Platform interactions should be at all times respectful and communicated in a professional manner and tone with a view to being beneficial to the report validation process. Creating unnecessary noise, leaving rude comments, or spamming report comments for an update are some examples which can be considered unprofessional behavior. These actions decrease triage efficiency and are not beneficial to you as the Finder or the program.

Disclosure of any private program details including: program name, scope, vulnerability details, bounty structure, account information, or any other detail that could identify the details to anyone who is not a HackerOne employee or a member of that program may result in enforcement actions. When collaborating with other Finders on the same program, be sure to do so in a secure manner, in accordance with disclosure requirements listed in this CoC.

Only use approved communication channels. Unless the program has intentionally provided a contact method to the Finder, contacting security teams “out-of-band” is a violation of this CoC. Approved communication channels will be outlined within the program policy page or otherwise notified by the customer, should nothing be specifically mentioned, all Finders must assume that the HackerOne platform is the only approved channel.

Finders must not perform unsafe testing without prior authorization. This includes (but is not limited to): out-of-scoping testing, exploiting a vulnerability beyond what is necessary to show impact (i.e. accessing customer internal information, dumping a database, etc.), gaining access to and using accounts or production credentials not approved per the program's policy, altering production or database information or causing a Denial of Service, or otherwise impacting the stability of customer systems outside of posted testing policies.

HackerOne does not tolerate any discrimination based on age, ethnicity, level of experience, nationality, personal appearance, race, religion, sexual or gender identity and orientation, physical appearance, political beliefs, or other protected classes.

Hate speech, profanity, or any aggressive threats in report comments, support tickets, or other communication methods will not be tolerated in any form. Violating this guideline includes posts on social media and other platforms. If it is confirmed that a Finder account is tied to actions which amount to a breach(es) of our CoC, enforcement action may be taken.

Duplicate account abuse: Any case where multiple HackerOne user accounts are used to circumvent a sanction against a user account, or to create an unfair advantage on the platform.

Reputation farming: Any activity that creates an unfair gain in reputation. This includes sharing account access and submitting the work of other Hackers, and also encompasses cases where Finders may attempt to social engineer HackerOne staff into assisting with the launch of an illegitimate program.

Any unauthorized use of intellectual property (including but not limited to) the unauthorized use of other Finders work, will not be tolerated.

Disclosing report information without previous authorization is not permitted. This encompasses social media, blog posts and any other disclosure methods. This category also includes threats of disclosure. Enforcement actions will be escalated based on severity, means, and sensitivity of the disclosure.

Any attempt to obtain bounties, money or services by coercion is not permitted and may amount to a criminal offense.

Any unauthorized attempts to socially engineer another party through impersonation of a HackerOne employee, another Finder, a program member or a security team will not be tolerated.

Finders are solely responsible for the tools that they use. These tools must be lawful and legally acquired. H1 will not tolerate the use of illegal software, if such use is discovered, enforcement action may be taken.

“Confidential Information”: means any information made available through the HackerOne platform or programs, including but not limited to vulnerability information, confidential information and know-how (including but not limited to ideas, formulae, compositions, processes, procedures and techniques, research and development information, computer program code, performance specifications, support documentation, drawings, specifications, designs, business and marketing plans, and customer and supplier lists and related information.

“Finder” means an individual or entity using the HackerOne Platform to provide Finder Submissions.

“Finder Submission” means documents and related materials evidencing a Finder’s activities related to a program, including,but not limited to, vulnerability reports.

“The Mediation Team”: is a cross-functional group of stakeholders led by senior HackerOne Support staff.

“Personal Data”: is information that relates to an identified or identifiable individual. If it is possible to identify an individual directly from the information you are processing, then that information may be Personal Data.

Examples of Personal Data (not exhaustive)

• A person’s name;
• IP address;
• Cookie Identifier;
• Email addresses;
• Telephone numbers;
• Physical addresses;
• Date of birth;
• Health history;
• Ethnicity;
• Sexual Orientation; and/or
• Financial information: e.g. Banking information – credit card numbers, account numbers, sort codes