inFrequently Asked Questions

Internet Bug Bounty

Q

Why run an Internet Bug Bounty program?

A Our collective safety is only possible when public security research is allowed to flourish. Some of the most critical vulnerabilities in the internet's history have been resolved thanks to the efforts of researchers fueled entirely by curiosity and altruism. We owe these individuals an enormous debt and believe it is our duty to do everything in our power to cultivate a safe, rewarding environment for past, present, and future researchers.
Q

Who is running the Internet Bug Bounty program?

A The program is administered by an independent panel of security experts from the community. The Panel is responsible for defining the rules of the program, allocating bounties to where additional security research is needed most, and mediating any disagreements that might arise. The program is partially hosted by HackerOne.
Q

How is the program funded?

A The Internet Bug Bounty program is sponsored by individuals and organizations who genuinely care about our collective security. Their contributions directly fund the bounties paid to researchers with no portion going to The Panel or HackerOne: 100% goes to researchers. Sponsors do not have any special access or rights to bug data. If you'd like to sponsor security research, let us know!
Q

What types of bugs qualify for bounties?

A First, make certain you follow our general guidelines for vulnerability disclosure. Next, each Response Team has a unique set of criteria for what bugs are in scope along with any special rules they'd like you to adhere to. Be certain to carefully read each individual team page before beginning any research or testing on their products.
Q

Who decides how much each bounty is?

A The Panel may provide general guidance on bounties, but the appropriate Response Teams will assess each individual report to determine its bounty eligibility. The Panel is available to mediate any disagreements that may arise.
Q

I'm a contributor to an open source project. Am I eligible?

A Yes! However, we have two simple caveats: your involvement with the project is a labor of love as an unpaid volunteer, and you did not author or review the blamed commit.
Q

Is there an upper bound on the timeline for public disclosure?

A 180 days. Individual response teams are encouraged to set better (faster!) standards for themselves. We have an upper bound because one of our primary goals is to make software safer for everyone, and this only occurs if uncovered vulnerabilities actually get patched in a timely manner.
Q

What about software or services where the vendor already has a bounty program?

A Where the vendor already has a reasonable bounty program in place, we request that you contact the vendor directly.
Q

Can I report the bug to you via a third-party broker?

A No. It is unacceptable to share the vulnerability with anyone without the explicit consent of the Response Team.
Q

Can I report the bug directly to the Response Team?

A In most cases, yes. Please review the Response Team's profile for specifics on their accepted routes for submission.

Vulnerability Disclosure

Q

What are your policies regarding vulnerability disclosure?

A We're glad you asked! Please read our Disclosure Guidelines.
Q

TL;DR: What are your policies regarding vulnerability disclosure?

A The Bug Report will remain non-public to allow the Response Team sufficient time to publish a remediation. If either party requests public disclosure, the Bug Report will be made public within 30 days. But, please, read our full Disclosure Guidelines.
Q

Who has access to the disclosed bugs?

A The original bug submitter, the members of the product's Response Team, and anyone explicitly authorized by the Response Team. Bug data is treated as confidential. HackerOne will not share your bug data with any other parties of our own volition. We're also happy to accept submissions encrypted with the Response Team's PGP key. For further details, please view our Privacy Policy.
Q

When do the members of the Response Team receive details about disclosed bugs?

A Immediately and automatically.
Q

Do I have to keep details confidential once the bug is fixed?

A Absolutely not. We believe that open, collaborative sharing of information and research will drive our collective knowledge forward and help make us all safer. After a bug has been resolved, you can request public disclosure in the bug report itself. Public disclosure will then occur after 30 days, or immediately if both parties are in mutual agreement.
Q

Does the researcher have to prove the severity and exploitability of the vulnerability?

A Not necessarily. The Response Team will make an assessment if necessary. However, the likelihood and size of a bounty may be positively influenced by a high quality report that provides details on severity and exploitability.
Q

What are your opinions on disclosure via a private YouTube video?

A A bad techno track in the background is mandatory.

Bounties

Q

How do you set the criteria of what qualifies for a bounty?

A Each Response Team sets its own criteria for bounty qualification and payout range. The Panel is available to help provide guidance and adjustment feedback. Even though the scope is unique to each project, we believe that the community will quickly arrive at a general consensus regarding fairness and that this consensus will mature over time. Higher bounties attract more researchers and result in more quality submissions.
Q

What happens if two researchers report the same bug separately?

A In the event of a so-called "bug collision", our guidance is that only the first researcher be eligible for a bounty. However, individual Response Teams have the final say in the matter.
Q

Is anyone ineligible for the bounties?

A Unfortunately, we're unable to issue monetary payments to individuals on US embargo lists, or individuals in countries currently on US embargo lists.
Q

I'm 12 years old and what is this?

A We allow payments to any age. However, the Children's Online Privacy Protection Act restricts our ability to collect personal information from children under 13, so you will need to claim your bounties through your parent or legal guardian if you are under 13 years of age.
Q

Can I remain anonymous?

A Vulnerability details will always be public, but Researchers may choose to remain anonymous through a pseudonym. We may need to know your identity in order to pay your bounty. If you prefer to remain anonymous even to HackerOne support staff, you can still choose to anonymously donate your bounty to charity.
Q

I can donate my bounty to a charity?

A Absolutely! Some Response Teams may even increase the donation value in the event you decide to donate.
Q

When do I get my bounty?

A We recommend that Response Teams reward bounties within 30 days of the resolution of a bug. Often, a full understanding of the vulnerability and its impact only becomes apparent after a fix has been developed.
Q

How do I get paid?

A Once you've received your first bounty, you'll receive instructions on completing the appropriate tax form. After the form is completed, your money will be deposited into your PayPal account by default. Let us know if you're unable to use PayPal and we'll help you figure out an alternative. We plan to add additional payout methods in the near future.

Security

Q

Will you pay for security bugs in HackerOne itself?

Q

Do you store my password in an encrypted format?

A bcrypt(10, salt, strcat(password, sha512(app-token, env-token)))
Q

Do you use military-grade encryption?

A Yes.

Miscellaneous

Q

I have a copyright complaint!

Q

You didn't answer my question.

A Oops. Got a question we missed? Ask away! support@hackerone.com