Pentest Rules of Engagement

Pentesters are prohibited from sharing information outside of the specific channels created for the specific Pentest/Program. Specifically created channels include communications within the HackerOne platform and any Pentest- or Program-specific Slack instances.

Pentesters must strictly comply with all confidentiality guidelines, requirements and obligations related to the Pentests/Programs in which they participate. These guidelines apply to vulnerability information, customer information, policy or scope details, bugs, account information, and any other Program-specific information. This also includes information related to the HackerOne Pentest product itself.

If a Program or Pentest requires an additional NDA or other contractual agreement, it is fundamental to respect these signed documents and comply with their requirements. Disclosing information in violation of confidentiality guidelines and/or applicable NDAs/contracts is strictly prohibited. Failing to comply will be a breach of your obligations to the customer and could result in direct action against you.

No disclosure of any vulnerability reports from any HackerOne Pentests may be made without the Customer’s explicit written approval via a communication within the HackerOne platform. This supersedes the standard disclosure process described in the HackerOne Disclosure Guidelines available at https://www.hackerone.com/disclosure-guidelines.

Without limiting any confidentiality obligations you may have under the HackerOne Pentest’s program, you agree that you can make no disclosure of any HackerOne Pentests Customer’s name without explicit written approval from the customer via in-platform communication.

Specifically, and without limiting the prior statement, you may make no posting on social media regarding any HackerOne Pentest Customer or Pentest and related activities without explicit written permission from the customer. Requests for such permission needs to be in written format via the HackerOne platform.

All Pentesters must adhere to HackerOne’s Code of Conduct; we expect all Pentesters to act in accordance with the highest professional and ethical standards. Any violation of these Rules of Engagement, misbehavior or other Code of Conduct violations could result in immediate termination as a HackerOne Pentester, Clear Finder and/or removal from Clear Programs and/or the Platform generally.

Slack is the communication tool that HackerOne uses to facilitate direct communication between Pentesters, HackerOne staff and customers. In your communications, you should be responsive, professional, and respectful to customers and HackerOne employees. Discussing the details of vulnerabilities outside of the official channels is insecure and can result in removal as a Pentester, a HackerOne Clear Finder or sanctions against your HackerOne account generally. Upon request, pentesters may be required to provide all testing notes, documentation and materials to HackerOne’s Technical Program Manager. Pentesters should delete all documentation stored locally or in third-party tools upon completion of the engagement and any retests.

All vulnerabilities found during a Pentest engagement should be submitted only to the specific Program created for the Pentest, and no others. Reporting findings discovered during a Pentest engagement to a standard Bug Bounty Program is prohibited and doing so will result in enforcement action/sanctions.

HackerOne Pentest rewards Finders for their time. Pentesters must spend the minimum amount of hours identified in the Pentest description described in the application process for the particular Pentest. Failing to appropriately send the time allocated for the Pentest or failing to perform the reasonably expected level of testing during such allocated time can result in removal from future HackerOne Pentests or other enforcement actions. If you find you can not perform the Pentest after you have been scheduled for such Pentest, then you should immediately inform the HackerOne staff.

Collaboration is a Key element of HackerOne Pentest. You will be working with other pentesters from different backgrounds, locations, and cultures. Be respectful to your peers, and expect them to be respectful in return. Be open minded, and do your best to win as a team. If a disagreement occurs, please be professional. Report any concerning behavior or abusive comments or unprofessional actions to any member of the HackerOne staff.

As stated above, if there is any conflict between the Finder Terms, the General Terms or the HackerOne Clear RoE and these HackerOne Pentest Terms, these HackerOne Pentest Terms will control. Any waiver, modification or amendment of any provision of these HackerOne Pentest Terms will be effective only if in writing and signed by HackerOne. These HackerOne Pentest Terms may be executed in counterparts, each of which will be deemed an original, and all of which together will constitute one and the same instrument, and may be executed digitally through digital signature or online acceptance. The exchange of a fully executed document (in counterparts or otherwise) by facsimile signature or by other electronic means, such as by portable document format (.pdf) file, shall be sufficient to bind you to these terms.

Pentester/Finder:

An individual or entity using the HackerOne Platform to provide Finder Submissions through Pentests.

Report Details:

Data in a report that includes payloads, custom built modules/tools, custom built scripts, or anything that could be considered unique or proprietary to the program or the report itself.