The Directory is a community-curated resource that helps hackers identify the best way to contact an organization's security team. This guides hackers in reporting potential vulnerabilities directly to the organizations that can resolve them. The Directory is comprised of a list of various organizations that both use and don't use HackerOne. It documents the existence of an organization's vulnerability disclosure policy and any associated bug bounty programs.
Directory Services
The Directory provides relevant information for both hackers and programs.
The Directory enables Hackers to:
Search for an organization to get the contact information of a security team.
Add security team contact information for an organization so that other hackers know where to submit vulnerabilities (See Create a Directory Page)
As the directory is community-curated, hackers who maintain a sufficient reputation have edit rights and can update information about an organization. If you don’t have edit rights, you can reach a moderator at directory@hackerone.com with any changes.
Find programs they're interested in hacking on
Bookmark their favorite programs
View and compare statistics of various programs
Note: If an organization hasn't published security contact information anywhere, HackerOne recommends considering assistance from the local CERT.
The Directory enables programs to:
Publish contact information for receiving information about potential vulnerabilities in their products or online services, such as a security@ email address or a HackerOne program (See ISO 29147 for additional guidance or contact HackerOne)
Search for their organization to ensure that their security team's contact information and disclosure policy are accurate (See Claiming the Security Page if the program page hasn’t been claimed for editing)
What's On the Directory
You can find this information associated with an organization in the directory:
Information | Details |
Launch date | The date the program started to accept vulnerabilities. |
Reports resolved | The total number of vulnerabilities the organization has resolved. If the field is marked with a |
Bounties minimum | The minimum bounty that will be given for a valid vulnerability. If the field is marked with a |
Bounties average | The average bounty that is given for a valid vulnerability in a program. If the field is marked with a |
Star Icon | Bookmark your favorite programs by clicking on the icon. A list of your bookmarked programs will show on your Hacker Dashboard under the Bookmarked Programs tab. |
Managed label | Managed by HackerOne: Faster response and greater success potential due to HackerOne's triage team. |
Not Accepting Submissions label | The program isn’t currently accepting any report submissions on HackerOne. |
Collaboration label | The program enables hackers to collaborate with others and split their bounty in finding and submitting a vulnerability. |
Retesting label | The program participates in retesting. |
Directory Filters
You can filter your list of programs by both program features and asset type.
The program features you can filter include:
Filter | Details |
IBB | Indicates Internet Bug Bounty - a bug bounty program for core internet infrastructure and free open-source software. These programs are managed by a panel of volunteers selected from the security community. Learn more here. |
Offers bounties | Programs that offer bounties as rewards for finding vulnerabilities. |
High response efficiency | Programs that meet their response target metrics at least 80% of the time. |
Managed by HackerOne | Managed by HackerOne: Faster response and greater success potential due to HackerOne's triage team. |
Offers retesting | Programs that can request hackers to retest vulnerabilities. |
Active Program | Programs that are currently accepting report submissions. |
Bounty spitting | Programs that enable hackers to collaborate with others in submitting a vulnerability. |