Last Updated: February 16, 2021
Certain capitalized terms used in this document are defined in the General Terms and Conditions found at https://www.hackerone.com/terms/general, which are incorporated by reference. This document shall form a part of the Terms.
- Policies and Procedures. HackerOne shall maintain written security management policies and procedures to prevent, detect, contain, and correct violations of measures taken to protect the confidentiality, integrity, and availability of HackerOne information systems and/or Customer's Confidential Information. Such policies and procedures shall (i) assign specific data security responsibilities and accountabilities to specific individual(s); (ii) include a formal risk management program, which includes periodic risk assessments; and (iii) provide an adequate framework of controls that safeguard Customer's information systems, including without limitation any hardware or software supporting Customer, and Customer's Confidential Information.
- Security Evaluations. HackerOne shall engage one or more third parties to periodically (no less than annually) evaluate its processes and systems to ensure continued compliance with obligations imposed by law, regulation, or contract with respect to the confidentiality, integrity, availability, and security of Customer's Confidential Information within HackerOne information systems as well as the maintenance and structure of HackerOne's information systems. The results of these evaluations and any remediation activities taken in response to such evaluations will be documented and available to Customers upon request.
- Physical Security. HackerOne shall maintain appropriate physical security controls (including facility and environmental controls) to prevent unauthorized physical access to HackerOne information systems and areas in which Customer's Confidential Information is stored or processed.
- Visitor Access Logs. HackerOne shall maintain sign in access logs for visitors and guests and ensure that such visitors and guests are escorted while in the facility. In addition, these access logs shall be maintained in a secure location for three (3) months.
- Perimeter Controls. HackerOne shall maintain reasonable network perimeter controls such as firewalls at all perimeter connections. HackerOne shall periodically (no less than annually) evaluate its network perimeter controls.
- Vulnerability Management. HackerOne shall employ reasonable vulnerability management processes to mitigate data security risks to Customer's Confidential Information. These processes shall include mitigation steps to resolve issues identified by HackerOne, Customer, or any regulator, auditor, or other external constituent of either party.
- System Hardening. System configuration parameters shall include procedures to disable all unnecessary services on devices and servers. This practice shall at a minimum be applied to all systems that access, transmit, or store Customer's Confidential Information.
- Patch Management. HackerOne shall establish and adhere to policies and procedures for patching systems. Systems and applications used to access, process or store Customer's Confidential Information shall be maintained at current stable patch level.
- Anomaly Detection. HackerOne shall install commercially reasonable anomaly detection software, to include anomaly / intrusion detections and deviations from standard system configuration, on all systems used to access, process or store Customer's Confidential Information as well as other information that HackerOne hosts. In addition, definition files shall be updated regularly.
- Incident Response. HackerOne shall maintain formal processes to detect, identify, report, respond to, and resolve any event that compromises the confidentiality, availability, or integrity of Customer's data or service provider's systems ("Security Incidents") in a timely manner.
- Incident Notification. HackerOne shall immediately provide Customer with notification of any known or reasonably suspected breach of security relating to Customer Systems or Customer's Confidential Information. HackerOne will notify Customer immediately following discovery of any suspected breach or compromise of the security, confidentiality, or integrity of any Customer's Confidential Information. Written notification provided pursuant to this paragraph will include a brief summary of the available facts and the status of HackerOne's investigation.
- System Logs. For all systems that access, transmit or store Customer's Confidential Information, system logs shall be in place to uniquely identify individual users and their access to associated systems and to identify the attempted or executed activities of such users. All systems creating system logs shall be synchronized to a central time source. Reasonable processes shall be in place to review privileged access and identify, investigate and respond to suspicious or malicious activity. System log trails shall be secured in a manner to prevent unauthorized access, modification, and accidental or deliberate destruction. These logs shall be maintained in accordance with the retention requirements set forth in the Agreement or upon a mutual written agreement signed by both parties.
- Background Checks. HackerOne shall maintain processes to determine whether a prospective member of HackerOne's workforce is sufficiently trustworthy to work in an environment which contains HackerOne information systems and Customer's Confidential Information.
- Change Control Process. HackerOne shall maintain reasonable change control processes to approve and track all changes within HackerOne's computing environment. Substantive changes to the HackerOne production environment require a separate tracking and review process with additional authorizations.
- Protection of Storage Media. HackerOne shall ensure that storage media containing Customer's Confidential Information is properly sanitized of all Customer's Confidential Information or is destroyed prior to disposal or re-use for non-HackerOne processing. All media on which Customer's Confidential Information is stored shall be protected against unauthorized access or modification. HackerOne shall maintain reasonable and appropriate processes and mechanisms to maintain accountability and tracking of the receipt, removal and transfer of storage media used for HackerOne information systems or on which Customer's Confidential Information is stored.
- System Accounts. HackerOne shall maintain appropriate processes for requesting, approving, and administering accounts and access privileges for HackerOne information systems and Customer's Confidential Information. HackerOne personnel, who access systems that store, transmit or process Customer's Confidential Information shall be assigned individual system accounts to ensure accountability for access granted. This information is logged and stored in accordance with HackerOne’s Data Retention guidelines.
- Passwords. HackerOne shall implement appropriate password parameters for systems that access, transmit or store Customer's Confidential Information ("Related Systems"). HackerOne shall implement strong authentication services,complex passwords ("Passwords"), and Multi-factor Authentication (where applicable) for all network and systems access to Related Systems. Default manufacturer passwords used in HackerOne's products shall be changed upon installation.
- Third Parties. HackerOne shall ensure that any agent, including without limitation any third-party subprocessor or subcontractor, to whom HackerOne provides Customer's Confidential Information agrees to maintain reasonable and appropriate safeguards to protect such Customer's Confidential Information.