HackerOne strives to be a safe and transparent environment for security vulnerability disclosure.
1. The Information We Collect
We collect some information from you to create an account that you can use to participate on the site, to make sure HackerOne works properly, and to keep users safe and secure on our site.
We also collect information to make sure HackerOne works properly and to improve user experience. This may include using your information for analytical purposes.
Below is a more detailed explanation of the information we collect and use.
1.1. Information We Collect Directly From You
When you create an account with HackerOne, you are required to provide your name, username, password, and email address. HackerOne stores this information to help identify you when you log in and help you communicate with other users. If you prefer, your name may be a pseudonym instead of a legal name.
Once you've registered with HackerOne, you create a user profile where you post information to help you communicate with other HackerOne users. Your profile includes your name, username, and user identification number. You can also choose to add a profile picture, your city and state, mobile phone, and any other information you like in the "About" field.
Your profile information on HackerOne is public information, except your email address and mobile phone number. Public information is exactly what it sounds like: anyone, including search engines and people who are not users of HackerOne, will be able to see it.
In addition to personal information, we collect any Vulnerability Information and Content that you submit, post, or display on the Services.
1.2. Information We Automatically Collect
We receive some information automatically when you visit HackerOne. This includes information about the device, browser, and operating system you use when accessing our site, your IP address, the website that referred you to HackerOne, which pages you request and visit, and the date and time of each request you make to HackerOne. If you visit HackerOne when you are logged into your account, we also collect the user identification number we assign you when you open your account.
We retain access logs for 180 days, and then delete them.
When you log in to your account, HackerOne will place a cookie for the purpose of creating the session and knowing when you're logged in. The cookie contains an encrypted user identifier.
HackerOne sometimes partners with third-party services who may use various tracking technologies to provide certain services or features, including targeted online marketing. These technologies allow a partner to recognize your computer or mobile device each time you visit HackerOne, but do not allow access to Your Information from HackerOne. For a list of current partners, please contact us at firstname.lastname@example.org.
Most browsers include an option to clear existing cookies or reject new ones. If you prefer not to use any cookies, you can also opt out in some browsers by turning on "Do Not Track" or visit https://www.aboutads.info/choices to opt out directly. However, if you reject new cookies, portions of HackerOne will not function as intended. We currently do not support Do Not Track browser settings.
2. How We Use or Disclose Your Information
We may use Your Information when needed to keep the site running and prevent abuse. Your Information is used internally only where necessary to provide our Services. In addition, if we employ other companies and people to perform tasks on our behalf, we may share Your Information with them as needed to provide products or services to you. For example, we may use a payment processing company to receive and process your payments for us. Unless we tell you differently, our agents do not have any right to use any personal information we share with them beyond what is necessary to assist us.
We will only share Your Information (including Vulnerability Information) with your consent, and after letting you know what information will be shared and with whom, unless it is otherwise permitted in this policy. We do not sell Your Information to any third party.
We may disclose Your Information if we believe it is reasonably necessary to comply with a law, regulation, or valid legal process. If we are going to release Your Information, our policy is to provide you with notice unless we are prohibited from doing so by law or court order (e.g., an order under 18 U.S.C. § 2705(b)).
In addition, we may disclose Your Information without providing you with prior notice if we believe it's necessary to prevent imminent and serious bodily harm to a person.
3. Account Disabling
You may choose to disable your HackerOne account at any time. This means your user profile will no longer be visible on our site. However, public reports and associated information that you've submitted will still be available on HackerOne. For this reason, users can't entirely delete their accounts.
4. Data Security
HackerOne will work to secure information submitted to us by our users. We use encryption (HTTPS/TLS) to protect data transmitted to and from our site. However, no data transmission over the internet is completely secure, so we cannot guarantee the absolute security of this data. You use the Service at your own risk, and are responsible for taking reasonable measures to secure your account (such as keeping your password secret).
5. Children Under 13
We welcome minors to submit reports to HackerOne. However, the Children's Online Privacy Protection Act restricts our ability to collect personal information from children under 13.
HackerOne is not directed to people 12 and younger. If you are under 13 and want to submit a report to us, please ask your parent or guardian to submit it for you. If we become aware that we have collected personal information from a child under 13, we will delete that information.
6. Changes to This Policy