HackerOne strives to be a safe and transparent environment its users.
We collect some information from you when you create an account so that you can use the Services.
We also collect some information to make sure HackerOne works properly and to improve user experience. This may include using Your Information for analytical purposes.
Below is a more detailed explanation of the information we collect and use.
Whether or are a Customer or a Finder, when you create an account with HackerOne, you are required to provide us with profile information, including your name, company name (if applicable), username, password and email address. HackerOne stores this information to help identify you when you log in and help you communicate with other users.
Once you've registered with HackerOne, you create a user profile where you post information to help you communicate with other HackerOne users. Your profile information includes your name, company name (if applicable), username, and user identification number. You can also choose to add additional profile information, including a profile picture, your city and state, mobile phone, and any other information you like in the "About" field. We may display your profile information on our site, so that other users of HackerOne and visitors to our web site will be able to see that profile information.
If you are a Customer, in addition to your profile information, you may provide us with financial information, including your credit card or debit card information, or your banking information, in order to assist us in awarding Bounties, collecting Bounty Deposits or collecting HackerOne Fees.
If you are a Finder, in addition to your profile information, you may provide us with other personally identifying information, including your mailing address, your social security number (or tax identification number), and/or your banking or PayPal information in order to allow us to pay you monetary Bounty awards from Customers. If you are Finder and you prefer, your name may be a pseudonym instead of a legal name.
In addition to personal information, we collect any Vulnerability Reports and content that you submit, post, or display on the Services.
We receive some information automatically when you visit HackerOne. This includes information about the device, browser and operating system you use when accessing our site and Services, your IP address, the website that referred you to HackerOne, which pages you request and visit, and the date and time of each request you make to HackerOne. If you visit HackerOne when you are logged into your account, we also collect the user identification number we assign you when you open your account.
We retain access logs for 180 days, and then delete them.
When you log in to your account, HackerOne will place a cookie for the purpose of creating the session and knowing when you're logged in. The cookie contains an encrypted user identifier.
HackerOne sometimes partners with third-party services which may use various tracking technologies to provide certain services or features, including targeted online marketing. These technologies allow a partner to recognize your computer or mobile device each time you visit HackerOne, but do not allow access to Your Information from HackerOne. For a list of current partners, please contact us at email@example.com.
Most browsers include an option to clear existing cookies or reject new ones. If you prefer not to use any cookies, you can also opt out in some browsers by turning on "Do Not Track" or visit https://www.aboutads.info/choices to opt out directly. However, if you reject new cookies, portions of HackerOne will not function as intended. We currently do not support Do Not Track browser settings.
We may use Your Information when needed to keep the site and Services running and prevent abuse. Your Information is used internally only where necessary to provide our Services. In addition, if we employ other companies and people to perform tasks on our behalf, we may share Your Information with them as needed to provide the Services to you. Unless we tell you differently, our agents do not have any right to use any personal information we share with them beyond what is necessary to assist us.
For Finders who participate in certain Programs of particular Customers, to the extent described in the Program Policies, HackerOne may share contact information about those Finders (name, company name (if applicable) and email address) to allow those Customers to contact those Finders to allow them to interact directly.
We may share aggregated information and non-identifying information with third parties for industry research and analysis, demographic profiling and other similar purposes.
Information that we collect from all of our users, including Your Information, is considered to be a business asset. Thus, if we are acquired by a third party as a result of a transaction such as a merger, acquisition or asset sale, or if our assets are acquired by a third party in the event that we go out of business or enter bankruptcy, some or all of our assets, including Your Information, may be disclosed or transferred to a third party acquirer in connection with the transaction.
We will cooperate with government and law enforcement officials or private parties to enforce and comply with the law. We may disclose Your Information to government or law enforcement officials or private parties as we, in our sole discretion, believe necessary or appropriate: (i) to comply with law, regulation or valid legal process (including orders and subpoenas); or (ii) to protect our property, rights and safety and the property, rights and safety of a third party or the public in general. If we are going to release Your Information, our policy is to provide you with notice unless we are prohibited from doing so by law or court order (including orders under 18 U.S.C. § 2705(b)).
You may choose to disable your HackerOne account at any time. This means your user profile will no longer be visible on our site and Services. However, public reports and associated information that you've submitted will still be available on HackerOne. For this reason, users can't entirely delete their accounts.
HackerOne will use reasonable efforts to secure information submitted to us by our users. We use encryption (HTTPS/TLS) to protect data transmitted to and from our site. However, no data transmission over the internet is completely secure, so we cannot guarantee the absolute security of this data. You use the Services at your own risk, and are responsible for taking reasonable measures to secure your account (such as keeping your password secret).
We welcome minors to submit reports to HackerOne. However, the Children's Online Privacy Protection Act restricts our ability to collect personal information from children under 13.
HackerOne is not directed to people 12 and younger. If you are under 13 and want to submit a report to us, please ask your parent or guardian to submit it for you. If we become aware that we have collected personal information from a child under 13, we will delete that information.
Your Information may be transferred to, and maintained on, computers located outside of your state, province, country or other governmental jurisdiction where the privacy laws may not be as protective as those in your jurisdiction. If you are located outside the United States and choose to provide Your Information to us, we may transfer Your Information to the United States and process it there.
If you are a California resident, you may request and obtain from us, once a year, free of charge, a list of third parties, if any, to which we disclosed your Information for direct marketing purposes during the preceding calendar year and the categories of Your Information shared with those third parties. If you are a California resident and wish to obtain that information, please submit a request by sending us an email at firstname.lastname@example.org with "California Privacy Rights" in the subject line or by writing to us at HackerOne, 535 Mission St., Suite 1416, San Francisco, CA 94105.