As HackerOne is a place for collaboration and mutual respect between programs and hackers, there are behaviors that we don't tolerate. You can read the full Code of Conduct. The following are examples of intolerable behaviors that can result in full platform bans:
HackerOne doesn't tolerate any communication that manipulates a developer by withholding information about a vulnerability. This includes:
- Demanding a bounty or reward in exchange for vulnerability information
- Media threats to disclose an unresolved vulnerability if no bounty is offered
- Insinuating that you have other vulnerabilities waiting until a bounty is received
These sorts of tactics put a program member in an uncomfortable position. It also severely damages the respect and reputation of the hardworking hacker community and promotes conflict that puts other well-meaning hackers at risk.
Generally, the majority of hackers on the platform are motivated by their own curiosity, their own will to increase their hacking skills and their ranking on the platform, or are interested in building recognition and community with other hackers.
Because HackerOne involves all of these positive motivations, extortion tactics are disrespectful to other hackers who operated before bug bounties existed and before there was precedent to protect many forms of hacking. Engaging in extortion tactics could regress the industry to facing legal threats, criminal prosecution, and vindictive responses.
HackerOne also doesn't tolerate any sort of automated delivery of reports from scanners, scripts, browser automation frameworks, etc. They're low signal and a waste of everyone’s time.
Programs look to hackers for their technical prowess. When they see automated, thoughtless reports for issues that don't exist, they lose respect for hackers. When hackers lose respect, their findings are looked down upon and get overlooked.
HackerOne designs itself to encourage a high signal from the community that uses it. This creates a very healthy place for hackers and programs to meet, but spamming damages the trust for both HackerOne and the community in general.
HackerOne doesn't tolerate harassment of programs or hackers on the platform.
HackerOne is mutually beneficial for both parties to collaborate within the platform where features like public disclosure and mediation exist. In the event of a conflict or disagreement, HackerOne will not support either party that begins harassment as a means to their desired outcome.
Examples of harassment include repeated, direct contact with participants of a disclosure program (i.e. complaining to personal accounts on Twitter or repeatedly emailing executives) to complain or beg for a different result of a submission. This behavior discourages programs from opening disclosure programs and damages research opportunities in the community.
Generally, it’s important to understand that security teams operating disclosure programs aren't representing a customer service function. Hackers are also not required to perform research for any program that they find themselves in disagreement with or aren't offering the incentives they would prefer.