H1 is a place for collaboration and mutual respect between the developers of software and hackers. The following are not tolerated and will lead to a ban from the platform.
If you would like to request mediation as a Professional or Enterprise customer, each license level includes a specific number of mediation support requests.
- Open the report you'd like to request HackerOne mediation support for
- Scroll to the bottom of the report
- Click "Report Abuse"
- Select "Request Mediation"
- This triggers a workflow for your HackerOne team to reach out to both your team and the relevant hacker.
We do not tolerate any communication involving the HackerOne platform that manipulates a developer by withholding information about a vulnerability. This includes:
- Demanding a bounty or reward in exchange for vulnerability information
- Media threats to disclose an unresolved vulnerability if no bounty is offered
- Insinuating that you have other vulnerabilities waiting until a bounty is received
These sorts of tactics put a developer in an uncomfortable position. They severely damage the respect and reputation of the hard-working hacker community. Most importantly, they promote conflict that puts other well-meaning hackers at risk.
Generally speaking, the majority of hackers on the platform are motivated by their own curiosity, altruism to better the internet, or to build recognition and community with other hackers. Because our platform involves all of these motivations, extortion tactics are disrespectful to others by seeking to extract profit at a cost to all of these things.
Furthermore, it is disrespectful to all hackers who operated before bug bounties existed, and before there was precedent to protect many forms of hacking. We have made incredible progress, but this fragile peace could easily regress to the world of overreaching legal threats, criminal prosecution, and vindictive responses.
We do not tolerate any sort of automated delivery of reports from scanners, scripts, browser automation frameworks, etc. They are low signal and a waste of everyone’s time.
Developers look to hackers for their technical prowess. When they see automated, thoughtless reports for issues that do not exist, they lose respect for hackers. When hackers lose respect, we get into dangerous territory.
HackerOne designs itself to encourage a high signal from the community that uses it. This creates a very healthy place for hackers and developers to meet, but spamming damages the trust for both HackerOne and the community in general.
Harassment and #begbounty
We do not tolerate harassment of programs or hackers on our platform.
It is mutually beneficial for both parties to collaborate within the HackerOne platform, where features like public disclosure and mediation exist. In the event of a conflict or disagreement, we will not support a party that begins harassment as a means to their desired outcome.
Examples include repeated, direct contact with participants of a disclosure program (for example, complaining to personal accounts on Twitter or repeatedly emailing executives) to complain or beg for a different result of a submission. This behavior discourages companies and developers from opening disclosure programs and damages research opportunities in the community.
Generally speaking, it’s important to understand that security teams operating disclosure programs are not representing a customer service function. Hackers are also not required to perform research for any program that they find themselves in disagreement with, or that is not offering the incentives they would prefer.