Publishing External Vulnerabilities
HackerOne provides the ability for hackers to publish their findings from external sources, not just HackerOne programs. As sharing knowledge is key toward advancing our collective ability to improve security, sharing what you’ve learned and discovered is one small way to give back to the community.
Requirements for Publishing an External Vulnerability
In order to publish a report, all these requirements must be met:
|The posting must describe a vulnerability.||A vulnerability is a weakness of software, hardware, or online service that can be exploited to cause harm.|
|You (the publisher) must be the finder of the vulnerability.||You can’t post other hackers’ findings under your own name - that’s their work!|
|The vulnerability must have already been responsibly disclosed to the security team of the associated organization.||You must have established communication with the security team responsible for the product or service, and received agreement from the security team that you may publish the vulnerability after resolution.|
|The vulnerability must be resolved.||The security team must have confirmed with you that they’ve resolved the vulnerability and provided updates and patches to their users (if applicable). We don’t support nor permit you to post about 0-days or exploits that may be used to harm others.|
|The associated organization has given you consent to publicly share the vulnerability.||Hacktivity is a channel for coordinated disclosures. Full disclosure has its time and place, and this isn’t the place for that.
The organization must consent to having their information for this particular vulnerability posted publicly.
|You adhere to our Code of Conduct and other HackerOne policies.||Find our hacker’s code of conduct at: https://www.hackerone.com/disclosure-guidelines
Find our Copyright and IP Policy at: https://www.hackerone.com/dmca
By publishing vulnerabilities to HackerOne, you acknowledge that you’ve met all of the above requirements.
Publishing a Vulnerability on HackerOne
Once you’ve met all of the requirements above, you’re ready to publish your vulnerability. To publish an external vulnerability on HackerOne:
- Go to Publish a Vulnerability.
- Enter the program you reported the vulnerability to and select it from the populated list. Note: This field searches all known disclosure programs from the Directory.
- If the program doesn't populate in the list, manually enter the entire program name.
- To publish without disclosing the organization, enter
redactto select the Redacted program.
- Fill out the rest of the Publish a Vulnerability report form.
- Click Publish Vulnerability.
- (Optional) Add a severity rating for the vulnerability.
The report will publish onto the New page of Hacktivity and have a Published icon on it to distinguish it from other reports. Users can upvote your report in Hacktivity, and the report will also display on your hacker profile.
Note: HackerOne reserves the right to remove any posted content if any party informs us that the content didn’t meet our requirements for publishing.
Publishing Without Disclosing the Organization
It may take some time for external organizations to get back to you about publishing the vulnerability you found, or they may not get back to you at all. In these cases, we enable you to publish your vulnerability to Hacktivity without naming the organization.
To publish without disclosing the organization, when selecting the program in step 3 of the section above, type
redact to select the Redacted program.
All mentions of the organization and assets will be redacted when it’s published onto the New page of Hacktivity.
Publishing currently doesn’t influence Reputation or your eligibility for any bounties.