Companies on our platform want to hear from you about potential security vulnerabilities they might have overlooked. By joining HackerOne, you can hack on some of the most challenging and rewarding bounty programs. Hackers have earned more than $20 million (and counting) in bug bounties -- that's nearly 2x more than all other bug bounty platforms combined.
Whether you're just getting started or have been hacking for decades, join the HackerOne Community to work directly with over 900 security teams and learn from peers who have accumulated over 50,000 resolved vulnerabilities in total. You can hack on web, APIs, Internet of Things (IoT), Android/iOS and anything else worth protecting.
Hack all the things. Gain all the rep. The Leaderboard shows who the top hackers are, both all-time and per quarter, so you can chart your rise and set your sights on reaching the levels of the most prominent hackers. Gaining status and reputation means you'll be invited to private programs, get access to juicier targets, learn from the amazing community, boost your reputation, and - ultimately - get paid!
We host live-hacking events in cities around the world, inviting the top hacking talent to join. We've paid out over $1,000,000 in bounties at our live-hacking events, which feature bonus rewards, new scopes, bounty multipliers and more, as well as private pool deck parties, thousands of dollars in custom swag, live musical performances, and the opportunity to network with other top hackers and meet the security teams of HackerOne and our customers.
Hacker101 is a collection of videos that will teach you everything you need to operate as a bug bounty hunter. The material is available for free from HackerOne and is taught by HackerOne's Cody Brocious, a security researcher and educator with over 15 years of experience. While best known for his work finding several vulnerabilities in locks used by the majority of U.S. hotels, Cody has worked on security for countless companies and products and has directed that expertise into Hacker101. Get started learning with Hacker101 and let us know your progress with #hacker101.
We've teamed up with Burp Suite to offer promising hackers the full capabilities that Burp Suite Pro offers. When you reach a reputation of at least 500 and maintain a positive signal, you are eligible for three months of Burp Suite Professional, the premier offensive hacking solution, for free.
At HackerOne we want our hacker community to be successful. With this in mind, we want to ensure you all have access to great knowledge and education around hacking. Sure, we want you to use HackerOne to find interesting vulnerabilities and make some money, but that is just part of the picture. We are delighted to be giving away a free copy of Peter Yaworski’s excellent Web Hacking 101 e-book when you sign up to hack on HackerOne.
Sign up for an account. You will need a name, username, and a valid email address. You can remain anonymous with a pseudonym, but if you are awarded a bounty you will need to provide your identity to HackerOne. Be sure to take a look at our Disclosure Guidelines, which outline the basic expectations that both security teams and hackers agree to when joining HackerOne.
Find a participating program. Read the Security Page closely; it will give you the information you need to participate in the program, including the scope of the program and reward expectations. Programs can offer thanks, swag, and/or bounties for valid reports; every program is different and it's at the discretion of the program what sort of reward they offer, so be sure to check that out before you submit a report.
Start hacking and submitting reports. Your reports should include a detailed description of your discovery with clear, concise, reproducible steps or a working proof-of-concept (POC). If you don't explain the vulnerability in detail, there may be significant delays in the disclosure process, which is undesirable for everyone. If you're not sure what a good report looks like, here are some tips.
Before you submit a security vulnerability, make sure to read through the program’s scope. The scope determines whether or not a company is interested in a particular vulnerability. Once you have confirmed the program will accept the vulnerability, be sure to submit the issue to the program.
A good report is made up of a few things — a descriptive title, a thorough explanation and proof of concept, and metadata. @nahamsec wrote a great guide on how to write a good report. You can read it here: https://support.hackerone.com/hc/en-us/articles/211538803-Step-by-Step-How-to-write-a-good-vulnerability-report.
A company will review the contents and triage the vulnerability. You can review the Response Efficiency metrics on a company's policy page. These will help you determine how quickly a company responds to, pays bounties on, and resolves bugs.
The hacker community is a group of tens of thousands of people that make the internet safer for everyone. A lot of us are learning new things every day. In order for us to excel and discover new techniques and entire vulnerability classes, we try to share as much information as possible. This is often done through blog posts, how-tos, CTF challenges, public disclosure, or a simple tweet. This is one of the things that makes this such an amazing community!
Your profile displays three metrics - your reputation, signal, and impact. On HackerOne, you get reputation for every report you submit. The higher the severity, the more reputation you’ll gain. If you submit invalid reports, your reputation score will go down. Reputation cannot go below zero. Your signal is a number between -10 and 7 and represents the average reputation you gained or lost per report. Impact ranges from 0 to 50 and is the average reputation you gained for the severity of the report. All three metrics are used in the HackerOne invitation calculation for private programs. Here’s a blog post about how the invitation system works.
Hacktivity is the front page of our community showcasing select activity regarding vulnerabilities (once disclosed), hackers, programs, and bounty awards. In this article, we'll answer the most frequently asked questions regarding Hacktivity.
To qualify for Hacktivity, the activity must occur within a public program. It will then show up if any of the following criteria is met:
A Hacker has been "Thanked" (Vulnerability Resolved);
A Hacker has received a bug bounty;
A Hacker has received swag;
A Vulnerability Report has been publicly disclosed.
This means a closed report that is not yet public would appear (with a redacted title) if it was resolved and/or received awards. It also means a report that had been resolved, re-opened, and then closed as informative or in any other closed state would also appear.
Your personal Hacktivity feed on your profile follows the same rule.
On the Popular page, activities are ranked primarily by their aggregated upvotes divided by a power of the time since they were last updated on Hacktivity. The vote is weighted slightly more if it comes from a hacker with high Signal. Each activity gets an initial boost if it is resolved and/or receives an above average bounty.
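As an added illustration (not HackerOne's code), the Popular ranking described above can be modelled like this in Python; the gravity exponent, the high-Signal vote weight, the resolved and bounty boosts, and the age offset are all assumed values, since the page states none of them.

```python
from dataclasses import dataclass, field
from typing import List

# Assumed tuning parameters (not published by HackerOne).
GRAVITY = 1.8                 # exponent applied to the age of the activity
HIGH_SIGNAL_THRESHOLD = 3.0   # Signal runs from -10 to 7; "high" cut-off is assumed
HIGH_SIGNAL_WEIGHT = 1.25     # "weighted slightly more" - assumed multiplier
RESOLVED_BOOST = 5.0          # initial boost for a resolved report
BOUNTY_BOOST = 5.0            # initial boost for an above-average bounty
AGE_OFFSET_HOURS = 2.0        # keeps the divisor finite for brand-new activity

@dataclass
class Upvote:
    voter_signal: float       # Signal of the hacker who cast the upvote

@dataclass
class Activity:
    report_id: str
    hours_since_update: float # time since the activity was last updated on Hacktivity
    resolved: bool
    bounty: float
    upvotes: List[Upvote] = field(default_factory=list)

def weighted_votes(activity: Activity) -> float:
    """Each upvote counts 1.0, or slightly more when the voter has high Signal."""
    return sum(HIGH_SIGNAL_WEIGHT if v.voter_signal >= HIGH_SIGNAL_THRESHOLD else 1.0
               for v in activity.upvotes)

def initial_boost(activity: Activity, average_bounty: float) -> float:
    """Boost granted for being resolved and/or paying an above-average bounty."""
    boost = RESOLVED_BOOST if activity.resolved else 0.0
    if activity.bounty > average_bounty:
        boost += BOUNTY_BOOST
    return boost

def popular_score(activity: Activity, average_bounty: float) -> float:
    """Weighted votes plus boost, divided by a power of the age since last update."""
    age = max(activity.hours_since_update, 0.0) + AGE_OFFSET_HOURS
    return (weighted_votes(activity) + initial_boost(activity, average_bounty)) / age ** GRAVITY

def rank_popular(activities: List[Activity], average_bounty: float) -> List[str]:
    """Report ids in the order the Popular page would list them (highest score first)."""
    ordered = sorted(activities, key=lambda a: popular_score(a, average_bounty), reverse=True)
    return [a.report_id for a in ordered]

# Constructed sample data with made-up report ids: a fresh unresolved report with two
# low-Signal votes, a fresh resolved report with one high-Signal vote and a large bounty,
# and a two-day-old resolved report with forty high-Signal votes.
SAMPLE = [
    Activity("rpt-A", 1.0, False, 0.0, [Upvote(0.5), Upvote(1.0)]),
    Activity("rpt-B", 1.0, True, 2000.0, [Upvote(5.0)]),
    Activity("rpt-C", 48.0, True, 2000.0, [Upvote(6.0) for _ in range(40)]),
]
```

With an assumed average bounty of 500, the fresh resolved report outranks both the unboosted fresh report and the older report despite the latter's many votes, showing how the age divisor decays an activity's score.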
The New page is ordered chronologically. A previously listed vulnerability goes back to the top if any of the following activities happens: closed as resolved, awarded a bounty, awarded swag, or publicly disclosed.
Yes -- all you need is an account! However, you can only upvote once on each activity.
You're able to see the top ten hackers (ranked by Signal) who voted on an activity when hovering over the upvote count.
Not yet, but you can certainly retract your upvote. If you feel strongly about downvoting, feel free to send a feature request to us.