Pentest Rules of Engagement
Pentesters participating in HackerOne Pentests mayoften have increased levels of internal access and credentials or additional parameters and customer requirements. All HackerOne Pentests are conducted in teams. These RoEs are intended to provide a single source of truth for expectations and guidelines while participating in a pentest. Scope specifics, as well as testing requirements and conditions, will be provided in the Policy page for the applicable pentest.
Background Checks and ID Verification
In order to qualify as a HackerOne Pentester, HackerOne must confirm certain information about you and also onboard you into HackerOne’s Clear program. In addition to the Rules of Engagement for Pentest, you will also be required to accept the HackerOne Clear Rules of Engagement/Additional Terms (the “HackerOne Clear RoE”). In accepting the HackerOne Clear RoE, you acknowledge and agree that HackerOne will conduct such background investigations and ID Verification, and consent to HackerOne conducting each, as these are necessary to participate in any HackerOne Pentest. You may obtain a copy or summary of these reports on written request.
Current Vendor for ID Verification: Berbix
Current Vendor for Background Checks: First Advantage
Pentesters are prohibited from sharing information outside of the specific channels created for the specific Pentest/Program. Specifically created channels include communications within the HackerOne platform and any Pentest- or Program-specific Slack instances.
Pentesters must strictly comply with all confidentiality guidelines, requirements and obligations related to the Pentests/Programs in which they participate. These guidelines apply to vulnerability information, customer information, policy or scope details, bugs, account information, and any other Program-specific information. This also includes information related to the HackerOne Pentest product itself.
If a Program or Pentest requires an additional NDA or other contractual agreement, it is fundamental to respect these signed documents and comply with their requirements. Disclosing information in violation of confidentiality guidelines and/or applicable NDAs/contracts is strictly prohibited. Failing to comply will be a breach of your obligations to the customer and could result in direct action against you.
No disclosure of any vulnerability reports from any HackerOne Pentests may be made without the Customer’s explicit written approval via a communication within the HackerOne platform. This supersedes the standard disclosure process described in the HackerOne Disclosure Guidelines available at https://www.hackerone.com/disclosure-guidelines.
Without limiting any confidentiality obligations you may have under the HackerOne Pentest’s program, you agree that you can make no disclosure of any HackerOne Pentests Customer’s name without explicit written approval from the customer via in-platform communication.
Specifically, and without limiting the prior statement, you may make no posting on social media regarding any HackerOne Pentest Customer or Pentest and related activities without explicit written permission from the customer. Requests for such permission needs to be in written format via the HackerOne platform.
All Pentesters must adhere to HackerOne’s Code of Conduct; we expect all Pentesters to act in accordance with the highest professional and ethical standards. Any violation of these Rules of Engagement, misbehavior or other Code of Conduct violations could result in immediate termination as a HackerOne Pentester, Clear Finder and/or removal from Clear Programs and/or the Platform generally.
Slack is the communication tool that HackerOne uses to facilitate direct communication between Pentesters, HackerOne staff and customers. In your communications, you should be responsive, professional, and respectful to customers and HackerOne employees. Discussing the details of vulnerabilities outside of the official channels is insecure and can result in removal as a Pentester, a HackerOne Clear Finder or sanctions against your HackerOne account generally. Upon request, pentesters may be required to provide all testing notes, documentation and materials to HackerOne’s Technical Program Manager. Pentesters should delete all documentation stored locally or in third-party tools upon completion of the engagement and any retests.
All vulnerabilities found during a Pentest engagement should be submitted only to the specific Program created for the Pentest, and no others. Reporting findings discovered during a Pentest engagement to a standard Bug Bounty Program is prohibited and doing so will result in enforcement action/sanctions.
HackerOne Pentest rewards Finders for their time. Pentesters must spend the minimum amount of hours identified in the Pentest description described in the application process for the particular Pentest. Failing to appropriately send the time allocated for the Pentest or failing to perform the reasonably expected level of testing during such allocated time can result in removal from future HackerOne Pentests or other enforcement actions. If you find you can not perform the Pentest after you have been scheduled for such Pentest, then you should immediately inform the HackerOne staff.
Collaboration is a Key element of HackerOne Pentest. You will be working with other pentesters from different backgrounds, locations, and cultures. Be respectful to your peers, and expect them to be respectful in return. Be open minded, and do your best to win as a team. If a disagreement occurs, please be professional. Report any concerning behavior or abusive comments or unprofessional actions to any member of the HackerOne staff.
As stated above, if there is any conflict between the Finder Terms, the General Terms or the HackerOne Clear RoE and these HackerOne Pentest Terms, these HackerOne Pentest Terms will control. Any waiver, modification or amendment of any provision of these HackerOne Pentest Terms will be effective only if in writing and signed by HackerOne. These HackerOne Pentest Terms may be executed in counterparts, each of which will be deemed an original, and all of which together will constitute one and the same instrument, and may be executed digitally through digital signature or online acceptance. The exchange of a fully executed document (in counterparts or otherwise) by facsimile signature or by other electronic means, such as by portable document format (.pdf) file, shall be sufficient to bind you to these terms.
- An individual or entity using the HackerOne Platform to provide Finder Submissions through Pentests.
- Report Details:
- Data in a report that includes payloads, custom built modules/tools, custom built scripts, or anything that could be considered unique or proprietary to the program or the report itself.
Investigation and Enforcement
If a complaint is received from a customer, team member, another pentester, or if HackerOne observes something that appears to violate the Code of Conduct and/or these Rules of Engagement, HackerOne will in all cases:
- Assume good intent: HackerOne trusts that pentesters will want to do the right thing.
- Investigate fully so HackerOne understands what did (and did not) happen. HackerOne will speak to all parties involved, where appropriate, and attempt to provide a neutral viewpoint.
- Repercussions: If HackerOne determines the pentester has violated the Code of conduct and/or these rules of engagement, there will be disciplinary actions depending on the severity and HackerOne’s assessment of intent. Repercussions could include, depending on severity, temporary bans and permanent bans from HackerOne Pentest, HackerOne Clear, Clear programs and/or the platform.
These rules of engagement will be enforced in accordance with the action guidelines below.
|Incident||First Offense||Second Offense||Third Offense|
|Breaking H1 Pentest Rules of Engagement||Temporary Ban from Pentest & Removal from all Pentest Programs (3 months)||Temporary Ban from Pentest & Removal from all Pentest Programs (6 months)||Permanent Ban from Pentest & Removal from all Pentest Programs|
Please note, however, that HackerOne reserves the right to escalate the severity of enforcement and sanctions in accordance with the nature of the offense and irrespective of previous offenses. Depending upon the severity of the offense, sanctions may include, without limitation, longer temporary bans, immediate removal from HackerOne Pentests, HackerOne Clear and/or Clear programs, and/or a permanent ban from the HackerOne Platform.