A business account is a single HackerOne Community Member account used when security research happens as a company or legal entity. Informal groups of individuals working together via collaboration or individuals forming an entity only to receive your own rewards are not considered business accounts.
Key points
One account. One profile. One reputation. One leaderboard entry.
HackerOne applies account labels to distinguish business participation from individual participation.
The account owner who signs up for the business account remains responsible for all activity conducted through the account.
Why business accounts exist
Crowdsourced security has evolved beyond solo hackers. Leaderboards historically compared individuals directly against teams or organizations, which could create unfair or unclear comparisons.
Commercial participation brings different transparency and trust needs. The business account label helps, improving transparency and fairness by:
Helping customers and the community understand who is participating and operating the account (individual vs business)
Enabling apples-to-apples leaderboard comparison
Making AI-enabled or organization-backed participation more visible
How a business account works
Profiles
Business accounts display a profile label of Business to indicate commercial participation.
Leaderboards
On the HackerOne leaderboard, the Profile Type Filter allows users to switch between:
Individuals: shows solo researchers (default)
Businesses: shows profiles designated as a business
All: shows both
Reporting and collaboration
Because a business account is a single account:
Reports submitted by the account behave like reports from any other hacker account.
Collaboration can be indicated on reports (e.g., multiple contributors), just as with other accounts.
Do not add individual member accounts of individuals participating under the business account to reports as “collaborators” for that work.
Requirements you should expect
Self-identification and disclosure
Community Members must self-identify as a business account and provide the information HackerOne requests, including legal name and jurisdiction of formation.
Business account owner requirements and responsibilities
A business account must have at least one account owner, a legally authorized representative of the entity, at all times.
Account owners must complete HackerOne’s identity verification every 12 months.
HackerOne may also request attestations and other checks where needed, including legal name and jurisdiction of formation.
The account owner is responsible for all activity conducted through the business account, including activity by authorized users, and must maintain controls to manage access.
The account owner must also ensure each authorized user complies with eligibility, sanctions, export control, and other legal compliance requirements.
Authorized users must not submit duplicate reports to the same program through other accounts while participating through the business account.
Business accounts, their account owner, and authorized users will be subject to HackerOne’s Commercial Community Member Terms. (target effective date July 2026).
How to request a business account designation
Researchers cannot self-enroll as a business. Business status must be designated by HackerOne. If you believe an account should be designated as a business:
Contact HackerOne Support from the account in question.
Include:
Business name and short description
Legal entity name and registration details
Jurisdiction of formation
Account owner details (authorized representative)
Support will guide you through the required verification steps.
FAQ
Does a business account violate the Code of Conduct?
No. It is an account type supported by HackerOne. Code of Conduct enforcement applies to all activity, including activity by authorized users.
Can a business account submit vulnerabilities?
Yes. Business accounts submit reports through the same reporting process like any other researcher accounts.
Does a business account mean HackerOne endorses the business?
No. Business accounts must not imply endorsement, partnership, certification, or affiliation with HackerOne or a customer without written approval.
How does business reputation relate to individual reputation?
A business is a single account, so reputation is associated with that account. There is no reputation transfer to separate individual accounts.
Is there an “AI Agent” registration path?
There is no separate registration pathway. If a group operates under one shared identity and legal entity, it should be classified as a business account.