HackerOne strives to be a safe and transparent environment for security vulnerability disclosure. Our site is currently in beta, and we are working to improve it.
We want to make sure you understand what personal information we collect from our users and why. We also want you to know about our practices so that you can make good decisions about how you use HackerOne. This policy explains what information we collect about you and what we do with it.
1. The Information We Collect
We collect some personal information from you to create an account that you can use to participate on the site, to make sure HackerOne works properly, and to keep users safe and secure on our site.
We also collect personal information to make sure HackerOne works properly and to improve user experience. This may include using your information for analytical purposes.
Below is a more detailed explanation of the information we collect and use.
1.1. Information We Collect Directly From You
When you create an account with HackerOne, you are required to provide your name, username, password, and email address. HackerOne stores this information to help identify you when you log in and help you communicate with other users. If you prefer, your name may be a pseudonym instead of a legal name.
Once you've registered with HackerOne, you create a user profile where you post information to help you communicate with other HackerOne users. Your profile includes your name, username, and user identification number. You can also choose to add a profile picture, your city and state, mobile phone, and any other information you like in the "About" field.
Your profile information on HackerOne is public information, except your email address and mobile phone number. Public information is exactly what it sounds like: anyone, including search engines and people who are not users of HackerOne, will be able to see it.
1.2. Information We Automatically Collect
We receive some information automatically when you visit HackerOne. This includes information about the device, browser, and operating system you use when accessing our site, your IP address, the website that referred you to HackerOne, which pages you request and visit, and the date and time of each request you make to HackerOne. If you visit HackerOne when you are logged in to your account, we also collect the user identification number we assign you when you open your account.
We retain access logs for 180 days, and then delete them.
Cookies are small data files placed on your computer by websites you visit in order to help them remember certain information about you.
When you log in to your account, HackerOne will place a cookie for the purpose of creating the session and knowing when you're logged in. The cookie contains an encrypted user identifier.
Most browsers include an option to clear existing cookies or reject new ones. However, if you reject new cookies, portions of HackerOne will not function as intended.
2. How We Use or Disclose Your Information
We may use your personal information when needed to keep the site running and prevent abuse. Your information is used internally only where necessary to provide our services.
We will only share your personal data with your consent, and after letting you know what information will be shared and with whom, unless it is otherwise permitted in this policy. We do not sell any information collected about our users to any third party.
We may disclose your information if we believe it is reasonably necessary to comply with a law, regulation, or valid legal process. If we are going to release your information, our policy is to provide you with notice unless we are prohibited from doing so by law or court order (e.g., an order under 18 U.S.C. § 2705(b)).
We may disclose your information without providing you with prior notice if we believe it's necessary to prevent imminent and serious bodily harm to a person.
3. Account Disabling
You may choose to disable your HackerOne account at any time. This means your user profile will no longer be visible on our site. However, public Bug Reports and associated information that you've submitted will still be available on HackerOne. For this reason, users can't entirely delete their accounts.
4. Data Security
HackerOne will work to secure information submitted to us by our users. We use encryption (HTTPS/TLS) to protect data transmitted to and from our site. However, no data transmission over the internet is completely secure, so we cannot guarantee the absolute security of this data. You use the service at your own risk, and are responsible for taking reasonable measures to secure your account (such as keeping your password secret).
5. Children Under 13
We welcome minors to submit reports to HackerOne. However, the Children's Online Privacy Protection Act restricts our ability to collect personal information from children under 13.
HackerOne is not directed to people 12 and younger. If you are under 13 and want to submit a Bug Report to us, please ask your parent or guardian to submit it for you. If we become aware that we have collected personal information from a child under 13, we will delete that information.
6. Changes to This Policy
HackerOne welcomes questions, concerns, and feedback about this policy. If you have suggestions for us, feel free to let us know at firstname.lastname@example.org.