HackerOne is empowering the world to build a safer Internet. We provide a powerful and intuitive platform that enables security response teams to build effective vulnerability coordination programs.
What is a vulnerability coordination program?
Also sometimes referred to as a "responsible disclosure" or "coordinated disclosure" program, it is the ability to receive vulnerability reports from people outside your organization and to investigate and resolve the issues they describe. Every organization should have an easy, confidential way to receive these reports, and a clear set of processes for communicating with the person reporting them. For more information, see
HackerOne was created by people who want to make the Internet safer for everyone, including the people who built Facebook's, Google's, and Microsoft's bug bounty programs.
Why is vulnerability coordination and strong relationships between organizations and researchers important?
All technology contains bugs. Security bugs in any given piece of software may be discovered by a member of the public, and how an organization responds to a vulnerability report from a security researcher reflects the maturity of the organization's security program. Maintaining positive relationships with security researchers, by welcoming vulnerability reports, is one of the most effective means of providing a safe and secure product. Our vulnerability coordination guidelines remove ambiguity from the reporting process to ensure that security bugs are addressed safely. Clearly defining permitted behavior through a guided process builds trust and prevents misunderstanding.
A bug bounty is a cash reward that a grateful organization pays a hacker for reporting a vulnerability in the organization's product or online service. Companies successfully use bug bounties as a highly cost-effective way of discovering unknown vulnerabilities in publicly available products.
For Response Teams
How do I start a vulnerability coordination or bug bounty program?
HackerOne makes getting started easy: a live demo only takes a few minutes.
How do I make running a program easier to manage?
HackerOne provides the tools and automation to streamline the process of vulnerability coordination. Starting with a "soft launch", the platform guides you through the process in a controlled manner.
A soft launch is an invitation-only vulnerability response program hosted on HackerOne. It is a great way to get started without a formal public commitment. During the soft launch, you will be able to start with a small number of chosen, reputable researchers and progress at your own pace.
Do you offer a managed bug bounty program?
Yes, through our network of expert partners, or any partner of your choosing! HackerOne partners with a number of expert security consultant organizations that can help you with temporary or permanent staff augmentation for your vulnerability response team. If you would like to bring in your own consulting partners, HackerOne will train them on how to use the platform most effectively.
How much should I pay for bounties?
That all depends on you. The bounties already paid by programs on the HackerOne platform range from $100 to $20,000. Take a look at some of the other
How much does it cost to use your services?
The HackerOne vulnerability coordination platform is free to use. If you choose to offer a bug bounty, we charge a 20% commission. As part of our bounty payment service, we take care of getting the hackers paid, including getting them the right tax forms and removing that operational headache for you, so you can focus on getting your vulnerabilities fixed.
Are my vulnerabilities safe going through the HackerOne platform?
All traffic to and from the HackerOne servers is encrypted. Your Response Team can use our IP whitelisting policy so your data can only be accessed from locations you control. Learn more about HackerOne security
Do the HackerOne personnel get to see my vulnerabilities?
No. HackerOne works to provide organizations with the tools they need to successfully run their own vulnerability coordination program. As such, HackerOne personnel do not have access to your confidential vulnerability reports. HackerOne will never share your confidential data with any other parties of our own volition. We're also happy to accept submissions encrypted with the Response Team's PGP key. For further details, please view our
Isn't there an ISO standard for Vulnerability Disclosure? Does HackerOne comply with this standard?
Yes, the International Standards Organization created ISO 29147 Vulnerability disclosure to help guide organizations on how to receive vulnerability reports from parties outside the organization, and how to disseminate vulnerability advisories. HackerOne can help your organization easily manage the vulnerability disclosure and coordination process via our automated platform.
How can I find out more about the ISO standard on Vulnerability Disclosure?
HackerOne's Chief Policy Officer recorded a 20-minute video overview of the Vulnerability disclosure standard (29147) and a related ISO standard on vulnerability handling (30111) to help organizations understand what is included and how the standards are related. Watch it
What are your policies regarding vulnerability disclosure?
The Bug Report will remain non-public to allow the Response Team sufficient time to publish a remediation. After the Response Team marks the vulnerability as "Resolved," either party can request public disclosure. If no action is taken, the Bug Report will be made public within 30 days. For more information, read our complete
What other incentives besides a cash reward could my organization offer?
The platform offers a built-in "Thanks" page to publicly recognize researchers who have helped you and your users with a security issue. Limited edition swag is often well-received, as are free coupons or vouchers for whatever services/products you offer. For researchers with the best contributions, consider offering to host them near your office for a lunch/drinks or to cover their admission to conferences your team may be attending.
We built Hackbot to empower security teams to make the right decision, faster. While using HackerOne you'll frequently encounter Hackbot as he provides helpful tips and suggestions.
For example, Hackbot keeps track of the reports you receive and identifies potential duplicates and related reports to help you associate and close reports more quickly. He uses a sophisticated algorithm to draw from the report content, as well as a number of supplementary sources, to find the reports most likely to be duplicates or that will provide helpful context.
We're constantly adding new functionality to Hackbot, so let us know if you have any suggestions on how he could be more useful to you.
Do you use military-grade encryption?
How do I start hacking for bounties?
How is reputation calculated? How does it affect me?
As a researcher submitting vulnerabilities through the HackerOne platform, your reputation measures how likely your finding is to be immediately relevant and actionable. Reputation is based exclusively on your track record as a researcher. There are a number of privileges that are gained by maintaining a high reputation, such as becoming eligible to receive invitations to early previews of upcoming bounty programs. On the flip side, should your reputation decrease, the system will gradually reduce the number of submissions allowed in a given time period. We believe it is critical to this community that response teams be afforded a high-signal environment so that they can focus on providing a quality response to researchers who turn in the best vulnerabilities. For more details, please
How do I get invited to invitation-only soft launches?
You can increase your chance of being invited by being awesome and having a high reputation on the HackerOne platform. When you are invited, the one universal rule is to not talk about invitation-only soft launches.
I found a vulnerability in an organization that is not listed on your site. What should I do?
If you are unable to find a published vulnerability disclosure program for the organization, you can
What types of bugs qualify for bounties?
First, make certain you follow our general guidelines for vulnerability coordination and disclosure. Next, each Response Team has a unique set of criteria for what bugs are in scope, along with any special rules they'd like you to follow. Be certain to carefully read each individual team page before beginning any research or testing on their products.
Who decides how much each bounty is?
The Response Team for the product or service you are testing will assess each individual report to determine its bounty eligibility. HackerOne does not have access to vulnerability reports and cannot decide bounty eligibility or bounty amounts.
Can I report the bug via a third-party broker?
No. It is unacceptable to share the vulnerability with anyone without the explicit consent of the Response Team.
Do I have to prove the severity and exploitability of the vulnerability?
Not necessarily. The Response Team will make an assessment if necessary. However, the likelihood and size of a bounty may be positively influenced by a high quality report that provides details on severity and exploitability.
We recommend that Response Teams reward bounties within 30 days of the resolution of a bug. Often, a full understanding of the vulnerability and its impact only becomes apparent after a fix has been developed.
Once you've been notified of your first bounty award, you'll receive instructions on completing the appropriate tax form and setting your payout preferences.
Researchers may choose to remain anonymous through a pseudonym on the HackerOne platform. We will need to know your identity in order to pay your bounty to you. If you prefer to remain anonymous even to HackerOne support staff, you can still choose to anonymously donate your bounty to charity.
Do I have to keep details confidential once the bug is fixed?
Absolutely not. We believe that open, collaborative sharing of information and research will drive our collective knowledge forward and help make us all safer. It's a great idea to coordinate the public disclosure of vulnerability details with the Response Team. After a bug has been resolved, you can request public disclosure in the bug report itself through the HackerOne platform.
Is anyone ineligible for the bounties?
Unfortunately, we're unable to issue monetary payments to individuals on US embargo lists, or to individuals in countries currently on US embargo lists. HackerOne complies with all AML rules, regulations, and compliance requirements (including OFAC sanctions).
I'm 12 years old and found a bug - can I get paid a bounty?
We allow payments to hackers of any age. However, the Children's Online Privacy Protection Act restricts our ability to collect personal information from children under 13, so you will need to claim your bounties through your parent or legal guardian if you are under 13 years of age.
Can I donate my bounty to a charity?
Absolutely! Some Response Teams may even increase the donation value in the event you decide to donate your bounty.
What are your opinions on disclosure via a private YouTube video?
A bad techno track in the background is mandatory.
What is the HackerOne Directory?
The Directory is a community-curated resource for identifying the best way to contact an organization's security team. It documents the existence of an organization's vulnerability disclosure policy and any associated bug bounty programs. You can learn more about how this works in
What happens when I claim my profile?
An organization can claim its profile in order to take editorial control of its disclosure policy, self-update its information, and own its policy messaging.
Can someone else claim my profile?
HackerOne reviews each claim submission for validity before granting the claim. A profile can only be claimed once. Once you claim your profile, the community can no longer edit it.
Do I have to be a HackerOne customer to claim my profile?
No, you do not have to be a customer in order to claim a profile, though signing up for a free HackerOne account is necessary.
If I claim a profile, does that automatically sign me up for HackerOne?
No. Before you can claim a profile, you only need to sign up for a HackerOne account. Accepting bug reports on the HackerOne platform is optional.
Why is HackerOne organizing and hosting this Directory?
We believe that all organizations who build technology should provide a safe process for vulnerability disclosure, and that these disclosures should be easy to find at a single searchable source.
Will you charge me for use of this directory?
No, the directory is free to use, and so is claiming your profile.
How do I correct missing or inaccurate information?
Security researchers who maintain sufficient reputation can update information, or you can reach a moderator at
Why offer Disclosure Assistance?
Organizations typically publish a vulnerability disclosure policy with guidance on how they want to receive information related to potential vulnerabilities in their products or online services (see ISO 29147). In the absence of a vulnerability disclosure policy, attempts to report security vulnerabilities often carry considerable legal risk for the security researcher, causing many to simply withhold vulnerability information or publish anonymously. In these cases, it is impossible to achieve an optimal outcome that ensures security vulnerabilities are safely resolved.
It is in our collective best interests that this scenario be avoided. If you have been unsuccessful in contacting an organization regarding the responsible disclosure of a potential security vulnerability, HackerOne can offer assistance. We will take steps to identify the organization's official vulnerability disclosure policy.
How does Disclosure Assistance work?
Search for the organization you are attempting to contact in the Directory. If a security contact method has not been published there, select "Disclosure Assistance" and HackerOne will take steps to identify an official process. If we are successful, you will be notified of the process and may submit the vulnerability report to the organization directly. HackerOne does not receive or submit vulnerability information on your behalf.
Please be aware that we cannot guarantee success, so we recommend familiarizing yourself with the EFF's Vulnerability Reporting FAQ and encourage you to perform other contact attempts in parallel to our effort.
Are there any risks with Disclosure Assistance?
It is impossible to completely eliminate the inherent risks associated with vulnerability disclosure and we recommend familiarizing yourself with the EFF's Vulnerability Reporting FAQ. However, HackerOne Disclosure Assistance may reduce your individual risk in several areas:
- HackerOne will not accept any vulnerability information during the process, so no additional parties become privy to the disclosure details.
- HackerOne does not require your identity to complete the process, so you may utilize a pseudonym to remain anonymous.
- Once the organization's vulnerability disclosure policy is published, you have an opportunity to review it before choosing to make contact.
How do I get in touch with HackerOne?
Does HackerOne sponsor conferences?
Not for the foreseeable future. We have other priorities, like creating the best vulnerability disclosure platform - and offering it for free!
How do I report a vulnerability in HackerOne?
Please submit your report
How do I give feedback to HackerOne?
Let us know what you think at
I have a copyright complaint!
Can I find a list of all users and profiles somewhere?
Yes, on the
You didn't answer my question.
Got a question we missed? Ask away!