Navigating Hacker Mediations

Organizations: Learn what happens when hackers request mediation on a report in your program.

Updated this week

What is Mediation?

Mediation is a support service for both hackers and customers in extreme communication cases. All members of the H1 Mediation Team are technical (security analyst backgrounds) and have deep experience in customer support.

  • Hackers can request mediation when a dispute about a report outcome arises, if their signal is >0.

  • Customers can also request mediation when facing challenges with hackers or where a Code of Conduct violation has been identified. More info on this here

The Mediation team identifies points of disagreement and facilitates resolution through organized, efficient, collaborative, and transparent communication with either party.

How is Hacker Mediation requested?

Hackers eligible for Hacker Mediation may request mediation directly from their report by clicking on Request Mediation at the bottom of the report. The hacker will be prompted to provide details in their request to ensure reasoning is provided for raising the dispute.

A hacker has requested mediation on a report submitted to my program…now what?

When a hacker requests mediation, the request will be sent into a queue for the Mediation Team to review.

The Mediation Team will review the report, as well as the hacker’s concern, to make sure it fully understands the dispute.

If the Mediation Team determines that the hacker’s perspective is valid and the report could have been handled differently, they may loop in a member of HackerOne Triage for additional context (if you are opted into HackerOne Triage services) or to make the appropriate changes to the report.

The Mediation Team may reach out directly to a customer to get context on the handling of a report or on guidelines, to share information, or to provide recommendations for report consideration if deemed appropriate by the team. Efficient communication with customers helps ensure that our Mediation Team can resolve report disputes quickly. If a hacker has requested mediation for a concern the customer feels they can address, such as providing an update on the remediation timeline, awarding a bounty, or clarifying decisions, the customer should feel free to respond to the hacker on the report.

The Mediation team handles communications with the hacker to provide closure on a dispute, regardless of the outcome of the mediation.

How do customers benefit from HackerOne Mediation?

  • Faster conflict resolution when direct communication stalls

  • Neutral, expert facilitation to keep discussions constructive

  • Clear, organized communication reduces misunderstandings

  • Improved trust and collaboration with hackers: High-quality hackers often choose programs based on reputation. Programs known for fair treatment and low mediation rates typically attract better talent, improving your security posture. Hackers who feel fairly treated are more likely to continue testing your assets and providing value to your program.

  • Minimized risk of escalation or prolonged disputes

  • Better outcomes that protect program reputation and safety

  • Trend Awareness & Guidelines Refinement Opportunities: Mediations often highlight areas where your program may need improvement. If you see patterns in mediation requests, you can proactively address these issues to prevent similar cases in the future. Recurring mediation themes may indicate unclear program guidelines that need clarification. For example, if hackers frequently request mediation over scope interpretations, your scope definition likely needs refinement. You have access to the Mediation Analytics Dashboard, so you can stay tuned in to any trends related to Hacker Mediations received by your program.

  • Enables review and correction of potential report issues if missed during Triage → increased opportunities for risk reduction & improved security posture

  • Reinforces a positive, secure vulnerability disclosure environment for your program

What are some things a customer can do to prevent mediations from occurring in the first place?

  • Adhere to response SLAs: Follow your published response timeframes as closely as possible. Most mediations occur when hackers don't receive responses within the stated SLA periods and become impatient.

  • Communicate proactively & transparently: Even if you're still investigating, provide regular status updates to hackers so they know their reports aren't forgotten. You can also use the Message Hackers feature (your CSM can help with this) to set expectations with all hackers of an expected delay. Keep hackers in the loop.

  • Ensure scope is up to date: To prevent disputes, ensure your program guidelines clearly define what is in and out of scope. Proactive transparency around what will and will not be accepted is key to preventing mediations.

  • Maintain consistency: Ensure you are awarding in line with your bounty table consistently across similar reports to avoid perceived unfairness.

  • At point of report closure: Try to provide specific technical reasoning wherever possible. Hackers appreciate detail and clarity of report decisions.

  • Commit to following the Detailed Platform Standards: These serve as direction for customers to help provide consistency and fairness in report validation.

  • Commit to adhering to Industry Best Practices: Recommendations for how you can run an excellent security program with the goal of increasing positive outcomes that benefit both you and hackers.
