Pentest Rules of Engagement

Pentesters participating in HackerOne Pentests may often have increased levels of internal access and credentials, or additional parameters and customer requirements. All HackerOne Pentests are conducted in teams. These Rules of Engagement (RoEs) are intended to provide a single source of truth for expectations and guidelines while participating in a pentest. Scope specifics, as well as testing requirements and conditions, will be provided in the Policy page for the applicable pentest.

Code of Conduct

Background Checks and ID Verification

In order to qualify as a HackerOne Pentester, HackerOne must confirm certain information about you and also onboard you into HackerOne’s Clear program. In addition to the Rules of Engagement for Pentest, you will also be required to accept the HackerOne Clear Rules of Engagement/Additional Terms (the “HackerOne Clear RoE”). In accepting the HackerOne Clear RoE, you acknowledge and agree that HackerOne will conduct such background investigations and ID Verification, and consent to HackerOne conducting each, as these are necessary to participate in any HackerOne Pentest. You may obtain a copy or summary of these reports on written request.

Current Vendor for ID Verification: Berbix
Current Vendor for Background Checks: First Advantage

Respect Confidentiality Guidelines, Disclosure Guidelines and NDAs
Respect HackerOne’s Code of Conduct
Only use official communication channels
Submit Reports through Pentest Program Only
Satisfactory Performance
Respect your peers
General Provisions

Investigation and Enforcement

If a complaint is received from a customer, team member, another pentester, or if HackerOne observes something that appears to violate the Code of Conduct and/or these Rules of Engagement, HackerOne will in all cases:

  • Assume good intent: HackerOne trusts that pentesters will want to do the right thing.
  • Investigate fully so HackerOne understands what did (and did not) happen. HackerOne will speak to all parties involved, where appropriate, and attempt to provide a neutral viewpoint.
  • Repercussions: If HackerOne determines the pentester has violated the Code of Conduct and/or these Rules of Engagement, disciplinary action will follow, depending on the severity of the violation and HackerOne’s assessment of intent. Repercussions could include, depending on severity, temporary bans and permanent bans from HackerOne Pentest, HackerOne Clear, Clear programs and/or the platform.

These rules of engagement will be enforced in accordance with the action guidelines below.

Incident: Breaking H1 Pentest Rules of Engagement
First Offense: Temporary Ban from Pentest & Removal from all Pentest Programs (3 months)
Second Offense: Temporary Ban from Pentest & Removal from all Pentest Programs (6 months)
Third Offense: Permanent Ban from Pentest & Removal from all Pentest Programs

Please note, however, that HackerOne reserves the right to escalate the severity of enforcement and sanctions in accordance with the nature of the offense and irrespective of previous offenses. Depending upon the severity of the offense, sanctions may include, without limitation, longer temporary bans, immediate removal from HackerOne Pentests, HackerOne Clear and/or Clear programs, and/or a permanent ban from the HackerOne Platform.