Disclosure is good.
All technology contains bugs. It is inevitable that a member of the public will discover a security bug in your software, and how you respond reflects the maturity of your security program. Maintaining positive relationships with security researchers is one of the most effective means of providing a safe and secure product.
Disclosure shouldn’t suck.
Our disclosure guidelines remove ambiguity from the disclosure process to ensure that bugs are eliminated safely. Clearly defining permitted behavior through a guided process builds trust and prevents misunderstanding.
Showing gratitude to those who help keep your users secure is not only the right thing to do, it’s essential to building a more secure product. This gratitude could take many forms: a classic "Thanks", some company schwag, or a bug bounty program.
Why run a disclosure program?
Linus' Law: Given enough eyeballs, all bugs are shallow.
You decide which issues are important, and which ones aren't.
Our experts are here to support your team at every turn.
Want more bugs? Consider showing a little extra appreciation.
Forget about tax forms and wire transfers. We take care of everything.
HackerOne is free. If you choose to award bounties, we charge a service fee.
- hacker /ha–kər/
- One who enjoys the intellectual challenge of creatively overcoming limitations.
We are excited to foster a community of hackers who are incentivized to improve the state of internet security for the world. This group includes security researchers, software engineers, system administrators, and even casual technologists who come across technology in need of improvement.
We hope through this effort, we can remove negative stigma from the ‘hacker’ label and have positive impact for internet citizens worldwide.
Internet Bug Bounty
We are humble hosts of the Internet Bug Bounty, which rewards friendly hackers who contribute to a more secure internet. The program is made possible by the generosity of several sponsors whose entire contributions directly fund the bounties paid to researchers.
We’re a group of hackers and researchers who have been frustrated by the failings of the vulnerability disclosure status quo. Members of our team have managed disclosure programs at Facebook, Google and Microsoft, participated in bug bounty programs, and disclosed vulnerabilities under dubious conditions. Our experiences have left us with a calling to improve vulnerability disclosure for everyone and make the internet more secure.
We believe that all technology contains vulnerabilities, that the public plays a crucial role in identifying these vulnerabilities, and that the subsequent disclosure should be safe, transparent, and rewarding for all involved.