Commercial Community Member (CCM) Terms and Conditions
Effective Date: May 11, 2026
These Commercial Community Member Terms ("CCM Terms") are intended to support transparency, trust, and fair participation for all Community Members on the Platform.
These additional terms shall apply to any Community Member that creates a commercial account on the Platform ("Commercial Community Member Account" or "CCM Account") or that otherwise accesses the Platform for the purpose of participating in Programs and/or providing Community Member Submissions in a Commercial Capacity ("Commercial Community Member" or "CCM").
These CCM Terms supplement and form part of the Community Member Terms and Conditions. Capitalized terms not defined here have the meanings given in the Terms.
If there is a conflict, these CCM Terms govern only with respect to CCM activity and Commercial Community Member Accounts.
1. Commercial Community Members
1.1) Commercial Capacity
A Community Member acts in a Commercial Capacity where such Community Member:
a) is a corporation, limited liability company, partnership, or other legal entity; or
b) accesses or uses the Platform at the direction or under the supervision of, on behalf of, or as an agent or representative of a corporation, limited liability company, partnership, or other legal entity; or
c) receives compensation from a third party in connection with participation in Programs or use of the Platform, other than standard Rewards earned through the Platform.
A Commercial Community Member does not include an individual Community Member that: (i) partners or collaborates with one or more Community Members or (ii) forms and uses a legal entity (such as a limited liability company) to receive Rewards earned by such individual Community Member. For purposes of subsection (c), a Reward shall be deemed compensation from a third party where a Community Member is obligated to remit, assign, or share such Reward with a third party pursuant to a contractual or employment arrangement relating to the use of the Platform.
1.2) Designation
1.2.1) Commercial Community Members, or accounts that HackerOne has a reasonable basis to believe are being operated by a Community Member in a Commercial Capacity, are required to use designated account types, profiles, disclosures, and/or labels provided by HackerOne to distinguish their accounts from individual, non-commercial Community Members.
1.2.2) HackerOne will provide written notification to Community Members that it reasonably believes may be non-compliant with these designation requirements, including the basis for such determination, and will provide a reasonable opportunity to such Community Members to correct such non-compliance or demonstrate that they are not operating in a Commercial Capacity.
2. Self-Identification, Transparency and Account Management
2.1) Mandatory Disclosure
2.1.1) Commercial Community Members must accurately self-identify as acting in a Commercial Capacity on the Platform and, where reasonably requested by HackerOne, provide complete and up-to-date information, including, without limitation: legal name, jurisdiction of formation, and a list of users authorized to access the CCM Account.
2.1.2) HackerOne reserves the right to pause, suspend, or terminate any account which it reasonably suspects to be operating as a Commercial Community Member but has failed to identify as one, or properly disclose all CCM Account Users.
2.2) Commercial Community Member Account Owner
2.2.1) Commercial Community Members shall provide the identification details of at least one (1) designated owner of the CCM Account, who must be a legally authorized representative of the commercial entity or organization ("CCM Account Owner").
2.2.2) All CCM Account Owners shall complete an identity verification every twelve (12) months from the date the CCM Account is created.
2.2.3) All CCM Account Owners shall provide to HackerOne additional information reasonably requested by HackerOne to verify account identity, authority, and/or compliance with Applicable Law (e.g., KYC/AML requirements).
2.2.4) Subject to Sections 2.2.1, 2.2.2, and 2.2.3 and HackerOne's applicable onboarding and offboarding procedures, Commercial Community Members may add or replace CCM Account Owners at any time, provided that no CCM Account may have more than three (3) registered CCM Account Owners at any given time.
2.2.5) HackerOne reserves the right to pause the CCM Account and all applicable Commercial Community Member activity on the Platform pending the completion of all necessary onboarding and offboarding procedures by each CCM Account Owner or at any time the CCM Account fails to successfully register at least one (1) CCM Account Owner.
2.2.6) For a CCM Account to remain active, at least one (1) CCM Account Owner must be successfully and actively registered with the CCM Account. HackerOne reserves the right to pause, suspend or terminate any CCM Account in the event a CCM Account Owner fails, in HackerOne's sole discretion, to satisfy its obligations under the Terms or while using the Platform, including any applicable identity verification requirements.
2.3) Responsibility for CCM Account Users
Each Commercial Community Member represents and warrants that it:
a) is fully responsible for all activity conducted through its CCM Account or otherwise on its behalf on the Platform, including all activity by any individual it authorizes to access, use or be associated with its CCM Account (each, a "CCM Account User"), and shall maintain appropriate administrative, technical, and procedural controls to manage such access, use and affiliation; and
b) shall ensure that each CCM Account User:
i. complies with all eligibility, sanctions, export control, data protection and legal compliance requirements set forth in the Terms, including, without limitation, the Community Member Registration requirements;
ii. has successfully completed a background check, if required by Customer prior to Program participation;
iii. clearly discloses their status as a CCM Account User when participating in any Program; and
iv. does not submit, and does not attempt to submit, a duplicate or additional Submission to the same Program through any other account on the Platform while authorized to participate in that Program under the Commercial Community Member's CCM Account.
2.4) Acting for Third Parties
Commercial Community Members accessing or using the Platform on behalf of, or for the benefit of, a third party (including a client or customer) must disclose to HackerOne, and where required by a Program Policy to the relevant Customer, that they are acting on behalf of a third party in connection with Platform activity.
2.5) No Misrepresentation
Except as expressly permitted in writing by HackerOne or Customer, as applicable, Commercial Community Members are not permitted to represent or imply that they are:
a) affiliated, endorsed, certified, approved, or partnered with HackerOne;
b) acting on behalf of or as an agent or representative of HackerOne; or
c) acting on behalf of or as an agent or representative of a Customer.
3. Authority and Eligibility
3.1) Authority
3.1.1) Each Commercial Community Member represents and warrants that it has all requisite corporate power, authority, licenses, insurance, registrations, and approvals to enter into and be bound by the Terms, any applicable Program Policies, and any other terms, consents, policies and procedures relevant to accessing and using the Platform and participating in Programs or other services offered on or available through the Platform.
3.1.2) Each Commercial Community Member represents and warrants that each CCM Account Owner has been duly authorized to act on its behalf and to bind the Commercial Community Member to any terms, consents, policies and procedures relevant to accessing and using the Platform and participating in Programs or other services offered on or available through the Platform.
3.2) Eligibility
3.2.1) Commercial Community Members must comply with all Applicable Law and all eligibility, sanctions, export control, and legal compliance requirements set out in the Terms, as applicable.
3.2.2) Commercial Community Members shall immediately inform HackerOne upon reasonable suspicion or knowledge that any CCM Account user is no longer eligible to use the Platform, or lawfully act in the capacity of a CCM Account Owner.
4. Use of the Platform
4.1) General Restriction
Except as expressly permitted by HackerOne or by the applicable Program Policy, Commercial Community Members shall not, directly or indirectly:
a) use the Platform or Confidential Information or other non-public materials obtained through the Platform to develop or enhance any product or service that replicates or is substantially similar to the functionality of the Platform or competes with HackerOne's products or services;
b) access or use the Platform for the benefit of, or in collaboration with, any unauthorized third parties;
c) copy, scrape, harvest, extract, mine, analyze, or create derivative works from any data, content, workflows, reports, or materials obtained through the Platform, including for purposes of training, fine-tuning, or otherwise improving any machine learning models, automated systems, or similar technologies; or
d) assist, encourage, or permit any third party to do any of the foregoing.
These restrictions apply during the term of access and thereafter with respect to any Confidential Information or other non-public materials obtained through the Platform.
5. Conduct and Solicitation
5.1) No Solicitation
Commercial Community Members shall not, directly or indirectly, use the Platform to circumvent Program terms or to initiate or facilitate engagements that are intended to avoid Platform fees, protections, or Program requirements (including, without limitation, through messaging, profile generation, submissions, or Program participation). This includes:
a) advertising, marketing, promoting, soliciting, recruiting, contracting with, or otherwise pursuing business relationships with any Customer or Community Member outside of the Platform;
b) diverting or attempting to divert any Customer or Community Member from engaging on the Platform;
c) initiating, encouraging, or facilitating communications intended to move transactions or engagements off of the Platform; or
d) assisting, encouraging, or enabling any third party to engage in any of the foregoing.
Nothing in this section restricts Commercial Community Members from maintaining independent business relationships outside of the Platform that are not initiated through or derived from misuse of the Platform.
5.2) Professional Standards
Commercial Community Members must comply at all times with the HackerOne Code of Conduct and all applicable Program Policies. Commercial Community Members must conduct themselves in a professional, lawful, and ethical manner and ensure that all communications and interactions on the Platform are accurate, complete, and not misleading, by statement or omission.
6. Branding, Trademarks, and Public Statements
6.1) Use of HackerOne Marks
6.1.1) Commercial Community Members may only use HackerOne's name, logo, trademarks, service marks, trade names, slogans, branding elements, or any confusingly similar designation ("H1 Brand Assets") in accordance with HackerOne's published trademark and logo usage guidelines ("H1 Brand Guidelines").
6.1.2) Except as expressly authorized in writing by HackerOne, Commercial Community Members are not permitted to use H1 Brand Assets in any press release, public announcement, marketing material, website, social media post, investor communication, case study, testimonial, or other public communication.
6.2) No Implied Affiliation
Commercial Community Members may not state, represent or imply any endorsement, partnership, affiliation, or certification by HackerOne without HackerOne's prior written approval.
6.3) Approvals
Any use of H1 Brand Assets not contemplated by the H1 Brand Guidelines requires HackerOne's prior written approval.
6.4) Customer Branding
Commercial Community Members may not use Customer names or logos, or publicize their participation in a Program, without the Customer's prior written approval.
6.5) No Expansion of Trademark Rights
Except as expressly authorized in writing by HackerOne, nothing in these CCM Terms grants additional rights to a Commercial Community Member to use H1 Brand Assets. All goodwill arising from any permitted use of H1 Brand Assets shall inure solely to the benefit of HackerOne.
7. Confidentiality and Third-Party Tools
Commercial Community Members must not input any HackerOne or Customer Confidential Information or other non-public information obtained from the Platform, including vulnerability details or credentials, into third-party AI tools unless expressly permitted by HackerOne or the Customer, as applicable.
8. Enforcement
8.1) Remedies
In addition to any rights under the Terms, HackerOne may suspend, restrict, or terminate Commercial Community Member access to the Platform, remove Commercial Community Member content from the Platform, or impose program-level limitations on Commercial Community Member for failure to comply with these CCM Terms.
8.2) Verification
8.2.1) HackerOne may, at any time, request information reasonably necessary to verify Commercial Community Member's compliance with these CCM Terms, including Commercial Community Member's identity and authority to use the Platform.
8.2.2) For the avoidance of doubt, these CCM Terms do not convert Commercial Community Members into employees, agents, or representatives of HackerOne or any Customer.
9. Dispute Resolution & Arbitration
9.1) Arbitration Procedure
To the fullest extent permitted by applicable law, any dispute, claim, or controversy between HackerOne and the Commercial Community Member arising out of or relating to a CCM's compliance with the Terms (including these CCM Terms), any CCM Account, a Commercial Community Member's use of the HackerOne Platform, or any services provided by a Commercial Community Member or any of their CCM Account users shall be resolved exclusively by final and binding individual arbitration as follows:
a) Commercial Community Members registered in the United States. If a CCM Account is validly registered in the United States, then the arbitration shall be administered by the American Arbitration Association ("AAA") in accordance with its Commercial Arbitration Rules. The Federal Arbitration Act ("FAA") shall govern the interpretation and enforcement of this arbitration provision. The seat of arbitration shall be Wilmington, Delaware, United States.
b) Commercial Community Members registered outside the United States. If a CCM Account is validly registered in a jurisdiction outside of the United States, then the arbitration shall be administered by the AAA's International Centre for Dispute Resolution ("ICDR") in accordance with its International Arbitration Rules. The seat of arbitration shall be London, England, and the arbitration shall be governed by the Arbitration Act 1996.
9.2) Arbitration Rules Generally
The arbitration shall be conducted in English by a single arbitrator. The arbitrator shall have exclusive authority to resolve any dispute relating to the interpretation, applicability, or enforceability of this arbitration provision, including any threshold question of arbitrability. All arbitration proceedings shall be conducted on an individual basis. HackerOne and Commercial Community Member waive any right to trial by jury and any right to participate in a class action, class-wide arbitration, representative action, or consolidated proceeding.
9.3) Arbitration Exceptions
Notwithstanding the foregoing, HackerOne or Commercial Community Member may seek injunctive or equitable relief in a court of competent jurisdiction for claims relating to (i) infringement or misuse of intellectual property rights or (ii) protection of confidential information or the security or integrity of the Platform. Any such court proceeding shall not constitute a waiver of the right to arbitrate any other dispute.