We've built HackerOne from the ground up with security as our top priority.
Even so, we believe that all technology contains bugs and that the public
plays a crucial role in identifying these bugs. If you believe you've found a
security bug in our service, we'll gladly work with you to resolve that issue
and ensure you are fairly compensated for your discovery.
Important for reporting functional bugs: if you are looking to report a
non-security-related bug in HackerOne, please submit here.
Helpful reconnaissance data
HackerOne is providing everybody with useful information that may help you
find more security vulnerabilities in our systems. You can find all the
information in this repository. It contains all endpoints on HackerOne.com, our GraphQL schema,
planning to update the information regularly to give you insight into new
features we're building and give you faster access to new attack surface.
You do not have to submit reports in English. Feel free to report anything in
the following languages if you are more familiar with them:
- French
- German
- Dutch
- Italian
- Russian
- Finnish
- Swedish
- Hindi
- Marathi
- Spanish
- Portuguese
- Nepali
- Frisian
We are working on expanding our language base as we progress.
We believe in transparency about our security, so any valid vulnerabilities
discovered are always publicly disclosed once
confirmed and resolved.
- Several of our engineers live double lives as security engineers and penetration testers. All commits go through mandatory code and security review, along with examination by static analysis tools.
- All data access and mutation go through a stringent Command Query Responsibility Segregation (CQRS) framework for centralized auditing, authentication, and authorization.
- This framework utilizes strong typing and parameterization to eliminate SQL Injection attacks, as well as enforcing the presence of an anti-CSRF token prior to any data mutation.
- We utilize a strict Content Security Policy and a safe-by-default templating language to effectively neutralize Cross-Site Scripting (XSS).
- We encrypt all network communications with SSL/TLS accompanied by Perfect Forward Secrecy and HTTP Strict Transport Security (HSTS), including being HSTS preloaded in most major browsers.
- All requests pass through multiple rate limiting methods to protect against brute-force attacks.
- We don't store passwords: we store bcrypt(15, salt, strcat(password, sha512(app-token, env-token))).
- Passwords must be a minimum of 8 characters and pass a zxcvbn strong entropy check.
- User-submitted content (such as attachments and images) is stored in AWS S3, encrypted at rest, and served from a sandboxed domain, protecting against Same-origin Policy attacks.
- Two-factor authentication, IP whitelisting, and SAML are available to further restrict access to accounts.
- Role-based access control allows for granular permissions for team members.
- No credit card information is stored on our servers. We use Stripe, a PCI Level 1 service provider.
Infrastructure & Operational Security
- All our infrastructure is hosted on Amazon Web Services in SOC 1, 2, and 3 and ISO 27001 certified datacenters.
- We have undergone a SOC 2 Type II audit of our own platform.
- Network segregation is aggressively deployed between services and environments.
- Databases, files, and backups are encrypted at rest using AES-256.
- All infrastructure access requires two-factor, multi-stage authentication.
- We leverage Cloudflare to supplement our infrastructure's resilience.
- Enforced usage of strong passwords, password managers, client encryption, mobile device management, and screen locking.
- All employees undergo a criminal background check upon hiring.
… and more. We're constantly seeking to improve. If you have any questions on
our security or suggestions on how HackerOne could be improved, please let us
know at email@example.com.
The following categories of reports are considered out of scope for our
program and will not be rewarded:
- Reports which target a lack of host header validation or that exploit multiple forward slashes at the root of the path segment of a URL. Both of these issues are known to both us and Cloudflare, and their resolution is outside our control.
- Spamming other users with automated HackerOne emails or notifications (e.g. abusing the forgot password form).
- Reports which enumerate already claimed user and program handles. This reveals no sensitive information, regardless of whether the associated profiles are public or private.
- Reports which involve constructing a markdown link in such a way that it may appear confusing in the external link warning interstitial page, despite being properly decoded and fully enclosed in the demarcated "External link" box.
- Reports relating to the execution of CSV content by a third-party client application due to special treatment of certain characters in the exported CSV.
- Reports relating to invitation expiration dates.
- Reports relating to self-DoS issues (as in, only the person doing the action is denied service).
- Reports relating to missing rate limiting of our API. We intentionally made this design decision to learn how people use our API. We plan to implement a rate limit in the future.
- The ability to game the badges functionality by closing submissions reported by yourself or a team member in a verified program.
- The ability to influence reputation/signal/impact via socially engineering a program's team members.
- Reports which disclose the existence of private programs that are using SAML.
- Open redirect vulnerabilities that do not demonstrate a clear impact, such as sending secret tokens to an arbitrary domain.
Consequences of Complying with This Policy
We will not pursue civil action or initiate a complaint to law enforcement for
accidental, good faith violations of this policy. We consider activities
conducted consistent with this policy to constitute “authorized” conduct under
the Computer Fraud and Abuse Act (CFAA). We will not bring a DMCA claim
against you for circumventing the technological measures we have used to
protect the applications in scope.
If legal action is initiated by a third party against you in connection with
your participation in our program and you have complied with HackerOne’s bug
bounty policy, HackerOne will take steps to make it known that your actions
were conducted in compliance with this policy.
Please submit a HackerOne report to us before engaging in conduct that may be
inconsistent with or unaddressed by this policy.