HackerOne Privacy Policy

Effective as of December 31st, 2019, HackerOne Inc. and its affiliates (collectively, "HackerOne", "we", "us", or "our") have updated our Privacy Policy.

Your data is your data. HackerOne is committed to ensuring the privacy of your data. We are further committed to preventing unauthorized access to that data. Our Privacy Policy details what data is collected from our customers and hackers, how we use it, and how it is stored.

1. WHO WE ARE

HackerOne is an industry leader in hacker-powered security. HackerOne partners with the global security researcher community, which we refer to as finders or hackers, to provide businesses with access to top talent hackers who identify and surface relevant security issues in a business's products or services. HackerOne operates a bug bounty & vulnerability disclosure software-as-a-service platform known as the HackerOne Platform, the website located at hackerone.com and related domains and subdomains, and related services, including live hacking events, marketing, and customer service (collectively referred to as "Services"). HackerOne is a Delaware corporation headquartered in San Francisco, California with offices in London, New York, the Netherlands, France, and Singapore.

We respect your privacy and take safeguarding your data seriously. Please read this Privacy Policy carefully together with the General Terms and Conditions ("Terms") available at https://www.hackerone.com/terms/general, which governs your use of the Services, to understand what Personal Information (defined below) we collect from you, how we use it, and your choices related to our use of your Personal Information. If you do not agree with this Privacy Policy, please do not use the Services.

2. WHAT IS PERSONAL INFORMATION?

"Personal Information" means any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person. Under specific laws, Personal Information may include any information relating to a household.

3. PERSONAL INFORMATION WE PROCESS

We process Personal Information that you actively submit to us, that we automatically collect through your use of our Services, and that we collect from third-party sources. We may process your Personal Information with or without automatic means, including collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction of your Personal Information. We do not sell the Personal Information we collect to other parties.

3.1 Personal Information that you actively submit to us.

We collect Personal Information that you actively submit to us through your account, website forms, email subscriptions, surveys, events, conferences, customer service, inquiries, and other interactions. You will know when we collect your Personal Information because we will directly ask you for the information. Examples are provided below. We will require certain Personal Information in order for you to use our Services or for us to be able to contact you. There may also be circumstances where providing Personal Information is optional and does not impact your access to Services.

3.1.1 Your Account. Whether you are a customer or a finder (or both), when you create a HackerOne account, you are required to provide us with profile information, including your email address and password. HackerOne stores this information to help identify you when you log in. Once you've registered, you create a user profile. Your profile information includes your name (if you choose to provide it), chosen username, company name (if applicable), and if you choose, a profile photo, your location, your social media and other third-party affiliations, and any other information you include in the "About me" or "Intro" fields. We may display your profile information on our site where other users of the Services and visitors to our website will be able to see that information. If you enable two-factor authentication, we will store a phone number used for account recovery purposes.

If you are a customer, in addition to your profile information, you may provide us with financial information, such as your credit card or debit card information or your banking information, in order to assist us in awarding bounties, collecting bounty deposits, or collecting HackerOne fees.

If you are a finder, in addition to your profile information, you may need to provide us with other personally identifying information necessary for background and fraud checking purposes where required. This includes your date of birth, nationality, current and previous addresses, your social security number (or tax identification number), and for bounty award purposes, your banking, Coinbase, PayPal, or similar information in order to allow us to pay you monetary bounty awards from customers. In addition, in order that we can award any "swag" where available, we may ask for information such as a mailing address, telephone number, and clothing size. In addition to Personal Information we collect, your profile may be publicly associated with any vulnerability reports or other content that you submit, in the event these are published on the Services.

3.1.2 Events. We host events to bring together industry professionals in a casual setting. We also host live hacking events where top finders from all over the globe join together to find vulnerabilities on HackerOne customer programs. To register in advance for these events, we may collect your first name, last name, email address, company name (if applicable), job title (if applicable), and give you an option to provide us a website reference.

3.1.3 Email Subscriptions. We actively communicate with subscribers through newsletters, webinars, and education content, and also send emails about product updates, events, the status of the HackerOne Platform, and updates to the third-party service providers (sub-processors) used to process Personal Information. A subscriber may be required to provide their email address and other contact information to receive communications.

3.1.4 Text Subscriptions. We may communicate with subscribers through text messages concerning the status of the HackerOne Platform. A subscriber is required to provide their phone number to receive texts.

3.1.5 Surveys. We occasionally conduct surveys in order to gather data central to assessing our business objectives and understanding the hacker community. Participation in surveys is always optional. Information provided in surveys is anonymized and aggregated for analysis.

3.1.6 Contact Us. There are multiple opportunities for you to contact us, including for support, to report a bug, make a suggestion, make a sales inquiry, request a product demonstration, request research, and for customer service. Online forms collect Personal Information such as a first name, last name, email address, company (if applicable), job title (if applicable), reason for contact, and may provide an option to attach a file. When we contact you in response to your request, we may collect additional Personal Information.

3.2 Personal Information we automatically collect through your use of the Services.

We receive some Personal Information automatically when you visit HackerOne Services. This includes information about the device, browser, and operating system you use when accessing our site and Services, your IP address, the website that referred you, which pages you request and visit, and the date and time of each request you make. If you visit the HackerOne Platform when you are logged into your account, we also collect the user identification number we assign you when you open your account.

3.3 Personal Information we collect from third-party sources.

We are continually expanding our customer reach. As part of our business-to-business marketing, we collect Personal Information from third-party sources to identify individuals who hold relevant job roles in key industries. Personal Information collected generally includes a first name, last name, job title, company name, email address, and phone number. We generally communicate via email or telephone to provide information about HackerOne programs and offer businesses an opportunity to try out HackerOne Services.

3.4 Personal Information of minors.

We welcome all hackers to register a HackerOne account as a finder, participate in our programs, and submit reports to HackerOne. We believe that skilled hackers are not determined by age. However, applicable laws may restrict our ability to collect Personal Information from minors unless we have first obtained the consent of the minor's parent or guardian. Please note that the definition of a minor varies by jurisdiction and various laws institute age related requirements. If you are considered a minor and want to submit a vulnerability report to us, please ask your parent or guardian to submit it for you. Please note that in addition, any bounty payments that may apply are only issued to an adult. HackerOne does not otherwise knowingly collect Personal Information of minors, and the HackerOne Services are not directed to minors. If we become aware that we have collected Personal Information from a minor in conflict with applicable law, we will delete that information or obtain the requisite consent from the minor's parent or guardian.

3.5 Personal Information we collect using cookies and similar tracking technologies.

We (and the third-party service providers working on our behalf) use various technologies to collect Personal Information. This may include saving cookies to your device. For information on what cookies are, which ones we use, why we use them, and how you can manage their use, please see our Cookies Policy.

4. HOW WE USE YOUR PERSONAL INFORMATION

We use your Personal Information to operate our Services, fulfill our contractual obligations in our service contracts with customers, to review and enforce compliance with our Terms, guidelines, and policies, to analyze the use of the Services in order to understand how we can improve our content and service offerings and products, and for administrative and other business purposes. We process Personal Information for sales leads, subscription services, payments, employee training, marketing, data analysis, security monitoring, auditing, research, and to comply with applicable laws, exercise legal rights, and meet tax and other regulatory requirements.

In this context, the legal basis for our processing of your Personal Information is either the necessity to perform contractual and other obligations, our legitimate business interest as a provider of security services, regulatory requirements, or in some instances your explicit consent.

5. SHARING OF PERSONAL INFORMATION

WE DO NOT SELL YOUR PERSONAL INFORMATION!

We may share your Personal Information in the following circumstances:

5.1 Third-party Service Providers.

We may share information we collect about you with third-party service providers to perform tasks on our behalf in supporting the Services. The types of service providers, or sub-processors, to whom we entrust Personal Information include: (i) payment providers; (ii) providers of hosting services; (iii) sales and marketing providers; (iv) providers of document and content management tools; (v) providers of data analytics services; and (vi) other services such as system support, subscription services, verification, and ticketing.

5.2 Customers.

For finders who participate in certain customer programs, to the extent described in the policies of such customer programs, HackerOne may share contact information about those finders (for example, name, company name (if applicable), and email address) so that those customers can contact those finders and interact with them directly, or as otherwise authorized by the finder, with respect to the specific customer program or service. For finders who choose to submit a vulnerability report directly to a customer outside the HackerOne Platform, HackerOne may provide that customer with a reference to your public profile information. As outlined in the Terms, in the event of a serious security concern, HackerOne may determine, in its sole discretion, that Personal Information will be shared with a customer to identify and resolve the security concern.

5.3 Regulatory Bodies, Public Authorities, and Law Enforcement.

We may access and disclose your Personal Information to regulatory bodies if we have a good-faith belief that doing so is required under applicable law or regulation. This may include submitting Personal Information required by tax authorities. We may disclose your Personal Information in response to lawful requests by public authorities or law enforcement, including to meet national security or law enforcement requirements. If we are going to release your Personal Information in this instance, our policy is to provide you with notice unless we are prohibited from doing so by law or court order (including orders under 18 U.S.C. § 2705(b)).

5.4 Merger, Sale, or Other Asset Transfers.

If we are involved in a merger, acquisition, financing due diligence, reorganization, bankruptcy, receivership, sale of company assets, or transition of service to another provider, then your Personal Information may be disclosed or transferred as part of such a transaction as permitted by law and/or contract. Should such an event occur, HackerOne will endeavor to direct the transferee to use Personal Information in a manner that is consistent with the Privacy Policy in effect at the time such Personal Information was collected.

5.5 Other Disclosures.

Where there is agreement by customers and finders that vulnerability reports are publicly disclosed, then certain information about the report associated with your profile may be published through our Services. We may share Personal Information with our affiliated companies. We may also disclose your Personal Information to exercise or defend legal rights; to take precautions against liability; to protect the rights, property, or safety of HackerOne, other users of our Services, of any other individuals, or of the general public; to maintain and protect the security and integrity of our Services or infrastructure; to protect HackerOne and our Services from fraudulent, abusive, or unlawful uses; or to investigate and defend HackerOne against third-party claims or allegations. Disclosures may be made to courts of law, attorneys and law enforcement, or other relevant third parties in order to meet these purposes.

Please note that we share aggregated information and non-identifying information with third parties for industry research and analysis, demographic profiling, and other similar purposes. In addition, our Services may contain links to other websites not controlled by us, and these other websites may reference or link to our Services; we encourage you to read the privacy policies applicable to these other websites.

If we transfer Personal Information of individuals located in the European Economic Area ("EEA"), United Kingdom ("UK"), or Switzerland that we have received under the EU-U.S. Privacy Shield Framework or Swiss-U.S. Privacy Shield Framework ("Privacy Shield") to a third party, HackerOne remains liable for such Personal Information and the actions of such third party.

5.6 California Consumer Privacy Act of 2018 ("CCPA").

Pursuant to §§ 1798.110 and 1798.115 of the CCPA, the categories of Personal Information we have collected about consumers and disclosed about consumers for a business purpose in the preceding 12 months are:

  • Identifiers such as a real name, alias, postal address, email address, unique personal or online identifier, Internet Protocol address, account name, SSN, driver's license or passport number, or other similar identifiers;
  • Other information that identifies, relates to, describes, or is capable of being associated with, a particular individual, including signature, bank account number, credit card number, debit card number, or any other financial information;
  • Commercial information, including products or services purchased, obtained, or considered; other purchasing or consuming histories or tendencies;
  • Internet or other electronic network activity information, including, browsing history, search history, and information regarding a consumer's interaction with an internet website, or advertisement;
  • Professional or employment-related information; and
  • Inferences drawn from any of the information identified to create a profile about a consumer reflecting the consumer's preferences, intelligence, abilities, and aptitudes (applies only to finders who have registered an account and participate in programs and subsequent skill ratings).

Please note that not all of this information is collected or disclosed from all consumers using our Services.

6. RETENTION OF PERSONAL INFORMATION

HackerOne retains Personal Information for a reasonable time period to fulfill the processing purposes mentioned above. Personal Information is then archived for time periods required or necessitated by law or legal considerations. When archival is no longer required, Personal Information is deleted from our records.

You may choose to disable your HackerOne account at any time. This means your user profile will no longer be visible on the Services. However, for the purposes mentioned above, we may need to retain information within our internal systems. In addition, public vulnerability reports and associated information that you have submitted will still be available on the Services.

We retain Personal Information that we are required to retain to meet our regulatory obligations including tax records and transaction history. We regularly review our retention policies to ensure compliance with our obligations under data protection laws and other regulatory requirements. We regularly audit our databases and archived information to ensure that Personal Information is only stored and archived in alignment with our retention policies.

7. PROTECTION OF PERSONAL INFORMATION

HackerOne uses technical and organizational measures to protect the Personal Information that we store, transmit, or otherwise process, against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. We regularly consider appropriate new security technology and methods as we maintain and develop our software and systems.

However, you should keep in mind that the Services are run on software, hardware, and networks, any component of which may, from time to time, require maintenance or experience problems or breaches of security beyond our control. Please also be aware that despite our best efforts to ensure the security of your data, we cannot guarantee that your information will be 100% secure.

Please recognize that protecting your Personal Information is also your responsibility. We urge you to take every precaution to protect your information when you are on the Internet, such as using a strong password, keeping your password secret, and using two-factor authentication. If you have reason to believe that the security of your account might have been compromised (for example, your password has been leaked), or if you suspect someone else is using your account, please let us know immediately.

8. INTERNATIONAL DATA TRANSFER

Your Personal Information may be transferred to, and maintained on, computers located outside of your state, province, country, or other governmental jurisdiction where the privacy laws may not be as protective as those in your jurisdiction. If you are located outside the United States and choose to provide your Personal Information to us, we will transfer your Personal Information to the United States and process it there. Where we transfer your Personal Information, we will take all reasonable steps to ensure that your privacy rights continue to be protected.

In the case of transfers of data out of Europe, we have committed to comply with the Privacy Shield. We endeavor to utilize third-party service providers from the United States that have certified with Privacy Shield or alternatively provide adequate protections that are compliant with the EU General Data Protection Regulation ("GDPR") such as implementing Standard Data Protection Clauses or Binding Corporate Rules.

8.1 Our Commitment to the Privacy Shield.

HackerOne complies with the EU-U.S. Privacy Shield Framework and Swiss-U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of Personal Information transferred from the EEA, UK, and Switzerland to the United States in reliance on Privacy Shield. HackerOne has certified to the Department of Commerce that it adheres to the Privacy Shield Principles with respect to such information. If there is any conflict between the terms in this Privacy Policy and the Privacy Shield Principles, the Privacy Shield Principles shall govern. To learn more about the Privacy Shield program, and to view our certification, please visit https://www.privacyshield.gov.

As part of its participation in Privacy Shield, HackerOne is subject to the investigatory and enforcement powers of the Federal Trade Commission. Organizations participating in the Frameworks must respond within 45 days of receiving a complaint. If you have not received a timely or satisfactory response to your question or complaint, please contact the JAMS Privacy Shield Program. Their website can be accessed at: https://www.jamsadr.com/eu-us-privacy-shield.

Please note that this independent dispute resolution body is designated to address complaints and provide appropriate recourse free of charge to the individual.

If an individual's complaint cannot be resolved through HackerOne's internal processes, HackerOne will cooperate with JAMS pursuant to the JAMS International Mediation Rules, available on the JAMS website at https://www.jamsadr.com/international-mediation-rules/. JAMS mediation may be commenced as provided for in the relevant JAMS rules. The mediator may propose any appropriate remedy, such as deletion of the relevant personal data, publicity for findings of noncompliance, payment of compensation for losses incurred as a result of noncompliance, or cessation of processing of the personal information of the individual who brought the complaint. The mediator or the individual also may refer the matter to the Federal Trade Commission. Under certain circumstances, individuals also may be able to invoke binding arbitration to address complaints about HackerOne's compliance with the Privacy Shield Principles.

9. PRIVACY RIGHTS

In compliance with the Privacy Shield, individuals have the right to access Personal Information and to correct, amend, restrict, or delete that information where it is inaccurate, or has been processed in violation of the Privacy Shield Principles, except where the burden or expense of providing access is disproportionate to the risks to the individual's privacy in the case in question, or where the rights of persons other than the individual would be violated.

If you have a HackerOne account, we rely upon you to keep your information up to date. You may edit your profile information and may also choose to disable your HackerOne account at any time through your account settings. For subscription services, such as newsletters, webinars, events, and the like, we offer you the ability to manage your preferences and choose whether to receive email communication for each service. To manage your preferences, please visit the Email Subscription Preference Center at https://ma.hacker.one/SubscriptionManagement.html. Where you are receiving communication from us of a marketing nature, we provide the ability for you to unsubscribe directly from the email.

Where we rely upon consent as a legal basis for processing, you may withdraw your consent at any time. Please note the withdrawal of your consent does not affect the lawfulness of processing based on consent before withdrawal.

Individuals in the EEA, UK, and Switzerland have certain rights that may be subject to limitations and/or restrictions. These rights include the right to: (i) request access to and rectification or erasure of their Personal Information; (ii) obtain restriction of processing or to object to processing of their Personal Information; and (iii) ask for a copy of their Personal Information to be provided to them, or a third party, in a digital format. If you wish to exercise one of the above-mentioned rights, please send us your request to the contact details set out below. Individuals also have the right to lodge a complaint about the processing of their Personal Information with their local data protection authority.

Rights under the CCPA may also apply to certain individuals and households. These rights include the right to: (i) know what Personal Information is being collected about them, (ii) know whether their Personal Information is sold or disclosed and to whom, (iii) say no to the sale of Personal Information, (iv) access their Personal Information, and (v) equal service and price, even if they exercise their privacy rights.

You may also contact us with your Personal Information inquiries or for assistance in modifying or updating your Personal Information and to exercise any additional applicable statutory rights. We respect the privacy of all individuals and invite you to submit your requests, irrespective of where you reside. Our contact details are provided at the end of this Privacy Policy.

10. CHANGES TO THIS POLICY

We may modify this Privacy Policy from time to time, which will be indicated by changing the date indicated at the top of this page. The most current version of the Privacy Policy will govern our use of your Personal Information and will always be at https://www.hackerone.com/privacy. If we make changes that we believe will substantially alter your rights, we will notify you by email (sent to the email address specified in your HackerOne account), by means of a notice on our Services prior to the change becoming effective, or as otherwise required by law. In certain cases, we may also seek your consent to further use of your Personal Information where this is required.

11. CONTACT INFORMATION

If you would like to contact us with questions or concerns about this Privacy Policy, our privacy practices, or would like to exercise your privacy rights, you may contact us via any of the following methods:

Email: privacy@hackerone.com

Toll-free Number (USA): +1 (855) 242-8699

Mailing Address:

Attn: Privacy Officer
HackerOne Inc.
22 4th Street, 5th Floor
San Francisco, CA 94103
United States of America

Our EU representative:

Attn: Privacy Officer
HackerOne B.V.
Griffeweg 97/4
9723 DV Groningen
The Netherlands