Community Edition

HackerOne Community Edition

Security testing that matches your priorities and needs.

Hacker-Powered Security for the Open Source Community

Hacker-Powered Security for the Open Source Community

Open source software powers HackerOne. It powers our software, our infrastructure, and our model for engaging with our community. As part of our mission to make the internet safer, we want to make it easier for your open source project to remain secure.

As such, we offer a version of our popular HackerOne Bounty program for free to eligible open source projects. Use HackerOne to coordinate vulnerability reports, pay out bug bounties, and more.

Security by the Community, for the Community

Security by the Community, for the Community

HackerOne Community Edition gives you access to the most trusted hacker-powered security platform. With HackerOne, your contributors, users, and hackers will have a safe, place to submit vulnerability reports, making it easier for you to keep your project secure.

Features

lock
Security Page

Your Security Page declares your project's vulnerability coordination policy to hackers.

extension
Hacker Reputation

Each hacker's historic performance on the platform. Helpful for building community.

email
Private Hacker Invite

Start by inviting a few trusted hackers in a private program by reputation or username.

chat
Discussions

Integrated tools for discussing submitted vulnerabilities from your community.

checklist
API

Utilize our API to sync your data with your internal data analytics tool.

analytics
Analytics

Query more advanced metrics to track metrics measuring your program's ROI.

search
Duplicate Detection

Intelligent Pattern matching finds common issues and identifies duplicate reports.

monetization_on
Free

Entirely free for eligible open source projects*.

* Free HackerOne Enterprise subscription. If you pay out cash bounties, HackerOne will charge a 5% payment processing fee.

Trusted By

Requirements

  • Open Source Projects
    Projects in scope must only be Open Source projects that are covered by an OSI license.
  • Be Ready
    Projects must be active and at least 3 months old (age is defined by shipped releases/code contributions).
  • Create a Policy
    You add a SECURITY.md in your project root that provides details for how to submit vulnerabilities (example).
  • Advertise Your Program
    Display a link to your HackerOne profile from either the primary or secondary navigation on your project’s website.
  • Be Active
    You maintain an initial response to new reports of less than a week.

Community Edition Application

To apply, submit the form below and include the name of your project, your project website, and share some details about why you would like to receive HackerOne Community. Please note: all approvals at the discretion of HackerOne and decisions are final.

FAQ

Do I need to host HackerOne Community Edition myself?

No. We provide the Community Edition as a SaaS (software as a service) offering. This means no setup or deployment is required. You will be all good to go!

How long will the Community Edition be available for free?

We will provide the platform for free as long as your project is actively using it and maintaining the 1-week response time requirement. If you stop using the platform or stop being responsive, we may revoke this offer.

Are there any hidden costs?

No. HackerOne’s Community Edition is entirely free for your project to use.

What is the difference between HackerOne's Community Edition and other HackerOne product editions?

The primary difference is that with HackerOne’s paid product offerings, we provide dedicated customer support and program assistance. While we provide basic support (primarily around setup/configuration), paid support is not included with HackerOne’s Community Edition.

Is HackerOne's Community Edition itself open source?

No.

Can I integrate my project's single sign-on service to authenticate with HackerOne's Community Edition?

If your project’s SSO provider supports SAML 2.0, it can be easily used for authentication.

Can I export all data from HackerOne Community Edition in case I want to move to a different platform?

HackerOne allows you to export your data anytime you want. Your data belongs to you, and you can take it with you.

How long will it take for my application to be reviewed?

Most reviews are completed within 1 business week.

What are you looking for when approving an application?

Our primary goal is to ensure that we are providing HackerOne's Community Edition for projects that are (a) genuinely Open Source, (b) are non-commercial, (c) will be able to run an effective security program, and (d) will utilize it as intended.

Is my open source eligible if a company invests in building it?

It depends. If the application is for the betterment of the Open Source project and will be operated and run to serve that project, the application will likely be accepted. If a company is applying to save on the costs of buying HackerOne's paid product offerings, we probably won't accept it.

If my application is rejected, who can I talk to?

All applications will receive a response from us, and you are welcome to respond to that email — there will be a human behind it who can respond to your specific queries. Please note though, all decisions are final and are at the discretion of HackerOne. If, however, you feel you were rejected in error, please drop us a line.

Where can I learn more about using HackerOne's Community Edition?

We have a library of useful support resources at https://docs.hackerone.com.

Can I integrate HackerOne's Community Edition with my code hosting platform (e.g. GitHub/Gitlab)?

We support a number of different integrations, and we're always adding new ones regularly.

Do I have to pay hackers for vulnerability reports?

No, you can simply use HackerOne's Community Edition for vulnerability submission and coordination. Paying hackers for bounties is an option.

How do I put money into HackerOne's Community Edition as a budget for bounties and then pay hackers?

You can either attach a credit card to your account or send HackerOne money as a prepayment for any bounties, and we will 'credit' the program for that amount. This provides a great way to reward hackers financially for approved and validated reports.

Does HackerOne charge transaction fees for bounty payments?

The 5% payment processing fee (greatly reduced for Community Edition programs) goes towards compliance checks, payment fulfillment, and year end 1099. This fee is on top of the bounty you award to Hackers. For example, if you decide to award a $1,000 bounty, the total cost to you will be $1,050, with $1,000 going to the hacker and $50 to HackerOne.