HackerOne Privacy Policy

Last Updated: May 30th, 2018

HackerOne strives to be a safe and transparent environment for its users.

We want to make sure you, as a Customer or Finder, understand what information we collect from you and why. We also want you to know about our information use practices so that you can make good decisions about how you use HackerOne. This Privacy Policy explains what information we collect from and about you (collectively, "Your Information") and what we do with it.

Please read this Privacy Policy carefully. Remember that your use of our Services and all interactions you have with the HackerOne website are subject to the General Terms and Conditions located at https://www.hackerone.com/terms/general, which incorporates this Privacy Policy. This Privacy Policy covers our treatment of Your Information, but does not apply to the practices of companies we don't own or control, or people that we don't manage. If you have concerns about our data collection and use practices, as explained below, please do not use HackerOne.

If you reside within the European Union (EU), European Economic Area (EEA), or Switzerland, HackerOne, Inc. will be the data controller responsible for processing Your Information. HackerOne, Inc. has also appointed HackerOne B.V. as its EU representative who can alternatively be contacted by you on matters relating to the processing of Your Information under this Privacy Policy. See the Contact section of this Privacy Policy for details.

Some capitalized terms used in this Privacy Policy are defined in the General Terms and Conditions.

1. The Information We Collect

We collect some information from you when you create an account so that you can use the Services.

We also collect some information to make sure HackerOne works properly and to improve user experience. This may include using Your Information for analytical purposes.

Below is a more detailed explanation of the information we collect and use.

1.1. Information We Collect Directly From You

Whether you are a Customer or a Finder, when you create an account with HackerOne, you are required to provide us with profile information, including your name, company name (if applicable), username, password, and email address. HackerOne stores this information to help identify you when you log in.

Once you've registered with HackerOne, you create a user profile. Your profile information includes your name (if you choose to provide it), chosen user name, company name (if applicable), and if you choose, a profile photo, your location, and any other information you choose to include in the "About" field. We may display your profile information on our site where other users of HackerOne and visitors to our web site will be able to see that information.

If you are a Customer, in addition to your profile information, you may provide us with financial information, including your credit card or debit card information, or your banking information, in order to assist us in awarding Bounties, collecting Bounty Deposits, or collecting HackerOne Fees.

If you are a Finder, in addition to your profile information, you may need to provide us with other personally identifying information necessary for background and fraud checking purposes where required. This includes your date of birth, nationality, current and previous addresses, your social security number (or tax identification number), and for bounty award purposes, your banking, Coinbase, or PayPal information in order to allow us to pay you monetary Bounty awards from Customers. In addition, in order that we can award any "swag" where available, we may ask for information such as a mailing address, telephone number, and t-shirt size.

In addition to personal information we collect, your profile may be publicly associated with any Vulnerability Reports and content that you submit, in the event these are published on the Services.

1.2. Information We Automatically Collect

We receive some information automatically when you visit HackerOne. This includes information about the device, browser, and operating system you use when accessing our site and Services, your IP address, the website that referred you to HackerOne, which pages you request and visit, and the date and time of each request you make to HackerOne. If you visit HackerOne when you are logged into your account, we also collect the user identification number we assign you when you open your account.

HackerOne uses cookies and similar technologies to collect information about your access to and use of our site and Services and may sometimes partner with third-party services who may use various tracking technologies to recognise your computer or mobile device each time you visit HackerOne. The following types of cookies are used:

  • Strictly necessary cookies
    When you log in to your account, HackerOne will place cookie(s) for the purpose of creating the session, knowing when you're logged in, and recognizing you as the same authenticated user across accounts. These cookie(s) contain an encrypted user identifier.
  • Functionality cookies
    We use functionality cookies to recall information you provide, the choices you make, or the settings you select to optimize features for you across the Services or to remember changes you have made to customize the Service to you.
  • Analytic cookies
    We and our partners use cookies to collect statistical information about the use of our site and the Services to log what parts of the Services are visited and what you interact with. We use Google Analytics who collect information by reference to the cookie ID and IP of your browser and provide HackerOne with aggregated statistics about the use of our Services. We use this information to measure traffic and improve how our site and Services perform. This information may be transmitted to and stored on the servers of Google. You can opt-out from the collection of this information by Google by downloading and installing a browser plug-in at https://tools.google.com/dlpage/gaoptout.
  • Advertising and retargeting cookies
    We may use third-party services such as Google AdWords and Google DoubleClick to manage and provide certain services or features including targeted online marketing on our behalf on our site or across the Internet, in addition to other services such as Marketo and Bizible who use cookies to link visits to our site and Services to information a visitor chooses to provide on our behalf through the Services.
    We may use Twitter, LinkedIn, and Facebook pixels on certain site pages to learn whether you interact with online content and measure the effectiveness of our social media campaigns.

Most browsers include an option to clear existing cookies or reject new ones. More information about managing storage settings across different browsers can be found at www.allaboutcookies.org. If you prefer not to use any cookies, you can also opt out in some browsers by turning on "Do Not Track" or visiting https://www.aboutads.info/choices and https://www.youronlinechoices.com to opt out directly. Certain third parties we work with also offer their own opt-out tool including Google https://tools.google.com/dlpage/gaoptout. However, if you reject new cookies, portions of HackerOne will not function as intended. We currently do not support Do Not Track browser settings.

2. How We Use or Disclose Your Information

We may use Your Information when needed to provide and keep the site and Services running and prevent abuse. Your Information is used internally in this respect, to provide our Services under our Terms with you, for the purpose of our legitimate business interests, to comply with our legal obligations or with your consent. In particular, we use your information:

  • to allow us in our legitimate interest, to support, sign-in and verify access by registered users;
  • to establish and administer commercial relationships and transactions under our General Terms and Conditions;
  • to send you marketing communications, including via email and SMS in compliance with applicable laws and in accordance with your preferences, that we believe may be of interest to you;
  • to contact you about your account or reply to any communications you send us;
  • to troubleshoot, in our legitimate interest, any problems with your account or the Services;
  • to review and enforce compliance with our General Terms and Conditions and guidelines and policies; and
  • to analyze the use of HackerOne in order to understand how we can improve our content and services.

In addition, we employ other companies and people to perform tasks on our behalf in supporting the Services. This includes but is not limited to, providers of hosting, payment processing, document and content management tools, providers of software and services that allow integration with other of our systems such as for verification, ticketing, and escalation purposes, and providers of analytic data services. We may share Your Information with them as needed to provide the Services to you. Unless we tell you differently, our agents do not have any right to use any personal information we share with them beyond what is necessary to assist us.

Where there is agreement by Customers and Finders that Vulnerability Reports are publicly disclosed, then certain information about the report associated with your profile may be published through our Services.

Except as otherwise described in this Privacy Policy, we will only share Your Information with your consent, and after letting you know what information will be shared and with whom. We do not sell Your Information to any third party.

When you enter into a financial transaction related to our Services (to pay us or to be paid by us), we may, directly or through a third-party payment services provider, collect the financial information about you described above, all of which will be treated as Your Information for purposes of this Privacy Policy. We will use this information solely in connection with the financial transaction and will not share this information with third parties, except to the extent necessary to complete the financial transaction or comply with applicable law.

For Finders who participate in certain Programs of particular Customers, to the extent described in the Program Policies, HackerOne may share contact information about those Finders (name, company name (if applicable), and email address) to allow those Customers to contact those Finders to allow them to interact directly.

For Finders who choose to submit a Vulnerability Report directly to a Customer outside the HackerOne Platform, HackerOne may provide that Customer with a reference to your public profile information.

We may share aggregated information and non-identifying information with third parties for industry research and analysis, demographic profiling and other similar purposes.

Information that we collect from all of our users, including Your Information, is considered to be a business asset. Thus, if we are acquired by a third party as a result of a transaction such as a merger, acquisition or asset sale, or if our assets are acquired by a third party in the event that we go out of business or enter bankruptcy, some or all of our assets, including Your Information, may be disclosed or transferred to a third party acquirer in connection with the transaction. If in this respect Your Information will be used for any purpose not covered by this Privacy Policy, you will receive prior notification of the use of Your Information for the new purpose(s) and where relevant, your consent obtained for those new purposes, unless such processing is otherwise required or permitted by law.

We will cooperate with government and law enforcement officials or private parties to enforce and comply with the law. We may disclose Your Information to government or law enforcement officials or private parties as we, in our sole discretion, believe necessary or appropriate: (i) to comply with law, regulation or valid legal process (including orders and subpoenas); or (ii) to protect our property, rights and safety and the property, rights and safety of a third party or the public in general. If we are going to release Your Information, our policy is to provide you with notice unless we are prohibited from doing so by law or court order (including orders under 18 U.S.C. § 2705(b)).

3. Information Storage

With the exception of access logs, which are retained for two years and then purged from our systems, Your Information will be retained for the duration of your account and may be retained for a period after this time as necessary and relevant to our legitimate operations, our General Terms and Conditions with you, and in compliance with applicable law obligations. This may include retention necessary to meet our tax reporting requirements or for licensing purposes, as well as time required to enforce our rights or identify, issue, or resolve legal proceedings.

You may choose to disable your HackerOne account at any time. This means your user profile will no longer be visible on our site and Services. However, for the purposes mentioned above, we may need to retain information within our internal systems. In addition, public reports and associated information that you've submitted will still be available on HackerOne.

4. Security

HackerOne will use reasonable efforts to secure information submitted to us by our users. We use encryption (HTTPS/TLS) to protect data transmitted to and from our site. However, no data transmission over the internet is completely secure, so we cannot guarantee the absolute security of this data. You use the Services at your own risk, and are responsible for taking reasonable measures to secure your account (such as keeping your password secret).

5. Children

We welcome children to submit reports to HackerOne. However, applicable laws may restrict our ability to collect personal information from children.

The definition of a child varies by jurisdiction. In the United States, this section applies to you if you are under 13. In most member states of the European Union, this applies to everyone under 16.

HackerOne is not directed to minors. If you are considered a child and want to submit a report to us, please ask your parent or guardian to submit it for you. Please note that any bounty payments that may apply are only issued to an adult. If we become aware that we have collected personal information from a child in conflict with applicable law, we will delete that information.

6. International Transfer

Your Information may be transferred to, and maintained on, computers located outside of your state, province, country or other governmental jurisdiction where the privacy laws may not be as protective as those in your jurisdiction. If you are located outside the United States and choose to provide Your Information to us, we may transfer Your Information to the United States and process it there. Where we transfer Your Information, we will take all reasonable steps to ensure that your privacy rights continue to be protected.

In the case of transfers of data out of Europe, we have committed to comply with the EU and Swiss Privacy Shield frameworks. For more information about our Privacy Shield commitment please see below and our Privacy Shield Notice.

Our Commitment to the Privacy Shield

Adherence to the Privacy Shield Frameworks

HackerOne complies with the EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the European Union and Switzerland to the United States, respectively. HackerOne has certified to the Department of Commerce that it adheres to the Privacy Shield Principles. If there is any conflict between the terms in this privacy policy and the Privacy Shield Principles, the Privacy Shield Principles shall govern. For more information see our Privacy Shield Notice. To learn more about the Privacy Shield program, and to view our certification, please visit https://www.privacyshield.gov/.

7. Privacy Rights

We respect the rights you may have to request the Information held by us and where relevant, to receive a copy of this information or to receive that information in a commonly used electronic format (or have it provided to another service provider where feasible). You may also have the right under applicable law to request the correction or erasure of Your Information, to seek to object to the further processing under certain circumstances of Your Information or to request that specific processing is restricted while we verify or investigate your concerns with this information.

As mentioned above you have the right to object to certain further processing which includes direct marketing or to request a list of any third parties in the past calendar year to which we may have disclosed your information for direct marketing purposes along with details of the categories of information shared with those third parties. You can submit a request by email or by writing to us at the "Contact" address below.

If you remain unhappy with a response you receive, you can also refer the matter to a relevant data protection supervisory authority.

8. Changes to This Privacy Policy

We may revise this Privacy Policy from time to time. The most current version of the Privacy Policy will govern our use of your information and will always be at https://www.hackerone.com/privacy. If we make changes that we believe will substantially alter your rights, we will prominently display a notice on our site before we make those changes and may attempt to notify you by sending an email to the address specified in your account. In certain cases, we may also seek your consent to further use of your information where this is required.

9. Contact

HackerOne welcomes questions, concerns, and feedback about this Privacy Policy. If you have suggestions for us, feel free to let us know at privacy@hackerone.com or by writing to us at:

Attn: Privacy Officer
HackerOne, Inc.
300 Montgomery Street, 12th Floor
San Francisco, CA 94104
United States of America

Or by contacting our EU representative:

Attn: Privacy Officer
HackerOne B.V.
Stationsweg 3F
9726 AC Groningen
The Netherlands