Hacker Mediation

With hacker mediation, hackers can request assistance from HackerOne in extreme cases when all normal discussions with the program have been attempted and there has been no satisfactory resolution. Vice versa, programs can also request for mediation when there are issues with hackers.

Hacker mediation requests commonly occur when a program's behavior is clearly out of sync with what is outlined on their Security Page. Examples include:

  • A program promises to reply within a certain time period on their Security Page but fails to do so.
  • A program claims a domain is in scope on their Security Page, then makes a last minute change to pull it out of scope based on your report.
  • A program clearly outlines a vulnerability in a particular domain as being worth a minimum bounty, but then awards less than that amount or no bounty at all without providing an explanation.

Note: Please don't share any report details with HackerOne in the initial request without explicit mutual agreement from the program. If more information is required to address the problem, HackerOne will arrange it with the program's security team.

Requesting Hacker Mediation

In order to request mediation:

  1. Open the report you'd like to request HackerOne mediation support for.
  2. Scroll to the bottom of the report.
  3. Click Report Abuse.
  4. Select Request mediation.

This will trigger a workflow to reach out to both the program and the relevant hacker.


Hacker Mediation Triggers

Requesting hacker mediation triggers the following actions:

  1. An email is sent to the program's security team, requesting that they make their best effort to resolve the issue with the hacker within 3 business days.
  2. If the security team doesn't respond to the hacker or if the situation isn't resolved, HackerOne will evaluate all available information about the vulnerability report, the hacker who requested mediation, and the organization to determine the appropriate level of escalation.
  3. If, in HackerOne's judgment, the hacker's case warrants bringing to the company's attention out of band, HackerOne's Customer Success team will do so.

While HackerOne can't guarantee resolution or override a security team's assessment, hacker mediation has been used to successfully bring items to the security teams' attention, resulting in a more favorable outcome for everyone involved.

As a reminder, hacker mediation is a privilege that is reserved for hackers with signal ≥ 1. In most cases, HackerOne will not be able to mediate for reports that have been closed for over 3 months. Please respect the guidelines above and only request mediation if it's deemed absolutely necessary. Abuse of the hacker mediation process will result in this privilege being revoked from your account.