Best Practices for Vulnerability Disclosure

Vulnerability Disclosure Guidelines

All technology contains bugs. If you've found a security vulnerability, we'd like to help out. By submitting a vulnerability to a program on HackerOne, or signing up as a Security Team, you acknowledge that you have read and agreed to these guidelines.

Vulnerability Disclosure Philosophy

Finders should...

  • Respect the rules. Operate within the rules set forth by the Security Team, or speak up if in strong disagreement with the rules.
  • Respect privacy. Make a good faith effort not to access or destroy another user's data.
  • Be patient. Make a good faith effort to clarify and support their reports upon request.
  • Do no harm. Act for the common good through the prompt reporting of all found vulnerabilities. Never willfully exploit others without their permission.

Security Teams should...

  • Prioritize security. Make a good faith effort to resolve reported security issues in a prompt and transparent manner.
  • Respect Finders. Give finders public recognition for their contributions.
  • Reward research. Financially incentivize security research when appropriate.
  • Do no harm. Not take unreasonable punitive actions against finders, like making legal threats or referring matters to law enforcement.
Safe Harbor

We are committed to protecting the interests of Finders. However, vulnerability disclosure is an inherently murky process. The more closely a Finder's behavior matches these guidelines, the more we'll be able to protect you if a difficult disclosure situation escalates.

Submission Process

Security Teams will publish a program policy designed to guide security research into a particular service or product. You should always carefully review this program policy prior to submission as they will supersede these guidelines in the event of a conflict.

If you believe you have found a vulnerability, please submit a Report to the appropriate program on the HackerOne platform. The Report should include a detailed description of your discovery with clear, concise reproducible steps or a working proof-of-concept. If you don't explain the vulnerability in detail, there may be significant delays in the disclosure process, which is undesirable for everyone.

The Report will be updated with significant events, including when the vulnerability has been validated, when more information is needed from you, or when you have qualified for a bounty.

Vulnerability Disclosure Process

The contents of the Report will be made available to the Security Team immediately, and will initially remain non-public to allow the Security Team sufficient time to publish a remediation. After the Report has been closed, Public disclosure may be requested by either the Finder or the Security Team.

  • Default: If neither party raises an objection, the contents of the Report will be made public within 30 days.
  • Mutual agreement: We encourage the Finder and Security Team members to remain in open communication regarding disclosure timelines. If both parties are in agreement, the contents of the Report can be made public on a mutually agreed timeline.
  • Protective disclosure: If the Security Team has evidence of active exploitation or imminent public harm, they may immediately provide remediation details to the public so that users can take protective action.
  • Extension: Due to complexity and other factors, some vulnerabilities will require longer than the default 30 days to remediate. In these cases, the Report may remain non-public to ensure the Security Team has an adequate amount of time to address a security issue. We encourage Security Teams to remain in open communication with the Finder when these cases occur.
  • Last resort: If 180 days have elapsed with the Security Team being unable or unwilling to provide a vulnerability disclosure timeline, the contents of the Report may be publicly disclosed by the Finder. We believe transparency is in the public's best interest in these extreme cases.

Private Program

Some Finders may receive invitations to private Programs. Your participation in a private Program is entirely optional and subject to strict non-disclosure by default. Prior to accepting an invitation to a private Program, Finders should carefully review any program policies and non-disclosure agreements required for participation. Finders that intend any form of public disclosure should not participate in private Programs.

HackerOne recommends two alternatives:

(a) Submit directly to the Security Team outside of the Program. In this situation, Finders are advised to exercise good judgement as any safe harbor afforded by the Program Policy may not be available.

(b) Utilize our disclosure assistance process.

Public Recognition

You may receive public recognition for your find if 1) you are the first person to file a Report for a particular vulnerability, 2) the vulnerability is confirmed to be a valid security issue, and 3) you have complied with these guidelines. If a Finder prefers to remain anonymous, we encourage them to submit under a pseudonym.

Bug Bounty

Some Security Teams may offer monetary rewards for vulnerability disclosure. Not all Security Teams offer monetary rewards, and the decision to grant a reward is entirely at their discretion. The amount of each bounty payment will be determined by the Security Team. Bounty payments are subject to the following eligibility requirements:

  • Because we're based in the United States, we aren't able to pay bounties to residents or those who report vulnerabilities from a country against which the United States has trade restrictions or export sanctions as determined by the U.S. Office of Foreign Assets Control (OFAC).
  • Minors are welcome to participate in the program. However, the Children's Online Privacy Protection Act restricts our ability to collect personal information from children under 13, so you will need to claim your bounties through your parent or legal guardian if you are 12 or younger.
  • All payments will be made in U.S. dollars (USD) and will comply with local laws, regulations and ethics rules. You are responsible for the tax consequences of any bounty you receive, as determined by the laws of your country.
  • It is your sole responsibility to comply with any policies your employer may have that would affect your eligibility to participate in this bounty program.
Definitions
Security Team:
A team of individuals who are responsible for addressing security issues found in a product or service. Depending on the circumstances, this might be a formal security team from an organization, a group of volunteers on an open source project, or an independent panel of volunteers (such as the Internet Bug Bounty).
Finder:
Also known as hackers. Anyone who has investigated a potential security issue in some form of technology, including academic security researchers, software engineers, system administrators, and even casual technologists.
Report:
A Finder's description of a potential security vulnerability in a particular product or service. On HackerOne, Reports always start out as non-public submissions to the appropriate Security Team.
Vulnerability:
A software bug that would allow an attacker to perform an action in violation of an expressed security policy. A bug that enables escalated access or privilege is a vulnerability. Design flaws and failures to adhere to security best practices may qualify as vulnerabilities. Weaknesses exploited by viruses, malicious code, and social engineering are not considered vulnerabilities unless the Security Team says otherwise in the program's policy.
Programs:
Security Teams may publish a Program and Program Policy designed to guide security research into a particular service or product. If this program is private, your participation is entirely optional and subject to non-disclosure by default.

Contact

HackerOne is always open to feedback, questions, and suggestions. If you would like to talk to us, please feel free to email us at support@hackerone.com or follow us on Twitter @hacker0x01.

Changes to These Guidelines

We may revise these guidelines from time to time. The current version is 1.2, updated on July 29, 2019 will always be at https://www.hackerone.com/disclosure-guidelines. If we make changes that we believe will substantially alter your rights, we will email you and prominently display a notice on our site 7 days before we make those changes.