Hackers can request assistance from HackerOne in extreme cases when all normal discussions with the team have been attempted, and there has been no satisfactory resolution.
- A Security Team promises to reply within a certain time period on their Security Page, but fails to do so
- A Security Team claims a domain is in scope on their Security Page, then makes a last minute change to pull it out of scope based on your report
- A Security Team clearly outlines a vulnerability in a particular domain as being worth a minimum bounty, but then awards less than that amount or no bounty at all without providing an explanation
Please do not share any report details with HackerOne in the initial request without explicit mutual agreement from the team. If more information is required to address the problem, HackerOne will arrange it with the Security Team.
Requesting hacker mediation triggers the following activities:
1) An email is sent to the Security Team requesting that they make a best effort to resolve the issue with the hacker within 3 business days.
2) If the Security Team does not respond to the hacker, or if the situation is otherwise not resolved, HackerOne will evaluate all available information about the vulnerability report, the hacker who requested mediation, and the organization to determine the appropriate level of escalation.
3) If, in our judgment, the hacker's case warrants bringing to the company's attention out of band, our Customer Success team will do so.