The Directory is a community-curated resource that helps hackers identify the best way to contact an organization's security team. This guides hackers with reporting potential vulnerabilities directly to the organizations that can resolve them. The Directory is comprised of a list of various organizations that both use and don't use HackerOne. It documents the existence of an organization's vulnerability disclosure policy and any associated bug bounty programs.
The Directory provides relevant information for both hackers and programs.
The Directory enables Hackers to:
- Search for an organization to get the contact information of a security team.
Add security team contact information for an organization so that other hackers know where to submit vulnerabilities (See Create a Directory Page)
- As the directory is community-curated, hackers who maintain sufficient reputation have edit rights and can update information about an organization. If you don’t have edit rights, you can reach a moderator at email@example.com with any changes.
- Find programs they're interested to hack on
- Bookmark your favorite programs
- View and compare statistics of various programs
Note: If an organization hasn't published security contact information anywhere, HackerOne recommends considering assistance from the local CERT.
The Directory enables programs to:
- Publish contact information for receiving information about potential vulnerabilities in their products or online services, such as a security@ email address or a HackerOne program (See ISO 29147 for additional guidance or contact HackerOne)
- Search for their organization to ensure that their security team's contact information and disclosure policy is accurate (See Claiming the Security Page if the program page hasn’t been claimed for editing)
You can find this information associated with an organization on the directory:
|Launch Date||The date the program started to accept vulnerabilities.|
|Bugs Resolved||The total number of vulnerabilities the organization has resolved. If the field is marked with a
|Response Efficiency||The percentage of reports that are responded to on time within the last 90 days.|
|Bounties Minimum||The minimum bounty that will be given for a valid vulnerability. If the field is marked with a
|Bounties Average||The average bounty that is given for a valid vulnerability in a program. If the field is marked with a
||Bookmark your favorite programs by clicking on the icon. A list of your bookmarked programs will show on your Hacker Dashboard under the Bookmarked Programs tab.|
||Programs managed by HackerOne. These programs are more likely to respond quickly to your report and there's a higher likelihood of being successful on these programs because it's managed by the HackerOne triage team.|
|Not Accepting Submissions Icon
||A program that isn’t accepting any report submissions on HackerOne.|
You can filter your list of programs by both program features and by asset type.
The program features you can filter include:
|IBB||Indicates Internet Bug Bounty - a bug bounty program for core internet infrastructure and free open source software. These programs are managed by a panel of volunteers selected from the security community. Learn more here.|
|Offers bounties||Programs that offer bounties as rewards for finding vulnerabilities.|
|Invite-only||Programs that only allow you to submit vulnerabilities through an invitation.|
|High response efficiency||Programs that have a response efficiency of at least 80%.|
|Managed||Programs managed by HackerOne. These programs are more likely to respond quickly to your report and there's a higher likelihood of being successful on these programs because it's managed by the HackerOne triage team.|