Code of Conduct
By participating in programs on HackerOne, all Finders agree to help empower our community by following the HackerOne Code of Conduct (CoC). The CoC is in addition to the General Terms and Conditions and Finder Terms and Conditions that all Finders must agree to when creating an account.
This CoC sets out guidelines for engaging on the HackerOne platform and describes HackerOne’s potential actions if a violation occurs. A program may include additional rules of engagement or conduct in their program policy and may enforce those rules with program-level sanctions, so Finders should always review the program policy before engaging on a particular program.
Platform interactions should at all times be respectful and communicated in a professional manner and tone with a view to being beneficial to the report validation process. Please do not:
- Create unnecessary noise on reports by spamming report comments or submitting support tickets for updates
- Leave rude comments
- Conduct yourself unprofessionally at Live Hacking Events or other in-person events where you are a representative of HackerOne
- Threaten disclosure, in particular related to private programs
These actions decrease triage efficiency and are not beneficial to you as the Finder or the program.
HackerOne does not tolerate any discrimination based on age, ethnicity, level of experience, nationality, personal appearance, race, religion, sexual or gender identity and orientation, physical appearance, political beliefs, or other protected classes.
Hate speech, profanity, or any aggressive threats in report comments, support tickets, or other communication methods (including related posts on social media and other platforms) will not be tolerated in any form. If it is confirmed that a Finder account is tied to actions which amount to a breach of our CoC, enforcement action may be taken.
Abusive behavior at Live Hacking Events or other in-person events where you are a representative of HackerOne is a violation of our CoC and will lead to a ban from participation in future Live Hacking Events, and we may take additional enforcement action on the HackerOne platform.
Finders must not perform unsafe testing without prior authorization. This includes (but is not limited to): exploiting a vulnerability beyond what is necessary to show impact (e.g. accessing excessive amounts of customer internal information, dumping a database, etc.), gaining access to and using accounts or production credentials not approved per the program's policy, altering production or database information or causing a Denial of Service, or otherwise impacting the stability of customer systems outside of posted testing policies.
Do not expose the existence of a private program on the HackerOne platform. This includes program name, scope, vulnerability information, bounty structure, account information, or any other detail that could identify the program. Such exposure to anyone who is not a HackerOne employee or a member of that program may result in enforcement actions. This includes word of mouth. Do not collaborate with other Finders without the express permission of the private program.
Disclosing vulnerability information without a clear, good faith effort to follow industry standard coordinated vulnerability disclosure practices is not acceptable. Do not disclose vulnerability information without exhausting all good faith efforts to coordinate with the organization and/or program over a reasonable period of time. Confidential information or data belonging to the program or their users should never be published without coordinating with the organization or program. This encompasses social media, blog posts, word of mouth, press, and other disclosure methods. When in doubt, communicate, communicate, communicate.
Only use approved communication channels to discuss vulnerabilities submitted to HackerOne. Unless the program has intentionally provided an alternative contact method to you in their program policy, contacting security teams “out-of-band” about reports submitted on HackerOne is a violation of this CoC. The HackerOne platform is the only approved communication channel, except where approved alternative communication channels are outlined within the program policy page or otherwise notified by the program.
Duplicate account abuse: Any case where multiple HackerOne user accounts are used to circumvent a sanction against a user account, or to create an unfair advantage on the platform.
Reputation farming: Any activity that creates an unfair gain in reputation. This includes sharing account access and submitting the work of other Hackers, as well as inappropriate requests for closure status changes for the purpose of maintaining reputation. This also encompasses cases where Finders may attempt to social engineer HackerOne staff into assisting with the launch of an illegitimate program.
Do not use intellectual property without prior authorization. This includes, but is not limited to, the unauthorized use of other Finders' work.
Do not attempt to, without authorization, socially engineer another party through impersonation of a HackerOne employee, another Finder, a program member, or a security team.
Finders are solely responsible for the tools that they use, which must be lawful and legally acquired. If it is brought to HackerOne’s attention that illegal or counterfeit software was used, HackerOne will be required to take appropriate action, including potential sanction under this Code of Conduct.
Do not attempt to obtain bounties, money or services by coercion. Individual cases of extortion or blackmail may be escalated based on severity and may amount to a criminal offense.
Do not attempt to circumvent a program or platform ban by creating new accounts. Doing so will result in an immediate permanent platform ban.
Enforcement Actions
The HackerOne Finder Code of Conduct is enforced in accordance with the action guidelines below.
Please note that HackerOne reserves the right to escalate or de-escalate the severity of enforcement and sanctions in accordance with the nature of the offense and irrespective of previous offenses. Depending upon the severity of the offense, sanctions may include, without limitation, longer temporary bans, immediate removal from HackerOne Clear and HackerOne Clear Programs, exclusion from Live Hacking Events, and/or a permanent ban from the HackerOne Platform.
Incident | First Offense | Second Offense | Third Offense | Fourth Offense | Fifth Offense | Sixth Offense |
---|---|---|---|---|---|---|
Unprofessional Behavior | Educational | 1st Warning | 2nd Warning | Final Warning | Temporary Ban (12 months) | Permanent Platform Ban |
Abusive Language/Harassment | Final Warning | Temporary Ban (12 months) | Permanent Platform Ban | | | |
Service Degradation/Unsafe Testing | Educational | 1st Warning | 2nd Warning | Final Warning | Temporary Ban (12 months) | Permanent Platform Ban |
Unauthorized Disclosure: Private Programs | Final Warning | Permanent Platform Ban | | | | |
Uncoordinated Vulnerability Disclosure | Final Warning | Permanent Platform Ban | | | | |
Contacting Program Teams Out-of-Band | 1st Warning | 2nd Warning | Final Warning | Temporary Ban (12 months) | Permanent Platform Ban | |
Reputation Farming/Duplicate Account Abuse | 1st Warning | 2nd Warning | Final Warning | Temporary Ban (12 months) | Permanent Platform Ban | |
Extortion/Blackmail | Permanent Platform Ban | | | | | |
Theft of Intellectual Property | Final Warning | Permanent Platform Ban | | | | |
Social Engineering | Final Warning | Permanent Platform Ban | | | | |
Circumventing a Ban | Permanent Platform Ban | | | | | |
Timeline of warnings: When a warning is issued in accordance with this Code of Conduct, HackerOne considers that warning to be applicable for 12 months. Warnings which are over 12 months old expire and are not typically assessed when reviewing the severity of new warnings. Depending upon the severity of the offense, previous warnings may still be taken into consideration.
See something, say something: If you see a Finder violating these rules, request Mediation Assistance via the HackerOne Support Portal. If you need help on a report of your own, you can request mediation directly from the report in question.
Note: HackerOne may update this Code of Conduct from time to time, based on industry standards and best practices. We will endeavor to provide notice of any such update. Enforcement actions are taken at HackerOne’s sole discretion. By participating on the HackerOne platform, you acknowledge and agree to this Code of Conduct in effect from time to time.