Hackers can request assistance from HackerOne in cases when discussions with the program have been attempted and there has been no satisfactory resolution. Vice versa, programs can also request mediation when the Code of Conduct has been violated.
Hacker Mediation can be requested for the following reasons:
A program's decision is inconsistent with broad industry standards.
A program does not honor a commitment made on their Security Page.
A program promises to reply within a certain time period on their Security Page but fails to do so.
A program claims a domain is in scope on their Security Page, then makes a last-minute change to remove it from scope based on your report.
A program clearly outlines a vulnerability in a particular domain as being worth a minimum bounty, but then awards less than that amount or no bounty at all without explanation.
Etc.
Hacker mediation is used to raise concerns about reports to security teams and facilitate discussions between hackers and customers to work towards a more favorable outcome for everyone involved.
If a program is not managed (does not have HackerOne Triage Services), our ability to support mediation review and resolution is limited, and requests may take longer to resolve.
Note: HackerOne does not accept Mediation requests for Disclosure Assistance reports or Basic Programs that are not managed by HackerOne.
Right now, Hacker Mediation is only available to hackers with >0 signal. Please do not contact Support for assistance with reports if you are under this threshold. Thank you for your understanding!
Requesting Hacker Mediation
To request mediation:
Open the report you'd like to request HackerOne mediation support for.
Scroll to the bottom of the report.
Click Request Mediation.
Select the Nature of the dispute in the Request Mediation form.
Click Confirm. This will trigger a workflow to reach out to both the program and the relevant hacker.
Please do not request mediation for the following reasons (these requests will be closed):
If the report has been closed for 3+ months. HackerOne will not be able to mediate for reports that have been closed for over 3 months.
If you are looking for an update on a report that has seen an update from the H1 Triage team or program team less than 7 days ago.
If your reason for the request does not contain enough information about how we can assist or why you disagree with the handling of a report. Provide substantial context in your request.
Please respect the guidelines above and only request mediation if it's deemed absolutely necessary. Abuse of the hacker mediation process will result in this privilege being revoked from your account.
Finally, keep in mind that HackerOne is no longer able to add external researchers to original report submissions due to security and privacy concerns related to doing so.
Submitting a Strong Mediation Request
A good HackerOne mediation request should be clear, objective, well-documented, and constructive.
One Mediation Request per Report
Submit a separate mediation request for each report you need help with. Only request mediation for reports where you genuinely need support. This helps maintain clarity, ensures better tracking, and reduces the risk of your concerns being overlooked.
Clear Description of the Dispute
State exactly what the disagreement is about (i.e., severity rating, bounty amount, duplicate resolution, out-of-scope classification).
Avoid Overlong AI-Generated Impact Descriptions. Please refrain from copying and pasting lengthy "possible impact" texts from ChatGPT or similar platforms when submitting a mediation request. Keep your description clear, concise, and specific to your situation.
Objective Evidence & Detail
Include information about:
Report details relevant to review of the dispute
Provide detail. The more information provided at the point of request, the more efficiently we will be able to resolve your concern without going back and forth.
References to program scope or vulnerability taxonomy (i.e., CVSS or HackerOne Severity Guidelines)
Provide full evidence for Bypass Reports. When reporting a bypass, include all available evidence to clearly demonstrate that a bypass has occurred.
Reference to Guidelines or Precedent
Point to the program’s scope, bounty table, or HackerOne’s own guidelines.
If possible, mention similar reports with different outcomes.
Clarity on Desired Outcome
Say what resolution you're hoping for:
A bounty
A different severity rating
Clarification from HackerOne about the report outcome
Updates from the H1 Triage team
Update from the program team
This helps the mediator know what you're asking for specifically and gives the team context on what the ideal outcome is for you.
Professional and Respectful Tone
Maintain a respectful, objective, and professional tone—even if you're feeling frustrated. Remember, mediation exists to support fair resolution.
Issue Resolved? Close it out!
If your issue is resolved before the team addresses your request, please close the mediation request yourself in your Support Portal account, especially if you've already received a response from the program or triage team. This frees up the Mediation Team to work on mediations still requiring action, ultimately leading to fewer delays on the mediations that matter.
❌ Avoid:
Personal attacks or venting
Submitting without reviewing the scope or guidelines
Being vague or making unsupported claims
Saying “this is unfair” without explaining why
Example of a Strong Mediation Request:
“I’m requesting mediation because the program marked my report #123456 as a duplicate of #123450, but the context and attack vectors are different. My report targets a different endpoint and has a broader impact. The relevant part of the scope mentions X. I’m seeking another review of my report as I believe this report should not be marked as duplicate.”
Hacker Mediation Triggers
Requesting hacker mediation triggers the following actions:
An email is sent to the program's security team, requesting that they make their best effort to resolve the issue with the hacker within 3 business days.
If the security team doesn't respond to the hacker or if the situation isn't resolved, HackerOne will evaluate all available information about the vulnerability report, the hacker who requested mediation, and the organization to determine the appropriate level of escalation.
HackerOne’s Customer Success team will escalate certain concerns to program teams and engage closely to encourage a favorable outcome if, in HackerOne's judgment, the hacker's case warrants it.
If the security team is unable to respond to the hacker or if the situation is not promptly resolved, the Mediation Team will contact all involved parties and work together with the hacker and program teams to reach an appropriate and timely outcome.
Mediation Requests vs Support Requests
Mediation requests are different from Support requests. When requesting mediation, it’s important that you request it for the right reasons, as some issues are best taken to HackerOne Support instead. Here’s a table to help you see the difference between the types of requests:
Support Request | Mediation Request |
Request help with a payment that didn’t go through | Bounty disagreement (e.g.: The bounty table specifies a different amount than the one awarded for this criticality) |
Request credentials for a program | Resolution disagreement (e.g.: The bug was marked as duplicate and the “original” report has an older report number) |
Two-factor authentication resets | Unresponsiveness (e.g.: The triage team or the program provided no updates for a week) |
Account deletion | |
General questions | |
Note: Please do not perform testing on the Request Mediation feature on reports. Doing so will result in an outreach from the Mediation team to cease testing.
The Make It Right Fund
There may be cases where HackerOne believes a hacker’s submission has been handled incorrectly. We want to make sure hackers are awarded for their efforts in such cases. After extensive backend reviews of the specific report are completed, the hacker may be considered for a discretionary correction from the HackerOne Make It Right Fund. Please keep in mind that not every report is eligible for Make It Right, and the decision to recommend or consider a Make It Right award belongs to HackerOne. Usage of Make It Right may be noted in the report’s record for transparency.