Our customers trust us to help them protect their most valuable assets by working with hundreds of thousands of vetted hackers.
Those hackers also trust us to provide a fair, safe, and rewarding platform for them to report potential security vulnerabilities. HackerOne, and hacker-powered security itself, is built on trust. That trust must be earned through transparency, security, privacy, compliance, and more. We start with the belief that no organization is 100% secure. Then we do everything we can to make your organization and ours as secure as possible.
We ensure our data collection and handling practices comply with the General Data Protection Regulation (GDPR) and its rules on data protection, privacy, and transfer. Our continued efforts include appointing a privacy officer, implementing policies and procedures, entering into a Data Processing Addendum with our customers and vendors, providing a list of data subprocessors, training all internal employees on privacy, and reviewing these practices annually with a third party to ensure they remain effective and current.
HackerOne is GDPR compliant.
We adhere to the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks, which were designed by these respective governments to help global companies comply with the various data protection requirements. The Privacy Shield covers how participating organizations use and treat personal data received from the EU, the UK, and Switzerland.
We use a Data Processing Addendum (DPA) to ensure adequate safeguards are put in place to protect customer personal data processed by HackerOne. The DPA obliges us to implement appropriate security measures, limit access to personal data, alert customers to incidents and data requests involving their data, and more.
We are working towards compliance with the California Consumer Privacy Act (CCPA), which outlines privacy requirements related to data collection, storage, access, and more. The compliance deadline is January 1, 2020.
Our customers trust us with critical data contained within vulnerability reports and related to their technologies and security efforts. We work hard to ensure every bit of data is safe and protected.
We also run our own vulnerability disclosure and bug bounty programs, available at https://hackerone.com/security. We believe in transparency, so reported vulnerabilities are publicly disclosed once confirmed and resolved.
bcrypt(15, salt, strcat(password, sha512(app-token, env-token))).
If you have any questions about our security efforts or suggestions on how HackerOne could be improved, please let us know at firstname.lastname@example.org.
As part of our commitments to our customers, we further commit to specific Data & Information Security Terms. These cover policy, security, management, incident response, and more to detail how we protect customer data.
We provide our users with a service, and they look to us to ensure we have adequate internal controls over our systems and their data.
We’ve engaged respected third-party firms to audit our infrastructure and security practices, resulting in a System and Organization Controls (SOC) 2 Type II audit report, as well as ISO 27001 certification and UK Cyber Essentials certification.
The HackerOne Platform runs on Amazon Web Services (AWS). We recommend you also review their compliance information at aws.amazon.com/compliance.
SOC 2 is an attestation framework, defined by the AICPA and audited under the SSAE 18 standard, for showing that a service provider has adequate controls over customer data. A Type II report covers not only the design of those controls but their operating effectiveness over a review period, which is what assures customers that a provider's security apparatus is actually working. Our SOC 2 Type II report, covering the security, availability, and confidentiality trust services criteria, is available under NDA to current and prospective customers. Our SOC 3 report, a general-use summary of the same audit, is publicly available for anyone to review.
ISO/IEC 29147 provides requirements and recommendations for disclosing vulnerabilities in products and services to affected parties. We are in compliance with these requirements and can help our customers comply as well.
ISO/IEC 30111 provides guidelines for how to process and resolve potential vulnerability information in a product or online service. We are in compliance with these requirements and can help our customers comply as well.
The Vendor Security Alliance (VSA) is a coalition of companies committed to improving internet security. They provide a questionnaire to ensure vendors have appropriate security controls in place. Our VSA questionnaire is available upon request.
The PCI Security Standards Council develops and maintains the PCI DSS, the security standard for protecting cardholder account data. We do not store, process, or transmit cardholder data ourselves; card payments are handled by Stripe, a third-party processor certified as a PCI Level 1 service provider, which publishes details of how it protects credit card data. For our part in accepting credit cards, we have completed the PCI DSS Self-Assessment Questionnaire and the related Attestation of Compliance, both of which are available upon request.
Section 508 is a U.S. federal law mandating that all information and communications technology used by the government be accessible to people with disabilities. Our platform supports or partially supports this requirement, details of which can be found in our Voluntary Product Accessibility Template (VPAT).
We believe all technology contains vulnerabilities and the public plays a crucial role in identifying these gaps.
Since we are a technology company, we encourage the public to seek and report potential security vulnerabilities in our technology, and we even use our own technology to facilitate this process. That includes working with them to resolve the issue and ensuring they are fairly compensated for their discovery.
We also believe in transparency when it comes to our security, and that public disclosure not only reassures our customers, it makes the internet safer for everyone. When valid vulnerabilities are discovered in our technology, they are publicly disclosed once confirmed and resolved. You can see those disclosures on our hacktivity page, which shows information from our vulnerability disclosure and bug bounty programs.
Transparency also extends to our platform uptime, incidents, and service level agreements, details of which are available on our status page.
If you have other questions about our privacy and security efforts, compliance with standards, disclosure policy, bounty program, or other areas of trust, please contact us today.
If you’d like assistance building or improving your own security apparatus, contact our sales team today.