Understanding the HackerOne Code of Conduct

What is a Code of Conduct?

A Code of Conduct is a document that establishes expectations for behavior from members of a community. Adopting and enforcing a Code of Conduct creates a positive atmosphere for our community and their interaction with program team members and HackerOne staff. A Code of Conduct empowers us to facilitate healthy and constructive community behavior.

Why do we have a Code of Conduct?

By having a Code of Conduct, we are encouraging the behavior we want to see in the world. Concrete enforcement guidelines help to ensure that any violation of the Code of Conduct is treated fairly and consistently across all members of our community. The goal of our Code of Conduct is to help protect you, our hackers, in addition to all members of the HackerOne Community, including our customers and HackerOne employees.

What is in our Code of Conduct?

At HackerOne, we consider the Code of Conduct to be the minimum standard of behavior we want to see on our platform. It is very important for hackers to avoid breaking the Code.

Our current Code of Conduct covers the following:

  • Behave professionally
  • Under any circumstances, do not disclose private program details
  • Only contact security teams through approved and official channels
  • Unsafe testing / service degradation is not allowed
  • No abusive language is tolerated on the HackerOne platform
  • No duplicate account abuse or reputation farming
  • No misuse or theft of intellectual property
  • Do not disclose report information, confidential information or personal data without express written authorization
  • No extortion or blackmail
  • No unauthorized impersonation / social engineering
  • The use of illegal or counterfeit software is not allowed

We encourage you to read the full Code of Conduct, and if you have more questions, please don’t hesitate to read the Frequently Asked Questions section. We also recommend reading all Rules of Engagement published on our policies page.

How does this benefit hackers?

By setting up minimum standards of community behavior, we can help hackers avoid foreseeable mistakes and work better with programs. Building a better relationship with programs can also help hackers with their professional careers. Reinforcing valuable soft skills improves communication and interactions with security teams, which is beneficial for everyone. We are proud to say that hackers have been employed by companies who run programs on HackerOne. These hackers established professionalism and technical capability and are great examples of what’s possible.

By having a Code of Conduct, we aim to have all hackers and members of the community treated fairly and equally, while being held to the same standards.

How does this benefit customers?

Customers expect a professional and respectful interaction while working with hackers. The Code of Conduct provides specific guidelines to know what to expect and what is acceptable in terms of communication and engagement.

If an individual seems hostile or unwelcoming, even if it’s just one person whose behavior is being tolerated, it will impact a program’s perception of the larger hacker community. A minimum standard of behavior helps ensure that HackerOne can continue to connect world class hackers with world class programs.

It’s not always easy to adopt or enforce a Code of Conduct, but fostering a welcoming environment will help our community grow. Because of this, we have published an enforcement matrix which outlines the actions we’ll take against any violations of our Code of Conduct.

Why is it important to be in good standing with the Code of Conduct?

Respecting the Code of Conduct will have a direct impact on several different aspects of the HackerOne platform, including but not limited to program or challenge invitations, live hacking event participation, HackerOne Clear, and consideration for other engagements such as HackerOne Pentest or becoming an Ambassador. Any violation of the Code of Conduct will have direct consequences that affect the above items.

When considering hackers for the many initiatives that HackerOne runs or supports, we will look at historical behavior and any Code of Conduct violations that may have occurred in the past before inviting participants.

The Code of Conduct was created to protect you! The more professional you are in your interactions and reports, the more likely you will be to build a positive relationship with program teams and HackerOne staff. Becoming a valuable partner in the bug remediation process can have incredibly positive effects on your success in the community as well as your professional career.

What happens if a hacker breaks part of the Code of Conduct?

If a complaint is received from a program, team member, or another hacker, or if HackerOne observes something that appears to violate the Code of Conduct and/or existing Rules of Engagement, HackerOne will in all cases:

  • Assume good intent: HackerOne trusts that hackers will want to do the right thing. HackerOne investigates fully so that it understands what did (and did not) happen. HackerOne will speak to all parties involved, where appropriate, and attempt to provide a neutral viewpoint.

  • Repercussions: If HackerOne determines that the hacker has violated the Code of Conduct and/or any Rules of Engagement, there will be disciplinary action depending on the severity of the violation and HackerOne’s assessment of intent. Repercussions can include temporary or permanent bans from HackerOne programs, HackerOne Clear and Clear programs, HackerOne Pentest, and/or the platform.

  • Statutory timeline of warnings: When a warning is issued in accordance with the Code of Conduct, HackerOne considers that warning to be applicable for 12 months. Warnings which are over 12 months old expire and are not typically assessed when reviewing the severity of new enforcement actions.