We've built HackerOne from the ground up with security as our top priority. Even so, we believe that all technology contains bugs and that the public plays a crucial role in identifying these bugs. If you believe you've found a security bug in our service, we'll gladly work with you to resolve that issue and ensure you are fairly compensated for your discovery.

We're constantly seeking to improve. If you have any questions on our security or suggestions on how HackerOne could be improved, please let us know.

?Important for reporting functional bugs: if you are looking to report a non-security-related bug in HackerOne, please submit here instead.

HackerOne program sandbox

===============

HackerOne offers a sandbox for hackers to help them test program functionality for security vulnerabilities. To create a program, go here. You can select any product edition, giving you access to almost all features HackerOne offers. Hackers can create up to 30 programs in the sandbox. It is currently not possible to invite program members to new programs in the sandbox.

Eligibility and Responsible Disclosure

===============

We encourage and respect the hacker community and ask that you act in good faith when working with us. Please abide by the following when participating in our program:

• Follow the Vulnerability Disclosure Guidelines. As our platform lays out, please read and follow the Vulnerability Disclosure Guidelines.

• Respect all our users' privacy. HackerOne is a community that holds a lot of information, and we count on you to help keep everyone safe. Limit testing to accounts you own and do not impact other users on HackerOne. If you do encounter any user data or program data, including but not limited to usernames, passwords, or vulnerability information, please report it to us immediately and stop testing right away.

• Bend, but not break. When testing use the minimal possible POC to validate a vulnerability; in cases when it may impact systems or users, ask permission first. No matter the case, do not damage or leave a system in a more vulnerable state that when you uncovered it.

• Vulnerabilities that disclose the existence of a launched private HackerOne program (not a "sandboxed" or demo program) will be considered Low severity, whereas previously they would be considered Medium severity. Depending on the information that is disclosed, the team may increase the severity.

Public disclosure

===============

We believe in transparency about our security, so any valid vulnerabilities discovered are always publicly disclosed once confirmed and resolved.

Providing Evidence

===============

If you are unsure if you will access others information, please file a report and ask if you should proceed. In a situation where you have an account takeover of a HackerOne employee, please notify our team by using this form. This page is only available from the compromised HackerOne employee account.

Best Practices or Hardening

===============

On occasion you may discover something that is not a vulnerability but we will make appropriate code changes for hardening or to implement some best practices. In these situations, when HackerOne decides to put a change in place we will resolve the report giving the reporter credit, but will not award a bounty. In the case where we do not make a change, our practice will be to close it as Informative.

Scope Exclusions

===============

The following categories of reports are considered out of scope for our program and will not be rewarded:

• Temporarily out of scope as of June 12, 2020: any vulnerability affecting the availability of HackerOne's systems (e.g. Denial of Service vulnerabilities).

• Reports which target a lack of host header validation or that exploit multiple forward slashes at the root of the path segment of a URL. Both of these issues are known to both us and Cloudflare, and their resolution is outside our control.

• Spamming other users with automated HackerOne emails or notifications (e.g. abusing the forgot password form).

• Reports which enumerate already claimed user and program handles. This reveals no sensitive information, regardless of whether the associated profiles are public or private.

• Reports which involve constructing a markdown link in such a way that it may appear confusing in the external link warning interstitial page, despite being properly decoded and fully enclosed in the demarcated "External link" box.

• Reports relating to the execution of CSV content by a third-party client application due to special treatment of certain characters in the exported CSV.

• Reports relating to invitation expiration dates.

• Reports relating to self-DoS issues (as in, only the person doing the action is denied service).

• The ability to game the badges functionality by closing submissions reported by yourself or a team member in a verified program.

• The ability to influence reputation/signal/impact via socially engineering a program's team members.

• Reports which disclose the existence of private programs that are using SAML.

• Open redirect vulnerabilities that do not demonstrate a clear impact, such as sending secret tokens to an arbitrary domain.

• The ability to see a user's rank when they're not ranked in the top 100. The rank is expected to be accessible by everyone.

Common false positives

False positives will be closed as Not Applicable. This section will describe tactics to make sure the behavior you're observing isn't a false positive.

Existence of invite-only programs

HackerOne has six different program states that are important to understand: sandbox, invite-only, public, external program, external program + sandbox, and external program + invite-only. It is only a valid vulnerability when there is a difference between the sandbox and invite-only programs. It is not a vulnerability when you can't distinguish a sandboxed program from an invite-only program. You can use the following example program handles for your tests.

| Program state | Program handle | ID | Node ID |

| ----- | ----- | ----- | ----- |

| Sandbox | @security-test-sandbox | 49806 | Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDY= |

| Invite-only | @security-test-invite-only | 49807 | Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDc= |

| Public | @security | 13 | Z2lkOi8vaGFja2Vyb25lL1RlYW0vMTM= |

| External program | @security-test-ep | 49803 | Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDM= |

| External program + sandbox | @security-test-ep-sandbox | 49804 | Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDQ= |

| External program + invite-only | @security-test-ep-invite-only | 49805 | Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDU=

Other object identifiers that may be used for a proof of concept

You may use the following object identifiers to test again on hackerone.com. Feel free to use these for a proof of concept when submitting a report to us.

| GraphQL ID | Class | ID | Note |

| ----- | ----- | ----- | ----- |

| Z2lkOi8vaGFja2Vyb25lL1N0cnVjdHVyZWRTY29wZS81ODU3OQ== | StructuredScope | 58579 | An asset belonging to @security-test-sandbox |

| Z2lkOi8vaGFja2Vyb25lL1N0cnVjdHVyZWRTY29wZS8xMDA1Nzg= | StructuredScope | 100578 | An asset belonging to @security-test-invite-only |

Consequences of Complying with This Policy

===============

We will not pursue civil action or initiate a complaint to law enforcement for accidental, good faith violations of this policy. We consider activities conducted consistent with this policy to constitute “authorized” conduct under the Computer Fraud and Abuse Act (CFAA). We will not bring a DMCA claim against you for circumventing the technological measures we have used to protect the applications in scope.

If legal action is initiated by a third party against you in connection with your participation in our program, and you have complied with HackerOne’s bug bounty policy, HackerOne will take steps to make it known that your actions were conducted in compliance with this policy.

Please submit a HackerOne report to us before engaging in conduct that may be inconsistent with or unaddressed by this policy.

{F285265}