws. Any non-compliance relating to HackerOne products or services must be reported immediately by contacting HackerOne's Procurement team at Procurement@hackerone.com.

1.7 Fair Dealing & Fair Competition

Suppliers must adhere to all laws and regulations relating to fair dealing and fair competition. Suppliers agree that they will not seek competitive advantages through illegal or unethical business practices or share HackerOne confidential information with competitors. Suppliers are prohibited from engaging in price fixing, bid rigging, market allocation, or otherwise unfairly excluding or foreclosing competitors from the marketplace or depriving customers, including HackerOne, of the benefits of competition.

2. Fair Labor and Human Rights

As part of HackerOne's commitment to Respecting All People, HackerOne expects its suppliers to maintain a workplace that promotes respect, professionalism, and inclusivity, where discriminatory practices, including harassment, are prohibited. All suppliers are expected to share HackerOne's commitment to upholding fair labor standards; preventing human trafficking, modern slavery, and other forced or child labor; respecting human rights; and providing equal opportunity, and must adhere to the United Nations' Universal Declaration of Human Rights, the UN Guiding Principles on Business and Human Rights, and the International Labour Organization's Declaration on Fundamental Principles and Rights at Work.

2.1 Freedom of Employment

HackerOne expects all employment with suppliers to be an expression of free choice. Suppliers' workers must be free to voluntarily leave their employment relationship without penalty upon reasonable notice consistent with applicable law. Suppliers are responsible for ensuring their workers are legally permitted to live and work in the territory in which they are performing work. Suppliers must not require their workers to surrender government-issued identification, passports, or work permits and must allow these documents to remain in the possession of their workers. Suppliers must ensure that their employment contracts and other employment-related documents are in a language the worker understands.

2.2 Modern Slavery, Human Trafficking, and Child Labor

HackerOne acknowledges the grave global issue of human trafficking, modern slavery, and other forced or child labor, and the devastating impact these practices have on individuals, communities, and society as a whole. Accordingly, HackerOne is committed to ensuring that these practices play no part anywhere in its business, including in its supply chain, and suppliers must share this commitment to preventing modern slavery, human trafficking, and child or forced labor in their practices and policies.

At a minimum, suppliers must (a) take all reasonable steps to ensure that there is no slavery, servitude, human trafficking, child labor, or other forced labor occurring in their business operations or their supply chain, (b) comply with all applicable laws and regulations regarding modern slavery, child labor, human trafficking, and other forced labor in the performance of their obligations under any agreement with HackerOne, (c) ensure that they do not employ any individual under the minimum age for employment in their applicable country, (d) have procedures in place to verify the age of workers and maintain documentation, and (e) ensure that all workers under the age of 18 do not perform work that is likely to jeopardize their health or safety, including night shifts and overtime.

Suppliers must not use labor of individuals under the age of 15, under the age for completing compulsory education, or under the minimum age for employment in the country, whichever is greatest, in any stage of manufacturing. To the extent a supplier’s operations involve tantalum, tin, tungsten, or gold, the supplier must not directly or indirectly finance or benefit armed groups that are perpetrators of serious human rights abuses in the Democratic Republic of the Congo or any adjoining country. Suppliers must exercise appropriate due diligence on the source and chain of custody of these minerals and be able to provide appropriate documentation proving the foregoing if requested by HackerOne.

2.3 Wages and Benefits

Suppliers are required to ensure compensation paid to their workers complies with all applicable wage laws, including those related to overtime, minimum wage, and benefits. Suppliers must provide all legally required benefits to their workers. Suppliers are also prohibited from using wage deductions as a disciplinary measure.

2.4 Working Hours

Suppliers must ensure that working hours of their employees do not exceed the maximum set forth under applicable law.

2.5 Prohibition on Discrimination and Harassment

HackerOne maintains a safe and humane workplace free from discrimination and harassment on the basis of any protected category and expects its suppliers to adhere to this commitment in their own policies, practices, and operations. Suppliers must have policies and frameworks in place that prohibit and help prevent unlawful discrimination or harassment on the basis of race, color, religion, sex, sexual orientation, age, gender identity or gender expression, national origin, pregnancy, disability or veteran status, or any other protected characteristic as outlined by international, federal, state, or local laws.

2.6 Health & Safety

Suppliers are required to provide and maintain a safe and hygienic work environment with proper governance and policies in place to promote health and safety management in business operations. At a minimum, this includes identifying and managing health and safety hazards (including physical, chemical, and biological agents); providing adequate training and instruction on health and safety; providing appropriate work-related safety equipment free of charge; maintaining a mechanism for reporting health and safety concerns; ensuring that workers can remove themselves from harm or report safety concerns without fear of retaliation; maintaining reasonable emergency preparedness plans; and maintaining procedures to prevent, manage, track, and report occupational injury and illness.

2.7 Freedom of Association

Suppliers must respect the legal rights of their workers to associate with others and to form and join (or refrain from joining) worker organizations, including trade unions. HackerOne also expects its suppliers to encourage and facilitate open communication between management and workers (including the ability to report grievances) without retaliation.

3. Diversity and Equal Opportunity Employment

HackerOne embraces diversity, inclusion, and equal opportunity as core principles of the company. HackerOne recognizes diverse suppliers that are certified as businesses at least 51% owned and operated by minorities, women, veterans, or persons with disabilities. HackerOne believes that diversity in supply chains contributes to business resiliency and can positively impact local communities. HackerOne expects its suppliers to implement and build upon principles of diversity and inclusion in their own operations as well as in their supply chains.

HackerOne is proud to be an Equal Opportunity workplace and an affirmative action employer. HackerOne is committed to equal opportunity in the terms and conditions of employment for all employees and job applicants without regard to race, color, religion, sex, sexual orientation, age, gender identity or gender expression, national origin, pregnancy, disability or veteran status, or any other protected characteristic as outlined by international, federal, state, or local laws. This policy applies to all HackerOne employment practices, including hiring, recruiting, promotion, termination, layoff, recall, leave of absence, compensation, benefits, training, and apprenticeship. HackerOne makes hiring decisions based solely on qualifications, merit, and business needs at the time. HackerOne expects and requires its suppliers to adhere to similar equal opportunity employer principles in their own employment practices.

4. Environment & Sustainability

HackerOne is committed to executing a science-based strategy that reduces emissions, protects our environment, and drives meaningful change toward greater sustainability. HackerOne expects its suppliers to recognize the existential risks posed by climate change and environmental degradation, and the need for immediate, ambitious future-focused action.

Accordingly, suppliers must develop, implement, and maintain environmentally sustainable policies, practices, and strategies that exceed or are substantially similar to HackerOne's Environmental Policy. Suppliers must also, at a minimum, comply with all applicable environmental laws and regulations; implement systematic approaches to identifying, managing, reducing, recycling, and/or responsibly disposing of waste and hazardous substances; and identify, manage, reduce, and responsibly control air emissions from their operations that pose a hazard to the environment.

5. Governance

HackerOne believes that robust governance and management systems are integral to ensuring commitment to corporate ethics and integrity, responsible product sourcing, and the safety and well-being of workers across our global supply chain and compliance with this Supplier Code of Conduct. HackerOne expects its suppliers to develop a culture of compliance that seeks continuous improvement.

5.1 Social and Environmental Due Diligence

Suppliers shall have policies and management systems in place that demonstrate their commitment to identifying and addressing human rights (including human trafficking, forced labor, and child labor), fair employment practices, worker health and safety, diversity and inclusion, and environmental sustainability. Suppliers agree to conduct due diligence in their operations, including their own supply chain, to identify, prevent, and mitigate risks related to business resiliency, human rights, fair employment practices, health and safety, diversity and inclusion, environmental sustainability, corporate ethics, and other legal, compliance, and regulatory issues.

5.2 Risk Management

Suppliers must have appropriate business controls in place to detect, prevent, and remediate unlawful or unethical conduct by their employees and agents. Such business controls must be regularly reviewed and updated to ensure consistency with industry best practices and applicable law.

5.3 Documentation

Suppliers shall have processes and controls in place to ensure financial integrity and accurate accounting and records. Suppliers must create and maintain all documents and records required to ensure legal and regulatory compliance in addition to compliance with this Supplier Code of Conduct.

5.4 Training

Suppliers must provide mandatory training on a reasonably regular cadence in order to ensure their team members and agents have appropriate levels of knowledge and skill to maintain compliance with all applicable laws, regulations, standards, and this Supplier Code of Conduct.

6. Monitoring & Compliance

HackerOne may audit compliance with this Supplier Code of Conduct or appoint a third party to conduct such an audit. HackerOne will report any violations to the supplier's management and may take appropriate corrective action. HackerOne may terminate its relationship with any supplier that does not comply with the Supplier Code of Conduct or that, upon discovery of non-compliance, does not commit to a specific plan to achieve compliance.

7. Reporting Concerns

Suppliers are expected to report violations of HackerOne's Code of Conduct, this Supplier Code of Conduct, violations of law, or other ethics-related concerns through HackerOne's Ethics Reporting Form, which allows for anonymous reporting. HackerOne has a stated policy against retaliation, and all reports will be handled sensitively and in accordance with HackerOne policy and applicable law.

8. Performance-Related Evaluation and Termination

HackerOne will regularly conduct performance evaluations of suppliers to ensure efficiency and compliance with quality standards, delivery timelines, and other relevant criteria.

Failure to meet agreed-upon standards may result in the termination of supplier contracts. Such decisions are made based on performance deficiencies, including failure to meet quality standards, delivery timelines, or other contractual obligations.

9. Reasonable Assistance and Cooperation

HackerOne values open and transparent communication with suppliers to address concerns, resolve issues promptly, and foster collaborative relationships. Suppliers must respond in a timely manner to HackerOne's due diligence requests, audit activities, and queries from HackerOne personnel pertinent to the supplier's contract with HackerOne. Suppliers must also provide reasonable assistance with any investigation by HackerOne of a violation of this Supplier Code of Conduct, HackerOne policy, or applicable laws. Suppliers agree to allow HackerOne reasonable access to documentation concerning compliance with this Supplier Code of Conduct and with all policies and laws applicable to the scope of goods and services being provided in connection with the supplier's contract with HackerOne.