[{"id":3772912,"new_policy":"# Must Read\n\n## Header Requirements\n\nSet a custom HTTP header in all your testing traffic. Once again, report to us what header you set so we can identify it easily for deconfliction purposes.\n\n| **Identifier Type** | **Format** | **Example** |\n|----------------------|------------|--------------|\n| Your Username | `X-Bug-Bounty:HackerOne-\u003cusername\u003e` | `X-Bug-Bounty:HackerOne-username` |\n| Tool Identifier | `X-Bug-Bounty:\u003ctoolname\u003e` | `X-Bug-Bounty:BurpSuitePro` |\n\n--- \n\n-  **Scope Inclusions:** Third-party assets outside of our control. We cannot authorize you to test assets that we do not host. Any such reports will be closed as Informative, but on occasion, we may reward a bonus if value to HackerOne's security posture is demonstrated. Note that issues within our control always fall within the scope of our program. This includes correct asset configuration and vulnerabilities/patching relating to self-hosted assets.\n\n# Hint \u0026 Tips\n\n- **Sandboxes:**  HackerOne offers a sandbox for hackers to help them test program functionality for security vulnerabilities. To create a program, go [here](https://hackerone.com/teams/new/sandbox). You can select any product edition, giving you access to almost all features HackerOne offers. Hackers can create up to 30 programs in the sandbox.\n- **Existence of Invite-Only Programs:** HackerOne has six different program states that are important to understand: sandbox, invite-only, public, external program, external program + sandbox, and external program + invite-only. It is **only** a valid vulnerability when there is a difference between the sandbox and invite-only programs. It is **not** a vulnerability when you can't distinguish a sandboxed program from an invite-only program. 
You can use the following example program handles for your tests.\n\n| Program state | Program handle | ID | Node ID |\n| ------------- | -------------- | -- | ------- |\n| Sandbox | @security-test-sandbox | 49806 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDY=` |\n| Invite-only | @security-test-invite-only | 49807 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDc=` |\n| Public | @security | 13 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vMTM=` |\n| External program | @security-test-ep | 49803 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDM=` |\n| External program + sandbox | @security-test-ep-sandbox | 49804 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDQ=` |\n| External program + invite-only | @security-test-ep-invite-only | 49805 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDU=` |\n\n- **Other Object Identifiers for Proof of Concept:** You may use the following object identifiers to test again on hackerone.com. Feel free to use these for a proof of concept when submitting a report to us.\n\n| GraphQL ID | Class | ID | Note |\n| ---------- | ----- | -- | ---- |\n| `Z2lkOi8vaGFja2Vyb25lL1N0cnVjdHVyZWRTY29wZS81ODU3OQ==` | `StructuredScope` | 58579 | An asset belonging to @security-test-sandbox |\n| `Z2lkOi8vaGFja2Vyb25lL1N0cnVjdHVyZWRTY29wZS8xMDA1Nzg=` | `StructuredScope` | 100578 | An asset belonging to @security-test-invite-only |\n\n\n--- \n\n## DoS Testing Policy\n\n### 🚀 Rules Overview\n\n- Single request, single user, single IP only  \n- No automated tools or high-volume attacks  \n- Test **Mon–Thu**, **off-peak hours only** (9pm UTC – 6am UTC)  \n- Stop immediately if service degrades to avoid risk to bounty eligibility  \n- Mention your **IP** and **timezone** when the attack was conducted (for internal audit)  \n- Cache poisoning DoS will be evaluated on a **case-by-case** basis based on impact  \n\n### 💰 Reward\n\n- **DoS (Medium Severity):** $1,500 USD  \n ==Reports that include prohibited actions will **not** be eligible for a reward.==\n\n### ⚠️ Eligibility\n\nTo qualify for a DoS reward, findings must 
demonstrate measurable degradation of HackerOne's servers or infrastructure (e.g. increased response times, service unavailability, or resource exhaustion on our systems). \n\n---\n\n## Testing Guidelines\n\n### ✅ Allowed\n\n- Single-user realistic actions only  \n- Gradual testing (start with 1–2 requests)  \n- Cross-IP validation required (send requests from a single IP, cross-check service/delay from another IP)  \n- Immediate stop when impact is detected  \n\n### ❌ Prohibited\n\n- DDoS or multiple IPs  \n- Automated tools (scripts, bots, etc.)  \n- Resource exhaustion attacks  \n- Data corruption or manipulation  \n","has_open_scope":true,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":true,"disclosure_declaration":"Standard","introduction":"Welcome! We’re thrilled that you’re considering helping to make HackerOne even stronger. We’ve always prioritized security, but we know that every technology has its flaws. Your expertise is invaluable in uncovering these bugs. If you find a security issue in our service, we’re eager to collaborate with you to resolve it and ensure you receive fair compensation for your discovery. Happy Hacking!","platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":["{\"category\":\"Misleading Information from Hai AI Copilot\",\"details\":\"Manipulating Hai, our AI copilot, to produce misleading and false information. We continuously work to improve the accuracy of Hai’s responses but right now we accept that it will let us down sometimes.\"}","{\"category\":\"Host Header Validation and URL Path Issues\",\"details\":\"Reports which target a lack of host header validation or that exploit multiple forward slashes at the root of the path segment of a URL. 
Both of these issues are known to both us and Cloudflare, and their resolution is outside our control.\"}","{\"category\":\"Enumeration of Claimed User and Program Handles\",\"details\":\"Reports which enumerate already claimed user and program handles. This reveals no sensitive information, regardless of whether the associated profiles are public or private.\"}","{\"category\":\"Invitation Expiration Date Issues\",\"details\":\"Reports relating to invitation expiration dates.\"}","{\"category\":\"Gaming Badges Functionality\",\"details\":\"The ability to game the badges functionality by closing submissions reported by yourself or a team member in a verified program.\"}","{\"category\":\"Disclosure of Private Programs\",\"details\":\"Most reports which disclose the existence of private programs, for example, the usage of SAML.\"}","{\"category\":\"Viewing Non-Top 100 User Ranks\",\"details\":\"The ability to see a user's rank when they're not ranked in the top 100. The rank is expected to be accessible by everyone.\"}","{\"category\":\"Handling Customer/Organization Information Disclosure\",\"details\":\"Information disclosure caused by a customer/organization on HackerOne; these reports will be closed as n/a, and we encourage you to report the information disclosure to the relevant program.\"}","{\"category\":\"Single or Many Username Information Disclosure\",\"details\":\"Usernames and email aliases are considered public information and would need to be paired with another attack to be exploited.\"}","{\"category\":\"Disclosure Contained Hacker’s Reports Inbox or Comments\",\"details\":\"If a hacker’s inbox appears in a public report or video, it’s not a security issue. Hackers and customers should avoid sharing sensitive info. 
If you spot any issues in our disclosed reports, you're welcome to let us know — we’ll mark it resolved, but it's not eligible for a reward.\"}","{\"category\":\"Disclosure of Private Programs\",\"details\":\"Private programs on HackerOne, as disclosed through reports, GraphQL queries, or their responses, do not impact the CIA triad and will be closed as informative. If sensitive data related to a program on HackerOne is discovered, we encourage you to report it. Each case will be reviewed individually.\"}","{\"category\":\"Integration Retroactive Sync\",\"details\":\"When integrations (Linear, Slack, Jira, etc.) are re-enabled after being disabled, all activities from the disabled period sync retroactively. This is by design to maintain\\ndata consistency.\"}","{\"category\":\"Public Sitemap Enumeration (hackerone.com/sitemap)\",\"details\":\"The sitemap at hackerone.com/sitemap is publicly available by design for SEO purposes. It lists public program pages and profiles that are already accessible. Reports about enumerability of this endpoint are considered informative, as the data is public and non-sensitive. This is intentional.\"}"],"timestamp":"2026-04-21T06:22:42.597Z"},{"id":3772845,"new_policy":"# Must Read\n\n## Header Requirements\n\nSet a custom HTTP header in all your testing traffic. Once again, report to us what header you set so we can identify it easily for deconfliction purposes.\n\n| **Identifier Type** | **Format** | **Example** |\n|----------------------|------------|--------------|\n| Your Username | `X-Bug-Bounty:HackerOne-\u003cusername\u003e` | `X-Bug-Bounty:HackerOne-username` |\n| Tool Identifier | `X-Bug-Bounty:\u003ctoolname\u003e` | `X-Bug-Bounty:BurpSuitePro` |\n\n--- \n\n-  **Scope Inclusions:** Third-party assets outside of our control. We cannot authorize you to test assets that we do not host. 
Any such reports will be closed as Informative, but on occasion, we may reward a bonus if value to HackerOne's security posture is demonstrated. Note that issues within our control always fall within the scope of our program. This includes correct asset configuration and vulnerabilities/patching relating to self-hosted assets.\n\n# Hint \u0026 Tips\n\n- **Sandboxes:**  HackerOne offers a sandbox for hackers to help them test program functionality for security vulnerabilities. To create a program, go [here](https://hackerone.com/teams/new/sandbox). You can select any product edition, giving you access to almost all features HackerOne offers. Hackers can create up to 30 programs in the sandbox.\n- **Existence of Invite-Only Programs:** HackerOne has six different program states that are important to understand: sandbox, invite-only, public, external program, external program + sandbox, and external program + invite-only. It is **only** a valid vulnerability when there is a difference between the sandbox and invite-only programs. It is **not** a vulnerability when you can't distinguish a sandboxed program from an invite-only program. 
You can use the following example program handles for your tests.\n\n| Program state | Program handle | ID | Node ID |\n| ------------- | -------------- | -- | ------- |\n| Sandbox | @security-test-sandbox | 49806 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDY=` |\n| Invite-only | @security-test-invite-only | 49807 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDc=` |\n| Public | @security | 13 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vMTM=` |\n| External program | @security-test-ep | 49803 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDM=` |\n| External program + sandbox | @security-test-ep-sandbox | 49804 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDQ=` |\n| External program + invite-only | @security-test-ep-invite-only | 49805 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDU=` |\n\n- **Other Object Identifiers for Proof of Concept:** You may use the following object identifiers to test again on hackerone.com. Feel free to use these for a proof of concept when submitting a report to us.\n\n| GraphQL ID | Class | ID | Note |\n| ---------- | ----- | -- | ---- |\n| `Z2lkOi8vaGFja2Vyb25lL1N0cnVjdHVyZWRTY29wZS81ODU3OQ==` | `StructuredScope` | 58579 | An asset belonging to @security-test-sandbox |\n| `Z2lkOi8vaGFja2Vyb25lL1N0cnVjdHVyZWRTY29wZS8xMDA1Nzg=` | `StructuredScope` | 100578 | An asset belonging to @security-test-invite-only |\n\n\n--- \n\n## DoS Testing Policy\n\n### 🚀 Rules Overview\n\n- Single request, single user, single IP only  \n- No automated tools or high-volume attacks  \n- Test **Mon–Thu**, **off-peak hours only** (9pm UTC – 6am UTC)  \n- Stop immediately if service degrades to avoid risk to bounty eligibility  \n- Mention your **IP** and **timezone** when the attack was conducted (for internal audit)  \n- Cache poisoning DoS will be evaluated on a **case-by-case** basis based on impact  \n\n### 💰 Reward\n\n- **DoS (Medium Severity):** $1,500 USD  \n ==Reports that include prohibited actions will **not** be eligible for a reward.==\n\n### ⚠️ Eligibility\n\nTo qualify for a DoS reward, findings must 
demonstrate measurable degradation of HackerOne's servers or infrastructure (e.g. increased response times, service unavailability, or resource exhaustion on our systems). \n\n---\n\n## Testing Guidelines\n\n### ✅ Allowed\n\n- Single-user realistic actions only  \n- Gradual testing (start with 1–2 requests)  \n- Cross-IP validation required (send requests from a single IP, cross-check service/delay from another IP)  \n- Immediate stop when impact is detected  \n\n### ❌ Prohibited\n\n- DDoS or multiple IPs  \n- Automated tools (scripts, bots, etc.)  \n- Resource exhaustion attacks  \n- Data corruption or manipulation  \n","has_open_scope":true,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":true,"disclosure_declaration":"Standard","introduction":"Welcome! We’re thrilled that you’re considering helping to make HackerOne even stronger. We’ve always prioritized security, but we know that every technology has its flaws. Your expertise is invaluable in uncovering these bugs. If you find a security issue in our service, we’re eager to collaborate with you to resolve it and ensure you receive fair compensation for your discovery. Happy Hacking!","platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":["{\"category\":\"Misleading Information from Hai AI Copilot\",\"details\":\"Manipulating Hai, our AI copilot, to produce misleading and false information. We continuously work to improve the accuracy of Hai’s responses but right now we accept that it will let us down sometimes.\"}","{\"category\":\"Host Header Validation and URL Path Issues\",\"details\":\"Reports which target a lack of host header validation or that exploit multiple forward slashes at the root of the path segment of a URL. 
Both of these issues are known to both us and Cloudflare, and their resolution is outside our control.\"}","{\"category\":\"Enumeration of Claimed User and Program Handles\",\"details\":\"Reports which enumerate already claimed user and program handles. This reveals no sensitive information, regardless of whether the associated profiles are public or private.\"}","{\"category\":\"Invitation Expiration Date Issues\",\"details\":\"Reports relating to invitation expiration dates.\"}","{\"category\":\"Gaming Badges Functionality\",\"details\":\"The ability to game the badges functionality by closing submissions reported by yourself or a team member in a verified program.\"}","{\"category\":\"Disclosure of Private Programs\",\"details\":\"Most reports which disclose the existence of private programs, for example, the usage of SAML.\"}","{\"category\":\"Viewing Non-Top 100 User Ranks\",\"details\":\"The ability to see a user's rank when they're not ranked in the top 100. The rank is expected to be accessible by everyone.\"}","{\"category\":\"Handling Customer/Organization Information Disclosure\",\"details\":\"Information disclosure caused by a customer/organization on HackerOne; these reports will be closed as n/a, and we encourage you to report the information disclosure to the relevant program.\"}","{\"category\":\"Single or Many Username Information Disclosure\",\"details\":\"Usernames and email aliases are considered public information and would need to be paired with another attack to be exploited.\"}","{\"category\":\"Disclosure Contained Hacker’s Reports Inbox or Comments\",\"details\":\"If a hacker’s inbox appears in a public report or video, it’s not a security issue. Hackers and customers should avoid sharing sensitive info. 
If you spot any issues in our disclosed reports, you're welcome to let us know — we’ll mark it resolved, but it's not eligible for a reward.\"}","{\"category\":\"Disclosure of Private Programs\",\"details\":\"Private programs on HackerOne, as disclosed through reports, GraphQL queries, or their responses, do not impact the CIA triad and will be closed as informative. If sensitive data related to a program on HackerOne is discovered, we encourage you to report it. Each case will be reviewed individually.\"}","{\"category\":\"Integration Retroactive Sync\",\"details\":\"When integrations (Linear, Slack, Jira, etc.) are re-enabled after being disabled, all activities from the disabled period sync retroactively. This is by design to maintain\\ndata consistency.\"}","{\"category\":\"Public Sitemap Enumeration (hackerone.com/sitemap)\",\"details\":\"The sitemap at hackerone.com/sitemap is publicly available by design for SEO purposes. It lists public program pages and profiles that are already accessible. Reports about enumerability of this endpoint are considered informative, as the data is public and non-sensitive. This is intentional.\"}"],"timestamp":"2026-04-20T11:15:42.927Z"},{"id":3772844,"new_policy":"# Must Read\n\n## Header Requirements\n\nSet a custom HTTP header in all your testing traffic. Once again, report to us what header you set so we can identify it easily for deconfliction purposes.\n\n| **Identifier Type** | **Format** | **Example** |\n|----------------------|------------|--------------|\n| Your Username | `X-Bug-Bounty:HackerOne-\u003cusername\u003e` | `X-Bug-Bounty:HackerOne-username` |\n| Tool Identifier | `X-Bug-Bounty:\u003ctoolname\u003e` | `X-Bug-Bounty:BurpSuitePro` |\n\n--- \n\n-  **Scope Inclusions:** Third-party assets outside of our control. We cannot authorize you to test assets that we do not host. Any such reports will be closed as Informative, but on occasion, we may reward a bonus if value to HackerOne's security posture is demonstrated. Note that issues within our control always fall within the scope of our program. This includes correct asset configuration and vulnerabilities/patching relating to self-hosted assets.\n\n# Hint \u0026 Tips\n\n- **Sandboxes:**  HackerOne offers a sandbox for hackers to help them test program functionality for security vulnerabilities. 
To create a program, go [here](https://hackerone.com/teams/new/sandbox). You can select any product edition, giving you access to almost all features HackerOne offers. Hackers can create up to 30 programs in the sandbox.\n- **Existence of Invite-Only Programs:** HackerOne has six different program states that are important to understand: sandbox, invite-only, public, external program, external program + sandbox, and external program + invite-only. It is **only** a valid vulnerability when there is a difference between the sandbox and invite-only programs. It is **not** a vulnerability when you can't distinguish a sandboxed program from an invite-only program. You can use the following example program handles for your tests.\n\n| Program state | Program handle | ID | Node ID |\n| ------------- | -------------- | -- | ------- |\n| Sandbox | @security-test-sandbox | 49806 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDY=` |\n| Invite-only | @security-test-invite-only | 49807 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDc=` |\n| Public | @security | 13 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vMTM=` |\n| External program | @security-test-ep | 49803 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDM=` |\n| External program + sandbox | @security-test-ep-sandbox | 49804 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDQ=` |\n| External program + invite-only | @security-test-ep-invite-only | 49805 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDU=` |\n\n- **Other Object Identifiers for Proof of Concept:** You may use the following object identifiers to test again on hackerone.com. 
Feel free to use these for a proof of concept when submitting a report to us.\n\n| GraphQL ID | Class | ID | Note |\n| ---------- | ----- | -- | ---- |\n| `Z2lkOi8vaGFja2Vyb25lL1N0cnVjdHVyZWRTY29wZS81ODU3OQ==` | `StructuredScope` | 58579 | An asset belonging to @security-test-sandbox |\n| `Z2lkOi8vaGFja2Vyb25lL1N0cnVjdHVyZWRTY29wZS8xMDA1Nzg=` | `StructuredScope` | 100578 | An asset belonging to @security-test-invite-only |\n\n\n--- \n\n## DoS Testing Policy\n\n### 🚀 Rules Overview\n\n- Single request, single user, single IP only  \n- No automated tools or high-volume attacks  \n- Test **Mon–Thu**, **off-peak hours only** (9pm UTC – 6am UTC)  \n- Stop immediately if service degrades to avoid risk to bounty eligibility  \n- Mention your **IP** and **timezone** when the attack was conducted (for internal audit)  \n- Cache poisoning DoS will be evaluated on a **case-by-case** basis based on impact  \n\n### 💰 Reward\n\n- **DoS (Medium Severity):** $1,500 USD  \n ==Reports that include prohibited actions will **not** be eligible for a reward.==\n\n### ⚠️ Eligibility\n\nTo qualify for a DoS reward, findings must demonstrate measurable degradation of HackerOne's servers or infrastructure (e.g. increased response times, service unavailability, or resource exhaustion on our systems). \n\n---\n\n## Testing Guidelines\n\n### ✅ Allowed\n\n- Single-user realistic actions only  \n- Gradual testing (start with 1–2 requests)  \n- Cross-IP validation required (send requests from a single IP, cross-check service/delay from another IP)  \n- Immediate stop when impact is detected  \n\n### ❌ Prohibited\n\n- DDoS or multiple IPs  \n- Automated tools (scripts, bots, etc.)  \n- Resource exhaustion attacks  \n- Data corruption or manipulation  \n","has_open_scope":true,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":true,"disclosure_declaration":"Standard","introduction":"Welcome! 
We’re thrilled that you’re considering helping to make HackerOne even stronger. We’ve always prioritized security, but we know that every technology has its flaws. Your expertise is invaluable in uncovering these bugs. If you find a security issue in our service, we’re eager to collaborate with you to resolve it and ensure you receive fair compensation for your discovery. Happy Hacking!","platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":["{\"category\":\"Misleading Information from Hai AI Copilot\",\"details\":\"Manipulating Hai, our AI copilot, to produce misleading and false information. We continuously work to improve the accuracy of Hai’s responses but right now we accept that it will let us down sometimes.\"}","{\"category\":\"Host Header Validation and URL Path Issues\",\"details\":\"Reports which target a lack of host header validation or that exploit multiple forward slashes at the root of the path segment of a URL. Both of these issues are known to both us and Cloudflare, and their resolution is outside our control.\"}","{\"category\":\"Enumeration of Claimed User and Program Handles\",\"details\":\"Reports which enumerate already claimed user and program handles. This reveals no sensitive information, regardless of whether the associated profiles are public or private.\"}","{\"category\":\"Invitation Expiration Date Issues\",\"details\":\"Reports relating to invitation expiration dates.\"}","{\"category\":\"Gaming Badges Functionality\",\"details\":\"The ability to game the badges functionality by closing submissions reported by yourself or a team member in a verified program.\"}","{\"category\":\"Disclosure of Private Programs\",\"details\":\"Most reports which disclose the existence of private programs, for example, the usage of SAML.\"}","{\"category\":\"Viewing Non-Top 100 User Ranks\",\"details\":\"The ability to see a user's rank when they're not ranked in the top 100. 
The rank is expected to be accessible by everyone.\"}","{\"category\":\"Handling Customer/Organization Information Disclosure\",\"details\":\"Information disclosure caused by a customer/organization on HackerOne; these reports will be closed as n/a, and we encourage you to report the information disclosure to the relevant program.\"}","{\"category\":\"Single or Many Username Information Disclosure\",\"details\":\"Usernames and email aliases are considered public information and would need to be paired with another attack to be exploited.\"}","{\"category\":\"Disclosure Contained Hacker’s Reports Inbox or Comments\",\"details\":\"If a hacker’s inbox appears in a public report or video, it’s not a security issue. Hackers and customers should avoid sharing sensitive info. If you spot any issues in our disclosed reports, you're welcome to let us know — we’ll mark it resolved, but it's not eligible for a reward.\"}","{\"category\":\"Disclosure of Private Programs\",\"details\":\"Private programs on HackerOne, as disclosed through reports, GraphQL queries, or their responses, do not impact the CIA triad and will be closed as informative. If sensitive data related to a program on HackerOne is discovered, we encourage you to report it. Each case will be reviewed individually.\"}","{\"category\":\"Integration Retroactive Sync\",\"details\":\"When integrations (Linear, Slack, Jira, etc.) are re-enabled after being disabled, all activities from the disabled period sync retroactively. This is by design to maintain\\ndata consistency.\"}","{\"category\":\"Public Sitemap Enumeration (hackerone.com/sitemap)\",\"details\":\"The sitemap at hackerone.com/sitemap is publicly available by design for SEO purposes. It lists public program pages and profiles that are already accessible. Reports about enumerability of this endpoint are considered informative, as the data is public and non-sensitive. This is intentional.\"}"],"timestamp":"2026-04-20T11:14:53.288Z"},{"id":3772843,"new_policy":"# Must Read\n\n## Header Requirements\n\nSet a custom HTTP header in all your testing traffic. Once again, report to us what header you set so we can identify it easily for deconfliction purposes.\n\n| **Identifier Type** | **Format** | **Example** |\n|----------------------|------------|--------------|\n| Your Username | `X-Bug-Bounty:HackerOne-\u003cusername\u003e` | `X-Bug-Bounty:HackerOne-username` |\n| Tool Identifier | `X-Bug-Bounty:\u003ctoolname\u003e` | `X-Bug-Bounty:BurpSuitePro` |\n\n--- \n\n-  **Scope Inclusions:** Third-party assets outside of our control. We cannot authorize you to test assets that we do not host. 
Any such reports will be closed as Informative, but on occasion, we may reward a bonus if value to HackerOne's security posture is demonstrated. Note that issues within our control always fall within the scope of our program. This includes correct asset configuration and vulnerabilities/patching relating to self-hosted assets.\n\n# Hint \u0026 Tips\n\n- **Sandboxes:**  HackerOne offers a sandbox for hackers to help them test program functionality for security vulnerabilities. To create a program, go [here](https://hackerone.com/teams/new/sandbox). You can select any product edition, giving you access to almost all features HackerOne offers. Hackers can create up to 30 programs in the sandbox.\n- **Existence of Invite-Only Programs:** HackerOne has six different program states that are important to understand: sandbox, invite-only, public, external program, external program + sandbox, and external program + invite-only. It is **only** a valid vulnerability when there is a difference between the sandbox and invite-only programs. It is **not** a vulnerability when you can't distinguish a sandboxed program from an invite-only program. 
You can use the following example program handles for your tests.\n\n| Program state | Program handle | ID | Node ID |\n| ------------- | -------------- | -- | ------- |\n| Sandbox | @security-test-sandbox | 49806 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDY=` |\n| Invite-only | @security-test-invite-only | 49807 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDc=` |\n| Public | @security | 13 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vMTM=` |\n| External program | @security-test-ep | 49803 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDM=` |\n| External program + sandbox | @security-test-ep-sandbox | 49804 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDQ=` |\n| External program + invite-only | @security-test-ep-invite-only | 49805 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDU=` |\n\n- **Other Object Identifiers for Proof of Concept:** You may use the following object identifiers to test again on hackerone.com. Feel free to use these for a proof of concept when submitting a report to us.\n\n| GraphQL ID | Class | ID | Note |\n| ---------- | ----- | -- | ---- |\n| `Z2lkOi8vaGFja2Vyb25lL1N0cnVjdHVyZWRTY29wZS81ODU3OQ==` | `StructuredScope` | 58579 | An asset belonging to @security-test-sandbox |\n| `Z2lkOi8vaGFja2Vyb25lL1N0cnVjdHVyZWRTY29wZS8xMDA1Nzg=` | `StructuredScope` | 100578 | An asset belonging to @security-test-invite-only |\n\n\n--- \n\n## DoS Testing Policy\n\n### 🚀 Rules Overview\n\n- Single request, single user, single IP only  \n- No automated tools or high-volume attacks  \n- Test **Mon–Thu**, **off-peak hours only** (9pm UTC – 6am UTC)  \n- Stop immediately if service degrades to avoid risk to bounty eligibility  \n- Mention your **IP** and **timezone** when the attack was conducted (for internal audit)  \n- Cache poisoning DoS will be evaluated on a **case-by-case** basis based on impact  \n\n### 💰 Reward\n\n- **DoS (Medium Severity):** $1,500 USD  \n ==Reports that include prohibited actions will **not** be eligible for a reward.==\n\n### ⚠️ Eligibility\n\nTo qualify for a DoS reward, findings must 
demonstrate measurable degradation of HackerOne's servers or infrastructure (e.g. increased response times, service unavailability, or resource exhaustion on our systems). \n\n---\n\n## Testing Guidelines\n\n### ✅ Allowed\n\n- Single-user realistic actions only  \n- Gradual testing (start with 1–2 requests)  \n- Cross-IP validation required (send requests from a single IP, cross-check service/delay from another IP)  \n- Immediate stop when impact is detected  \n\n### ❌ Prohibited\n\n- DDoS or multiple IPs  \n- Automated tools (scripts, bots, etc.)  \n- Resource exhaustion attacks  \n- Data corruption or manipulation  \n","has_open_scope":true,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":true,"disclosure_declaration":"Standard","introduction":"Welcome! We’re thrilled that you’re considering helping to make HackerOne even stronger. We’ve always prioritized security, but we know that every technology has its flaws. Your expertise is invaluable in uncovering these bugs. If you find a security issue in our service, we’re eager to collaborate with you to resolve it and ensure you receive fair compensation for your discovery. Happy Hacking!","platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":["{\"category\":\"Misleading Information from Hai AI Copilot\",\"details\":\"Manipulating Hai, our AI copilot, to produce misleading and false information. We continuously work to improve the accuracy of Hai’s responses but right now we accept that it will let us down sometimes.\"}","{\"category\":\"Host Header Validation and URL Path Issues\",\"details\":\"Reports which target a lack of host header validation or that exploit multiple forward slashes at the root of the path segment of a URL. 
Both of these issues are known to both us and Cloudflare, and their resolution is outside our control.\"}","{\"category\":\"Enumeration of Claimed User and Program Handles\",\"details\":\"Reports which enumerate already claimed user and program handles. This reveals no sensitive information, regardless of whether the associated profiles are public or private.\"}","{\"category\":\"Invitation Expiration Date Issues\",\"details\":\"Reports relating to invitation expiration dates.\"}","{\"category\":\"Gaming Badges Functionality\",\"details\":\"The ability to game the badges functionality by closing submissions reported by yourself or a team member in a verified program.\"}","{\"category\":\"Disclosure of Private Programs\",\"details\":\"Most reports which disclose the existence of private programs, for example, the usage of SAML.\"}","{\"category\":\"Viewing Non-Top 100 User Ranks\",\"details\":\"The ability to see a user's rank when they're not ranked in the top 100. The rank is expected to be accessible by everyone.\"}","{\"category\":\"Handling Customer/Organization Information Disclosure\",\"details\":\"Information disclosure caused by a customer/organization on HackerOne; these reports will be closed as n/a, and we encourage you to report the information disclosure to the relevant program.\"}","{\"category\":\"Single or Many Username Information Disclosure\",\"details\":\"Usernames and email aliases are considered public information and would need to be paired with another attack to be exploited.\"}","{\"category\":\"Disclosure Contained Hacker’s Reports Inbox or Comments\",\"details\":\"If a hacker’s inbox appears in a public report or video, it’s not a security issue. Hackers and customers should avoid sharing sensitive info. 
If you spot any issues in our disclosed reports, you're welcome to let us know — we’ll mark it resolved, but it's not eligible for a reward.\"}","{\"category\":\"Disclosure of Private Programs\",\"details\":\"Private programs on HackerOne, as disclosed through reports, GraphQL queries, or their responses, do not impact the CIA triad and will be closed as informative. If sensitive data related to a program on HackerOne is discovered, we encourage you to report it. Each case will be reviewed individually.\"}","{\"category\":\"Integration Retroactive Sync\",\"details\":\"When integrations (Linear, Slack, Jira, etc.) are re-enabled after being disabled, all activities from the disabled period sync retroactively. This is by design to maintain\\ndata consistency.\"}","{\"category\":\"Public Sitemap Enumeration (hackerone.com/sitemap)\",\"details\":\"The sitemap at hackerone.com/sitemap is publicly available by design for SEO purposes. It lists public program pages and profiles that are already accessible. Reports about enumerability of this endpoint are considered informative, as the data is public and non-sensitive. This is intentional.\"}","{\"category\":\"Public Sitemap Enumeration (hackerone.com/sitemap)\",\"details\":\"The sitemap at hackerone.com/sitemap is publicly available by design for SEO purposes. It lists public program pages and profiles that are already accessible. Reports about enumerability of this endpoint are considered informative, as the data is public and non-sensitive. This is intentional.\"}","{\"category\":\"Public Sitemap Enumeration (hackerone.com/sitemap)\",\"details\":\"The sitemap at hackerone.com/sitemap is publicly available by design for SEO purposes. It lists public program pages and profiles that are already accessible. Reports about enumerability of this endpoint are considered informative, as the data is public and non-sensitive. 
This is intentional.\"}"],"timestamp":"2026-04-20T11:00:40.953Z"},{"id":3772842,"new_policy":"# Must Read\n\n## Header Requirements\n\nSet a custom HTTP header in all your testing traffic. Once again, report to us what header you set so we can identify it easily for deconfliction purposes.\n\n| **Identifier Type** | **Format** | **Example** |\n|----------------------|------------|--------------|\n| Your Username | `X-Bug-Bounty:HackerOne-\u003cusername\u003e` | `X-Bug-Bounty:HackerOne-username` |\n| Tool Identifier | `X-Bug-Bounty:\u003ctoolname\u003e` | `X-Bug-Bounty:BurpSuitePro` |\n\n--- \n\n-  **Scope Inclusions:** Third-party assets outside of our control. We cannot authorize you to test assets that we do not host. Any such reports will be closed as Informative, but on occasion, we may reward a bonus if value to HackerOne's security posture is demonstrated. Note that issues within our control always fall within the scope of our program. This includes correct asset configuration and vulnerabilities/patching relating to self-hosted assets.\n\n# Hint \u0026 Tips\n\n- **Sandboxes:**  HackerOne offers a sandbox for hackers to help them test program functionality for security vulnerabilities. To create a program, go [here](https://hackerone.com/teams/new/sandbox). You can select any product edition, giving you access to almost all features HackerOne offers. Hackers can create up to 30 programs in the sandbox.\n- **Existence of Invite-Only Programs:** HackerOne has six different program states that are important to understand: sandbox, invite-only, public, external program, external program + sandbox, and external program + invite-only. It is **only** a valid vulnerability when there is a difference between the sandbox and invite-only programs. It is **not** a vulnerability when you can't distinguish a sandboxed program from an invite-only program. 
You can use the following example program handles for your tests.\n\n| Program state | Program handle | ID | Node ID |\n| ------------- | -------------- | -- | ------- |\n| Sandbox | @security-test-sandbox | 49806 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDY=` |\n| Invite-only | @security-test-invite-only | 49807 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDc=` |\n| Public | @security | 13 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vMTM=` |\n| External program | @security-test-ep | 49803 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDM=` |\n| External program + sandbox | @security-test-ep-sandbox | 49804 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDQ=` |\n| External program + invite-only | @security-test-ep-invite-only | 49805 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDU=` |\n\n- **Other Object Identifiers for Proof of Concept:** You may use the following object identifiers to test again on hackerone.com. Feel free to use these for a proof of concept when submitting a report to us.\n\n| GraphQL ID | Class | ID | Note |\n| ---------- | ----- | -- | ---- |\n| `Z2lkOi8vaGFja2Vyb25lL1N0cnVjdHVyZWRTY29wZS81ODU3OQ==` | `StructuredScope` | 58579 | An asset belonging to @security-test-sandbox |\n| `Z2lkOi8vaGFja2Vyb25lL1N0cnVjdHVyZWRTY29wZS8xMDA1Nzg=` | `StructuredScope` | 100578 | An asset belonging to @security-test-invite-only |\n\n\n--- \n\n## DoS Testing Policy\n\n### 🚀 Rules Overview\n\n- Single request, single user, single IP only  \n- No automated tools or high-volume attacks  \n- Test **Mon–Thu**, **off-peak hours only** (9pm UTC – 6am UTC)  \n- Stop immediately if service degrades to avoid risk to bounty eligibility  \n- Mention your **IP** and **timezone** when the attack was conducted (for internal audit)  \n- Cache poisoning DoS will be evaluated on a **case-by-case** basis based on impact  \n\n### 💰 Reward\n\n- **DoS (Medium Severity):** $1,500 USD  \n ==Reports that include prohibited actions will **not** be eligible for a reward.==\n\n### ⚠️ Eligibility\n\nTo qualify for a DoS reward, findings must 
demonstrate measurable degradation of HackerOne's servers or infrastructure (e.g. increased response times, service unavailability, or resource exhaustion on our systems). \n\n---\n\n## Testing Guidelines\n\n### ✅ Allowed\n\n- Single-user realistic actions only  \n- Gradual testing (start with 1–2 requests)  \n- Cross-IP validation required (send requests from a single IP, cross-check service/delay from another IP)  \n- Immediate stop when impact is detected  \n\n### ❌ Prohibited\n\n- DDoS or multiple IPs  \n- Automated tools (scripts, bots, etc.)  \n- Resource exhaustion attacks  \n- Data corruption or manipulation  \n","has_open_scope":true,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":true,"disclosure_declaration":"Standard","introduction":"Welcome! We’re thrilled that you’re considering helping to make HackerOne even stronger. We’ve always prioritized security, but we know that every technology has its flaws. Your expertise is invaluable in uncovering these bugs. If you find a security issue in our service, we’re eager to collaborate with you to resolve it and ensure you receive fair compensation for your discovery. Happy Hacking!","platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":["{\"category\":\"Misleading Information from Hai AI Copilot\",\"details\":\"Manipulating Hai, our AI copilot, to produce misleading and false information. We continuously work to improve the accuracy of Hai’s responses but right now we accept that it will let us down sometimes.\"}","{\"category\":\"Host Header Validation and URL Path Issues\",\"details\":\"Reports which target a lack of host header validation or that exploit multiple forward slashes at the root of the path segment of a URL. 
Both of these issues are known to both us and Cloudflare, and their resolution is outside our control.\"}","{\"category\":\"Enumeration of Claimed User and Program Handles\",\"details\":\"Reports which enumerate already claimed user and program handles. This reveals no sensitive information, regardless of whether the associated profiles are public or private.\"}","{\"category\":\"Invitation Expiration Date Issues\",\"details\":\"Reports relating to invitation expiration dates.\"}","{\"category\":\"Gaming Badges Functionality\",\"details\":\"The ability to game the badges functionality by closing submissions reported by yourself or a team member in a verified program.\"}","{\"category\":\"Disclosure of Private Programs\",\"details\":\"Most reports which disclose the existence of private programs, for example, the usage of SAML.\"}","{\"category\":\"Viewing Non-Top 100 User Ranks\",\"details\":\"The ability to see a user's rank when they're not ranked in the top 100. The rank is expected to be accessible by everyone.\"}","{\"category\":\"Handling Customer/Organization Information Disclosure\",\"details\":\"Information disclosure caused by a customer/organization on HackerOne; these reports will be closed as n/a, and we encourage you to report the information disclosure to the relevant program.\"}","{\"category\":\"Single or Many Username Information Disclosure\",\"details\":\"Usernames and email aliases are considered public information and would need to be paired with another attack to be exploited.\"}","{\"category\":\"Disclosure Contained Hacker’s Reports Inbox or Comments\",\"details\":\"If a hacker’s inbox appears in a public report or video, it’s not a security issue. Hackers and customers should avoid sharing sensitive info. 
If you spot any issues in our disclosed reports, you're welcome to let us know — we’ll mark it resolved, but it's not eligible for a reward.\"}","{\"category\":\"Disclosure of Private Programs\",\"details\":\"Private programs on HackerOne, as disclosed through reports, GraphQL queries, or their responses, do not impact the CIA triad and will be closed as informative. If sensitive data related to a program on HackerOne is discovered, we encourage you to report it. Each case will be reviewed individually.\"}","{\"category\":\"Integration Retroactive Sync\",\"details\":\"When integrations (Linear, Slack, Jira, etc.) are re-enabled after being disabled, all activities from the disabled period sync retroactively. This is by design to maintain\\ndata consistency.\"}","{\"category\":\"Public Sitemap Enumeration (hackerone.com/sitemap)\",\"details\":\"The sitemap at hackerone.com/sitemap is publicly available by design for SEO purposes. It lists public program pages and profiles that are already accessible. Reports about enumerability of this endpoint are considered informative, as the data is public and non-sensitive. This is intentional.\"}","{\"category\":\"Public Sitemap Enumeration (hackerone.com/sitemap)\",\"details\":\"The sitemap at hackerone.com/sitemap is publicly available by design for SEO purposes. It lists public program pages and profiles that are already accessible. Reports about enumerability of this endpoint are considered informative, as the data is public and non-sensitive. This is intentional.\"}"],"timestamp":"2026-04-20T10:50:25.208Z"},{"id":3772711,"new_policy":"# Must Read\n\n## Header Requirements\n\nSet a custom HTTP header in all your testing traffic. 
Once again, report to us what header you set so we can identify it easily for deconfliction purposes.\n\n| **Identifier Type** | **Format** | **Example** |\n|----------------------|------------|--------------|\n| Your Username | `X-Bug-Bounty:HackerOne-\u003cusername\u003e` | `X-Bug-Bounty:HackerOne-username` |\n| Tool Identifier | `X-Bug-Bounty:\u003ctoolname\u003e` | `X-Bug-Bounty:BurpSuitePro` |\n\n--- \n\n-  **Scope Inclusions:** Third-party assets outside of our control. We cannot authorize you to test assets that we do not host. Any such reports will be closed as Informative, but on occasion, we may reward a bonus if value to HackerOne's security posture is demonstrated. Note that issues within our control always fall within the scope of our program. This includes correct asset configuration and vulnerabilities/patching relating to self-hosted assets.\n\n# Hint \u0026 Tips\n\n- **Sandboxes:**  HackerOne offers a sandbox for hackers to help them test program functionality for security vulnerabilities. To create a program, go [here](https://hackerone.com/teams/new/sandbox). You can select any product edition, giving you access to almost all features HackerOne offers. Hackers can create up to 30 programs in the sandbox.\n- **Existence of Invite-Only Programs:** HackerOne has six different program states that are important to understand: sandbox, invite-only, public, external program, external program + sandbox, and external program + invite-only. It is **only** a valid vulnerability when there is a difference between the sandbox and invite-only programs. It is **not** a vulnerability when you can't distinguish a sandboxed program from an invite-only program. 
You can use the following example program handles for your tests.\n\n| Program state | Program handle | ID | Node ID |\n| ------------- | -------------- | -- | ------- |\n| Sandbox | @security-test-sandbox | 49806 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDY=` |\n| Invite-only | @security-test-invite-only | 49807 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDc=` |\n| Public | @security | 13 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vMTM=` |\n| External program | @security-test-ep | 49803 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDM=` |\n| External program + sandbox | @security-test-ep-sandbox | 49804 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDQ=` |\n| External program + invite-only | @security-test-ep-invite-only | 49805 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDU=` |\n\n- **Other Object Identifiers for Proof of Concept:** You may use the following object identifiers to test again on hackerone.com. Feel free to use these for a proof of concept when submitting a report to us.\n\n| GraphQL ID | Class | ID | Note |\n| ---------- | ----- | -- | ---- |\n| `Z2lkOi8vaGFja2Vyb25lL1N0cnVjdHVyZWRTY29wZS81ODU3OQ==` | `StructuredScope` | 58579 | An asset belonging to @security-test-sandbox |\n| `Z2lkOi8vaGFja2Vyb25lL1N0cnVjdHVyZWRTY29wZS8xMDA1Nzg=` | `StructuredScope` | 100578 | An asset belonging to @security-test-invite-only |\n\n\n--- \n\n## DoS Testing Policy\n\n### 🚀 Rules Overview\n\n- Single request, single user, single IP only  \n- No automated tools or high-volume attacks  \n- Test **Mon–Thu**, **off-peak hours only** (9pm UTC – 6am UTC)  \n- Stop immediately if service degrades to avoid risk to bounty eligibility  \n- Mention your **IP** and **timezone** when the attack was conducted (for internal audit)  \n- Cache poisoning DoS will be evaluated on a **case-by-case** basis based on impact  \n\n### 💰 Reward\n\n- **DoS (Medium Severity):** $1,500 USD  \n ==Reports that include prohibited actions will **not** be eligible for a reward.==\n\n### ⚠️ Eligibility\n\nTo qualify for a DoS reward, findings must 
demonstrate measurable degradation of HackerOne's servers or infrastructure (e.g. increased response times, service unavailability, or resource exhaustion on our systems). \n\n---\n\n## Testing Guidelines\n\n### ✅ Allowed\n\n- Single-user realistic actions only  \n- Gradual testing (start with 1–2 requests)  \n- Cross-IP validation required (send requests from a single IP, cross-check service/delay from another IP)  \n- Immediate stop when impact is detected  \n\n### ❌ Prohibited\n\n- DDoS or multiple IPs  \n- Automated tools (scripts, bots, etc.)  \n- Resource exhaustion attacks  \n- Data corruption or manipulation  \n","has_open_scope":true,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":true,"disclosure_declaration":"Standard","introduction":"Welcome! We’re thrilled that you’re considering helping to make HackerOne even stronger. We’ve always prioritized security, but we know that every technology has its flaws. Your expertise is invaluable in uncovering these bugs. If you find a security issue in our service, we’re eager to collaborate with you to resolve it and ensure you receive fair compensation for your discovery. Happy Hacking!","platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":["{\"category\":\"Misleading Information from Hai AI Copilot\",\"details\":\"Manipulating Hai, our AI copilot, to produce misleading and false information. We continuously work to improve the accuracy of Hai’s responses but right now we accept that it will let us down sometimes.\"}","{\"category\":\"Host Header Validation and URL Path Issues\",\"details\":\"Reports which target a lack of host header validation or that exploit multiple forward slashes at the root of the path segment of a URL. 
Both of these issues are known to both us and Cloudflare, and their resolution is outside our control.\"}","{\"category\":\"Enumeration of Claimed User and Program Handles\",\"details\":\"Reports which enumerate already claimed user and program handles. This reveals no sensitive information, regardless of whether the associated profiles are public or private.\"}","{\"category\":\"Invitation Expiration Date Issues\",\"details\":\"Reports relating to invitation expiration dates.\"}","{\"category\":\"Gaming Badges Functionality\",\"details\":\"The ability to game the badges functionality by closing submissions reported by yourself or a team member in a verified program.\"}","{\"category\":\"Disclosure of Private Programs\",\"details\":\"Most reports which disclose the existence of private programs, for example, the usage of SAML.\"}","{\"category\":\"Viewing Non-Top 100 User Ranks\",\"details\":\"The ability to see a user's rank when they're not ranked in the top 100. The rank is expected to be accessible by everyone.\"}","{\"category\":\"Handling Customer/Organization Information Disclosure\",\"details\":\"Information disclosure caused by a customer/organization on HackerOne; these reports will be closed as n/a, and we encourage you to report the information disclosure to the relevant program.\"}","{\"category\":\"Single or Many Username Information Disclosure\",\"details\":\"Usernames and email aliases are considered public information and would need to be paired with another attack to be exploited.\"}","{\"category\":\"Disclosure Contained Hacker’s Reports Inbox or Comments\",\"details\":\"If a hacker’s inbox appears in a public report or video, it’s not a security issue. Hackers and customers should avoid sharing sensitive info. 
If you spot any issues in our disclosed reports, you're welcome to let us know — we’ll mark it resolved, but it's not eligible for a reward.\"}","{\"category\":\"Disclosure of Private Programs\",\"details\":\"Private programs on HackerOne, as disclosed through reports, GraphQL queries, or their responses, do not impact the CIA triad and will be closed as informative. If sensitive data related to a program on HackerOne is discovered, we encourage you to report it. Each case will be reviewed individually.\"}","{\"category\":\"Integration Retroactive Sync\",\"details\":\"When integrations (Linear, Slack, Jira, etc.) are re-enabled after being disabled, all activities from the disabled period sync retroactively. This is by design to maintain\\ndata consistency.\"}","{\"category\":\"Public Sitemap Enumeration (hackerone.com/sitemap)\",\"details\":\"The sitemap at hackerone.com/sitemap is publicly available by design for SEO purposes. It lists public program pages and profiles that are already accessible. Reports about enumerability of this endpoint are considered informative, as the data is public and non-sensitive. This is intentional.\"}"],"timestamp":"2026-04-16T14:40:23.353Z"},{"id":3772521,"new_policy":"# Must Read\n\n## Header Requirements\n\nSet a custom HTTP header in all your testing traffic. Once again, report to us what header you set so we can identify it easily for deconfliction purposes.\n\n| **Identifier Type** | **Format** | **Example** |\n|----------------------|------------|--------------|\n| Your Username | `X-Bug-Bounty:HackerOne-\u003cusername\u003e` | `X-Bug-Bounty:HackerOne-username` |\n| Tool Identifier | `X-Bug-Bounty:\u003ctoolname\u003e` | `X-Bug-Bounty:BurpSuitePro` |\n\n--- \n\n-  **Scope Inclusions:** Third-party assets outside of our control. We cannot authorize you to test assets that we do not host. 
Any such reports will be closed as Informative, but on occasion, we may reward a bonus if value to HackerOne's security posture is demonstrated. Note that issues within our control always fall within the scope of our program. This includes correct asset configuration and vulnerabilities/patching relating to self-hosted assets.\n\n# Hint \u0026 Tips\n\n- **Sandboxes:**  HackerOne offers a sandbox for hackers to help them test program functionality for security vulnerabilities. To create a program, go [here](https://hackerone.com/teams/new/sandbox). You can select any product edition, giving you access to almost all features HackerOne offers. Hackers can create up to 30 programs in the sandbox.\n- **Existence of Invite-Only Programs:** HackerOne has six different program states that are important to understand: sandbox, invite-only, public, external program, external program + sandbox, and external program + invite-only. It is **only** a valid vulnerability when there is a difference between the sandbox and invite-only programs. It is **not** a vulnerability when you can't distinguish a sandboxed program from an invite-only program. 
You can use the following example program handles for your tests.\n\n| Program state | Program handle | ID | Node ID |\n| ------------- | -------------- | -- | ------- |\n| Sandbox | @security-test-sandbox | 49806 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDY=` |\n| Invite-only | @security-test-invite-only | 49807 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDc=` |\n| Public | @security | 13 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vMTM=` |\n| External program | @security-test-ep | 49803 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDM=` |\n| External program + sandbox | @security-test-ep-sandbox | 49804 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDQ=` |\n| External program + invite-only | @security-test-ep-invite-only | 49805 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDU=` |\n\n- **Other Object Identifiers for Proof of Concept:** You may use the following object identifiers to test again on hackerone.com. Feel free to use these for a proof of concept when submitting a report to us.\n\n| GraphQL ID | Class | ID | Note |\n| ---------- | ----- | -- | ---- |\n| `Z2lkOi8vaGFja2Vyb25lL1N0cnVjdHVyZWRTY29wZS81ODU3OQ==` | `StructuredScope` | 58579 | An asset belonging to @security-test-sandbox |\n| `Z2lkOi8vaGFja2Vyb25lL1N0cnVjdHVyZWRTY29wZS8xMDA1Nzg=` | `StructuredScope` | 100578 | An asset belonging to @security-test-invite-only |\n\n\n--- \n\n## DoS Testing Policy\n\n### 🚀 Rules Overview\n\n- Single request, single user, single IP only  \n- No automated tools or high-volume attacks  \n- Test **Mon–Thu**, **off-peak hours only** (9pm UTC – 6am UTC)  \n- Stop immediately if service degrades to avoid risk to bounty eligibility  \n- Mention your **IP** and **timezone** when the attack was conducted (for internal audit)  \n- Cache poisoning DoS will be evaluated on a **case-by-case** basis based on impact  \n\n### 💰 Reward\n\n- **DoS (Medium Severity):** $1,500 USD  \n ==Reports that include prohibited actions will **not** be eligible for a reward.==\n\n### ⚠️ Eligibility\n\nTo qualify for a DoS reward, findings must 
demonstrate measurable degradation of HackerOne's servers or infrastructure (e.g. increased response times, service unavailability, or resource exhaustion on our systems). \n\n---\n\n## Testing Guidelines\n\n### ✅ Allowed\n\n- Single-user realistic actions only  \n- Gradual testing (start with 1–2 requests)  \n- Cross-IP validation required (send requests from a single IP, cross-check service/delay from another IP)  \n- Immediate stop when impact is detected  \n\n### ❌ Prohibited\n\n- DDoS or multiple IPs  \n- Automated tools (scripts, bots, etc.)  \n- Resource exhaustion attacks  \n- Data corruption or manipulation  \n","has_open_scope":true,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":true,"disclosure_declaration":"Standard","introduction":"Welcome! We’re thrilled that you’re considering helping to make HackerOne even stronger. We’ve always prioritized security, but we know that every technology has its flaws. Your expertise is invaluable in uncovering these bugs. If you find a security issue in our service, we’re eager to collaborate with you to resolve it and ensure you receive fair compensation for your discovery. Happy Hacking!","platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":["{\"category\":\"Misleading Information from Hai AI Copilot\",\"details\":\"Manipulating Hai, our AI copilot, to produce misleading and false information. We continuously work to improve the accuracy of Hai’s responses but right now we accept that it will let us down sometimes.\"}","{\"category\":\"Host Header Validation and URL Path Issues\",\"details\":\"Reports which target a lack of host header validation or that exploit multiple forward slashes at the root of the path segment of a URL. 
Both of these issues are known to both us and Cloudflare, and their resolution is outside our control.\"}","{\"category\":\"Enumeration of Claimed User and Program Handles\",\"details\":\"Reports which enumerate already claimed user and program handles. This reveals no sensitive information, regardless of whether the associated profiles are public or private.\"}","{\"category\":\"Invitation Expiration Date Issues\",\"details\":\"Reports relating to invitation expiration dates.\"}","{\"category\":\"Gaming Badges Functionality\",\"details\":\"The ability to game the badges functionality by closing submissions reported by yourself or a team member in a verified program.\"}","{\"category\":\"Disclosure of Private Programs\",\"details\":\"Most reports which disclose the existence of private programs, for example, the usage of SAML.\"}","{\"category\":\"Viewing Non-Top 100 User Ranks\",\"details\":\"The ability to see a user's rank when they're not ranked in the top 100. The rank is expected to be accessible by everyone.\"}","{\"category\":\"Handling Customer/Organization Information Disclosure\",\"details\":\"Information disclosure caused by a customer/organization on HackerOne; these reports will be closed as n/a, and we encourage you to report the information disclosure to the relevant program.\"}","{\"category\":\"Single or Many Username Information Disclosure\",\"details\":\"Usernames and email aliases are considered public information and would need to be paired with another attack to be exploited.\"}","{\"category\":\"Disclosure Contained Hacker’s Reports Inbox or Comments\",\"details\":\"If a hacker’s inbox appears in a public report or video, it’s not a security issue. Hackers and customers should avoid sharing sensitive info. 
If you spot any issues in our disclosed reports, you're welcome to let us know — we’ll mark it resolved, but it's not eligible for a reward.\"}","{\"category\":\"Disclosure of Private Programs\",\"details\":\"Private programs on HackerOne, as disclosed through reports, GraphQL queries, or their responses, do not impact the CIA triad and will be closed as informative. If sensitive data related to a program on HackerOne is discovered, we encourage you to report it. Each case will be reviewed individually.\"}","{\"category\":\"Integration Retroactive Sync\",\"details\":\"When integrations (Linear, Slack, Jira, etc.) are re-enabled after being disabled, all activities from the disabled period sync retroactively. This is by design to maintain\\ndata consistency.\"}"],"timestamp":"2026-04-13T07:10:50.724Z"},{"id":3771436,"new_policy":"# Must Read\n\n## Header Requirements\n\nSet a custom HTTP header in all your testing traffic. Once again, report to us what header you set so we can identify it easily for deconfliction purposes.\n\n| **Identifier Type** | **Format** | **Example** |\n|----------------------|------------|--------------|\n| Your Username | `X-Bug-Bounty:HackerOne-\u003cusername\u003e` | `X-Bug-Bounty:HackerOne-username` |\n| Tool Identifier | `X-Bug-Bounty:\u003ctoolname\u003e` | `X-Bug-Bounty:BurpSuitePro` |\n\n--- \n\n-  **Scope Inclusions:** Third-party assets outside of our control. We cannot authorize you to test assets that we do not host. Any such reports will be closed as Informative, but on occasion, we may reward a bonus if value to HackerOne's security posture is demonstrated. Note that issues within our control always fall within the scope of our program. This includes correct asset configuration and vulnerabilities/patching relating to self-hosted assets.\n\n# Hint \u0026 Tips\n\n- **Sandboxes:**  HackerOne offers a sandbox for hackers to help them test program functionality for security vulnerabilities. 
To create a program, go [here](https://hackerone.com/teams/new/sandbox). You can select any product edition, giving you access to almost all features HackerOne offers. Hackers can create up to 30 programs in the sandbox.\n- **Existence of Invite-Only Programs:** HackerOne has six different program states that are important to understand: sandbox, invite-only, public, external program, external program + sandbox, and external program + invite-only. It is **only** a valid vulnerability when there is a difference between the sandbox and invite-only programs. It is **not** a vulnerability when you can't distinguish a sandboxed program from an invite-only program. You can use the following example program handles for your tests.\n\n| Program state | Program handle | ID | Node ID |\n| ------------- | -------------- | -- | ------- |\n| Sandbox | @security-test-sandbox | 49806 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDY=` |\n| Invite-only | @security-test-invite-only | 49807 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDc=` |\n| Public | @security | 13 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vMTM=` |\n| External program | @security-test-ep | 49803 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDM=` |\n| External program + sandbox | @security-test-ep-sandbox | 49804 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDQ=` |\n| External program + invite-only | @security-test-ep-invite-only | 49805 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDU=` |\n\n- **Other Object Identifiers for Proof of Concept:** You may use the following object identifiers to test against on hackerone.com. 
Feel free to use these for a proof of concept when submitting a report to us.\n\n| GraphQL ID | Class | ID | Note |\n| ---------- | ----- | -- | ---- |\n| `Z2lkOi8vaGFja2Vyb25lL1N0cnVjdHVyZWRTY29wZS81ODU3OQ==` | `StructuredScope` | 58579 | An asset belonging to @security-test-sandbox |\n| `Z2lkOi8vaGFja2Vyb25lL1N0cnVjdHVyZWRTY29wZS8xMDA1Nzg=` | `StructuredScope` | 100578 | An asset belonging to @security-test-invite-only |\n\n\n--- \n\n## DoS Testing Policy\n\n### 🚀 Rules Overview\n\n- Single request, single user, single IP only  \n- No automated tools or high-volume attacks  \n- Test **Mon–Thu**, **off-peak hours only** (9pm UTC – 6am UTC)  \n- Stop immediately if service degrades to avoid risk to bounty eligibility  \n- Mention your **IP** and **timezone** when the attack was conducted (for internal audit)  \n- Cache poisoning DoS will be evaluated on a **case-by-case** basis based on impact  \n\n### 💰 Reward\n\n- **DoS (Medium Severity):** $2,500 USD  \n ==Reports that include prohibited actions will **not** be eligible for a reward.==\n\n### ⚠️ Eligibility\n\nTo qualify for a DoS reward, findings must demonstrate measurable degradation of HackerOne's servers or infrastructure (e.g. increased response times, service unavailability, or resource exhaustion on our systems). \n\n---\n\n## Testing Guidelines\n\n### ✅ Allowed\n\n- Single-user realistic actions only  \n- Gradual testing (start with 1–2 requests)  \n- Cross-IP validation required (send requests from a single IP, cross-check service/delay from another IP)  \n- Immediate stop when impact is detected  \n\n### ❌ Prohibited\n\n- DDoS or multiple IPs  \n- Automated tools (scripts, bots, etc.)  \n- Resource exhaustion attacks  \n- Data corruption or manipulation  \n","has_open_scope":true,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":true,"disclosure_declaration":"Standard","introduction":"Welcome! 
We’re thrilled that you’re considering helping to make HackerOne even stronger. We’ve always prioritized security, but we know that every technology has its flaws. Your expertise is invaluable in uncovering these bugs. If you find a security issue in our service, we’re eager to collaborate with you to resolve it and ensure you receive fair compensation for your discovery. Happy Hacking!","platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":["{\"category\":\"Misleading Information from Hai AI Copilot\",\"details\":\"Manipulating Hai, our AI copilot, to produce misleading and false information. We continuously work to improve the accuracy of Hai’s responses but right now we accept that it will let us down sometimes.\"}","{\"category\":\"Host Header Validation and URL Path Issues\",\"details\":\"Reports which target a lack of host header validation or that exploit multiple forward slashes at the root of the path segment of a URL. Both of these issues are known to both us and Cloudflare, and their resolution is outside our control.\"}","{\"category\":\"Enumeration of Claimed User and Program Handles\",\"details\":\"Reports which enumerate already claimed user and program handles. This reveals no sensitive information, regardless of whether the associated profiles are public or private.\"}","{\"category\":\"Invitation Expiration Date Issues\",\"details\":\"Reports relating to invitation expiration dates.\"}","{\"category\":\"Gaming Badges Functionality\",\"details\":\"The ability to game the badges functionality by closing submissions reported by yourself or a team member in a verified program.\"}","{\"category\":\"Disclosure of Private Programs\",\"details\":\"Most reports which disclose the existence of private programs, for example, the usage of SAML.\"}","{\"category\":\"Viewing Non-Top 100 User Ranks\",\"details\":\"The ability to see a user's rank when they're not ranked in the top 100. 
The rank is expected to be accessible by everyone.\"}","{\"category\":\"Handling Customer/Organization Information Disclosure\",\"details\":\"Information disclosure caused by a customer/organization on HackerOne; these reports will be closed as n/a, and we encourage you to report the information disclosure to the relevant program.\"}","{\"category\":\"Single or Many Username Information Disclosure\",\"details\":\"Usernames and email aliases are considered public information and would need to be paired with another attack to be exploited.\"}","{\"category\":\"Disclosure Contained Hacker’s Reports Inbox or Comments\",\"details\":\"If a hacker’s inbox appears in a public report or video, it’s not a security issue. Hackers and customers should avoid sharing sensitive info. If you spot any issues in our disclosed reports, you're welcome to let us know — we’ll mark it resolved, but it's not eligible for a reward.\"}","{\"category\":\"Disclosure of Private Programs\",\"details\":\"Private programs on HackerOne, as disclosed through reports, GraphQL queries, or their responses, do not impact the CIA triad and will be closed as informative. If sensitive data related to a program on HackerOne is discovered, we encourage you to report it. Each case will be reviewed individually.\"}","{\"category\":\"Integration Retroactive Sync\",\"details\":\"When integrations (Linear, Slack, Jira, etc.) are re-enabled after being disabled, all activities from the disabled period sync retroactively. This is by design to maintain\\ndata consistency.\"}"],"timestamp":"2026-03-20T15:36:01.099Z"},{"id":3768933,"new_policy":"# Must Read\n\n## Header Requirements\n\nSet a custom HTTP header in all your testing traffic. 
Once again, report to us what header you set so we can identify it easily for deconfliction purposes.\n\n| **Identifier Type** | **Format** | **Example** |\n|----------------------|------------|--------------|\n| Your Username | `X-Bug-Bounty:HackerOne-\u003cusername\u003e` | `X-Bug-Bounty:HackerOne-username` |\n| Tool Identifier | `X-Bug-Bounty:\u003ctoolname\u003e` | `X-Bug-Bounty:BurpSuitePro` |\n\n--- \n\n-  **Scope Inclusions:** Third-party assets outside of our control. We cannot authorize you to test assets that we do not host. Any such reports will be closed as Informative, but on occasion, we may reward a bonus if value to HackerOne's security posture is demonstrated. Note that issues within our control always fall within the scope of our program. This includes correct asset configuration and vulnerabilities/patching relating to self-hosted assets.\n\n# Hints \u0026 Tips\n\n- **Sandboxes:**  HackerOne offers a sandbox for hackers to help them test program functionality for security vulnerabilities. To create a program, go [here](https://hackerone.com/teams/new/sandbox). You can select any product edition, giving you access to almost all features HackerOne offers. Hackers can create up to 30 programs in the sandbox.\n- **Existence of Invite-Only Programs:** HackerOne has six different program states that are important to understand: sandbox, invite-only, public, external program, external program + sandbox, and external program + invite-only. It is **only** a valid vulnerability when there is a difference between the sandbox and invite-only programs. It is **not** a vulnerability when you can't distinguish a sandboxed program from an invite-only program. 
You can use the following example program handles for your tests.\n\n| Program state | Program handle | ID | Node ID |\n| ------------- | -------------- | -- | ------- |\n| Sandbox | @security-test-sandbox | 49806 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDY=` |\n| Invite-only | @security-test-invite-only | 49807 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDc=` |\n| Public | @security | 13 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vMTM=` |\n| External program | @security-test-ep | 49803 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDM=` |\n| External program + sandbox | @security-test-ep-sandbox | 49804 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDQ=` |\n| External program + invite-only | @security-test-ep-invite-only | 49805 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDU=` |\n\n- **Other Object Identifiers for Proof of Concept:** You may use the following object identifiers to test against on hackerone.com. Feel free to use these for a proof of concept when submitting a report to us.\n\n| GraphQL ID | Class | ID | Note |\n| ---------- | ----- | -- | ---- |\n| `Z2lkOi8vaGFja2Vyb25lL1N0cnVjdHVyZWRTY29wZS81ODU3OQ==` | `StructuredScope` | 58579 | An asset belonging to @security-test-sandbox |\n| `Z2lkOi8vaGFja2Vyb25lL1N0cnVjdHVyZWRTY29wZS8xMDA1Nzg=` | `StructuredScope` | 100578 | An asset belonging to @security-test-invite-only |\n\n\n--- \n\n## DoS Testing Policy\n\n### 🚀 Rules Overview\n\n- Single request, single user, single IP only  \n- No automated tools or high-volume attacks  \n- Test **Mon–Thu**, **off-peak hours only** (9pm UTC – 6am UTC)  \n- Stop immediately if service degrades to avoid risk to bounty eligibility  \n- Mention your **IP** and **timezone** when the attack was conducted (for internal audit)  \n- Cache poisoning DoS will be evaluated on a **case-by-case** basis based on impact  \n\n### 💰 Reward\n\n- **DoS (Medium Severity):** $2,500 USD  \n ==Reports that include prohibited actions will **not** be eligible for a reward.==\n\n---\n\n## Testing Guidelines\n\n### ✅ Allowed\n\n- Single-user realistic 
actions only  \n- Gradual testing (start with 1–2 requests)  \n- Cross-IP validation required (send requests from a single IP, cross-check service/delay from another IP)  \n- Immediate stop when impact is detected  \n\n### ❌ Prohibited\n\n- DDoS or multiple IPs  \n- Automated tools (scripts, bots, etc.)  \n- Resource exhaustion attacks  \n- Data corruption or manipulation  \n","has_open_scope":true,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":true,"disclosure_declaration":"Standard","introduction":"Welcome! We’re thrilled that you’re considering helping to make HackerOne even stronger. We’ve always prioritized security, but we know that every technology has its flaws. Your expertise is invaluable in uncovering these bugs. If you find a security issue in our service, we’re eager to collaborate with you to resolve it and ensure you receive fair compensation for your discovery. Happy Hacking!","platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":["{\"category\":\"Misleading Information from Hai AI Copilot\",\"details\":\"Manipulating Hai, our AI copilot, to produce misleading and false information. We continuously work to improve the accuracy of Hai’s responses but right now we accept that it will let us down sometimes.\"}","{\"category\":\"Host Header Validation and URL Path Issues\",\"details\":\"Reports which target a lack of host header validation or that exploit multiple forward slashes at the root of the path segment of a URL. Both of these issues are known to both us and Cloudflare, and their resolution is outside our control.\"}","{\"category\":\"Enumeration of Claimed User and Program Handles\",\"details\":\"Reports which enumerate already claimed user and program handles. 
This reveals no sensitive information, regardless of whether the associated profiles are public or private.\"}","{\"category\":\"Invitation Expiration Date Issues\",\"details\":\"Reports relating to invitation expiration dates.\"}","{\"category\":\"Gaming Badges Functionality\",\"details\":\"The ability to game the badges functionality by closing submissions reported by yourself or a team member in a verified program.\"}","{\"category\":\"Disclosure of Private Programs\",\"details\":\"Most reports which disclose the existence of private programs, for example, the usage of SAML.\"}","{\"category\":\"Viewing Non-Top 100 User Ranks\",\"details\":\"The ability to see a user's rank when they're not ranked in the top 100. The rank is expected to be accessible by everyone.\"}","{\"category\":\"Handling Customer/Organization Information Disclosure\",\"details\":\"Information disclosure caused by a customer/organization on HackerOne; these reports will be closed as n/a, and we encourage you to report the information disclosure to the relevant program.\"}","{\"category\":\"Single or Many Username Information Disclosure\",\"details\":\"Usernames and email aliases are considered public information and would need to be paired with another attack to be exploited.\"}","{\"category\":\"Disclosure Contained Hacker’s Reports Inbox or Comments\",\"details\":\"If a hacker’s inbox appears in a public report or video, it’s not a security issue. Hackers and customers should avoid sharing sensitive info. If you spot any issues in our disclosed reports, you're welcome to let us know — we’ll mark it resolved, but it's not eligible for a reward.\"}","{\"category\":\"Disclosure of Private Programs\",\"details\":\"Private programs on HackerOne, as disclosed through reports, GraphQL queries, or their responses, do not impact the CIA triad and will be closed as informative. If sensitive data related to a program on HackerOne is discovered, we encourage you to report it. 
Each case will be reviewed individually.\"}","{\"category\":\"Integration Retroactive Sync\",\"details\":\"When integrations (Linear, Slack, Jira, etc.) are re-enabled after being disabled, all activities from the disabled period sync retroactively. This is by design to maintain\\ndata consistency.\"}"],"timestamp":"2026-01-29T12:10:15.806Z"},{"id":3768551,"new_policy":"# Must Read\n\n## Header Requirements\n\nSet a custom HTTP header in all your testing traffic. Once again, report to us what header you set so we can identify it easily for deconfliction purposes.\n\n| **Identifier Type** | **Format** | **Example** |\n|----------------------|------------|--------------|\n| Your Username | `X-Bug-Bounty:HackerOne-\u003cusername\u003e` | `X-Bug-Bounty:HackerOne-username` |\n| Tool Identifier | `X-Bug-Bounty:\u003ctoolname\u003e` | `X-Bug-Bounty:BurpSuitePro` |\n\n--- \n\n-  **Scope Inclusions:** Third-party assets outside of our control. We cannot authorize you to test assets that we do not host. Any such reports will be closed as Informative, but on occasion, we may reward a bonus if value to HackerOne's security posture is demonstrated. Note that issues within our control always fall within the scope of our program. This includes correct asset configuration and vulnerabilities/patching relating to self-hosted assets.\n\n# Hints \u0026 Tips\n\n- **Sandboxes:**  HackerOne offers a sandbox for hackers to help them test program functionality for security vulnerabilities. To create a program, go [here](https://hackerone.com/teams/new/sandbox). You can select any product edition, giving you access to almost all features HackerOne offers. Hackers can create up to 30 programs in the sandbox.\n- **Existence of Invite-Only Programs:** HackerOne has six different program states that are important to understand: sandbox, invite-only, public, external program, external program + sandbox, and external program + invite-only. 
It is **only** a valid vulnerability when there is a difference between the sandbox and invite-only programs. It is **not** a vulnerability when you can't distinguish a sandboxed program from an invite-only program. You can use the following example program handles for your tests.\n\n| Program state | Program handle | ID | Node ID |\n| ------------- | -------------- | -- | ------- |\n| Sandbox | @security-test-sandbox | 49806 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDY=` |\n| Invite-only | @security-test-invite-only | 49807 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDc=` |\n| Public | @security | 13 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vMTM=` |\n| External program | @security-test-ep | 49803 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDM=` |\n| External program + sandbox | @security-test-ep-sandbox | 49804 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDQ=` |\n| External program + invite-only | @security-test-ep-invite-only | 49805 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDU=` |\n\n- **Other Object Identifiers for Proof of Concept:** You may use the following object identifiers to test against on hackerone.com. 
Feel free to use these for a proof of concept when submitting a report to us.\n\n| GraphQL ID | Class | ID | Note |\n| ---------- | ----- | -- | ---- |\n| `Z2lkOi8vaGFja2Vyb25lL1N0cnVjdHVyZWRTY29wZS81ODU3OQ==` | `StructuredScope` | 58579 | An asset belonging to @security-test-sandbox |\n| `Z2lkOi8vaGFja2Vyb25lL1N0cnVjdHVyZWRTY29wZS8xMDA1Nzg=` | `StructuredScope` | 100578 | An asset belonging to @security-test-invite-only |\n\n\n--- \n\n## DoS Testing Policy\n\n### 🚀 Rules Overview\n\n- Single request, single user, single IP only  \n- No automated tools or high-volume attacks  \n- Test **Mon–Thu**, **off-peak hours only** (9pm UTC – 6am UTC)  \n- Stop immediately if service degrades to avoid risk to bounty eligibility  \n- Mention your **IP** and **timezone** when the attack was conducted (for internal audit)  \n- Cache poisoning DoS will be evaluated on a **case-by-case** basis based on impact  \n\n### 💰 Reward\n\n- **DoS (Medium Severity):** $2,500 USD  \n ==Reports that include prohibited actions will **not** be eligible for a reward.==\n\n---\n\n## Testing Guidelines\n\n### ✅ Allowed\n\n- Single-user realistic actions only  \n- Gradual testing (start with 1–2 requests)  \n- Cross-IP validation required (send requests from a single IP, cross-check service/delay from another IP)  \n- Immediate stop when impact is detected  \n\n### ❌ Prohibited\n\n- DDoS or multiple IPs  \n- Automated tools (scripts, bots, etc.)  \n- Resource exhaustion attacks  \n- Data corruption or manipulation  \n","has_open_scope":true,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":true,"disclosure_declaration":"Standard","introduction":"Welcome! We’re thrilled that you’re considering helping to make HackerOne even stronger. We’ve always prioritized security, but we know that every technology has its flaws. Your expertise is invaluable in uncovering these bugs. 
If you find a security issue in our service, we’re eager to collaborate with you to resolve it and ensure you receive fair compensation for your discovery. Happy Hacking!","platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":["{\"category\":\"Misleading Information from Hai AI Copilot\",\"details\":\"Manipulating Hai, our AI copilot, to produce misleading and false information. We continuously work to improve the accuracy of Hai’s responses but right now we accept that it will let us down sometimes.\"}","{\"category\":\"Host Header Validation and URL Path Issues\",\"details\":\"Reports which target a lack of host header validation or that exploit multiple forward slashes at the root of the path segment of a URL. Both of these issues are known to both us and Cloudflare, and their resolution is outside our control.\"}","{\"category\":\"Enumeration of Claimed User and Program Handles\",\"details\":\"Reports which enumerate already claimed user and program handles. This reveals no sensitive information, regardless of whether the associated profiles are public or private.\"}","{\"category\":\"Invitation Expiration Date Issues\",\"details\":\"Reports relating to invitation expiration dates.\"}","{\"category\":\"Gaming Badges Functionality\",\"details\":\"The ability to game the badges functionality by closing submissions reported by yourself or a team member in a verified program.\"}","{\"category\":\"Disclosure of Private Programs\",\"details\":\"Most reports which disclose the existence of private programs, for example, the usage of SAML.\"}","{\"category\":\"Viewing Non-Top 100 User Ranks\",\"details\":\"The ability to see a user's rank when they're not ranked in the top 100. 
The rank is expected to be accessible by everyone.\"}","{\"category\":\"Handling Customer/Organization Information Disclosure\",\"details\":\"Information disclosure caused by a customer/organization on HackerOne; these reports will be closed as n/a, and we encourage you to report the information disclosure to the relevant program.\"}","{\"category\":\"Single or Many Username Information Disclosure\",\"details\":\"Usernames and email aliases are considered public information and would need to be paired with another attack to be exploited.\"}","{\"category\":\"Disclosure Contained Hacker’s Reports Inbox or Comments\",\"details\":\"If a hacker’s inbox appears in a public report or video, it’s not a security issue. Hackers and customers should avoid sharing sensitive info. If you spot any issues in our disclosed reports, you're welcome to let us know — we’ll mark it resolved, but it's not eligible for a reward.\"}","{\"category\":\"Disclosure of Private Programs\",\"details\":\"Private programs on HackerOne, as disclosed through reports, GraphQL queries, or their responses, do not impact the CIA triad and will be closed as informative. If sensitive data related to a program on HackerOne is discovered, we encourage you to report it. Each case will be reviewed individually.\"}"],"timestamp":"2026-01-20T21:14:14.615Z"},{"id":3767007,"new_policy":"# Must Read\n\n## Header Requirements\n\nSet a custom HTTP header in all your testing traffic. Once again, report to us what header you set so we can identify it easily for deconfliction purposes.\n\n| **Identifier Type** | **Format** | **Example** |\n|----------------------|------------|--------------|\n| Your Username | `X-Bug-Bounty:HackerOne-\u003cusername\u003e` | `X-Bug-Bounty:HackerOne-username` |\n| Tool Identifier | `X-Bug-Bounty:\u003ctoolname\u003e` | `X-Bug-Bounty:BurpSuitePro` |\n\n--- \n\n-  **Scope Inclusions:** Third-party assets outside of our control. We cannot authorize you to test assets that we do not host. 
Any such reports will be closed as Informative, but on occasion, we may reward a bonus if value to HackerOne's security posture is demonstrated. Note that issues within our control always fall within the scope of our program. This includes correct asset configuration and vulnerabilities/patching relating to self-hosted assets.\n\n# Hints \u0026 Tips\n\n- **Sandboxes:**  HackerOne offers a sandbox for hackers to help them test program functionality for security vulnerabilities. To create a program, go [here](https://hackerone.com/teams/new/sandbox). You can select any product edition, giving you access to almost all features HackerOne offers. Hackers can create up to 30 programs in the sandbox.\n- **Existence of Invite-Only Programs:** HackerOne has six different program states that are important to understand: sandbox, invite-only, public, external program, external program + sandbox, and external program + invite-only. It is **only** a valid vulnerability when there is a difference between the sandbox and invite-only programs. It is **not** a vulnerability when you can't distinguish a sandboxed program from an invite-only program. 
You can use the following example program handles for your tests.\n\n| Program state | Program handle | ID | Node ID |\n| ------------- | -------------- | -- | ------- |\n| Sandbox | @security-test-sandbox | 49806 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDY=` |\n| Invite-only | @security-test-invite-only | 49807 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDc=` |\n| Public | @security | 13 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vMTM=` |\n| External program | @security-test-ep | 49803 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDM=` |\n| External program + sandbox | @security-test-ep-sandbox | 49804 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDQ=` |\n| External program + invite-only | @security-test-ep-invite-only | 49805 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDU=` |\n\n- **Other Object Identifiers for Proof of Concept:** You may use the following object identifiers to test against on hackerone.com. Feel free to use these for a proof of concept when submitting a report to us.\n\n| GraphQL ID | Class | ID | Note |\n| ---------- | ----- | -- | ---- |\n| `Z2lkOi8vaGFja2Vyb25lL1N0cnVjdHVyZWRTY29wZS81ODU3OQ==` | `StructuredScope` | 58579 | An asset belonging to @security-test-sandbox |\n| `Z2lkOi8vaGFja2Vyb25lL1N0cnVjdHVyZWRTY29wZS8xMDA1Nzg=` | `StructuredScope` | 100578 | An asset belonging to @security-test-invite-only |\n\n\n--- \n\n## DoS Testing Policy\n\n### 🚀 Rules Overview\n\n- Single request, single user, single IP only  \n- No automated tools or high-volume attacks  \n- Test **Mon–Thu**, **off-peak hours only** (9pm UTC – 6am UTC)  \n- Stop immediately if service degrades to avoid risk to bounty eligibility  \n- Mention your **IP** and **timezone** when the attack was conducted (for internal audit)  \n- Cache poisoning DoS will be evaluated on a **case-by-case** basis based on impact  \n\n### 💰 Reward\n\n- **DoS (Medium Severity):** $2,500 USD  \n ==Reports that include prohibited actions will **not** be eligible for a reward.==\n\n---\n\n## Testing Guidelines\n\n### ✅ Allowed\n\n- Single-user realistic 
actions only  \n- Gradual testing (start with 1–2 requests)  \n- Cross-IP validation required (send requests from a single IP, cross-check service/delay from another IP)  \n- Immediate stop when impact is detected  \n\n### ❌ Prohibited\n\n- DDoS or multiple IPs  \n- Automated tools (scripts, bots, etc.)  \n- Resource exhaustion attacks  \n- Data corruption or manipulation  \n","has_open_scope":true,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":"Standard","introduction":"Welcome! We’re thrilled that you’re considering helping to make HackerOne even stronger. We’ve always prioritized security, but we know that every technology has its flaws. Your expertise is invaluable in uncovering these bugs. If you find a security issue in our service, we’re eager to collaborate with you to resolve it and ensure you receive fair compensation for your discovery. Happy Hacking!","platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":["{\"category\":\"Misleading Information from Hai AI Copilot\",\"details\":\"Manipulating Hai, our AI copilot, to produce misleading and false information. We continuously work to improve the accuracy of Hai’s responses but right now we accept that it will let us down sometimes.\"}","{\"category\":\"Host Header Validation and URL Path Issues\",\"details\":\"Reports which target a lack of host header validation or that exploit multiple forward slashes at the root of the path segment of a URL. Both of these issues are known to both us and Cloudflare, and their resolution is outside our control.\"}","{\"category\":\"Enumeration of Claimed User and Program Handles\",\"details\":\"Reports which enumerate already claimed user and program handles. 
This reveals no sensitive information, regardless of whether the associated profiles are public or private.\"}","{\"category\":\"Invitation Expiration Date Issues\",\"details\":\"Reports relating to invitation expiration dates.\"}","{\"category\":\"Gaming Badges Functionality\",\"details\":\"The ability to game the badges functionality by closing submissions reported by yourself or a team member in a verified program.\"}","{\"category\":\"Disclosure of Private Programs\",\"details\":\"Most reports which disclose the existence of private programs, for example, the usage of SAML.\"}","{\"category\":\"Viewing Non-Top 100 User Ranks\",\"details\":\"The ability to see a user's rank when they're not ranked in the top 100. The rank is expected to be accessible by everyone.\"}","{\"category\":\"Handling Customer/Organization Information Disclosure\",\"details\":\"Information disclosure caused by a customer/organization on HackerOne; these reports will be closed as n/a, and we encourage you to report the information disclosure to the relevant program.\"}","{\"category\":\"Single or Many Username Information Disclosure\",\"details\":\"Usernames and email aliases are considered public information and would need to be paired with another attack to be exploited.\"}","{\"category\":\"Disclosure Contained Hacker’s Reports Inbox or Comments\",\"details\":\"If a hacker’s inbox appears in a public report or video, it’s not a security issue. Hackers and customers should avoid sharing sensitive info. If you spot any issues in our disclosed reports, you're welcome to let us know — we’ll mark it resolved, but it's not eligible for a reward.\"}","{\"category\":\"Disclosure of Private Programs\",\"details\":\"Private programs on HackerOne, as disclosed through reports, GraphQL queries, or their responses, do not impact the CIA triad and will be closed as informative. If sensitive data related to a program on HackerOne is discovered, we encourage you to report it. 
Each case will be reviewed individually.\"}"],"timestamp":"2025-12-04T23:00:17.109Z"},{"id":3766796,"new_policy":"# Must Read\n\n## Header Requirements\n\nSet a custom HTTP header in all your testing traffic. Once again, report to us what header you set so we can identify it easily for deconfliction purposes.\n\n| **Identifier Type** | **Format** | **Example** |\n|----------------------|------------|--------------|\n| Your Username | `X-Bug-Bounty:HackerOne-\u003cusername\u003e` | `X-Bug-Bounty:HackerOne-username` |\n| Tool Identifier | `X-Bug-Bounty:\u003ctoolname\u003e` | `X-Bug-Bounty:BurpSuitePro` |\n\n--- \n\n-  **Scope Inclusions:** Third-party assets outside of our control. We cannot authorize you to test assets that we do not host. Any such reports will be closed as Informative, but on occasion, we may reward a bonus if value to HackerOne's security posture is demonstrated. Note that issues within our control always fall within the scope of our program. This includes correct asset configuration and vulnerabilities/patching relating to self-hosted assets.\n\n# Hints \u0026 Tips\n\n- **Sandboxes:**  HackerOne offers a sandbox for hackers to help them test program functionality for security vulnerabilities. To create a program, go [here](https://hackerone.com/teams/new/sandbox). You can select any product edition, giving you access to almost all features HackerOne offers. Hackers can create up to 30 programs in the sandbox.\n- **Existence of Invite-Only Programs:** HackerOne has six different program states that are important to understand: sandbox, invite-only, public, external program, external program + sandbox, and external program + invite-only. It is **only** a valid vulnerability when there is a difference between the sandbox and invite-only programs. It is **not** a vulnerability when you can't distinguish a sandboxed program from an invite-only program. 
You can use the following example program handles for your tests.\n\n| Program state | Program handle | ID | Node ID |\n| ------------- | -------------- | -- | ------- |\n| Sandbox | @security-test-sandbox | 49806 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDY=` |\n| Invite-only | @security-test-invite-only | 49807 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDc=` |\n| Public | @security | 13 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vMTM=` |\n| External program | @security-test-ep | 49803 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDM=` |\n| External program + sandbox | @security-test-ep-sandbox | 49804 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDQ=` |\n| External program + invite-only | @security-test-ep-invite-only | 49805 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDU=` |\n\n- **Other Object Identifiers for Proof of Concept:** You may use the following object identifiers to test again on hackerone.com. Feel free to use these for a proof of concept when submitting a report to us.\n\n| GraphQL ID | Class | ID | Note |\n| ---------- | ----- | -- | ---- |\n| `Z2lkOi8vaGFja2Vyb25lL1N0cnVjdHVyZWRTY29wZS81ODU3OQ==` | `StructuredScope` | 58579 | An asset belonging to @security-test-sandbox |\n| `Z2lkOi8vaGFja2Vyb25lL1N0cnVjdHVyZWRTY29wZS8xMDA1Nzg=` | `StructuredScope` | 100578 | An asset belonging to @security-test-invite-only |\n\n\n--- \n\n## DoS Testing Policy\n\n### 🚀 Rules Overview\n\n- Single request, single user, single IP only  \n- No automated tools or high-volume attacks  \n- Test **Mon–Thu**, **off-peak hours only** (9pm UTC – 6am UTC)  \n- Stop immediately if service degrades to avoid risk to bounty eligibility  \n- Mention your **IP** and **timezone** when the attack was conducted (for internal audit)  \n- Cache poisoning DoS will be evaluated on a **case-by-case** basis based on impact  \n\n### 💰 Reward\n\n- **DoS (Medium Severity):** $2,500 USD  \n ==Reports that include prohibited actions will **not** be eligible for a reward.==\n\n---\n\n## Testing Guidelines\n\n### ✅ Allowed\n\n- Single-user realistic 
actions only  \n- Gradual testing (start with 1–2 requests)  \n- Cross-IP validation required (send requests from a single IP, cross-check service/delay from another IP)  \n- Immediate stop when impact is detected  \n\n### ❌ Prohibited\n\n- DDoS or multiple IPs  \n- Automated tools (scripts, bots, etc.)  \n- Resource exhaustion attacks  \n- Data corruption or manipulation  \n","has_open_scope":true,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":"Standard","introduction":"Welcome! We’re thrilled that you’re considering helping to make HackerOne even stronger. We’ve always prioritized security, but we know that every technology has its flaws. Your expertise is invaluable in uncovering these bugs. If you find a security issue in our service, we’re eager to collaborate with you to resolve it and ensure you receive fair compensation for your discovery. Happy Hacking!","platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":["{\"category\":\"Misleading Information from Hai AI Copilot\",\"details\":\"Manipulating Hai, our AI copilot, to produce misleading and false information. We continuously work to improve the accuracy of Hai’s responses but right now we accept that it will let us down sometimes.\"}","{\"category\":\"Host Header Validation and URL Path Issues\",\"details\":\"Reports which target a lack of host header validation or that exploit multiple forward slashes at the root of the path segment of a URL. Both of these issues are known to both us and Cloudflare, and their resolution is outside our control.\"}","{\"category\":\"Enumeration of Claimed User and Program Handles\",\"details\":\"Reports which enumerate already claimed user and program handles. 
This reveals no sensitive information, regardless of whether the associated profiles are public or private.\"}","{\"category\":\"Invitation Expiration Date Issues\",\"details\":\"Reports relating to invitation expiration dates.\"}","{\"category\":\"Gaming Badges Functionality\",\"details\":\"The ability to game the badges functionality by closing submissions reported by yourself or a team member in a verified program.\"}","{\"category\":\"Disclosure of Private Programs\",\"details\":\"Most reports which disclose the existence of private programs, for example, the usage of SAML.\"}","{\"category\":\"Viewing Non-Top 100 User Ranks\",\"details\":\"The ability to see a user's rank when they're not ranked in the top 100. The rank is expected to be accessible by everyone.\"}","{\"category\":\"Handling Customer/Organization Information Disclosure\",\"details\":\"Information disclosure caused by a customer/organization on HackerOne; these reports will be closed as n/a, and we encourage you to report the information disclosure to the relevant program.\"}","{\"category\":\"Single or Many Username Information Disclosure\",\"details\":\"Usernames and email aliases are considered public information and would need to be paired with another attack to be exploited.\"}","{\"category\":\"Handling Redacted Data Exposed in Hacktivity\",\"details\":\"Data that is redacted in a report but still visible in the Hacktivity section will be classified as low severity, with a $100 bounty. However, if any sensitive information (e.g., customer data) is identified, the report will be evaluated on a case-by-case basis.\"}","{\"category\":\"Disclosure Contained Hacker’s Reports Inbox or Comments\",\"details\":\"If a hacker’s inbox appears in a public report or video, it’s not a security issue. Hackers and customers should avoid sharing sensitive info. 
If you spot any issues in our disclosed reports, you're welcome to let us know — we’ll mark it resolved, but it's not eligible for a reward.\"}","{\"category\":\"Disclosure of Private Programs\",\"details\":\"Private programs on HackerOne, as disclosed through reports, GraphQL queries, or their responses, do not impact the CIA triad and will be closed as informative. If sensitive data related to a program on HackerOne is discovered, we encourage you to report it. Each case will be reviewed individually.\"}"],"timestamp":"2025-12-01T21:43:33.038Z"},{"id":3766795,"new_policy":"# Must Read\n\n## Header Requirements\n\nSet a custom HTTP header in all your testing traffic. Once again, report to us what header you set so we can identify it easily for deconfliction purposes.\n\n| **Identifier Type** | **Format** | **Example** |\n|----------------------|------------|--------------|\n| Your Username | `X-Bug-Bounty:HackerOne-\u003cusername\u003e` | `X-Bug-Bounty:HackerOne-username` |\n| Tool Identifier | `X-Bug-Bounty:\u003ctoolname\u003e` | `X-Bug-Bounty:BurpSuitePro` |\n\n--- \n\n-  **Scope Inclusions:** Third-party assets outside of our control. We cannot authorize you to test assets that we do not host. Any such reports will be closed as Informative, but on occasion, we may reward a bonus if value to HackerOne's security posture is demonstrated. Note that issues within our control always fall within the scope of our program. This includes correct asset configuration and vulnerabilities/patching relating to self-hosted assets.\n\n# Hint \u0026 Tips\n\n- **Sandboxes:**  HackerOne offers a sandbox for hackers to help them test program functionality for security vulnerabilities. To create a program, go [here](https://hackerone.com/teams/new/sandbox). You can select any product edition, giving you access to almost all features HackerOne offers. 
Hackers can create up to 30 programs in the sandbox.\n- **Existence of Invite-Only Programs:** HackerOne has six different program states that are important to understand: sandbox, invite-only, public, external program, external program + sandbox, and external program + invite-only. It is **only** a valid vulnerability when there is a difference between the sandbox and invite-only programs. It is **not** a vulnerability when you can't distinguish a sandboxed program from an invite-only program. You can use the following example program handles for your tests.\n\n| Program state | Program handle | ID | Node ID |\n| ------------- | -------------- | -- | ------- |\n| Sandbox | @security-test-sandbox | 49806 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDY=` |\n| Invite-only | @security-test-invite-only | 49807 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDc=` |\n| Public | @security | 13 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vMTM=` |\n| External program | @security-test-ep | 49803 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDM=` |\n| External program + sandbox | @security-test-ep-sandbox | 49804 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDQ=` |\n| External program + invite-only | @security-test-ep-invite-only | 49805 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDU=` |\n\n- **Other Object Identifiers for Proof of Concept:** You may use the following object identifiers to test again on hackerone.com. 
Feel free to use these for a proof of concept when submitting a report to us.\n\n| GraphQL ID | Class | ID | Note |\n| ---------- | ----- | -- | ---- |\n| `Z2lkOi8vaGFja2Vyb25lL1N0cnVjdHVyZWRTY29wZS81ODU3OQ==` | `StructuredScope` | 58579 | An asset belonging to @security-test-sandbox |\n| `Z2lkOi8vaGFja2Vyb25lL1N0cnVjdHVyZWRTY29wZS8xMDA1Nzg=` | `StructuredScope` | 100578 | An asset belonging to @security-test-invite-only |\n\n\n--- \n\n## DoS Testing Policy\n\n### 🚀 Rules Overview\n\n- Single request, single user, single IP only  \n- No automated tools or high-volume attacks  \n- Test **Mon–Thu**, **off-peak hours only** (9pm UTC – 6am UTC)  \n- Stop immediately if service degrades to avoid risk to bounty eligibility  \n- Mention your **IP** and **timezone** when the attack was conducted (for internal audit)  \n- Cache poisoning DoS will be evaluated on a **case-by-case** basis based on impact  \n\n### 💰 Reward\n\n- **DoS (Medium Severity):** $2,500 USD  \n ==Reports that include prohibited actions will **not** be eligible for a reward.==\n\n---\n\n## Testing Guidelines\n\n### ✅ Allowed\n\n- Single-user realistic actions only  \n- Gradual testing (start with 1–2 requests)  \n- Cross-IP validation required (send requests from a single IP, cross-check service/delay from another IP)  \n- Immediate stop when impact is detected  \n\n### ❌ Prohibited\n\n- DDoS or multiple IPs  \n- Automated tools (scripts, bots, etc.)  \n- Resource exhaustion attacks  \n- Data corruption or manipulation  \n","has_open_scope":true,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":"Standard","introduction":"Welcome! We’re thrilled that you’re considering helping to make HackerOne even stronger. We’ve always prioritized security, but we know that every technology has its flaws. Your expertise is invaluable in uncovering these bugs. 
If you find a security issue in our service, we’re eager to collaborate with you to resolve it and ensure you receive fair compensation for your discovery. Happy Hacking!","platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":["{\"category\":\"Misleading Information from Hai AI Copilot\",\"details\":\"Manipulating Hai, our AI copilot, to produce misleading and false information. We continuously work to improve the accuracy of Hai’s responses but right now we accept that it will let us down sometimes.\"}","{\"category\":\"Host Header Validation and URL Path Issues\",\"details\":\"Reports which target a lack of host header validation or that exploit multiple forward slashes at the root of the path segment of a URL. Both of these issues are known to both us and Cloudflare, and their resolution is outside our control.\"}","{\"category\":\"Enumeration of Claimed User and Program Handles\",\"details\":\"Reports which enumerate already claimed user and program handles. This reveals no sensitive information, regardless of whether the associated profiles are public or private.\"}","{\"category\":\"Invitation Expiration Date Issues\",\"details\":\"Reports relating to invitation expiration dates.\"}","{\"category\":\"Gaming Badges Functionality\",\"details\":\"The ability to game the badges functionality by closing submissions reported by yourself or a team member in a verified program.\"}","{\"category\":\"Disclosure of Private Programs\",\"details\":\"Most reports which disclose the existence of private programs, for example, the usage of SAML.\"}","{\"category\":\"Viewing Non-Top 100 User Ranks\",\"details\":\"The ability to see a user's rank when they're not ranked in the top 100. 
The rank is expected to be accessible by everyone.\"}","{\"category\":\"Handling Customer/Organization Information Disclosure\",\"details\":\"Information disclosure caused by a customer/organization on HackerOne; these reports will be closed as n/a, and we encourage you to report the information disclosure to the relevant program.\"}","{\"category\":\"Single or Many Username Information Disclosure\",\"details\":\"Usernames and email aliases are considered public information and would need to be paired with another attack to be exploited.\"}","{\"category\":\"Handling Redacted Data Exposed in Hacktivity\",\"details\":\"Data that is redacted in a report but still visible in the Hacktivity section will be classified as low severity, with a $100 bounty. However, if any sensitive information (e.g., customer data) is identified, the report will be evaluated on a case-by-case basis.\"}","{\"category\":\"Disclosure Contained Hacker’s Reports Inbox or Comments\",\"details\":\"If a hacker’s inbox appears in a public report or video, it’s not a security issue. Hackers and customers should avoid sharing sensitive info. If you spot any issues in our disclosed reports, you're welcome to let us know — we’ll mark it resolved, but it's not eligible for a reward.\"}"],"timestamp":"2025-12-01T21:40:10.378Z"},{"id":3764545,"new_policy":"# Must Read\n\n## Header Requirements\n\nSet a custom HTTP header in all your testing traffic. Once again, report to us what header you set so we can identify it easily for deconfliction purposes.\n\n| **Identifier Type** | **Format** | **Example** |\n|----------------------|------------|--------------|\n| Your Username | `X-Bug-Bounty:HackerOne-\u003cusername\u003e` | `X-Bug-Bounty:HackerOne-username` |\n| Tool Identifier | `X-Bug-Bounty:\u003ctoolname\u003e` | `X-Bug-Bounty:BurpSuitePro` |\n\n--- \n\n-  **Scope Inclusions:** Third-party assets outside of our control. We cannot authorize you to test assets that we do not host. 
Any such reports will be closed as Informative, but on occasion, we may reward a bonus if value to HackerOne's security posture is demonstrated. Note that issues within our control always fall within the scope of our program. This includes correct asset configuration and vulnerabilities/patching relating to self-hosted assets.\n\n# Hint \u0026 Tips\n\n- **Sandboxes:**  HackerOne offers a sandbox for hackers to help them test program functionality for security vulnerabilities. To create a program, go [here](https://hackerone.com/teams/new/sandbox). You can select any product edition, giving you access to almost all features HackerOne offers. Hackers can create up to 30 programs in the sandbox.\n- **Existence of Invite-Only Programs:** HackerOne has six different program states that are important to understand: sandbox, invite-only, public, external program, external program + sandbox, and external program + invite-only. It is **only** a valid vulnerability when there is a difference between the sandbox and invite-only programs. It is **not** a vulnerability when you can't distinguish a sandboxed program from an invite-only program. 
You can use the following example program handles for your tests.\n\n| Program state | Program handle | ID | Node ID |\n| ------------- | -------------- | -- | ------- |\n| Sandbox | @security-test-sandbox | 49806 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDY=` |\n| Invite-only | @security-test-invite-only | 49807 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDc=` |\n| Public | @security | 13 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vMTM=` |\n| External program | @security-test-ep | 49803 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDM=` |\n| External program + sandbox | @security-test-ep-sandbox | 49804 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDQ=` |\n| External program + invite-only | @security-test-ep-invite-only | 49805 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDU=` |\n\n- **Other Object Identifiers for Proof of Concept:** You may use the following object identifiers to test again on hackerone.com. Feel free to use these for a proof of concept when submitting a report to us.\n\n| GraphQL ID | Class | ID | Note |\n| ---------- | ----- | -- | ---- |\n| `Z2lkOi8vaGFja2Vyb25lL1N0cnVjdHVyZWRTY29wZS81ODU3OQ==` | `StructuredScope` | 58579 | An asset belonging to @security-test-sandbox |\n| `Z2lkOi8vaGFja2Vyb25lL1N0cnVjdHVyZWRTY29wZS8xMDA1Nzg=` | `StructuredScope` | 100578 | An asset belonging to @security-test-invite-only |\n\n\n--- \n\n## DoS Testing Policy\n\n### 🚀 Rules Overview\n\n- Single request, single user, single IP only  \n- No automated tools or high-volume attacks  \n- Test **Mon–Thu**, **off-peak hours only** (9pm UTC – 6am UTC)  \n- Stop immediately if service degrades to avoid risk to bounty eligibility  \n- Mention your **IP** and **timezone** when the attack was conducted (for internal audit)  \n- Cache poisoning DoS will be evaluated on a **case-by-case** basis based on impact  \n\n### 💰 Reward\n\n- **DoS (Medium Severity):** $2,500 USD  \n ==Reports that include prohibited actions will **not** be eligible for a reward.==\n\n---\n\n## Testing Guidelines\n\n### ✅ Allowed\n\n- Single-user realistic 
actions only  \n- Gradual testing (start with 1–2 requests)  \n- Cross-IP validation required (send requests from a single IP, cross-check service/delay from another IP)  \n- Immediate stop when impact is detected  \n\n### ❌ Prohibited\n\n- DDoS or multiple IPs  \n- Automated tools (scripts, bots, etc.)  \n- Resource exhaustion attacks  \n- Data corruption or manipulation  \n","has_open_scope":true,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":"Standard","introduction":"Welcome! We’re thrilled that you’re considering helping to make HackerOne even stronger. We’ve always prioritized security, but we know that every technology has its flaws. Your expertise is invaluable in uncovering these bugs. If you find a security issue in our service, we’re eager to collaborate with you to resolve it and ensure you receive fair compensation for your discovery. Happy Hacking!","platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":["{\"category\":\"Misleading Information from Hai AI Copilot\",\"details\":\"Manipulating Hai, our AI copilot, to produce misleading and false information. We continuously work to improve the accuracy of Hai’s responses but right now we accept that it will let us down sometimes.\"}","{\"category\":\"Host Header Validation and URL Path Issues\",\"details\":\"Reports which target a lack of host header validation or that exploit multiple forward slashes at the root of the path segment of a URL. Both of these issues are known to both us and Cloudflare, and their resolution is outside our control.\"}","{\"category\":\"Enumeration of Claimed User and Program Handles\",\"details\":\"Reports which enumerate already claimed user and program handles. 
This reveals no sensitive information, regardless of whether the associated profiles are public or private.\"}","{\"category\":\"Invitation Expiration Date Issues\",\"details\":\"Reports relating to invitation expiration dates.\"}","{\"category\":\"Gaming Badges Functionality\",\"details\":\"The ability to game the badges functionality by closing submissions reported by yourself or a team member in a verified program.\"}","{\"category\":\"Disclosure of Private Programs\",\"details\":\"Most reports which disclose the existence of private programs, for example, the usage of SAML.\"}","{\"category\":\"Viewing Non-Top 100 User Ranks\",\"details\":\"The ability to see a user's rank when they're not ranked in the top 100. The rank is expected to be accessible by everyone.\"}","{\"category\":\"PII and Private Program Disclosure in HackerOne Reports\",\"details\":\"HackerOne discloses many reports on its own program, and sometimes these disclosures may reveal PII or the existence of private programs. Reports about these situations will be awarded a low bounty without a CVSS score, which aligns with the business impact.\"}","{\"category\":\"Handling Customer/Organization Information Disclosure\",\"details\":\"Information disclosure caused by a customer/organization on HackerOne; these reports will be closed as n/a, and we encourage you to report the information disclosure to the relevant program.\"}","{\"category\":\"Single or Many Username Information Disclosure\",\"details\":\"Usernames and email aliases are considered public information and would need to be paired with another attack to be exploited.\"}","{\"category\":\"Handling Redacted Data Exposed in Hacktivity\",\"details\":\"Data that is redacted in a report but still visible in the Hacktivity section will be classified as low severity, with a $100 bounty. 
However, if any sensitive information (e.g., customer data) is identified, the report will be evaluated on a case-by-case basis.\"}"],"timestamp":"2025-10-13T15:21:21.530Z"},{"id":3764513,"new_policy":"# Must Read\n\n-  **Scope Inclusions:** Third-party assets outside of our control. We cannot authorize you to test assets that we do not host. Any such reports will be closed as Informative, but on occasion, we may reward a bonus if value to HackerOne's security posture is demonstrated. Note that issues within our control always fall within the scope of our program. This includes correct asset configuration and vulnerabilities/patching relating to self-hosted assets.\n\n# Hint \u0026 Tips\n\n- **Sandboxes:**  HackerOne offers a sandbox for hackers to help them test program functionality for security vulnerabilities. To create a program, go [here](https://hackerone.com/teams/new/sandbox). You can select any product edition, giving you access to almost all features HackerOne offers. Hackers can create up to 30 programs in the sandbox.\n- **Existence of Invite-Only Programs:** HackerOne has six different program states that are important to understand: sandbox, invite-only, public, external program, external program + sandbox, and external program + invite-only. It is **only** a valid vulnerability when there is a difference between the sandbox and invite-only programs. It is **not** a vulnerability when you can't distinguish a sandboxed program from an invite-only program. 
You can use the following example program handles for your tests.\n\n| Program state | Program handle | ID | Node ID |\n| ------------- | -------------- | -- | ------- |\n| Sandbox | @security-test-sandbox | 49806 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDY=` |\n| Invite-only | @security-test-invite-only | 49807 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDc=` |\n| Public | @security | 13 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vMTM=` |\n| External program | @security-test-ep | 49803 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDM=` |\n| External program + sandbox | @security-test-ep-sandbox | 49804 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDQ=` |\n| External program + invite-only | @security-test-ep-invite-only | 49805 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDU=` |\n\n- **Other Object Identifiers for Proof of Concept:** You may use the following object identifiers to test again on hackerone.com. Feel free to use these for a proof of concept when submitting a report to us.\n\n| GraphQL ID | Class | ID | Note |\n| ---------- | ----- | -- | ---- |\n| `Z2lkOi8vaGFja2Vyb25lL1N0cnVjdHVyZWRTY29wZS81ODU3OQ==` | `StructuredScope` | 58579 | An asset belonging to @security-test-sandbox |\n| `Z2lkOi8vaGFja2Vyb25lL1N0cnVjdHVyZWRTY29wZS8xMDA1Nzg=` | `StructuredScope` | 100578 | An asset belonging to @security-test-invite-only |\n","has_open_scope":true,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":"Standard","introduction":"Welcome! We’re thrilled that you’re considering helping to make HackerOne even stronger. We’ve always prioritized security, but we know that every technology has its flaws. Your expertise is invaluable in uncovering these bugs. If you find a security issue in our service, we’re eager to collaborate with you to resolve it and ensure you receive fair compensation for your discovery. 
Happy Hacking!","platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":["{\"category\":\"Misleading Information from Hai AI Copilot\",\"details\":\"Manipulating Hai, our AI copilot, to produce misleading and false information. We continuously work to improve the accuracy of Hai’s responses but right now we accept that it will let us down sometimes.\"}","{\"category\":\"Host Header Validation and URL Path Issues\",\"details\":\"Reports which target a lack of host header validation or that exploit multiple forward slashes at the root of the path segment of a URL. Both of these issues are known to both us and Cloudflare, and their resolution is outside our control.\"}","{\"category\":\"Enumeration of Claimed User and Program Handles\",\"details\":\"Reports which enumerate already claimed user and program handles. This reveals no sensitive information, regardless of whether the associated profiles are public or private.\"}","{\"category\":\"Invitation Expiration Date Issues\",\"details\":\"Reports relating to invitation expiration dates.\"}","{\"category\":\"Gaming Badges Functionality\",\"details\":\"The ability to game the badges functionality by closing submissions reported by yourself or a team member in a verified program.\"}","{\"category\":\"Disclosure of Private Programs\",\"details\":\"Most reports which disclose the existence of private programs, for example, the usage of SAML.\"}","{\"category\":\"Viewing Non-Top 100 User Ranks\",\"details\":\"The ability to see a user's rank when they're not ranked in the top 100. The rank is expected to be accessible by everyone.\"}","{\"category\":\"PII and Private Program Disclosure in HackerOne Reports\",\"details\":\"HackerOne discloses many reports on its own program, and sometimes these disclosures may reveal PII or the existence of private programs. 
Reports about these situations will be awarded a low bounty without a CVSS score, which aligns with the business impact.\"}","{\"category\":\"Handling Customer/Organization Information Disclosure\",\"details\":\"Information disclosure caused by a customer/organization on HackerOne; these reports will be closed as n/a, and we encourage you to report the information disclosure to the relevant program.\"}","{\"category\":\"Single or Many Username Information Disclosure\",\"details\":\"Usernames and email aliases are considered public information and would need to be paired with another attack to be exploited.\"}","{\"category\":\"Handling Redacted Data Exposed in Hacktivity\",\"details\":\"Data that is redacted in a report but still visible in the Hacktivity section will be classified as low severity, with a $100 bounty. However, if any sensitive information (e.g., customer data) is identified, the report will be evaluated on a case-by-case basis.\"}"],"timestamp":"2025-10-11T06:04:06.738Z"},{"id":3758535,"new_policy":"# Must Read\n\n-  **Scope Inclusions:** Third-party assets outside of our control. We cannot authorize you to test assets that we do not host. Any such reports will be closed as Informative, but on occasion, we may reward a bonus if value to HackerOne's security posture is demonstrated. Note that issues within our control always fall within the scope of our program. This includes correct asset configuration and vulnerabilities/patching relating to self-hosted assets.\n\n# Hint \u0026 Tips\n\n- **Sandboxes:**  HackerOne offers a sandbox for hackers to help them test program functionality for security vulnerabilities. To create a program, go [here](https://hackerone.com/teams/new/sandbox). You can select any product edition, giving you access to almost all features HackerOne offers. 
Hackers can create up to 30 programs in the sandbox.\n- **Existence of Invite-Only Programs:** HackerOne has six different program states that are important to understand: sandbox, invite-only, public, external program, external program + sandbox, and external program + invite-only. It is **only** a valid vulnerability when there is a difference between the sandbox and invite-only programs. It is **not** a vulnerability when you can't distinguish a sandboxed program from an invite-only program. You can use the following example program handles for your tests.\n\n| Program state | Program handle | ID | Node ID |\n| ------------- | -------------- | -- | ------- |\n| Sandbox | @security-test-sandbox | 49806 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDY=` |\n| Invite-only | @security-test-invite-only | 49807 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDc=` |\n| Public | @security | 13 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vMTM=` |\n| External program | @security-test-ep | 49803 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDM=` |\n| External program + sandbox | @security-test-ep-sandbox | 49804 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDQ=` |\n| External program + invite-only | @security-test-ep-invite-only | 49805 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDU=` |\n\n- **Other Object Identifiers for Proof of Concept:** You may use the following object identifiers to test again on hackerone.com. Feel free to use these for a proof of concept when submitting a report to us.\n\n| GraphQL ID | Class | ID | Note |\n| ---------- | ----- | -- | ---- |\n| `Z2lkOi8vaGFja2Vyb25lL1N0cnVjdHVyZWRTY29wZS81ODU3OQ==` | `StructuredScope` | 58579 | An asset belonging to @security-test-sandbox |\n| `Z2lkOi8vaGFja2Vyb25lL1N0cnVjdHVyZWRTY29wZS8xMDA1Nzg=` | `StructuredScope` | 100578 | An asset belonging to @security-test-invite-only |\n","has_open_scope":true,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":"Standard","introduction":"Welcome! 
We’re thrilled that you’re considering helping to make HackerOne even stronger. We’ve always prioritized security, but we know that every technology has its flaws. Your expertise is invaluable in uncovering these bugs. If you find a security issue in our service, we’re eager to collaborate with you to resolve it and ensure you receive fair compensation for your discovery. Happy Hacking!","platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":["{\"category\":\"Misleading Information from Hai AI Copilot\",\"details\":\"Manipulating Hai, our AI copilot, to produce misleading and false information. We continuously work to improve the accuracy of Hai’s responses but right now we accept that it will let us down sometimes.\"}","{\"category\":\"Host Header Validation and URL Path Issues\",\"details\":\"Reports which target a lack of host header validation or that exploit multiple forward slashes at the root of the path segment of a URL. Both of these issues are known to both us and Cloudflare, and their resolution is outside our control.\"}","{\"category\":\"Enumeration of Claimed User and Program Handles\",\"details\":\"Reports which enumerate already claimed user and program handles. This reveals no sensitive information, regardless of whether the associated profiles are public or private.\"}","{\"category\":\"Invitation Expiration Date Issues\",\"details\":\"Reports relating to invitation expiration dates.\"}","{\"category\":\"Gaming Badges Functionality\",\"details\":\"The ability to game the badges functionality by closing submissions reported by yourself or a team member in a verified program.\"}","{\"category\":\"Disclosure of Private Programs\",\"details\":\"Most reports which disclose the existence of private programs, for example, the usage of SAML.\"}","{\"category\":\"Viewing Non-Top 100 User Ranks\",\"details\":\"The ability to see a user's rank when they're not ranked in the top 100. 
The rank is expected to be accessible by everyone.\"}","{\"category\":\"PII and Private Program Disclosure in HackerOne Reports\",\"details\":\"HackerOne discloses many reports on its own program, and sometimes these disclosures may reveal PII or the existence of private programs. Reports about these situations will be awarded a low bounty without a CVSS score, which aligns with the business impact.\"}","{\"category\":\"Handling Customer/Organization Information Disclosure\",\"details\":\"Information disclosure caused by a customer/organization on HackerOne; these reports will be closed as n/a, and we encourage you to report the information disclosure to the relevant program.\"}","{\"category\":\"Single or Many Username Information Disclosure\",\"details\":\"Usernames and email aliases are considered public information and would need to be paired with another attack to be exploited.\"}"],"timestamp":"2025-07-06T21:57:36.183Z"},{"id":3757162,"new_policy":"# Must Read\n\n-  **Scope Inclusions:** Third-party assets outside of our control. We cannot authorize you to test assets that we do not host. Any such reports will be closed as Informative, but on occasion, we may reward a bonus if value to HackerOne's security posture is demonstrated. Note that issues within our control always fall within the scope of our program. This includes correct asset configuration and vulnerabilities/patching relating to self-hosted assets.\n\n# Hint \u0026 Tips\n\n- **Sandboxes:**  HackerOne offers a sandbox for hackers to help them test program functionality for security vulnerabilities. To create a program, go [here](https://hackerone.com/teams/new/sandbox). You can select any product edition, giving you access to almost all features HackerOne offers. 
Hackers can create up to 30 programs in the sandbox.\n- **Existence of Invite-Only Programs:** HackerOne has six different program states that are important to understand: sandbox, invite-only, public, external program, external program + sandbox, and external program + invite-only. It is **only** a valid vulnerability when there is a difference between the sandbox and invite-only programs. It is **not** a vulnerability when you can't distinguish a sandboxed program from an invite-only program. You can use the following example program handles for your tests.\n\n| Program state | Program handle | ID | Node ID |\n| ------------- | -------------- | -- | ------- |\n| Sandbox | @security-test-sandbox | 49806 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDY=` |\n| Invite-only | @security-test-invite-only | 49807 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDc=` |\n| Public | @security | 13 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vMTM=` |\n| External program | @security-test-ep | 49803 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDM=` |\n| External program + sandbox | @security-test-ep-sandbox | 49804 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDQ=` |\n| External program + invite-only | @security-test-ep-invite-only | 49805 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDU=` |\n\n- **Other Object Identifiers for Proof of Concept:** You may use the following object identifiers to test again on hackerone.com. Feel free to use these for a proof of concept when submitting a report to us.\n\n| GraphQL ID | Class | ID | Note |\n| ---------- | ----- | -- | ---- |\n| `Z2lkOi8vaGFja2Vyb25lL1N0cnVjdHVyZWRTY29wZS81ODU3OQ==` | `StructuredScope` | 58579 | An asset belonging to @security-test-sandbox |\n| `Z2lkOi8vaGFja2Vyb25lL1N0cnVjdHVyZWRTY29wZS8xMDA1Nzg=` | `StructuredScope` | 100578 | An asset belonging to @security-test-invite-only |\n","has_open_scope":true,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":"Standard","introduction":"Welcome! 
We’re thrilled that you’re considering helping to make HackerOne even stronger. We’ve always prioritized security, but we know that every technology has its flaws. Your expertise is invaluable in uncovering these bugs. If you find a security issue in our service, we’re eager to collaborate with you to resolve it and ensure you receive fair compensation for your discovery. Happy Hacking!","platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":["{\"category\":\"Handling Customer/Organization Information Disclosure\",\"details\":\"Information disclosure caused by a customer/organization on HackerOne; these reports will be closed as informative and we encourage you to report the information disclosure to the relevant program.\"}","{\"category\":\"Misleading Information from Hai AI Copilot\",\"details\":\"Manipulating Hai, our AI copilot, to produce misleading and false information. We continuously work to improve the accuracy of Hai’s responses but right now we accept that it will let us down sometimes.\"}","{\"category\":\"Host Header Validation and URL Path Issues\",\"details\":\"Reports which target a lack of host header validation or that exploit multiple forward slashes at the root of the path segment of a URL. Both of these issues are known to both us and Cloudflare, and their resolution is outside our control.\"}","{\"category\":\"Enumeration of Claimed User and Program Handles\",\"details\":\"Reports which enumerate already claimed user and program handles. 
This reveals no sensitive information, regardless of whether the associated profiles are public or private.\"}","{\"category\":\"Invitation Expiration Date Issues\",\"details\":\"Reports relating to invitation expiration dates.\"}","{\"category\":\"Gaming Badges Functionality\",\"details\":\"The ability to game the badges functionality by closing submissions reported by yourself or a team member in a verified program.\"}","{\"category\":\"Disclosure of Private Programs\",\"details\":\"Most reports which disclose the existence of private programs, for example, the usage of SAML.\"}","{\"category\":\"Viewing Non-Top 100 User Ranks\",\"details\":\"The ability to see a user's rank when they're not ranked in the top 100. The rank is expected to be accessible by everyone.\"}","{\"category\":\"PII and Private Program Disclosure in HackerOne Reports\",\"details\":\"HackerOne discloses many reports on its own program, and sometimes these disclosures may reveal PII or the existence of private programs. Reports about these situations will be awarded a low bounty without a CVSS score, which aligns with the business impact.\"}","{\"category\":\"Single or Many Username Information Disclosure\",\"details\":\"Usernames and email aliases are considered public information and would need to be paired with another attack to be exploited.\"}"],"timestamp":"2025-06-09T20:19:45.452Z"},{"id":3732258,"new_policy":"# Must Read\n\n-  **Scope Inclusions:** Third-party assets outside of our control. We cannot authorize you to test assets that we do not host. Any such reports will be closed as Informative, but on occasion, we may reward a bonus if value to HackerOne's security posture is demonstrated. Note that issues within our control always fall within the scope of our program. 
This includes correct asset configuration and vulnerabilities/patching relating to self-hosted assets.\n\n# Hint \u0026 Tips\n\n- **Sandboxes:**  HackerOne offers a sandbox for hackers to help them test program functionality for security vulnerabilities. To create a program, go [here](https://hackerone.com/teams/new/sandbox). You can select any product edition, giving you access to almost all features HackerOne offers. Hackers can create up to 30 programs in the sandbox.\n- **Existence of Invite-Only Programs:** HackerOne has six different program states that are important to understand: sandbox, invite-only, public, external program, external program + sandbox, and external program + invite-only. It is **only** a valid vulnerability when there is a difference between the sandbox and invite-only programs. It is **not** a vulnerability when you can't distinguish a sandboxed program from an invite-only program. You can use the following example program handles for your tests.\n\n| Program state | Program handle | ID | Node ID |\n| ------------- | -------------- | -- | ------- |\n| Sandbox | @security-test-sandbox | 49806 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDY=` |\n| Invite-only | @security-test-invite-only | 49807 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDc=` |\n| Public | @security | 13 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vMTM=` |\n| External program | @security-test-ep | 49803 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDM=` |\n| External program + sandbox | @security-test-ep-sandbox | 49804 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDQ=` |\n| External program + invite-only | @security-test-ep-invite-only | 49805 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDU=` |\n\n- **Other Object Identifiers for Proof of Concept:** You may use the following object identifiers to test again on hackerone.com. 
Feel free to use these for a proof of concept when submitting a report to us.\n\n| GraphQL ID | Class | ID | Note |\n| ---------- | ----- | -- | ---- |\n| `Z2lkOi8vaGFja2Vyb25lL1N0cnVjdHVyZWRTY29wZS81ODU3OQ==` | `StructuredScope` | 58579 | An asset belonging to @security-test-sandbox |\n| `Z2lkOi8vaGFja2Vyb25lL1N0cnVjdHVyZWRTY29wZS8xMDA1Nzg=` | `StructuredScope` | 100578 | An asset belonging to @security-test-invite-only |\n","has_open_scope":true,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"Welcome! We’re thrilled that you’re considering helping to make HackerOne even stronger. We’ve always prioritized security, but we know that every technology has its flaws. Your expertise is invaluable in uncovering these bugs. If you find a security issue in our service, we’re eager to collaborate with you to resolve it and ensure you receive fair compensation for your discovery. Happy Hacking!","platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-07-15T11:28:23.199Z"},{"id":3732257,"new_policy":"# Must Read\n\n-  **Scope Inclusions:** Third-party assets outside of our control. We cannot authorize you to test assets that we do not host. Any such reports will be closed as Informative, but on occasion, we may reward a bonus if value to HackerOne's security posture is demonstrated. Note that issues within our control always fall within the scope of our program. This includes correct asset configuration and vulnerabilities/patching relating to self-hosted assets.\n\n# Hint \u0026 Tips\n\n- **Sandboxes:**  HackerOne offers a sandbox for hackers to help them test program functionality for security vulnerabilities. To create a program, go [here](https://hackerone.com/teams/new/sandbox). You can select any product edition, giving you access to almost all features HackerOne offers. 
Hackers can create up to 30 programs in the sandbox.\n- **Existence of Invite-Only Programs:** HackerOne has six different program states that are important to understand: sandbox, invite-only, public, external program, external program + sandbox, and external program + invite-only. It is **only** a valid vulnerability when there is a difference between the sandbox and invite-only programs. It is **not** a vulnerability when you can't distinguish a sandboxed program from an invite-only program. You can use the following example program handles for your tests.\n\n| Program state | Program handle | ID | Node ID |\n| ------------- | -------------- | -- | ------- |\n| Sandbox | @security-test-sandbox | 49806 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDY=` |\n| Invite-only | @security-test-invite-only | 49807 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDc=` |\n| Public | @security | 13 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vMTM=` |\n| External program | @security-test-ep | 49803 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDM=` |\n| External program + sandbox | @security-test-ep-sandbox | 49804 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDQ=` |\n| External program + invite-only | @security-test-ep-invite-only | 49805 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDU=` |\n\n- **Other Object Identifiers for Proof of Concept:** You may use the following object identifiers to test again on hackerone.com. Feel free to use these for a proof of concept when submitting a report to us.\n\n| GraphQL ID | Class | ID | Note |\n| ---------- | ----- | -- | ---- |\n| `Z2lkOi8vaGFja2Vyb25lL1N0cnVjdHVyZWRTY29wZS81ODU3OQ==` | `StructuredScope` | 58579 | An asset belonging to @security-test-sandbox |\n| `Z2lkOi8vaGFja2Vyb25lL1N0cnVjdHVyZWRTY29wZS8xMDA1Nzg=` | `StructuredScope` | 100578 | An asset belonging to @security-test-invite-only |\n","has_open_scope":true,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"Welcome! 
We’re thrilled that you’re considering helping to make HackerOne even stronger. We’ve always prioritized security, but we know that every technology has its flaws. Your expertise is invaluable in uncovering these bugs. If you find a security issue in our service, we’re eager to collaborate with you to resolve it and ensure you receive fair compensation for your discovery. Happy Hacking!","platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-07-15T11:27:48.249Z"},{"id":3732255,"new_policy":"# Must Read\n\n-  **Scope Inclusions:** Third-party assets outside of our control. We cannot authorize you to test assets that we do not host. Any such reports will be closed as Informative, but on occasion, we may reward a bonus if value to HackerOne's security posture is demonstrated. Note that issues within our control always fall within the scope of our program. This includes correct asset configuration and vulnerabilities/patching relating to self-hosted assets.\n\n# Hint \u0026 Tips\n\n- **Sandboxes:**  HackerOne offers a sandbox for hackers to help them test program functionality for security vulnerabilities. To create a program, go [here](https://hackerone.com/teams/new/sandbox). You can select any product edition, giving you access to almost all features HackerOne offers. Hackers can create up to 30 programs in the sandbox.\n- **Existence of Invite-Only Programs:** HackerOne has six different program states that are important to understand: sandbox, invite-only, public, external program, external program + sandbox, and external program + invite-only. It is **only** a valid vulnerability when there is a difference between the sandbox and invite-only programs. It is **not** a vulnerability when you can't distinguish a sandboxed program from an invite-only program. 
You can use the following example program handles for your tests.\n\n| Program state | Program handle | ID | Node ID |\n| ------------- | -------------- | -- | ------- |\n| Sandbox | @security-test-sandbox | 49806 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDY=` |\n| Invite-only | @security-test-invite-only | 49807 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDc=` |\n| Public | @security | 13 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vMTM=` |\n| External program | @security-test-ep | 49803 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDM=` |\n| External program + sandbox | @security-test-ep-sandbox | 49804 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDQ=` |\n| External program + invite-only | @security-test-ep-invite-only | 49805 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDU=` |\n\n- **Other Object Identifiers for Proof of Concept:** You may use the following object identifiers to test again on hackerone.com. Feel free to use these for a proof of concept when submitting a report to us.\n\n| GraphQL ID | Class | ID | Note |\n| ---------- | ----- | -- | ---- |\n| `Z2lkOi8vaGFja2Vyb25lL1N0cnVjdHVyZWRTY29wZS81ODU3OQ==` | `StructuredScope` | 58579 | An asset belonging to @security-test-sandbox |\n| `Z2lkOi8vaGFja2Vyb25lL1N0cnVjdHVyZWRTY29wZS8xMDA1Nzg=` | `StructuredScope` | 100578 | An asset belonging to @security-test-invite-only |\n","has_open_scope":true,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"Welcome! We’re thrilled that you’re considering helping to make HackerOne even stronger. We’ve always prioritized security, but we know that every technology has its flaws. Your expertise is invaluable in uncovering these bugs. If you find a security issue in our service, we’re eager to collaborate with you to resolve it and ensure you receive fair compensation for your discovery. 
Happy Hacking!","platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-07-15T11:21:53.699Z"},{"id":3730932,"new_policy":"# Must Read\n\n-  **Scope Inclusions:** Third-party assets outside of our control. We cannot authorize you to test assets that we do not host. Any such reports will be closed as Informative, but on occasion, we may reward a bonus if value to HackerOne's security posture is demonstrated. Note that issues within our control always fall within the scope of our program. This includes correct asset configuration and vulnerabilities/patching relating to self-hosted assets.\n- **Scope Exclusions:** The following categories of reports are considered out of scope for our program and will not be rewarded: \n  - Information disclosure caused by a customer/organization on HackerOne; these reports will be closed as informative and we encourage you to report the information disclosure to the relevant program.\n  - Manipulating Hai, our AI copilot, to produce misleading and false information. We continuously work to improve the accuracy of Hai’s responses but right now we accept that it will let us down sometimes.\n  - Reports which target a lack of host header validation or that exploit [multiple forward slashes](https://hackerone.com/reports/52035) at the root of the path segment of a URL. Both of these issues are known to both us and Cloudflare, and their resolution is outside our control.\n  - Reports which [enumerate already claimed user and program handles](https://hackerone.com/reports/29185). 
This reveals no sensitive information, regardless of whether the associated profiles are public or private.\n  - Reports relating to invitation expiration dates.\n  - The ability to game the badges functionality by closing submissions reported by yourself or a team member in a verified program.\n  - Most reports which disclose the existence of private programs, for example, the usage of SAML.\n  - The ability to see a user's rank when they're not ranked in the top 100. The rank is expected to be accessible by everyone.\n  - Information disclosure that is limited to just a single or handful of usernames. Usernames are considered public information and would need to be paired with another attack to be exploited ([example](https://hackerone.com/reports/2149766)). Directory attacks may still be interesting to us and will be evaluated case-by-case.\n  - HackerOne discloses many reports on its own program, and sometimes these disclosures may reveal PII or the existence of private programs. Reports about these situations will be awarded a low bounty without a CVSS score, which aligns with the business impact.\n\n# Hint \u0026 Tips\n\n- **Sandboxes:**  HackerOne offers a sandbox for hackers to help them test program functionality for security vulnerabilities. To create a program, go [here](https://hackerone.com/teams/new/sandbox). You can select any product edition, giving you access to almost all features HackerOne offers. Hackers can create up to 30 programs in the sandbox.\n- **Existence of Invite-Only Programs:** HackerOne has six different program states that are important to understand: sandbox, invite-only, public, external program, external program + sandbox, and external program + invite-only. It is **only** a valid vulnerability when there is a difference between the sandbox and invite-only programs. It is **not** a vulnerability when you can't distinguish a sandboxed program from an invite-only program. 
You can use the following example program handles for your tests.\n\n| Program state | Program handle | ID | Node ID |\n| ------------- | -------------- | -- | ------- |\n| Sandbox | @security-test-sandbox | 49806 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDY=` |\n| Invite-only | @security-test-invite-only | 49807 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDc=` |\n| Public | @security | 13 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vMTM=` |\n| External program | @security-test-ep | 49803 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDM=` |\n| External program + sandbox | @security-test-ep-sandbox | 49804 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDQ=` |\n| External program + invite-only | @security-test-ep-invite-only | 49805 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDU=` |\n\n- **Other Object Identifiers for Proof of Concept:** You may use the following object identifiers to test again on hackerone.com. Feel free to use these for a proof of concept when submitting a report to us.\n\n| GraphQL ID | Class | ID | Note |\n| ---------- | ----- | -- | ---- |\n| `Z2lkOi8vaGFja2Vyb25lL1N0cnVjdHVyZWRTY29wZS81ODU3OQ==` | `StructuredScope` | 58579 | An asset belonging to @security-test-sandbox |\n| `Z2lkOi8vaGFja2Vyb25lL1N0cnVjdHVyZWRTY29wZS8xMDA1Nzg=` | `StructuredScope` | 100578 | An asset belonging to @security-test-invite-only |\n","has_open_scope":true,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"Welcome! We’re thrilled that you’re considering helping to make HackerOne even stronger. We’ve always prioritized security, but we know that every technology has its flaws. Your expertise is invaluable in uncovering these bugs. If you find a security issue in our service, we’re eager to collaborate with you to resolve it and ensure you receive fair compensation for your discovery. 
Happy Hacking!","platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-06-25T18:35:51.107Z"},{"id":3730931,"new_policy":"# Must Read\n\n-  **Scope Inclusions:** Third-party assets outside of our control. We cannot authorize you to test assets that we do not host. Any such reports will be closed as Informative, but on occasion, we may reward a bonus if value to HackerOne's security posture is demonstrated. Note that issues within our control always fall within the scope of our program. This includes correct asset configuration and vulnerabilities/patching relating to self-hosted assets.\n- **Scope Exclusions:** The following categories of reports are considered out of scope for our program and will not be rewarded: \n  - Information disclosure caused by a customer/organization on HackerOne; these reports will be closed as informative and we encourage you to report the information disclosure to the relevant program.\n  - Manipulating Hai, our AI copilot, to produce misleading and false information. We continuously work to improve the accuracy of Hai’s responses but right now we accept that it will let us down sometimes.\n  - Reports which target a lack of host header validation or that exploit [multiple forward slashes](https://hackerone.com/reports/52035) at the root of the path segment of a URL. Both of these issues are known to both us and Cloudflare, and their resolution is outside our control.\n  - Reports which [enumerate already claimed user and program handles](https://hackerone.com/reports/29185). 
This reveals no sensitive information, regardless of whether the associated profiles are public or private.\n  - Reports relating to invitation expiration dates.\n  - The ability to game the badges functionality by closing submissions reported by yourself or a team member in a verified program.\n  - Most reports which disclose the existence of private programs, for example, the usage of SAML.\n  - The ability to see a user's rank when they're not ranked in the top 100. The rank is expected to be accessible by everyone.\n  - Information disclosure that is limited to just a single or handful of usernames. Usernames are considered public information and would need to be paired with another attack to be exploited ([example](https://hackerone.com/reports/2149766)). Directory attacks may still be interesting to us and will be evaluated case-by-case.\n- HackerOne discloses many reports on its own program, and sometimes these disclosures may reveal PII or the existence of private programs. Reports about these situations will be awarded a low bounty without a CVSS score, which aligns with the business impact.\n\n# Hint \u0026 Tips\n\n- **Sandboxes:**  HackerOne offers a sandbox for hackers to help them test program functionality for security vulnerabilities. To create a program, go [here](https://hackerone.com/teams/new/sandbox). You can select any product edition, giving you access to almost all features HackerOne offers. Hackers can create up to 30 programs in the sandbox.\n- **Existence of Invite-Only Programs:** HackerOne has six different program states that are important to understand: sandbox, invite-only, public, external program, external program + sandbox, and external program + invite-only. It is **only** a valid vulnerability when there is a difference between the sandbox and invite-only programs. It is **not** a vulnerability when you can't distinguish a sandboxed program from an invite-only program. 
You can use the following example program handles for your tests.\n\n| Program state | Program handle | ID | Node ID |\n| ------------- | -------------- | -- | ------- |\n| Sandbox | @security-test-sandbox | 49806 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDY=` |\n| Invite-only | @security-test-invite-only | 49807 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDc=` |\n| Public | @security | 13 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vMTM=` |\n| External program | @security-test-ep | 49803 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDM=` |\n| External program + sandbox | @security-test-ep-sandbox | 49804 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDQ=` |\n| External program + invite-only | @security-test-ep-invite-only | 49805 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDU=` |\n\n- **Other Object Identifiers for Proof of Concept:** You may use the following object identifiers to test again on hackerone.com. Feel free to use these for a proof of concept when submitting a report to us.\n\n| GraphQL ID | Class | ID | Note |\n| ---------- | ----- | -- | ---- |\n| `Z2lkOi8vaGFja2Vyb25lL1N0cnVjdHVyZWRTY29wZS81ODU3OQ==` | `StructuredScope` | 58579 | An asset belonging to @security-test-sandbox |\n| `Z2lkOi8vaGFja2Vyb25lL1N0cnVjdHVyZWRTY29wZS8xMDA1Nzg=` | `StructuredScope` | 100578 | An asset belonging to @security-test-invite-only |\n","has_open_scope":true,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"Welcome! We’re thrilled that you’re considering helping to make HackerOne even stronger. We’ve always prioritized security, but we know that every technology has its flaws. Your expertise is invaluable in uncovering these bugs. If you find a security issue in our service, we’re eager to collaborate with you to resolve it and ensure you receive fair compensation for your discovery. 
Happy Hacking!","platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-06-25T18:35:02.018Z"},{"id":3730926,"new_policy":"# Must Read\n\n-  **Scope Inclusions:** Third-party assets outside of our control. We cannot authorize you to test assets that we do not host. Any such reports will be closed as Informative, but on occasion, we may reward a bonus if value to HackerOne's security posture is demonstrated. Note that issues within our control always fall within the scope of our program. This includes correct asset configuration and vulnerabilities/patching relating to self-hosted assets.\n- **Scope Exclusions:** The following categories of reports are considered out of scope for our program and will not be rewarded: \n  - Information disclosure caused by a customer/organization on HackerOne; these reports will be closed as informative and we encourage you to report the information disclosure to the relevant program.\n  - Manipulating Hai, our AI copilot, to produce misleading and false information. We continuously work to improve the accuracy of Hai’s responses but right now we accept that it will let us down sometimes.\n  - Reports which target a lack of host header validation or that exploit [multiple forward slashes](https://hackerone.com/reports/52035) at the root of the path segment of a URL. Both of these issues are known to both us and Cloudflare, and their resolution is outside our control.\n  - Reports which [enumerate already claimed user and program handles](https://hackerone.com/reports/29185). 
This reveals no sensitive information, regardless of whether the associated profiles are public or private.\n  - Reports relating to invitation expiration dates.\n  - The ability to game the badges functionality by closing submissions reported by yourself or a team member in a verified program.\n  - Most reports which disclose the existence of private programs, for example, the usage of SAML.\n  - The ability to see a user's rank when they're not ranked in the top 100. The rank is expected to be accessible by everyone.\n  - Information disclosure that is limited to just a single or handful of usernames. Usernames are considered public information and would need to be paired with another attack to be exploited ([example](https://hackerone.com/reports/2149766)). Directory attacks may still be interesting to us and will be evaluated case-by-case.\n\n# Hint \u0026 Tips\n\n- **Sandboxes:**  HackerOne offers a sandbox for hackers to help them test program functionality for security vulnerabilities. To create a program, go [here](https://hackerone.com/teams/new/sandbox). You can select any product edition, giving you access to almost all features HackerOne offers. Hackers can create up to 30 programs in the sandbox.\n- **Existence of Invite-Only Programs:** HackerOne has six different program states that are important to understand: sandbox, invite-only, public, external program, external program + sandbox, and external program + invite-only. It is **only** a valid vulnerability when there is a difference between the sandbox and invite-only programs. It is **not** a vulnerability when you can't distinguish a sandboxed program from an invite-only program. 
You can use the following example program handles for your tests.\n\n| Program state | Program handle | ID | Node ID |\n| ------------- | -------------- | -- | ------- |\n| Sandbox | @security-test-sandbox | 49806 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDY=` |\n| Invite-only | @security-test-invite-only | 49807 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDc=` |\n| Public | @security | 13 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vMTM=` |\n| External program | @security-test-ep | 49803 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDM=` |\n| External program + sandbox | @security-test-ep-sandbox | 49804 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDQ=` |\n| External program + invite-only | @security-test-ep-invite-only | 49805 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDU=` |\n\n- **Other Object Identifiers for Proof of Concept:** You may use the following object identifiers to test again on hackerone.com. Feel free to use these for a proof of concept when submitting a report to us.\n\n| GraphQL ID | Class | ID | Note |\n| ---------- | ----- | -- | ---- |\n| `Z2lkOi8vaGFja2Vyb25lL1N0cnVjdHVyZWRTY29wZS81ODU3OQ==` | `StructuredScope` | 58579 | An asset belonging to @security-test-sandbox |\n| `Z2lkOi8vaGFja2Vyb25lL1N0cnVjdHVyZWRTY29wZS8xMDA1Nzg=` | `StructuredScope` | 100578 | An asset belonging to @security-test-invite-only |\n","has_open_scope":true,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"Welcome! We’re thrilled that you’re considering helping to make HackerOne even stronger. We’ve always prioritized security, but we know that every technology has its flaws. Your expertise is invaluable in uncovering these bugs. If you find a security issue in our service, we’re eager to collaborate with you to resolve it and ensure you receive fair compensation for your discovery. 
Happy Hacking!","platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-06-25T17:25:46.416Z"},{"id":3730925,"new_policy":"# Must Read\n\n-  **Scope Inclusions:** Third-party assets outside of our control. We cannot authorize you to test assets that we do not host. Any such reports will be closed as Informative, but on occasion, we may reward a bonus if value to HackerOne's security posture is demonstrated. Note that issues within our control always fall within the scope of our program. This includes correct asset configuration and vulnerabilities/patching relating to self-hosted assets.\n- **Scope Exclusions:** The following categories of reports are considered out of scope for our program and will not be rewarded: \n  - Information disclosure caused by a customer/organization on HackerOne; these reports will be closed as informative and we encourage you to report the information disclosure to the relevant program.\n  - Manipulating Hai, our AI copilot, to produce misleading and false information. We continuously work to improve the accuracy of Hai’s responses but right now we accept that it will let us down sometimes.\n  - Reports which target a lack of host header validation or that exploit [multiple forward slashes](https://hackerone.com/reports/52035) at the root of the path segment of a URL. Both of these issues are known to both us and Cloudflare, and their resolution is outside our control.\n  - Reports which [enumerate already claimed user and program handles](https://hackerone.com/reports/29185). 
This reveals no sensitive information, regardless of whether the associated profiles are public or private.\n  - Reports relating to invitation expiration dates.\n  - The ability to game the badges functionality by closing submissions reported by yourself or a team member in a verified program.\n  - Most reports which disclose the existence of private programs, for example, the usage of SAML.\n  - The ability to see a user's rank when they're not ranked in the top 100. The rank is expected to be accessible by everyone.\n  - Information disclosure that is limited to just a single or handful of usernames. Usernames are considered public information and would need to be paired with another attack to be exploited ([example](https://hackerone.com/reports/2149766)). Directory attacks may still be interesting to us and will be evaluated case-by-case.\n\n# Hint \u0026 Tips\n\n- **Sandboxes:**  HackerOne offers a sandbox for hackers to help them test program functionality for security vulnerabilities. To create a program, go [here](https://hackerone.com/teams/new/sandbox). You can select any product edition, giving you access to almost all features HackerOne offers. Hackers can create up to 30 programs in the sandbox.\n- **Existence of Invite-Only Programs:** HackerOne has six different program states that are important to understand: sandbox, invite-only, public, external program, external program + sandbox, and external program + invite-only. It is **only** a valid vulnerability when there is a difference between the sandbox and invite-only programs. It is **not** a vulnerability when you can't distinguish a sandboxed program from an invite-only program. 
You can use the following example program handles for your tests.\n\n| Program state | Program handle | ID | Node ID |\n| ------------- | -------------- | -- | ------- |\n| Sandbox | @security-test-sandbox | 49806 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDY=` |\n| Invite-only | @security-test-invite-only | 49807 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDc=` |\n| Public | @security | 13 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vMTM=` |\n| External program | @security-test-ep | 49803 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDM=` |\n| External program + sandbox | @security-test-ep-sandbox | 49804 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDQ=` |\n| External program + invite-only | @security-test-ep-invite-only | 49805 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDU=` |\n\n- **Other Object Identifiers for Proof of Concept:** You may use the following object identifiers to test again on hackerone.com. Feel free to use these for a proof of concept when submitting a report to us.\n\n| GraphQL ID | Class | ID | Note |\n| ---------- | ----- | -- | ---- |\n| `Z2lkOi8vaGFja2Vyb25lL1N0cnVjdHVyZWRTY29wZS81ODU3OQ==` | `StructuredScope` | 58579 | An asset belonging to @security-test-sandbox |\n| `Z2lkOi8vaGFja2Vyb25lL1N0cnVjdHVyZWRTY29wZS8xMDA1Nzg=` | `StructuredScope` | 100578 | An asset belonging to @security-test-invite-only |\n","has_open_scope":true,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"Welcome! We’re thrilled that you’re considering helping to make HackerOne even stronger. We’ve always prioritized security, but we know that every technology has its flaws. Your expertise is invaluable in uncovering these bugs. If you find a security issue in our service, we’re eager to collaborate with you to resolve it and ensure you receive fair compensation for your discovery. 
Happy Hacking!","platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-06-25T17:25:13.855Z"},{"id":3730096,"new_policy":"# Must Read\n\n-  **Third-Party Assets:** Our bug bounty program does not cover third-party assets, as it only applies to software under our control. However, we value efforts to enhance our security and may grant a bonus of 20% for reports related to these assets. The issue will be marked as Informative and closed accordingly.\n- **Scope Exclusions:** The following categories of reports are considered out of scope for our program and will not be rewarded: \n  - Information disclosure caused by a customer/organization on HackerOne; these reports will be closed as informative and we encourage you to report the information disclosure to the relevant program to adhere to our Code of Conduct.\n  - Manipulating Hai, our AI copilot, to produce misleading and false information. We continuously work to improve the accuracy of Hai’s responses but right now we accept that it will let us down sometimes.\n  - Reports which target a lack of host header validation or that exploit [multiple forward slashes](https://hackerone.com/reports/52035) at the root of the path segment of a URL. Both of these issues are known to both us and Cloudflare, and their resolution is outside our control.\n  - Reports which [enumerate already claimed user and program handles](https://hackerone.com/reports/29185). This reveals no sensitive information, regardless of whether the associated profiles are public or private.\n  - Reports relating to invitation expiration dates.\n  - The ability to game the badges functionality by closing submissions reported by yourself or a team member in a verified program.\n  - Most reports which disclose the existence of private programs, for example, the usage of SAML.\n  - The ability to see a user's rank when they're not ranked in the top 100. 
The rank is expected to be accessible by everyone.\n  - Information disclosure that is limited to just a single or handful of usernames. Usernames are considered public information and would need to be paired with another attack to be exploited ([example](https://hackerone.com/reports/2149766)). Directory attacks may still be interesting to us and will be evaluated case-by-case.\n\n# Hint \u0026 Tips\n\n- **Sandboxes:**  HackerOne offers a sandbox for hackers to help them test program functionality for security vulnerabilities. To create a program, go [here](https://hackerone.com/teams/new/sandbox). You can select any product edition, giving you access to almost all features HackerOne offers. Hackers can create up to 30 programs in the sandbox.\n- **Existence of Invite-Only Programs:** HackerOne has six different program states that are important to understand: sandbox, invite-only, public, external program, external program + sandbox, and external program + invite-only. It is **only** a valid vulnerability when there is a difference between the sandbox and invite-only programs. It is **not** a vulnerability when you can't distinguish a sandboxed program from an invite-only program. 
You can use the following example program handles for your tests.\n\n| Program state | Program handle | ID | Node ID |\n| ------------- | -------------- | -- | ------- |\n| Sandbox | @security-test-sandbox | 49806 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDY=` |\n| Invite-only | @security-test-invite-only | 49807 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDc=` |\n| Public | @security | 13 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vMTM=` |\n| External program | @security-test-ep | 49803 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDM=` |\n| External program + sandbox | @security-test-ep-sandbox | 49804 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDQ=` |\n| External program + invite-only | @security-test-ep-invite-only | 49805 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDU=` |\n\n- **Other Object Identifiers for Proof of Concept:** You may use the following object identifiers to test again on hackerone.com. Feel free to use these for a proof of concept when submitting a report to us.\n\n| GraphQL ID | Class | ID | Note |\n| ---------- | ----- | -- | ---- |\n| `Z2lkOi8vaGFja2Vyb25lL1N0cnVjdHVyZWRTY29wZS81ODU3OQ==` | `StructuredScope` | 58579 | An asset belonging to @security-test-sandbox |\n| `Z2lkOi8vaGFja2Vyb25lL1N0cnVjdHVyZWRTY29wZS8xMDA1Nzg=` | `StructuredScope` | 100578 | An asset belonging to @security-test-invite-only |\n","has_open_scope":true,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"Welcome! We’re thrilled that you’re considering helping to make HackerOne even stronger. We’ve always prioritized security, but we know that every technology has its flaws. Your expertise is invaluable in uncovering these bugs. If you find a security issue in our service, we’re eager to collaborate with you to resolve it and ensure you receive fair compensation for your discovery. 
Happy Hacking!","platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-06-19T10:14:58.238Z"},{"id":3729856,"new_policy":"# Must Read\n\n-  **Third-Party Assets:** Our bug bounty program does not cover third-party assets, as it only applies to software under our control. However, we value efforts to enhance our security and may grant a bonus of 20% for reports related to these assets. The issue will be marked as Informative and closed accordingly.\n- **Scope Exclusions:** The following categories of reports are considered out of scope for our program and will not be rewarded: \n  - Information disclosure caused by a customer/organization on HackerOne; these reports will be closed as informative and we encourage you to report the information disclosure to the relevant program to adhere to our Code of Conduct.\n  - Manipulating Hai, our AI copilot, to produce misleading and false information. We continuously work to improve the accuracy of Hai’s responses but right now we accept that it will let us down sometimes.\n  - Reports which target a lack of host header validation or that exploit [multiple forward slashes](https://hackerone.com/reports/52035) at the root of the path segment of a URL. Both of these issues are known to both us and Cloudflare, and their resolution is outside our control.\n  - Reports which [enumerate already claimed user and program handles](https://hackerone.com/reports/29185). This reveals no sensitive information, regardless of whether the associated profiles are public or private.\n  - Reports relating to invitation expiration dates.\n  - The ability to game the badges functionality by closing submissions reported by yourself or a team member in a verified program.\n  - Most reports which disclose the existence of private programs, for example, the usage of SAML.\n  - The ability to see a user's rank when they're not ranked in the top 100. 
The rank is expected to be accessible by everyone.\n  - Information disclosure that is limited to just a single or handful of usernames. Usernames are considered public information and would need to be paired with another attack to be exploited ([example](https://hackerone.com/reports/2149766)). Directory attacks may still be interesting to us and will be evaluated case-by-case.\n\n# Hint \u0026 Tips\n\n- **Sandboxes:**  HackerOne offers a sandbox for hackers to help them test program functionality for security vulnerabilities. To create a program, go [here](https://hackerone.com/teams/new/sandbox). You can select any product edition, giving you access to almost all features HackerOne offers. Hackers can create up to 30 programs in the sandbox.\n- **Existence of Invite-Only Programs:** HackerOne has six different program states that are important to understand: sandbox, invite-only, public, external program, external program + sandbox, and external program + invite-only. It is **only** a valid vulnerability when there is a difference between the sandbox and invite-only programs. It is **not** a vulnerability when you can't distinguish a sandboxed program from an invite-only program. 
You can use the following example program handles for your tests.\n\n| Program state | Program handle | ID | Node ID |\n| ------------- | -------------- | -- | ------- |\n| Sandbox | @security-test-sandbox | 49806 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDY=` |\n| Invite-only | @security-test-invite-only | 49807 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDc=` |\n| Public | @security | 13 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vMTM=` |\n| External program | @security-test-ep | 49803 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDM=` |\n| External program + sandbox | @security-test-ep-sandbox | 49804 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDQ=` |\n| External program + invite-only | @security-test-ep-invite-only | 49805 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDU=` |\n\n- **Other Object Identifiers for Proof of Concept:** You may use the following object identifiers to test again on hackerone.com. Feel free to use these for a proof of concept when submitting a report to us.\n\n| GraphQL ID | Class | ID | Note |\n| ---------- | ----- | -- | ---- |\n| `Z2lkOi8vaGFja2Vyb25lL1N0cnVjdHVyZWRTY29wZS81ODU3OQ==` | `StructuredScope` | 58579 | An asset belonging to @security-test-sandbox |\n| `Z2lkOi8vaGFja2Vyb25lL1N0cnVjdHVyZWRTY29wZS8xMDA1Nzg=` | `StructuredScope` | 100578 | An asset belonging to @security-test-invite-only |\n","has_open_scope":true,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"We've built HackerOne from the ground up with security as our top priority. Even so, we believe that all technology contains bugs and that the public plays a crucial role in identifying these bugs. 
If you believe you've found a security bug in our service, we'll gladly work with you to resolve that issue and ensure you are fairly compensated for your discovery.","platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-06-18T19:10:26.476Z"},{"id":3729855,"new_policy":"# Must Read\n\n**Third-Party Assets:** Our bug bounty program does not cover third-party assets, as it only applies to software under our control. However, we value efforts to enhance our security and may grant a bonus of 20% for reports related to these assets. The issue will be marked as Informative and closed accordingly.\n\n**Scope Exclusions:** The following categories of reports are considered out of scope for our program and will not be rewarded: \n- Information disclosure caused by a customer/organization on HackerOne; these reports will be closed as informative and we encourage you to report the information disclosure to the relevant program to adhere to our Code of Conduct.\n- Manipulating Hai, our AI copilot, to produce misleading and false information. We continuously work to improve the accuracy of Hai’s responses but right now we accept that it will let us down sometimes.\n- Reports which target a lack of host header validation or that exploit [multiple forward slashes](https://hackerone.com/reports/52035) at the root of the path segment of a URL. Both of these issues are known to both us and Cloudflare, and their resolution is outside our control.\n- Reports which [enumerate already claimed user and program handles](https://hackerone.com/reports/29185). 
This reveals no sensitive information, regardless of whether the associated profiles are public or private.\n- Reports relating to invitation expiration dates.\n- The ability to game the badges functionality by closing submissions reported by yourself or a team member in a verified program.\n- Most reports which disclose the existence of private programs, for example, the usage of SAML.\n- The ability to see a user's rank when they're not ranked in the top 100. The rank is expected to be accessible by everyone.\n- Information disclosure that is limited to just a single or handful of usernames. Usernames are considered public information and would need to be paired with another attack to be exploited ([example](https://hackerone.com/reports/2149766)). Directory attacks may still be interesting to us and will be evaluated case-by-case.\n\n\n# Hint \u0026 Tips\n\n**Sandboxes:** HackerOne offers a sandbox for hackers to help them test program functionality for security vulnerabilities. To create a program, go [here](https://hackerone.com/teams/new/sandbox). You can select any product edition, giving you access to almost all features HackerOne offers. Hackers can create up to 30 programs in the sandbox.\n\n**Existence of Invite-Only Programs:** HackerOne has six different program states that are important to understand: sandbox, invite-only, public, external program, external program + sandbox, and external program + invite-only. It is **only** a valid vulnerability when there is a difference between the sandbox and invite-only programs. It is **not** a vulnerability when you can't distinguish a sandboxed program from an invite-only program. 
You can use the following example program handles for your tests.\n\n| Program state | Program handle | ID | Node ID |\n| ------------- | -------------- | -- | ------- |\n| Sandbox | @security-test-sandbox | 49806 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDY=` |\n| Invite-only | @security-test-invite-only | 49807 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDc=` |\n| Public | @security | 13 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vMTM=` |\n| External program | @security-test-ep | 49803 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDM=` |\n| External program + sandbox | @security-test-ep-sandbox | 49804 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDQ=` |\n| External program + invite-only | @security-test-ep-invite-only | 49805 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDU=` |\n\n**Other Object Identifiers for Proof of Concept:** You may use the following object identifiers to test again on hackerone.com. Feel free to use these for a proof of concept when submitting a report to us.\n\n| GraphQL ID | Class | ID | Note |\n| ---------- | ----- | -- | ---- |\n| `Z2lkOi8vaGFja2Vyb25lL1N0cnVjdHVyZWRTY29wZS81ODU3OQ==` | `StructuredScope` | 58579 | An asset belonging to @security-test-sandbox |\n| `Z2lkOi8vaGFja2Vyb25lL1N0cnVjdHVyZWRTY29wZS8xMDA1Nzg=` | `StructuredScope` | 100578 | An asset belonging to @security-test-invite-only |\n","has_open_scope":true,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"We've built HackerOne from the ground up with security as our top priority. Even so, we believe that all technology contains bugs and that the public plays a crucial role in identifying these bugs. 
If you believe you've found a security bug in our service, we'll gladly work with you to resolve that issue and ensure you are fairly compensated for your discovery.","platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-06-18T19:01:20.731Z"},{"id":3729852,"new_policy":"## HackerOne program sandbox\nHackerOne offers a sandbox for hackers to help them test program functionality for security vulnerabilities. To create a program, go [here](https://hackerone.com/teams/new/sandbox). You can select any product edition, giving you access to almost all features HackerOne offers. Hackers can create up to 30 programs in the sandbox.\n\n## Scope Exclusions\nThe following categories of reports are considered out of scope for our program and will not be rewarded:\n\n - Reports which target a lack of host header validation or that exploit [multiple forward slashes](https://hackerone.com/reports/52035) at the root of the path segment of a URL. Both of these issues are known to both us and Cloudflare, and their resolution is outside our control.\n - Reports which [enumerate already claimed user and program handles](https://hackerone.com/reports/29185). This reveals no sensitive information, regardless of whether the associated profiles are public or private.\n - Reports relating to the execution of CSV content by a third-party client application due to special treatment of certain characters in the exported CSV.\n - Reports relating to invitation expiration dates.\n - The ability to game the badges functionality by closing submissions reported by yourself or a team member in a verified program.\n - Reports which disclose the existence of private programs that are using SAML.\n - The ability to see a user's rank when they're not ranked in the top 100. 
The rank is expected to be accessible by everyone.\n - Information disclosure caused by a customer/organization on HackerOne; these reports will be closed as informative and we encourage you to report the information disclosure to the relevant program to adhere to our Code of Conduct.\n- Information disclosure that is limited to just a single or handful of username(s). Usernames are considered public information and would need to be paired with another attack to be exploited (https://hackerone.com/reports/2149766) - directory attacks may still be interesting to us and will be evaluated case-by-case.\n- Bypassing the new user enforced report limits by rapidly sending requests in short succession (https://hackerone.com/reports/2206703, https://hackerone.com/reports/152747) - this is an accepted risk.\n- Manipulating Hai, our AI copilot, to produce misleading and false information. We continuously work to improve the accuracy of Hai’s responses but right now we accept that it will let us down sometimes.\n - Vulnerabilities that disclose the existence of a launched private HackerOne program (not a \"sandboxed\" or demo program) will be considered Low severity, whereas previously they would be considered Medium severity. Depending on the information that is disclosed, the team may increase the severity.\n\n## Existence of invite-only programs\nHackerOne has six different program states that are important to understand: sandbox, invite-only, public, external program, external program + sandbox, and external program + invite-only. It is **only** a valid vulnerability when there is a difference between the sandbox and invite-only programs. It is **not** a vulnerability when you can't distinguish a sandboxed program from an invite-only program. 
You can use the following example program handles for your tests.\n\n| Program state | Program handle | Program ID | Organization ID | Node ID |\n| ----- | ----- | ----- | ----- | ----- |\n| Sandbox | @security-test-sandbox | 49806 | 34589 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDY=` |\n| Invite-only | @security-test-invite-only | 49807 | 48409 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDc=` |\n| Public | @security | 13 | 1 |`Z2lkOi8vaGFja2Vyb25lL1RlYW0vMTM=` |\n| External program | @security-test-ep | 49803 | 34586 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDM=` |\n| External program + sandbox | @security-test-ep-sandbox | 49804 | 34588 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDQ=` |\n| External program + invite-only | @security-test-ep-invite-only | 49805 | 48408 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDU=`\n\n## Other object identifiers that may be used for a proof of concept\nYou may use the following object identifiers to test again on hackerone.com. Feel free to use these for a proof of concept when submitting a report to us.\n\n| GraphQL ID | Class | ID | Note |\n| ----- | ----- | ----- | ----- |\n| `Z2lkOi8vaGFja2Vyb25lL1N0cnVjdHVyZWRTY29wZS81ODU3OQ==` | `StructuredScope` | 58579 | An asset belonging to @security-test-sandbox |\n| `Z2lkOi8vaGFja2Vyb25lL1N0cnVjdHVyZWRTY29wZS8xMDA1Nzg=` | `StructuredScope` | 100578 | An asset belonging to @security-test-invite-only |\n\n{F285265}\n","has_open_scope":true,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"We've built HackerOne from the ground up with security as our top priority. Even so, we believe that all technology contains bugs and that the public plays a crucial role in identifying these bugs. 
If you believe you've found a security bug in our service, we'll gladly work with you to resolve that issue and ensure you are fairly compensated for your discovery.","platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-06-18T17:50:19.320Z"},{"id":3729648,"new_policy":"## HackerOne program sandbox\nHackerOne offers a sandbox for hackers to help them test program functionality for security vulnerabilities. To create a program, go [here](https://hackerone.com/teams/new/sandbox). You can select any product edition, giving you access to almost all features HackerOne offers. Hackers can create up to 30 programs in the sandbox.\n\n## Providing Evidence\nIf you are unsure if you will access others information, please file a report and ask if you should proceed. In a situation where you have an account takeover of a HackerOne employee, please notify our team by [using this form](/report-a-security-incident). This page is only available from the compromised HackerOne employee account.\n\n## Scope Exclusions\nThe following categories of reports are considered out of scope for our program and will not be rewarded:\n\n - Reports which target a lack of host header validation or that exploit [multiple forward slashes](https://hackerone.com/reports/52035) at the root of the path segment of a URL. Both of these issues are known to both us and Cloudflare, and their resolution is outside our control.\n - Reports which [enumerate already claimed user and program handles](https://hackerone.com/reports/29185). 
This reveals no sensitive information, regardless of whether the associated profiles are public or private.\n - Reports relating to the execution of CSV content by a third-party client application due to special treatment of certain characters in the exported CSV.\n - Reports relating to invitation expiration dates.\n - The ability to game the badges functionality by closing submissions reported by yourself or a team member in a verified program.\n - Reports which disclose the existence of private programs that are using SAML.\n - The ability to see a user's rank when they're not ranked in the top 100. The rank is expected to be accessible by everyone.\n - Information disclosure caused by a customer/organization on HackerOne; these reports will be closed as informative and we encourage you to report the information disclosure to the relevant program to adhere to our Code of Conduct.\n- Information disclosure that is limited to just a single or handful of username(s). Usernames are considered public information and would need to be paired with another attack to be exploited (https://hackerone.com/reports/2149766) - directory attacks may still be interesting to us and will be evaluated case-by-case.\n- Bypassing the new user enforced report limits by rapidly sending requests in short succession (https://hackerone.com/reports/2206703, https://hackerone.com/reports/152747) - this is an accepted risk.\n- Manipulating Hai, our AI copilot, to produce misleading and false information. We continuously work to improve the accuracy of Hai’s responses but right now we accept that it will let us down sometimes.\n - Vulnerabilities that disclose the existence of a launched private HackerOne program (not a \"sandboxed\" or demo program) will be considered Low severity, whereas previously they would be considered Medium severity. 
Depending on the information that is disclosed, the team may increase the severity.\n\n## Existence of invite-only programs\nHackerOne has six different program states that are important to understand: sandbox, invite-only, public, external program, external program + sandbox, and external program + invite-only. It is **only** a valid vulnerability when there is a difference between the sandbox and invite-only programs. It is **not** a vulnerability when you can't distinguish a sandboxed program from an invite-only program. You can use the following example program handles for your tests.\n\n| Program state | Program handle | Program ID | Organization ID | Node ID |\n| ----- | ----- | ----- | ----- | ----- |\n| Sandbox | @security-test-sandbox | 49806 | 34589 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDY=` |\n| Invite-only | @security-test-invite-only | 49807 | 48409 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDc=` |\n| Public | @security | 13 | 1 |`Z2lkOi8vaGFja2Vyb25lL1RlYW0vMTM=` |\n| External program | @security-test-ep | 49803 | 34586 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDM=` |\n| External program + sandbox | @security-test-ep-sandbox | 49804 | 34588 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDQ=` |\n| External program + invite-only | @security-test-ep-invite-only | 49805 | 48408 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDU=`\n\n## Other object identifiers that may be used for a proof of concept\nYou may use the following object identifiers to test again on hackerone.com. 
Feel free to use these for a proof of concept when submitting a report to us.\n\n| GraphQL ID | Class | ID | Note |\n| ----- | ----- | ----- | ----- |\n| `Z2lkOi8vaGFja2Vyb25lL1N0cnVjdHVyZWRTY29wZS81ODU3OQ==` | `StructuredScope` | 58579 | An asset belonging to @security-test-sandbox |\n| `Z2lkOi8vaGFja2Vyb25lL1N0cnVjdHVyZWRTY29wZS8xMDA1Nzg=` | `StructuredScope` | 100578 | An asset belonging to @security-test-invite-only |\n\n{F285265}\n","has_open_scope":true,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"We've built HackerOne from the ground up with security as our top priority. Even so, we believe that all technology contains bugs and that the public plays a crucial role in identifying these bugs. If you believe you've found a security bug in our service, we'll gladly work with you to resolve that issue and ensure you are fairly compensated for your discovery.","platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-06-17T11:55:15.289Z"},{"id":3729647,"new_policy":"## HackerOne program sandbox\nHackerOne offers a sandbox for hackers to help them test program functionality for security vulnerabilities. To create a program, go [here](https://hackerone.com/teams/new/sandbox). You can select any product edition, giving you access to almost all features HackerOne offers. Hackers can create up to 30 programs in the sandbox.\n\n## Providing Evidence\nIf you are unsure if you will access others information, please file a report and ask if you should proceed. In a situation where you have an account takeover of a HackerOne employee, please notify our team by [using this form](/report-a-security-incident). 
This page is only available from the compromised HackerOne employee account.\n\n## Scope Exclusions\nThe following categories of reports are considered out of scope for our program and will not be rewarded:\n\n - Reports which target a lack of host header validation or that exploit [multiple forward slashes](https://hackerone.com/reports/52035) at the root of the path segment of a URL. Both of these issues are known to both us and Cloudflare, and their resolution is outside our control.\n - Reports which [enumerate already claimed user and program handles](https://hackerone.com/reports/29185). This reveals no sensitive information, regardless of whether the associated profiles are public or private.\n - Reports relating to the execution of CSV content by a third-party client application due to special treatment of certain characters in the exported CSV.\n - Reports relating to invitation expiration dates.\n - The ability to game the badges functionality by closing submissions reported by yourself or a team member in a verified program.\n - Reports which disclose the existence of private programs that are using SAML.\n - The ability to see a user's rank when they're not ranked in the top 100. The rank is expected to be accessible by everyone.\n - Information disclosure caused by a customer/organization on HackerOne; these reports will be closed as informative and we encourage you to report the information disclosure to the relevant program to adhere to our Code of Conduct.\n- Information disclosure that is limited to just a single or handful of username(s). 
Usernames are considered public information and would need to be paired with another attack to be exploited (https://hackerone.com/reports/2149766) - directory attacks may still be interesting to us and will be evaluated case-by-case.\n- Bypassing the new user enforced report limits by rapidly sending requests in short succession (https://hackerone.com/reports/2206703, https://hackerone.com/reports/152747) - this is an accepted risk.\n- Manipulating Hai, our AI copilot, to produce misleading and false information. We continuously work to improve the accuracy of Hai’s responses but right now we accept that it will let us down sometimes.\n - Vulnerabilities that disclose the existence of a launched private HackerOne program (not a \"sandboxed\" or demo program) will be considered Low severity, whereas previously they would be considered Medium severity. Depending on the information that is disclosed, the team may increase the severity.\n\n## Existence of invite-only programs\nHackerOne has six different program states that are important to understand: sandbox, invite-only, public, external program, external program + sandbox, and external program + invite-only. It is **only** a valid vulnerability when there is a difference between the sandbox and invite-only programs. It is **not** a vulnerability when you can't distinguish a sandboxed program from an invite-only program. 
You can use the following example program handles for your tests.\n\n| Program state | Program handle | ID | Node ID |\n| ----- | ----- | ----- | ----- |\n| Sandbox | @security-test-sandbox | 49806 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDY=` |\n| Invite-only | @security-test-invite-only | 49807 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDc=` |\n| Public | @security | 13 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vMTM=` |\n| External program | @security-test-ep | 49803 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDM=` |\n| External program + sandbox | @security-test-ep-sandbox | 49804 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDQ=` |\n| External program + invite-only | @security-test-ep-invite-only | 49805 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDU=`\n\n## Other object identifiers that may be used for a proof of concept\nYou may use the following object identifiers to test again on hackerone.com. Feel free to use these for a proof of concept when submitting a report to us.\n\n| GraphQL ID | Class | ID | Note |\n| ----- | ----- | ----- | ----- |\n| `Z2lkOi8vaGFja2Vyb25lL1N0cnVjdHVyZWRTY29wZS81ODU3OQ==` | `StructuredScope` | 58579 | An asset belonging to @security-test-sandbox |\n| `Z2lkOi8vaGFja2Vyb25lL1N0cnVjdHVyZWRTY29wZS8xMDA1Nzg=` | `StructuredScope` | 100578 | An asset belonging to @security-test-invite-only |\n\n{F285265}\n","has_open_scope":true,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"We've built HackerOne from the ground up with security as our top priority. Even so, we believe that all technology contains bugs and that the public plays a crucial role in identifying these bugs. 
If you believe you've found a security bug in our service, we'll gladly work with you to resolve that issue and ensure you are fairly compensated for your discovery.","platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-06-17T11:50:03.395Z"},{"id":3729623,"new_policy":"## HackerOne program sandbox\nHackerOne offers a sandbox for hackers to help them test program functionality for security vulnerabilities. To create a program, go [here](https://hackerone.com/teams/new/sandbox). You can select any product edition, giving you access to almost all features HackerOne offers. Hackers can create up to 30 programs in the sandbox.\n\n## Providing Evidence\nIf you are unsure if you will access others' information, please file a report and ask if you should proceed. In a situation where you have an account takeover of a HackerOne employee, please notify our team by [using this form](/report-a-security-incident). This page is only available from the compromised HackerOne employee account.\n\n## Scope Exclusions\nThe following categories of reports are considered out of scope for our program and will not be rewarded:\n\n - Reports which target a lack of host header validation or that exploit [multiple forward slashes](https://hackerone.com/reports/52035) at the root of the path segment of a URL. Both of these issues are known to both us and Cloudflare, and their resolution is outside our control.\n - Reports which [enumerate already claimed user and program handles](https://hackerone.com/reports/29185). 
This reveals no sensitive information, regardless of whether the associated profiles are public or private.\n - Reports relating to the execution of CSV content by a third-party client application due to special treatment of certain characters in the exported CSV.\n - Reports relating to invitation expiration dates.\n - The ability to game the badges functionality by closing submissions reported by yourself or a team member in a verified program.\n - Reports which disclose the existence of private programs that are using SAML.\n - The ability to see a user's rank when they're not ranked in the top 100. The rank is expected to be accessible by everyone.\n - Information disclosure caused by a customer/organization on HackerOne; these reports will be closed as informative and we encourage you to report the information disclosure to the relevant program to adhere to our Code of Conduct.\n- Information disclosure that is limited to just a single or handful of username(s). Usernames are considered public information and would need to be paired with another attack to be exploited (https://hackerone.com/reports/2149766) - directory attacks may still be interesting to us and will be evaluated case-by-case.\n- Bypassing the new user enforced report limits by rapidly sending requests in short succession (https://hackerone.com/reports/2206703, https://hackerone.com/reports/152747) - this is an accepted risk.\n- Manipulating Hai, our AI copilot, to produce misleading and false information. We continuously work to improve the accuracy of Hai’s responses but right now we accept that it will let us down sometimes.\n - Vulnerabilities that disclose the existence of a launched private HackerOne program (not a \"sandboxed\" or demo program) will be considered Low severity, whereas previously they would be considered Medium severity. 
Depending on the information that is disclosed, the team may increase the severity.\n\n## Existence of invite-only programs\nHackerOne has six different program states that are important to understand: sandbox, invite-only, public, external program, external program + sandbox, and external program + invite-only. It is **only** a valid vulnerability when there is a difference between the sandbox and invite-only programs. It is **not** a vulnerability when you can't distinguish a sandboxed program from an invite-only program. You can use the following example program handles for your tests.\n\n| Program state | Program handle | ID | Node ID |\n| ----- | ----- | ----- | ----- |\n| Sandbox | @security-test-sandbox | 49806 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDY=` |\n| Invite-only | @security-test-invite-only | 49807 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDc=` |\n| Public | @security | 13 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vMTM=` |\n| External program | @security-test-ep | 49803 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDM=` |\n| External program + sandbox | @security-test-ep-sandbox | 49804 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDQ=` |\n| External program + invite-only | @security-test-ep-invite-only | 49805 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDU=`\n\n## Other object identifiers that may be used for a proof of concept\nYou may use the following object identifiers to test again on hackerone.com. 
Feel free to use these for a proof of concept when submitting a report to us.\n\n| GraphQL ID | Class | ID | Note |\n| ----- | ----- | ----- | ----- |\n| `Z2lkOi8vaGFja2Vyb25lL1N0cnVjdHVyZWRTY29wZS81ODU3OQ==` | `StructuredScope` | 58579 | An asset belonging to @security-test-sandbox |\n| `Z2lkOi8vaGFja2Vyb25lL1N0cnVjdHVyZWRTY29wZS8xMDA1Nzg=` | `StructuredScope` | 100578 | An asset belonging to @security-test-invite-only |\n\n{F285265}\n","has_open_scope":true,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"We've built HackerOne from the ground up with security as our top priority. Even so, we believe that all technology contains bugs and that the public plays a crucial role in identifying these bugs. If you believe you've found a security bug in our service, we'll gladly work with you to resolve that issue and ensure you are fairly compensated for your discovery.","platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-06-17T08:01:43.138Z"},{"id":3729622,"new_policy":"HackerOne program sandbox\n===============\nHackerOne offers a sandbox for hackers to help them test program functionality for security vulnerabilities. To create a program, go [here](https://hackerone.com/teams/new/sandbox). You can select any product edition, giving you access to almost all features HackerOne offers. Hackers can create up to 30 programs in the sandbox.\n\nProviding Evidence\n===============\n\nIf you are unsure if you will access others' information, please file a report and ask if you should proceed. In a situation where you have an account takeover of a HackerOne employee, please notify our team by [using this form](/report-a-security-incident). 
This page is only available from the compromised HackerOne employee account.\n\n\nScope Exclusions\n===============\nThe following categories of reports are considered out of scope for our program and will not be rewarded:\n\n - Reports which target a lack of host header validation or that exploit [multiple forward slashes](https://hackerone.com/reports/52035) at the root of the path segment of a URL. Both of these issues are known to both us and Cloudflare, and their resolution is outside our control.\n - Reports which [enumerate already claimed user and program handles](https://hackerone.com/reports/29185). This reveals no sensitive information, regardless of whether the associated profiles are public or private.\n - Reports relating to the execution of CSV content by a third-party client application due to special treatment of certain characters in the exported CSV.\n - Reports relating to invitation expiration dates.\n - The ability to game the badges functionality by closing submissions reported by yourself or a team member in a verified program.\n - Reports which disclose the existence of private programs that are using SAML.\n - The ability to see a user's rank when they're not ranked in the top 100. The rank is expected to be accessible by everyone.\n - Information disclosure caused by a customer/organization on HackerOne; these reports will be closed as informative and we encourage you to report the information disclosure to the relevant program to adhere to our Code of Conduct.\n- Information disclosure that is limited to just a single or handful of username(s). 
Usernames are considered public information and would need to be paired with another attack to be exploited (https://hackerone.com/reports/2149766) - directory attacks may still be interesting to us and will be evaluated case-by-case.\n- Bypassing the new user enforced report limits by rapidly sending requests in short succession (https://hackerone.com/reports/2206703, https://hackerone.com/reports/152747) - this is an accepted risk.\n- Manipulating Hai, our AI copilot, to produce misleading and false information. We continuously work to improve the accuracy of Hai’s responses but right now we accept that it will let us down sometimes.\n - Vulnerabilities that disclose the existence of a launched private HackerOne program (not a \"sandboxed\" or demo program) will be considered Low severity, whereas previously they would be considered Medium severity. Depending on the information that is disclosed, the team may increase the severity.\n\n## Existence of invite-only programs\nHackerOne has six different program states that are important to understand: sandbox, invite-only, public, external program, external program + sandbox, and external program + invite-only. It is **only** a valid vulnerability when there is a difference between the sandbox and invite-only programs. It is **not** a vulnerability when you can't distinguish a sandboxed program from an invite-only program. 
You can use the following example program handles for your tests.\n\n| Program state | Program handle | ID | Node ID |\n| ----- | ----- | ----- | ----- |\n| Sandbox | @security-test-sandbox | 49806 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDY=` |\n| Invite-only | @security-test-invite-only | 49807 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDc=` |\n| Public | @security | 13 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vMTM=` |\n| External program | @security-test-ep | 49803 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDM=` |\n| External program + sandbox | @security-test-ep-sandbox | 49804 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDQ=` |\n| External program + invite-only | @security-test-ep-invite-only | 49805 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDU=`\n\n## Other object identifiers that may be used for a proof of concept\nYou may use the following object identifiers to test again on hackerone.com. Feel free to use these for a proof of concept when submitting a report to us.\n\n| GraphQL ID | Class | ID | Note |\n| ----- | ----- | ----- | ----- |\n| `Z2lkOi8vaGFja2Vyb25lL1N0cnVjdHVyZWRTY29wZS81ODU3OQ==` | `StructuredScope` | 58579 | An asset belonging to @security-test-sandbox |\n| `Z2lkOi8vaGFja2Vyb25lL1N0cnVjdHVyZWRTY29wZS8xMDA1Nzg=` | `StructuredScope` | 100578 | An asset belonging to @security-test-invite-only |\n\n{F285265}\n","has_open_scope":true,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"We've built HackerOne from the ground up with security as our top priority. Even so, we believe that all technology contains bugs and that the public plays a crucial role in identifying these bugs. 
If you believe you've found a security bug in our service, we'll gladly work with you to resolve that issue and ensure you are fairly compensated for your discovery.","platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-06-17T07:43:00.938Z"},{"id":3729621,"new_policy":"HackerOne program sandbox\n===============\nHackerOne offers a sandbox for hackers to help them test program functionality for security vulnerabilities. To create a program, go [here](https://hackerone.com/teams/new/sandbox). You can select any product edition, giving you access to almost all features HackerOne offers. Hackers can create up to 30 programs in the sandbox.\n\nEligibility and Responsible Disclosure\n===============\nWe encourage and respect the hacker community and ask that you act in good faith when working with us. Please abide by the following when participating in our program:\n\n - **Follow the Vulnerability Disclosure Guidelines.** As our platform lays out, please read and follow the [Vulnerability Disclosure Guidelines](https://www.hackerone.com/disclosure-guidelines).\n - **Respect all our users' privacy.** HackerOne is a community that holds a lot of information, and we count on you to help keep everyone safe. Limit testing to accounts you own and do not impact other users on HackerOne. If you do encounter any user data or program data, including but not limited to usernames, passwords, or vulnerability information, please report it to us immediately and stop testing right away.\n - **Bend, but not break.** When testing, use the minimal possible POC to validate a vulnerability; in cases when it may impact systems or users, ask permission first. No matter the case, do not damage or leave a system in a more vulnerable state than when you uncovered it.\n- **Understand Permissions.** For a clearer understanding of your capabilities and limitations, it's important to comprehend how permissions are set on our platform. 
To get an overview, check out [Permissions on HackerOne](https://docs.hackerone.com/en/articles/9095492-permissions).\n - Vulnerabilities that disclose the existence of a launched private HackerOne program (not a \"sandboxed\" or demo program) will be considered Low severity, whereas previously they would be considered Medium severity. Depending on the information that is disclosed, the team may increase the severity.\n - **Third party assets.** Our bug bounty program does not cover third-party assets, as it only applies to software under our control. However, we value efforts to enhance our security and may grant a bonus of 20% for reports related to these assets. The issue will be marked as Informative and closed accordingly.\n\n\nProviding Evidence\n===============\n\nIf you are unsure if you will access others' information, please file a report and ask if you should proceed. In a situation where you have an account takeover of a HackerOne employee, please notify our team by [using this form](/report-a-security-incident). This page is only available from the compromised HackerOne employee account.\n\n\nScope Exclusions\n===============\nThe following categories of reports are considered out of scope for our program and will not be rewarded:\n\n - Reports which target a lack of host header validation or that exploit [multiple forward slashes](https://hackerone.com/reports/52035) at the root of the path segment of a URL. Both of these issues are known to both us and Cloudflare, and their resolution is outside our control.\n - Reports which [enumerate already claimed user and program handles](https://hackerone.com/reports/29185). 
This reveals no sensitive information, regardless of whether the associated profiles are public or private.\n - Reports relating to the execution of CSV content by a third-party client application due to special treatment of certain characters in the exported CSV.\n - Reports relating to invitation expiration dates.\n - The ability to game the badges functionality by closing submissions reported by yourself or a team member in a verified program.\n - Reports which disclose the existence of private programs that are using SAML.\n - The ability to see a user's rank when they're not ranked in the top 100. The rank is expected to be accessible by everyone.\n - Information disclosure caused by a customer/organization on HackerOne; these reports will be closed as informative and we encourage you to report the information disclosure to the relevant program to adhere to our Code of Conduct.\n- Information disclosure that is limited to just a single or handful of username(s). Usernames are considered public information and would need to be paired with another attack to be exploited (https://hackerone.com/reports/2149766) - directory attacks may still be interesting to us and will be evaluated case-by-case.\n- Bypassing the new user enforced report limits by rapidly sending requests in short succession (https://hackerone.com/reports/2206703, https://hackerone.com/reports/152747) - this is an accepted risk.\n- Manipulating Hai, our AI copilot, to produce misleading and false information. We continuously work to improve the accuracy of Hai’s responses but right now we accept that it will let us down sometimes.\n\n\n## Existence of invite-only programs\nHackerOne has six different program states that are important to understand: sandbox, invite-only, public, external program, external program + sandbox, and external program + invite-only. It is **only** a valid vulnerability when there is a difference between the sandbox and invite-only programs. 
It is **not** a vulnerability when you can't distinguish a sandboxed program from an invite-only program. You can use the following example program handles for your tests.\n\n| Program state | Program handle | ID | Node ID |\n| ----- | ----- | ----- | ----- |\n| Sandbox | @security-test-sandbox | 49806 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDY=` |\n| Invite-only | @security-test-invite-only | 49807 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDc=` |\n| Public | @security | 13 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vMTM=` |\n| External program | @security-test-ep | 49803 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDM=` |\n| External program + sandbox | @security-test-ep-sandbox | 49804 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDQ=` |\n| External program + invite-only | @security-test-ep-invite-only | 49805 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDU=`\n\n## Other object identifiers that may be used for a proof of concept\nYou may use the following object identifiers to test again on hackerone.com. Feel free to use these for a proof of concept when submitting a report to us.\n\n| GraphQL ID | Class | ID | Note |\n| ----- | ----- | ----- | ----- |\n| `Z2lkOi8vaGFja2Vyb25lL1N0cnVjdHVyZWRTY29wZS81ODU3OQ==` | `StructuredScope` | 58579 | An asset belonging to @security-test-sandbox |\n| `Z2lkOi8vaGFja2Vyb25lL1N0cnVjdHVyZWRTY29wZS8xMDA1Nzg=` | `StructuredScope` | 100578 | An asset belonging to @security-test-invite-only |\n\n{F285265}\n","has_open_scope":true,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"We've built HackerOne from the ground up with security as our top priority. Even so, we believe that all technology contains bugs and that the public plays a crucial role in identifying these bugs. 
If you believe you've found a security bug in our service, we'll gladly work with you to resolve that issue and ensure you are fairly compensated for your discovery.","platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-06-17T07:40:29.347Z"},{"id":3729489,"new_policy":"***💬 Important for reporting functional bugs:*** if you are looking to report a non-security-related bug in HackerOne, please [submit here](https://support.hackerone.com) instead.\n\nHackerOne program sandbox\n===============\nHackerOne offers a sandbox for hackers to help them test program functionality for security vulnerabilities. To create a program, go [here](https://hackerone.com/teams/new/sandbox). You can select any product edition, giving you access to almost all features HackerOne offers. Hackers can create up to 30 programs in the sandbox.\n\nEligibility and Responsible Disclosure\n===============\nWe encourage and respect the hacker community and ask that you act in good faith when working with us. Please abide by the following when participating in our program:\n\n - **Follow the Vulnerability Disclosure Guidelines.** As our platform lays out, please read and follow the [Vulnerability Disclosure Guidelines](https://www.hackerone.com/disclosure-guidelines).\n - **Respect all our users' privacy.** HackerOne is a community that holds a lot of information, and we count on you to help keep everyone safe. Limit testing to accounts you own and do not impact other users on HackerOne. If you do encounter any user data or program data, including but not limited to usernames, passwords, or vulnerability information, please report it to us immediately and stop testing right away.\n - **Bend, but not break.** When testing use the minimal possible POC to validate a vulnerability; in cases when it may impact systems or users, ask permission first. 
No matter the case, do not damage or leave a system in a more vulnerable state than when you uncovered it.\n- **Understand Permissions.** For a clearer understanding of your capabilities and limitations, it's important to comprehend how permissions are set on our platform. To get an overview, check out [Permissions on HackerOne](https://docs.hackerone.com/en/articles/9095492-permissions).\n - Vulnerabilities that disclose the existence of a launched private HackerOne program (not a \"sandboxed\" or demo program) will be considered Low severity, whereas previously they would be considered Medium severity. Depending on the information that is disclosed, the team may increase the severity.\n - **Third party assets.** Our bug bounty program does not cover third-party assets, as it only applies to software under our control. However, we value efforts to enhance our security and may grant a bonus of 20% for reports related to these assets. The issue will be marked as Informative and closed accordingly.\n\n\nProviding Evidence\n===============\n\nIf you are unsure if you will access others' information, please file a report and ask if you should proceed. In a situation where you have an account takeover of a HackerOne employee, please notify our team by [using this form](/report-a-security-incident). This page is only available from the compromised HackerOne employee account.\n\n\nScope Exclusions\n===============\nThe following categories of reports are considered out of scope for our program and will not be rewarded:\n\n - Reports which target a lack of host header validation or that exploit [multiple forward slashes](https://hackerone.com/reports/52035) at the root of the path segment of a URL. Both of these issues are known to both us and Cloudflare, and their resolution is outside our control.\n - Reports which [enumerate already claimed user and program handles](https://hackerone.com/reports/29185). 
This reveals no sensitive information, regardless of whether the associated profiles are public or private.\n - Reports relating to the execution of CSV content by a third-party client application due to special treatment of certain characters in the exported CSV.\n - Reports relating to invitation expiration dates.\n - The ability to game the badges functionality by closing submissions reported by yourself or a team member in a verified program.\n - Reports which disclose the existence of private programs that are using SAML.\n - The ability to see a user's rank when they're not ranked in the top 100. The rank is expected to be accessible by everyone.\n - Information disclosure caused by a customer/organization on HackerOne; these reports will be closed as informative and we encourage you to report the information disclosure to the relevant program to adhere to our Code of Conduct.\n- Information disclosure that is limited to just a single or handful of username(s). Usernames are considered public information and would need to be paired with another attack to be exploited (https://hackerone.com/reports/2149766) - directory attacks may still be interesting to us and will be evaluated case-by-case.\n- Bypassing the new user enforced report limits by rapidly sending requests in short succession (https://hackerone.com/reports/2206703, https://hackerone.com/reports/152747) - this is an accepted risk.\n- Manipulating Hai, our AI copilot, to produce misleading and false information. We continuously work to improve the accuracy of Hai’s responses but right now we accept that it will let us down sometimes.\n\n\n## Existence of invite-only programs\nHackerOne has six different program states that are important to understand: sandbox, invite-only, public, external program, external program + sandbox, and external program + invite-only. It is **only** a valid vulnerability when there is a difference between the sandbox and invite-only programs. 
It is **not** a vulnerability when you can't distinguish a sandboxed program from an invite-only program. You can use the following example program handles for your tests.\n\n| Program state | Program handle | ID | Node ID |\n| ----- | ----- | ----- | ----- |\n| Sandbox | @security-test-sandbox | 49806 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDY=` |\n| Invite-only | @security-test-invite-only | 49807 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDc=` |\n| Public | @security | 13 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vMTM=` |\n| External program | @security-test-ep | 49803 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDM=` |\n| External program + sandbox | @security-test-ep-sandbox | 49804 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDQ=` |\n| External program + invite-only | @security-test-ep-invite-only | 49805 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDU=`\n\n## Other object identifiers that may be used for a proof of concept\nYou may use the following object identifiers to test again on hackerone.com. Feel free to use these for a proof of concept when submitting a report to us.\n\n| GraphQL ID | Class | ID | Note |\n| ----- | ----- | ----- | ----- |\n| `Z2lkOi8vaGFja2Vyb25lL1N0cnVjdHVyZWRTY29wZS81ODU3OQ==` | `StructuredScope` | 58579 | An asset belonging to @security-test-sandbox |\n| `Z2lkOi8vaGFja2Vyb25lL1N0cnVjdHVyZWRTY29wZS8xMDA1Nzg=` | `StructuredScope` | 100578 | An asset belonging to @security-test-invite-only |\n\n{F285265}\n","has_open_scope":true,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"We've built HackerOne from the ground up with security as our top priority. Even so, we believe that all technology contains bugs and that the public plays a crucial role in identifying these bugs. 
If you believe you've found a security bug in our service, we'll gladly work with you to resolve that issue and ensure you are fairly compensated for your discovery.","platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-06-14T06:33:40.661Z"},{"id":3729317,"new_policy":"***💬 Important for reporting functional bugs:*** if you are looking to report a non-security-related bug in HackerOne, please [submit here](https://support.hackerone.com) instead.\n\nHackerOne program sandbox\n===============\nHackerOne offers a sandbox for hackers to help them test program functionality for security vulnerabilities. To create a program, go [here](https://hackerone.com/teams/new/sandbox). You can select any product edition, giving you access to almost all features HackerOne offers. Hackers can create up to 30 programs in the sandbox.\n\nEligibility and Responsible Disclosure\n===============\nWe encourage and respect the hacker community and ask that you act in good faith when working with us. Please abide by the following when participating in our program:\n\n - **Follow the Vulnerability Disclosure Guidelines.** As our platform lays out, please read and follow the [Vulnerability Disclosure Guidelines](https://www.hackerone.com/disclosure-guidelines).\n - **Respect all our users' privacy.** HackerOne is a community that holds a lot of information, and we count on you to help keep everyone safe. Limit testing to accounts you own and do not impact other users on HackerOne. If you do encounter any user data or program data, including but not limited to usernames, passwords, or vulnerability information, please report it to us immediately and stop testing right away.\n - **Bend, but not break.** When testing use the minimal possible POC to validate a vulnerability; in cases when it may impact systems or users, ask permission first. 
No matter the case, do not damage or leave a system in a more vulnerable state than when you uncovered it.\n- **Understand Permissions.** For a clearer understanding of your capabilities and limitations, it's important to comprehend how permissions are set on our platform. To get an overview, check out [Permissions on HackerOne](https://docs.hackerone.com/en/articles/9095492-permissions).\n - Vulnerabilities that disclose the existence of a launched private HackerOne program (not a \"sandboxed\" or demo program) will be considered Low severity, whereas previously they would be considered Medium severity. Depending on the information that is disclosed, the team may increase the severity.\n - **Third party assets.** Our bug bounty program does not cover third-party assets, as it only applies to software under our control. However, we value efforts to enhance our security and may grant a bonus of 20% for reports related to these assets. The issue will be marked as Informative and closed accordingly.\n\n\nProviding Evidence\n===============\n\nIf you are unsure if you will access others' information, please file a report and ask if you should proceed. In a situation where you have an account takeover of a HackerOne employee, please notify our team by [using this form](/report-a-security-incident). This page is only available from the compromised HackerOne employee account.\n\n\nScope Exclusions\n===============\nThe following categories of reports are considered out of scope for our program and will not be rewarded:\n\n - Reports which target a lack of host header validation or that exploit [multiple forward slashes](https://hackerone.com/reports/52035) at the root of the path segment of a URL. Both of these issues are known to both us and Cloudflare, and their resolution is outside our control.\n - Reports which [enumerate already claimed user and program handles](https://hackerone.com/reports/29185). 
This reveals no sensitive information, regardless of whether the associated profiles are public or private.\n - Reports relating to the execution of CSV content by a third-party client application due to special treatment of certain characters in the exported CSV.\n - Reports relating to invitation expiration dates.\n - The ability to game the badges functionality by closing submissions reported by yourself or a team member in a verified program.\n - Reports which disclose the existence of private programs that are using SAML.\n - The ability to see a user's rank when they're not ranked in the top 100. The rank is expected to be accessible by everyone.\n - Information disclosure caused by a customer/organization on HackerOne; these reports will be closed as informative and we encourage you to report the information disclosure to the relevant program to adhere to our Code of Conduct.\n- Information disclosure that is limited to just a a single or handful of username(s). Usernames are considered public information and would need to be paired with another attack to be exploited (https://hackerone.com/reports/2149766) - directory attacks may still be interesting to us and will be evaluated case-by-case.\n- Bypassing the new user enforced report limits by rapidly sending requests in short succession (https://hackerone.com/reports/2206703, https://hackerone.com/reports/152747) - this is an accepted risk.\n- Manipulating Hai, our AI copilot, to produce misleading and false information. We continuously work to improve the accuracy of Hai’s responses but right now we accept that it will let us down sometimes.\n\n# Transparent Decision-Making\n\nHackerOne maintains a commitment to the continuous review and evolution of its security approach. It's important to note that decisions on reports may vary over time as our strategies adapt to emerging security landscapes. 
While a decision on a past report may not necessarily dictate an identical outcome in the future, HackerOne is dedicated to transparency. We will make a best effort to communicate decisions clearly, preemptively explaining any policy adjustments to ensure understanding and collaboration with our valued community of hackers.\n\nWe will be closely following the CVSS guidelines when determining ‘Confidentiality’ and ‘Integrity’ metrics. The detailed guide can be found on page 10 here:  https://www.first.org/cvss/v3-1/cvss-v31-specification_r1.pdf\n\n## Confidentiality\n\nPer the CVSS guidance, for a vulnerability to be considered to have a ‘High’ Confidentiality impact there must be a total loss of confidentiality of a HackerOne-owned asset OR the data that is disclosed must be considered highly sensitive. \n\nAs an example, a vulnerability that discloses information about a private program (e.g the launch state, feature flags, etc)  will be considered `C:L`, whereas a vulnerability that discloses the information about a vulnerability report to someone that is not authorized to view it would be considered `C:H`. \n\nLikewise when evaluating a report the type of data disclosed AND the quantity of exposure will be taken into account. For example, a vulnerability that discloses 5 emails will likely be considered `C:L` but a vulnerability that discloses 5 emails AND IP addresses associated with each email will be considered `C:H`.\n\n## Integrity \n\nPer the CVSS guidance, for a vulnerability to be considered to have a ‘High’ Integrity impact there must be a total loss of integrity for the HackerOne-owned asset OR the data that can be modified has a serious consequence to the impacted component. \n\nAs an example, a vulnerability that allows an attacker to edit non-sensitive data for a hacker profile (e.g Badges, Certifications, etc) would be considered `I:L` whereas a vulnerability that would allow an attacker to edit sensitive data on a hacker profile (e.g. 
Clear status) would be considered `I:H`.\n\n## Existence of invite-only programs\nHackerOne has six different program states that are important to understand: sandbox, invite-only, public, external program, external program + sandbox, and external program + invite-only. It is **only** a valid vulnerability when there is a difference between the sandbox and invite-only programs. It is **not** a vulnerability when you can't distinguish a sandboxed program from an invite-only program. You can use the following example program handles for your tests.\n\n| Program state | Program handle | ID | Node ID |\n| ----- | ----- | ----- | ----- |\n| Sandbox | @security-test-sandbox | 49806 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDY=` |\n| Invite-only | @security-test-invite-only | 49807 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDc=` |\n| Public | @security | 13 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vMTM=` |\n| External program | @security-test-ep | 49803 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDM=` |\n| External program + sandbox | @security-test-ep-sandbox | 49804 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDQ=` |\n| External program + invite-only | @security-test-ep-invite-only | 49805 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDU=`\n\n## Other object identifiers that may be used for a proof of concept\nYou may use the following object identifiers to test again on hackerone.com. 
Feel free to use these for a proof of concept when submitting a report to us.\n\n| GraphQL ID | Class | ID | Note |\n| ----- | ----- | ----- | ----- |\n| `Z2lkOi8vaGFja2Vyb25lL1N0cnVjdHVyZWRTY29wZS81ODU3OQ==` | `StructuredScope` | 58579 | An asset belonging to @security-test-sandbox |\n| `Z2lkOi8vaGFja2Vyb25lL1N0cnVjdHVyZWRTY29wZS8xMDA1Nzg=` | `StructuredScope` | 100578 | An asset belonging to @security-test-invite-only |\n\n{F285265}\n","has_open_scope":true,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"We've built HackerOne from the ground up with security as our top priority. Even so, we believe that all technology contains bugs and that the public plays a crucial role in identifying these bugs. If you believe you've found a security bug in our service, we'll gladly work with you to resolve that issue and ensure you are fairly compensated for your discovery.","platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-06-12T07:36:40.071Z"},{"id":3729316,"new_policy":"***💬 Important for reporting functional bugs:*** if you are looking to report a non-security-related bug in HackerOne, please [submit here](https://support.hackerone.com) instead.\n\nHackerOne program sandbox\n===============\nHackerOne offers a sandbox for hackers to help them test program functionality for security vulnerabilities. To create a program, go [here](https://hackerone.com/teams/new/sandbox). You can select any product edition, giving you access to almost all features HackerOne offers. Hackers can create up to 30 programs in the sandbox.\n\nEligibility and Responsible Disclosure\n===============\nWe encourage and respect the hacker community and ask that you act in good faith when working with us. 
Please abide by the following when participating in our program:\n\n - **Follow the Vulnerability Disclosure Guidelines.** As our platform lays out, please read and follow the [Vulnerability Disclosure Guidelines](https://www.hackerone.com/disclosure-guidelines).\n - **Respect all our users' privacy.** HackerOne is a community that holds a lot of information, and we count on you to help keep everyone safe. Limit testing to accounts you own and do not impact other users on HackerOne. If you do encounter any user data or program data, including but not limited to usernames, passwords, or vulnerability information, please report it to us immediately and stop testing right away.\n - **Bend, but not break.** When testing use the minimal possible POC to validate a vulnerability; in cases when it may impact systems or users, ask permission first. No matter the case, do not damage or leave a system in a more vulnerable state than when you uncovered it.\n- **Understand Permissions.** For a clearer understanding of your capabilities and limitations, it's important to comprehend how permissions are set on our platform. To get an overview, check out [Permissions on HackerOne](https://docs.hackerone.com/en/articles/9095492-permissions).\n - Vulnerabilities that disclose the existence of a launched private HackerOne program (not a \"sandboxed\" or demo program) will be considered Low severity, whereas previously they would be considered Medium severity. Depending on the information that is disclosed, the team may increase the severity.\n - **Third party assets.** Our bug bounty program does not cover third-party assets, as it only applies to software under our control. However, we value efforts to enhance our security and may grant a bonus of 20% for reports related to these assets. 
The issue will be marked as Informative and closed accordingly.\n\nProviding Evidence\n===============\n\nIf you are unsure if you will access others' information, please file a report and ask if you should proceed. In a situation where you have an account takeover of a HackerOne employee, please notify our team by [using this form](/report-a-security-incident). This page is only available from the compromised HackerOne employee account.\n\n\nScope Exclusions\n===============\nThe following categories of reports are considered out of scope for our program and will not be rewarded:\n\n - Reports which target a lack of host header validation or that exploit [multiple forward slashes](https://hackerone.com/reports/52035) at the root of the path segment of a URL. Both of these issues are known to both us and Cloudflare, and their resolution is outside our control.\n - Reports which [enumerate already claimed user and program handles](https://hackerone.com/reports/29185). This reveals no sensitive information, regardless of whether the associated profiles are public or private.\n - Reports relating to the execution of CSV content by a third-party client application due to special treatment of certain characters in the exported CSV.\n - Reports relating to invitation expiration dates.\n - The ability to game the badges functionality by closing submissions reported by yourself or a team member in a verified program.\n - Reports which disclose the existence of private programs that are using SAML.\n - The ability to see a user's rank when they're not ranked in the top 100. The rank is expected to be accessible by everyone.\n - Information disclosure caused by a customer/organization on HackerOne; these reports will be closed as informative and we encourage you to report the information disclosure to the relevant program to adhere to our Code of Conduct.\n- Information disclosure that is limited to just a single or handful of username(s). 
Usernames are considered public information and would need to be paired with another attack to be exploited (https://hackerone.com/reports/2149766) - directory attacks may still be interesting to us and will be evaluated case-by-case.\n- Bypassing the new user enforced report limits by rapidly sending requests in short succession (https://hackerone.com/reports/2206703, https://hackerone.com/reports/152747) - this is an accepted risk.\n- Manipulating Hai, our AI copilot, to produce misleading and false information. We continuously work to improve the accuracy of Hai’s responses but right now we accept that it will let us down sometimes.\n\n# Transparent Decision-Making\n\nHackerOne maintains a commitment to the continuous review and evolution of its security approach. It's important to note that decisions on reports may vary over time as our strategies adapt to emerging security landscapes. While a decision on a past report may not necessarily dictate an identical outcome in the future, HackerOne is dedicated to transparency. We will make a best effort to communicate decisions clearly, preemptively explaining any policy adjustments to ensure understanding and collaboration with our valued community of hackers.\n\nWe will be closely following the CVSS guidelines when determining ‘Confidentiality’ and ‘Integrity’ metrics. The detailed guide can be found on page 10 here: https://www.first.org/cvss/v3-1/cvss-v31-specification_r1.pdf\n\n## Confidentiality\n\nPer the CVSS guidance, for a vulnerability to be considered to have a ‘High’ Confidentiality impact there must be a total loss of confidentiality of a HackerOne-owned asset OR the data that is disclosed must be considered highly sensitive. 
\n\nAs an example, a vulnerability that discloses information about a private program (e.g. the launch state, feature flags, etc.) will be considered `C:L`, whereas a vulnerability that discloses the information about a vulnerability report to someone that is not authorized to view it would be considered `C:H`. \n\nLikewise, when evaluating a report, the type of data disclosed AND the quantity of exposure will be taken into account. For example, a vulnerability that discloses 5 emails will likely be considered `C:L` but a vulnerability that discloses 5 emails AND IP addresses associated with each email will be considered `C:H`.\n\n## Integrity \n\nPer the CVSS guidance, for a vulnerability to be considered to have a ‘High’ Integrity impact there must be a total loss of integrity for the HackerOne-owned asset OR the data that can be modified has a serious consequence to the impacted component. \n\nAs an example, a vulnerability that allows an attacker to edit non-sensitive data for a hacker profile (e.g. Badges, Certifications, etc.) would be considered `I:L` whereas a vulnerability that would allow an attacker to edit sensitive data on a hacker profile (e.g. Clear status) would be considered `I:H`.\n\n# Common false positives\nFalse positives will be closed as *Not Applicable*. This section will describe tactics to make sure the behavior you're observing isn't a false positive.\n\n## Existence of invite-only programs\nHackerOne has six different program states that are important to understand: sandbox, invite-only, public, external program, external program + sandbox, and external program + invite-only. It is **only** a valid vulnerability when there is a difference between the sandbox and invite-only programs. It is **not** a vulnerability when you can't distinguish a sandboxed program from an invite-only program. 
You can use the following example program handles for your tests.\n\n| Program state | Program handle | ID | Node ID |\n| ----- | ----- | ----- | ----- |\n| Sandbox | @security-test-sandbox | 49806 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDY=` |\n| Invite-only | @security-test-invite-only | 49807 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDc=` |\n| Public | @security | 13 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vMTM=` |\n| External program | @security-test-ep | 49803 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDM=` |\n| External program + sandbox | @security-test-ep-sandbox | 49804 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDQ=` |\n| External program + invite-only | @security-test-ep-invite-only | 49805 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDU=` |\n\n## Other object identifiers that may be used for a proof of concept\nYou may use the following object identifiers to test again on hackerone.com. Feel free to use these for a proof of concept when submitting a report to us.\n\n| GraphQL ID | Class | ID | Note |\n| ----- | ----- | ----- | ----- |\n| `Z2lkOi8vaGFja2Vyb25lL1N0cnVjdHVyZWRTY29wZS81ODU3OQ==` | `StructuredScope` | 58579 | An asset belonging to @security-test-sandbox |\n| `Z2lkOi8vaGFja2Vyb25lL1N0cnVjdHVyZWRTY29wZS8xMDA1Nzg=` | `StructuredScope` | 100578 | An asset belonging to @security-test-invite-only |\n\n{F285265}\n","has_open_scope":true,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"We've built HackerOne from the ground up with security as our top priority. Even so, we believe that all technology contains bugs and that the public plays a crucial role in identifying these bugs. 
If you believe you've found a security bug in our service, we'll gladly work with you to resolve that issue and ensure you are fairly compensated for your discovery.","platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-06-12T07:34:36.754Z"},{"id":3729314,"new_policy":"***💬 Important for reporting functional bugs:*** if you are looking to report a non-security-related bug in HackerOne, please [submit here](https://support.hackerone.com) instead.\n\nHackerOne program sandbox\n===============\nHackerOne offers a sandbox for hackers to help them test program functionality for security vulnerabilities. To create a program, go [here](https://hackerone.com/teams/new/sandbox). You can select any product edition, giving you access to almost all features HackerOne offers. Hackers can create up to 30 programs in the sandbox.\n\n\nEligibility and Responsible Disclosure\n===============\nWe encourage and respect the hacker community and ask that you act in good faith when working with us. Please abide by the following when participating in our program:\n\n - **Follow the Vulnerability Disclosure Guidelines.** As our platform lays out, please read and follow the [Vulnerability Disclosure Guidelines](https://www.hackerone.com/disclosure-guidelines).\n - **Respect all our users' privacy.** HackerOne is a community that holds a lot of information, and we count on you to help keep everyone safe. Limit testing to accounts you own and do not impact other users on HackerOne. If you do encounter any user data or program data, including but not limited to usernames, passwords, or vulnerability information, please report it to us immediately and stop testing right away.\n - **Bend, but not break.** When testing use the minimal possible POC to validate a vulnerability; in cases when it may impact systems or users, ask permission first. 
No matter the case, do not damage or leave a system in a more vulnerable state than when you uncovered it.\n- **Understand Permissions.** For a clearer understanding of your capabilities and limitations, it's important to comprehend how permissions are set on our platform. To get an overview, check out [Permissions on HackerOne](https://docs.hackerone.com/en/articles/9095492-permissions).\n - Vulnerabilities that disclose the existence of a launched private HackerOne program (not a \"sandboxed\" or demo program) will be considered Low severity, whereas previously they would be considered Medium severity. Depending on the information that is disclosed, the team may increase the severity.\n - **Third party assets.** Our bug bounty program does not cover third-party assets, as it only applies to software under our control. However, we value efforts to enhance our security and may grant a bonus of 20% for reports related to these assets. The issue will be marked as Informative and closed accordingly.\n\n\nPublic disclosure\n===============\nWe believe in transparency about our security, so any valid vulnerabilities discovered are always [publicly disclosed](/security/hacktivity) once confirmed and resolved.\n\n\nProviding Evidence\n===============\n\nIf you are unsure if you will access others' information, please file a report and ask if you should proceed. In a situation where you have an account takeover of a HackerOne employee, please notify our team by [using this form](/report-a-security-incident). This page is only available from the compromised HackerOne employee account.\n\n\nScope Exclusions\n===============\nThe following categories of reports are considered out of scope for our program and will not be rewarded:\n\n - Reports which target a lack of host header validation or that exploit [multiple forward slashes](https://hackerone.com/reports/52035) at the root of the path segment of a URL. 
Both of these issues are known to both us and Cloudflare, and their resolution is outside our control.\n - Reports which [enumerate already claimed user and program handles](https://hackerone.com/reports/29185). This reveals no sensitive information, regardless of whether the associated profiles are public or private.\n - Reports relating to the execution of CSV content by a third-party client application due to special treatment of certain characters in the exported CSV.\n - Reports relating to invitation expiration dates.\n - The ability to game the badges functionality by closing submissions reported by yourself or a team member in a verified program.\n - Reports which disclose the existence of private programs that are using SAML.\n - The ability to see a user's rank when they're not ranked in the top 100. The rank is expected to be accessible by everyone.\n - Information disclosure caused by a customer/organization on HackerOne; these reports will be closed as informative and we encourage you to report the information disclosure to the relevant program to adhere to our Code of Conduct.\n- Information disclosure that is limited to just a single or handful of username(s). Usernames are considered public information and would need to be paired with another attack to be exploited (https://hackerone.com/reports/2149766) - directory attacks may still be interesting to us and will be evaluated case-by-case.\n- Bypassing the new user enforced report limits by rapidly sending requests in short succession (https://hackerone.com/reports/2206703, https://hackerone.com/reports/152747) - this is an accepted risk.\n- Manipulating Hai, our AI copilot, to produce misleading and false information. We continuously work to improve the accuracy of Hai’s responses but right now we accept that it will let us down sometimes.\n\n# Transparent Decision-Making\n\nHackerOne maintains a commitment to the continuous review and evolution of its security approach. 
It's important to note that decisions on reports may vary over time as our strategies adapt to emerging security landscapes. While a decision on a past report may not necessarily dictate an identical outcome in the future, HackerOne is dedicated to transparency. We will make a best effort to communicate decisions clearly, preemptively explaining any policy adjustments to ensure understanding and collaboration with our valued community of hackers.\n\nWe will be closely following the CVSS guidelines when determining ‘Confidentiality’ and ‘Integrity’ metrics. The detailed guide can be found on page 10 here: https://www.first.org/cvss/v3-1/cvss-v31-specification_r1.pdf\n\n## Confidentiality\n\nPer the CVSS guidance, for a vulnerability to be considered to have a ‘High’ Confidentiality impact there must be a total loss of confidentiality of a HackerOne-owned asset OR the data that is disclosed must be considered highly sensitive. \n\nAs an example, a vulnerability that discloses information about a private program (e.g. the launch state, feature flags, etc.) will be considered `C:L`, whereas a vulnerability that discloses the information about a vulnerability report to someone that is not authorized to view it would be considered `C:H`. \n\nLikewise, when evaluating a report, the type of data disclosed AND the quantity of exposure will be taken into account. For example, a vulnerability that discloses 5 emails will likely be considered `C:L` but a vulnerability that discloses 5 emails AND IP addresses associated with each email will be considered `C:H`.\n\n## Integrity \n\nPer the CVSS guidance, for a vulnerability to be considered to have a ‘High’ Integrity impact there must be a total loss of integrity for the HackerOne-owned asset OR the data that can be modified has a serious consequence to the impacted component. 
\n\nAs an example, a vulnerability that allows an attacker to edit non-sensitive data for a hacker profile (e.g. Badges, Certifications, etc.) would be considered `I:L` whereas a vulnerability that would allow an attacker to edit sensitive data on a hacker profile (e.g. Clear status) would be considered `I:H`.\n\n# Common false positives\nFalse positives will be closed as *Not Applicable*. This section will describe tactics to make sure the behavior you're observing isn't a false positive.\n\n## Existence of invite-only programs\nHackerOne has six different program states that are important to understand: sandbox, invite-only, public, external program, external program + sandbox, and external program + invite-only. It is **only** a valid vulnerability when there is a difference between the sandbox and invite-only programs. It is **not** a vulnerability when you can't distinguish a sandboxed program from an invite-only program. You can use the following example program handles for your tests.\n\n| Program state | Program handle | ID | Node ID |\n| ----- | ----- | ----- | ----- |\n| Sandbox | @security-test-sandbox | 49806 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDY=` |\n| Invite-only | @security-test-invite-only | 49807 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDc=` |\n| Public | @security | 13 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vMTM=` |\n| External program | @security-test-ep | 49803 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDM=` |\n| External program + sandbox | @security-test-ep-sandbox | 49804 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDQ=` |\n| External program + invite-only | @security-test-ep-invite-only | 49805 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDU=` |\n\n## Other object identifiers that may be used for a proof of concept\nYou may use the following object identifiers to test again on hackerone.com. 
Feel free to use these for a proof of concept when submitting a report to us.\n\n| GraphQL ID | Class | ID | Note |\n| ----- | ----- | ----- | ----- |\n| `Z2lkOi8vaGFja2Vyb25lL1N0cnVjdHVyZWRTY29wZS81ODU3OQ==` | `StructuredScope` | 58579 | An asset belonging to @security-test-sandbox |\n| `Z2lkOi8vaGFja2Vyb25lL1N0cnVjdHVyZWRTY29wZS8xMDA1Nzg=` | `StructuredScope` | 100578 | An asset belonging to @security-test-invite-only |\n\n{F285265}\n","has_open_scope":true,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"We've built HackerOne from the ground up with security as our top priority. Even so, we believe that all technology contains bugs and that the public plays a crucial role in identifying these bugs. If you believe you've found a security bug in our service, we'll gladly work with you to resolve that issue and ensure you are fairly compensated for your discovery.","platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-06-12T07:17:45.674Z"},{"id":3729313,"new_policy":"***💬 Important for reporting functional bugs:*** if you are looking to report a non-security-related bug in HackerOne, please [submit here](https://support.hackerone.com) instead.\n\nHackerOne program sandbox\n===============\nHackerOne offers a sandbox for hackers to help them test program functionality for security vulnerabilities. To create a program, go [here](https://hackerone.com/teams/new/sandbox). You can select any product edition, giving you access to almost all features HackerOne offers. Hackers can create up to 30 programs in the sandbox.\n\n\nEligibility and Responsible Disclosure\n===============\nWe encourage and respect the hacker community and ask that you act in good faith when working with us. 
Please abide by the following when participating in our program:\n\n - **Follow the Vulnerability Disclosure Guidelines.** As our platform lays out, please read and follow the [Vulnerability Disclosure Guidelines](https://www.hackerone.com/disclosure-guidelines).\n - **Respect all our users' privacy.** HackerOne is a community that holds a lot of information, and we count on you to help keep everyone safe. Limit testing to accounts you own and do not impact other users on HackerOne. If you do encounter any user data or program data, including but not limited to usernames, passwords, or vulnerability information, please report it to us immediately and stop testing right away.\n - **Bend, but not break.** When testing use the minimal possible POC to validate a vulnerability; in cases when it may impact systems or users, ask permission first. No matter the case, do not damage or leave a system in a more vulnerable state than when you uncovered it.\n- **Understand Permissions.** For a clearer understanding of your capabilities and limitations, it's important to comprehend how permissions are set on our platform. To get an overview, check out [Permissions on HackerOne](https://docs.hackerone.com/en/articles/9095492-permissions).\n - Vulnerabilities that disclose the existence of a launched private HackerOne program (not a \"sandboxed\" or demo program) will be considered Low severity, whereas previously they would be considered Medium severity. Depending on the information that is disclosed, the team may increase the severity.\n - **Third party assets.** Our bug bounty program does not cover third-party assets, as it only applies to software under our control. However, we value efforts to enhance our security and may grant a bonus of 20% for reports related to these assets. 
The issue will be marked as Informative and closed accordingly.\n\n\nPublic disclosure\n===============\nWe believe in transparency about our security, so any valid vulnerabilities discovered are always [publicly disclosed](/security/hacktivity) once confirmed and resolved.\n\n\nProviding Evidence\n===============\n\nIf you are unsure if you will access others' information, please file a report and ask if you should proceed. In a situation where you have an account takeover of a HackerOne employee, please notify our team by [using this form](/report-a-security-incident). This page is only available from the compromised HackerOne employee account.\n\n\nBest Practices or Hardening\n===============\n\nOn occasion you may discover something that is not a vulnerability but we will make appropriate changes for hardening or to implement some best practices. In these situations, when HackerOne decides to put a change in place we will resolve the report giving the reporter credit, but will not award a bounty. In the case where we do not make a change, our practice will be to close it as Informative.\n\n\nScope Exclusions\n===============\nThe following categories of reports are considered out of scope for our program and will not be rewarded:\n\n - Reports which target a lack of host header validation or that exploit [multiple forward slashes](https://hackerone.com/reports/52035) at the root of the path segment of a URL. Both of these issues are known to both us and Cloudflare, and their resolution is outside our control.\n - Reports which [enumerate already claimed user and program handles](https://hackerone.com/reports/29185). 
This reveals no sensitive information, regardless of whether the associated profiles are public or private.\n - Reports relating to the execution of CSV content by a third-party client application due to special treatment of certain characters in the exported CSV.\n - Reports relating to invitation expiration dates.\n - The ability to game the badges functionality by closing submissions reported by yourself or a team member in a verified program.\n - Reports which disclose the existence of private programs that are using SAML.\n - The ability to see a user's rank when they're not ranked in the top 100. The rank is expected to be accessible by everyone.\n - Information disclosure caused by a customer/organization on HackerOne; these reports will be closed as informative and we encourage you to report the information disclosure to the relevant program to adhere to our Code of Conduct.\n- Information disclosure that is limited to just a single or handful of username(s). Usernames are considered public information and would need to be paired with another attack to be exploited (https://hackerone.com/reports/2149766) - directory attacks may still be interesting to us and will be evaluated case-by-case.\n- Bypassing the new user enforced report limits by rapidly sending requests in short succession (https://hackerone.com/reports/2206703, https://hackerone.com/reports/152747) - this is an accepted risk.\n- Manipulating Hai, our AI copilot, to produce misleading and false information. We continuously work to improve the accuracy of Hai’s responses but right now we accept that it will let us down sometimes.\n\n# Transparent Decision-Making\n\nHackerOne maintains a commitment to the continuous review and evolution of its security approach. It's important to note that decisions on reports may vary over time as our strategies adapt to emerging security landscapes. 
While a decision on a past report may not necessarily dictate an identical outcome in the future, HackerOne is dedicated to transparency. We will make a best effort to communicate decisions clearly, preemptively explaining any policy adjustments to ensure understanding and collaboration with our valued community of hackers.\n\nWe will be closely following the CVSS guidelines when determining ‘Confidentiality’ and ‘Integrity’ metrics. The detailed guide can be found on page 10 here: https://www.first.org/cvss/v3-1/cvss-v31-specification_r1.pdf\n\n## Confidentiality\n\nPer the CVSS guidance, for a vulnerability to be considered to have a ‘High’ Confidentiality impact there must be a total loss of confidentiality of a HackerOne-owned asset OR the data that is disclosed must be considered highly sensitive. \n\nAs an example, a vulnerability that discloses information about a private program (e.g. the launch state, feature flags, etc.) will be considered `C:L`, whereas a vulnerability that discloses the information about a vulnerability report to someone that is not authorized to view it would be considered `C:H`. \n\nLikewise, when evaluating a report, the type of data disclosed AND the quantity of exposure will be taken into account. For example, a vulnerability that discloses 5 emails will likely be considered `C:L` but a vulnerability that discloses 5 emails AND IP addresses associated with each email will be considered `C:H`.\n\n## Integrity \n\nPer the CVSS guidance, for a vulnerability to be considered to have a ‘High’ Integrity impact there must be a total loss of integrity for the HackerOne-owned asset OR the data that can be modified has a serious consequence to the impacted component. \n\nAs an example, a vulnerability that allows an attacker to edit non-sensitive data for a hacker profile (e.g. Badges, Certifications, etc.) would be considered `I:L` whereas a vulnerability that would allow an attacker to edit sensitive data on a hacker profile (e.g. 
Clear status) would be considered `I:H`.\n\n# Common false positives\nFalse positives will be closed as *Not Applicable*. This section will describe tactics to make sure the behavior you're observing isn't a false positive.\n\n## Existence of invite-only programs\nHackerOne has six different program states that are important to understand: sandbox, invite-only, public, external program, external program + sandbox, and external program + invite-only. It is **only** a valid vulnerability when there is a difference between the sandbox and invite-only programs. It is **not** a vulnerability when you can't distinguish a sandboxed program from an invite-only program. You can use the following example program handles for your tests.\n\n| Program state | Program handle | ID | Node ID |\n| ----- | ----- | ----- | ----- |\n| Sandbox | @security-test-sandbox | 49806 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDY=` |\n| Invite-only | @security-test-invite-only | 49807 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDc=` |\n| Public | @security | 13 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vMTM=` |\n| External program | @security-test-ep | 49803 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDM=` |\n| External program + sandbox | @security-test-ep-sandbox | 49804 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDQ=` |\n| External program + invite-only | @security-test-ep-invite-only | 49805 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDU=` |\n\n## Other object identifiers that may be used for a proof of concept\nYou may use the following object identifiers to test again on hackerone.com. 
Feel free to use these for a proof of concept when submitting a report to us.\n\n| GraphQL ID | Class | ID | Note |\n| ----- | ----- | ----- | ----- |\n| `Z2lkOi8vaGFja2Vyb25lL1N0cnVjdHVyZWRTY29wZS81ODU3OQ==` | `StructuredScope` | 58579 | An asset belonging to @security-test-sandbox |\n| `Z2lkOi8vaGFja2Vyb25lL1N0cnVjdHVyZWRTY29wZS8xMDA1Nzg=` | `StructuredScope` | 100578 | An asset belonging to @security-test-invite-only |\n\n{F285265}\n","has_open_scope":true,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"We've built HackerOne from the ground up with security as our top priority. Even so, we believe that all technology contains bugs and that the public plays a crucial role in identifying these bugs. If you believe you've found a security bug in our service, we'll gladly work with you to resolve that issue and ensure you are fairly compensated for your discovery.","platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-06-12T07:14:03.357Z"},{"id":3729308,"new_policy":"***💬 Feedback / Suggestions:***\nWe're constantly seeking to improve. If you have any questions on our security or suggestions on how HackerOne could be improved, please [let us know](https://support.hackerone.com).\n\n***💬 Important for reporting functional bugs:*** if you are looking to report a non-security-related bug in HackerOne, please [submit here](https://support.hackerone.com) instead.\n\nHackerOne program sandbox\n===============\nHackerOne offers a sandbox for hackers to help them test program functionality for security vulnerabilities. To create a program, go [here](https://hackerone.com/teams/new/sandbox). You can select any product edition, giving you access to almost all features HackerOne offers. 
Hackers can create up to 30 programs in the sandbox.\n\n\nEligibility and Responsible Disclosure\n===============\nWe encourage and respect the hacker community and ask that you act in good faith when working with us. Please abide by the following when participating in our program:\n\n - **Follow the Vulnerability Disclosure Guidelines.** As our platform lays out, please read and follow the [Vulnerability Disclosure Guidelines](https://www.hackerone.com/disclosure-guidelines).\n - **Respect all our users' privacy.** HackerOne is a community that holds a lot of information, and we count on you to help keep everyone safe. Limit testing to accounts you own and do not impact other users on HackerOne. If you do encounter any user data or program data, including but not limited to usernames, passwords, or vulnerability information, please report it to us immediately and stop testing right away.\n - **Bend, but not break.** When testing use the minimal possible POC to validate a vulnerability; in cases when it may impact systems or users, ask permission first. No matter the case, do not damage or leave a system in a more vulnerable state that when you uncovered it.\n- **Understand Permissions.** For a clearer understanding of your capabilities and limitations, it's important to comprehend how permissions are set on our platform. To get an overview, check out [Permissions on HackerOne](https://docs.hackerone.com/en/articles/9095492-permissions).\n - Vulnerabilities that disclose the existence of a launched private HackerOne program (not a \"sandboxed\" or demo program) will be considered Low severity, whereas previously they would be considered Medium severity. Depending on the information that is disclosed, the team may increase the severity.\n - **Third party assets.** Our bug bounty program does not cover third-party assets, as it only applies to software under our control. 
However, we value efforts to enhance our security and may grant a bonus of 20% for reports related to these assets. The issue will be marked as Informative and closed accordingly.\n\n\nPublic disclosure\n===============\nWe believe in transparency about our security, so any valid vulnerabilities discovered are always [publicly disclosed](/security/hacktivity) once confirmed and resolved.\n\n\nProviding Evidence\n===============\n\nIf you are unsure if you will access others information, please file a report and ask if you should proceed. In a situation where you have an account takeover of a HackerOne employee, please notify our team by [using this form](/report-a-security-incident). This page is only available from the compromised HackerOne employee account.\n\n\nBest Practices or Hardening\n===============\n\nOn occasion you may discover something that is not a vulnerability but we will make appropriate changes for hardening or to implement some best practices. In these situations, when HackerOne decides to put a change in place we will resolve the report giving the reporter credit, but will not award a bounty. In the case where we do not make a change, our practice will be to close it as Informative.\n\n\nScope Exclusions\n===============\nThe following categories of reports are considered out of scope for our program and will not be rewarded:\n\n - Reports which target a lack of host header validation or that exploit [multiple forward slashes](https://hackerone.com/reports/52035) at the root of the path segment of a URL. Both of these issues are known to both us and Cloudflare, and their resolution is outside our control.\n - Reports which [enumerate already claimed user and program handles](https://hackerone.com/reports/29185). 
This reveals no sensitive information, regardless of whether the associated profiles are public or private.\n - Reports relating to the execution of CSV content by a third-party client application due to special treatment of certain characters in the exported CSV.\n - Reports relating to invitation expiration dates.\n - The ability to game the badges functionality by closing submissions reported by yourself or a team member in a verified program.\n - Reports which disclose the existence of private programs that are using SAML.\n - The ability to see a user's rank when they're not ranked in the top 100. The rank is expected to be accessible by everyone.\n - Information disclosure caused by a customer/organization on HackerOne; these reports will be closed as informative and we encourage you to report the information disclosure to the relevant program to adhere to our Code of Conduct.\n- Information disclosure that is limited to just a a single or handful of username(s). Usernames are considered public information and would need to be paired with another attack to be exploited (https://hackerone.com/reports/2149766) - directory attacks may still be interesting to us and will be evaluated case-by-case.\n- Bypassing the new user enforced report limits by rapidly sending requests in short succession (https://hackerone.com/reports/2206703, https://hackerone.com/reports/152747) - this is an accepted risk.\n- Manipulating Hai, our AI copilot, to produce misleading and false information. We continuously work to improve the accuracy of Hai’s responses but right now we accept that it will let us down sometimes.\n\n# Transparent Decision-Making\n\nHackerOne maintains a commitment to the continuous review and evolution of its security approach. It's important to note that decisions on reports may vary over time as our strategies adapt to emerging security landscapes. 
While a decision on a past report may not necessarily dictate an identical outcome in the future, HackerOne is dedicated to transparency. We will make a best effort to communicate decisions clearly, preemptively explaining any policy adjustments to ensure understanding and collaboration with our valued community of hackers.\n\nWe will be closely following the CVSS guidelines when determining ‘Confidentiality’ and ‘Integrity’ metrics. The detailed guide can be found on page 10 here:  https://www.first.org/cvss/v3-1/cvss-v31-specification_r1.pdf\n\n## Confidentiality\n\nPer the CVSS guidance, for a vulnerability to be considered to have a ‘High’ Confidentiality impact there must be a total loss of confidentiality of a HackerOne-owned asset OR the data that is disclosed must be considered highly sensitive. \n\nAs an example, a vulnerability that discloses information about a private program (e.g the launch state, feature flags, etc)  will be considered `C:L`, whereas a vulnerability that discloses the information about a vulnerability report to someone that is not authorized to view it would be considered `C:H`. \n\nLikewise when evaluating a report the type of data disclosed AND the quantity of exposure will be taken into account. For example, a vulnerability that discloses 5 emails will likely be considered `C:L` but a vulnerability that discloses 5 emails AND IP addresses associated with each email will be considered `C:H`.\n\n## Integrity \n\nPer the CVSS guidance, for a vulnerability to be considered to have a ‘High’ Integrity impact there must be a total loss of integrity for the HackerOne-owned asset OR the data that can be modified has a serious consequence to the impacted component. \n\nAs an example, a vulnerability that allows an attacker to edit non-sensitive data for a hacker profile (e.g Badges, Certifications, etc) would be considered `I:L` whereas a vulnerability that would allow an attacker to edit sensitive data on a hacker profile (e.g. 
Clear status) would be considered `I:H`.\n\n# Common false positives\nFalse positives will be closed as *Not Applicable*. This section will describe tactics to make sure the behavior you're observing isn't a false positive.\n\n## Existence of invite-only programs\nHackerOne has six different program states that are important to understand: sandbox, invite-only, public, external program, external program + sandbox, and external program + invite-only. It is **only** a valid vulnerability when there is a difference between the sandbox and invite-only programs. It is **not** a vulnerability when you can't distinguish a sandboxed program from an invite-only program. You can use the following example program handles for your tests.\n\n| Program state | Program handle | ID | Node ID |\n| ----- | ----- | ----- | ----- |\n| Sandbox | @security-test-sandbox | 49806 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDY=` |\n| Invite-only | @security-test-invite-only | 49807 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDc=` |\n| Public | @security | 13 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vMTM=` |\n| External program | @security-test-ep | 49803 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDM=` |\n| External program + sandbox | @security-test-ep-sandbox | 49804 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDQ=` |\n| External program + invite-only | @security-test-ep-invite-only | 49805 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDU=`\n\n## Other object identifiers that may be used for a proof of concept\nYou may use the following object identifiers to test again on hackerone.com. 
Feel free to use these for a proof of concept when submitting a report to us.\n\n| GraphQL ID | Class | ID | Note |\n| ----- | ----- | ----- | ----- |\n| `Z2lkOi8vaGFja2Vyb25lL1N0cnVjdHVyZWRTY29wZS81ODU3OQ==` | `StructuredScope` | 58579 | An asset belonging to @security-test-sandbox |\n| `Z2lkOi8vaGFja2Vyb25lL1N0cnVjdHVyZWRTY29wZS8xMDA1Nzg=` | `StructuredScope` | 100578 | An asset belonging to @security-test-invite-only |\n\n{F285265}\n","has_open_scope":true,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"We've built HackerOne from the ground up with security as our top priority. Even so, we believe that all technology contains bugs and that the public plays a crucial role in identifying these bugs. If you believe you've found a security bug in our service, we'll gladly work with you to resolve that issue and ensure you are fairly compensated for your discovery.","platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-06-12T06:49:16.513Z"},{"id":3727304,"new_policy":"***💬 Feedback / Suggestions:***\nWe're constantly seeking to improve. If you have any questions on our security or suggestions on how HackerOne could be improved, please [let us know](https://support.hackerone.com).\n\n***💬 Important for reporting functional bugs:*** if you are looking to report a non-security-related bug in HackerOne, please [submit here](https://support.hackerone.com) instead.\n\nHackerOne program sandbox\n===============\nHackerOne offers a sandbox for hackers to help them test program functionality for security vulnerabilities. To create a program, go [here](https://hackerone.com/teams/new/sandbox). You can select any product edition, giving you access to almost all features HackerOne offers. 
Hackers can create up to 30 programs in the sandbox.\n\n\nEligibility and Responsible Disclosure\n===============\nWe encourage and respect the hacker community and ask that you act in good faith when working with us. Please abide by the following when participating in our program:\n\n - **Follow the Vulnerability Disclosure Guidelines.** As our platform lays out, please read and follow the [Vulnerability Disclosure Guidelines](https://www.hackerone.com/disclosure-guidelines).\n - **Respect all our users' privacy.** HackerOne is a community that holds a lot of information, and we count on you to help keep everyone safe. Limit testing to accounts you own and do not impact other users on HackerOne. If you do encounter any user data or program data, including but not limited to usernames, passwords, or vulnerability information, please report it to us immediately and stop testing right away.\n - **Bend, but not break.** When testing use the minimal possible POC to validate a vulnerability; in cases when it may impact systems or users, ask permission first. No matter the case, do not damage or leave a system in a more vulnerable state that when you uncovered it.\n- **Understand Permissions.** For a clearer understanding of your capabilities and limitations, it's important to comprehend how permissions are set on our platform. To get an overview, check out [Permissions on HackerOne](https://docs.hackerone.com/en/articles/9095492-permissions).\n - Vulnerabilities that disclose the existence of a launched private HackerOne program (not a \"sandboxed\" or demo program) will be considered Low severity, whereas previously they would be considered Medium severity. Depending on the information that is disclosed, the team may increase the severity.\n - **Third party assets.** Our bug bounty program does not cover third-party assets, as it only applies to software under our control. 
However, we value efforts to enhance our security and may grant a bonus of 20% for reports related to these assets. The issue will be marked as Informative and closed accordingly.\n\n\nPublic disclosure\n===============\nWe believe in transparency about our security, so any valid vulnerabilities discovered are always [publicly disclosed](/security/hacktivity) once confirmed and resolved.\n\n\nProviding Evidence\n===============\n\nIf you are unsure if you will access others information, please file a report and ask if you should proceed. In a situation where you have an account takeover of a HackerOne employee, please notify our team by [using this form](/report-a-security-incident). This page is only available from the compromised HackerOne employee account.\n\n\nBest Practices or Hardening\n===============\n\nOn occasion you may discover something that is not a vulnerability but we will make appropriate changes for hardening or to implement some best practices. In these situations, when HackerOne decides to put a change in place we will resolve the report giving the reporter credit, but will not award a bounty. In the case where we do not make a change, our practice will be to close it as Informative.\n\n\nScope Exclusions\n===============\nThe following categories of reports are considered out of scope for our program and will not be rewarded:\n\n - Any vulnerability affecting the availability of HackerOne's systems (e.g. Denial of Service vulnerabilities).\n - Reports which target a lack of host header validation or that exploit [multiple forward slashes](https://hackerone.com/reports/52035) at the root of the path segment of a URL. Both of these issues are known to both us and Cloudflare, and their resolution is outside our control.\n - Spamming other users with automated HackerOne emails or notifications (e.g. abusing the forgot password form).\n - Reports which [enumerate already claimed user and program handles](https://hackerone.com/reports/29185). 
This reveals no sensitive information, regardless of whether the associated profiles are public or private.\n - Reports which involve constructing a markdown link in such a way that it may appear confusing in the external link warning interstitial page, despite being properly decoded and fully enclosed in the demarcated \"External link\" box.\n - Reports relating to the execution of CSV content by a third-party client application due to special treatment of certain characters in the exported CSV.\n - Reports relating to invitation expiration dates.\n - Reports relating to self-DoS issues (as in, only the person doing the action is denied service).\n - The ability to game the badges functionality by closing submissions reported by yourself or a team member in a verified program.\n - The ability to influence reputation/signal/impact via socially engineering a program's team members.\n - Reports which disclose the existence of private programs that are using SAML.\n - Open redirect vulnerabilities that do not demonstrate a clear impact, such as sending secret tokens to an arbitrary domain.\n - The ability to see a user's rank when they're not ranked in the top 100. The rank is expected to be accessible by everyone.\n - Information disclosure caused by a customer/organization on HackerOne; these reports will be closed as informative and we encourage you to report the information disclosure to the relevant program to adhere to our Code of Conduct.\n- Information disclosure that is limited to just a a single or handful of username(s). 
Usernames are considered public information and would need to be paired with another attack to be exploited (https://hackerone.com/reports/2149766) - directory attacks may still be interesting to us and will be evaluated case-by-case.\n- Bypassing the new user enforced report limits by rapidly sending requests in short succession (https://hackerone.com/reports/2206703, https://hackerone.com/reports/152747) - this is an accepted risk.\n- Manipulating Hai, our AI copilot, to produce misleading and false information. We continuously work to improve the accuracy of Hai’s responses but right now we accept that it will let us down sometimes.\n\n# Transparent Decision-Making\n\nHackerOne maintains a commitment to the continuous review and evolution of its security approach. It's important to note that decisions on reports may vary over time as our strategies adapt to emerging security landscapes. While a decision on a past report may not necessarily dictate an identical outcome in the future, HackerOne is dedicated to transparency. We will make a best effort to communicate decisions clearly, preemptively explaining any policy adjustments to ensure understanding and collaboration with our valued community of hackers.\n\nWe will be closely following the CVSS guidelines when determining ‘Confidentiality’ and ‘Integrity’ metrics. The detailed guide can be found on page 10 here:  https://www.first.org/cvss/v3-1/cvss-v31-specification_r1.pdf\n\n## Confidentiality\n\nPer the CVSS guidance, for a vulnerability to be considered to have a ‘High’ Confidentiality impact there must be a total loss of confidentiality of a HackerOne-owned asset OR the data that is disclosed must be considered highly sensitive. 
\n\nAs an example, a vulnerability that discloses information about a private program (e.g the launch state, feature flags, etc)  will be considered `C:L`, whereas a vulnerability that discloses the information about a vulnerability report to someone that is not authorized to view it would be considered `C:H`. \n\nLikewise when evaluating a report the type of data disclosed AND the quantity of exposure will be taken into account. For example, a vulnerability that discloses 5 emails will likely be considered `C:L` but a vulnerability that discloses 5 emails AND IP addresses associated with each email will be considered `C:H`.\n\n## Integrity \n\nPer the CVSS guidance, for a vulnerability to be considered to have a ‘High’ Integrity impact there must be a total loss of integrity for the HackerOne-owned asset OR the data that can be modified has a serious consequence to the impacted component. \n\nAs an example, a vulnerability that allows an attacker to edit non-sensitive data for a hacker profile (e.g Badges, Certifications, etc) would be considered `I:L` whereas a vulnerability that would allow an attacker to edit sensitive data on a hacker profile (e.g. Clear status) would be considered `I:H`.\n\n# Common false positives\nFalse positives will be closed as *Not Applicable*. This section will describe tactics to make sure the behavior you're observing isn't a false positive.\n\n## Existence of invite-only programs\nHackerOne has six different program states that are important to understand: sandbox, invite-only, public, external program, external program + sandbox, and external program + invite-only. It is **only** a valid vulnerability when there is a difference between the sandbox and invite-only programs. It is **not** a vulnerability when you can't distinguish a sandboxed program from an invite-only program. 
You can use the following example program handles for your tests.\n\n| Program state | Program handle | ID | Node ID |\n| ----- | ----- | ----- | ----- |\n| Sandbox | @security-test-sandbox | 49806 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDY=` |\n| Invite-only | @security-test-invite-only | 49807 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDc=` |\n| Public | @security | 13 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vMTM=` |\n| External program | @security-test-ep | 49803 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDM=` |\n| External program + sandbox | @security-test-ep-sandbox | 49804 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDQ=` |\n| External program + invite-only | @security-test-ep-invite-only | 49805 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDU=`\n\n## Other object identifiers that may be used for a proof of concept\nYou may use the following object identifiers to test again on hackerone.com. Feel free to use these for a proof of concept when submitting a report to us.\n\n| GraphQL ID | Class | ID | Note |\n| ----- | ----- | ----- | ----- |\n| `Z2lkOi8vaGFja2Vyb25lL1N0cnVjdHVyZWRTY29wZS81ODU3OQ==` | `StructuredScope` | 58579 | An asset belonging to @security-test-sandbox |\n| `Z2lkOi8vaGFja2Vyb25lL1N0cnVjdHVyZWRTY29wZS8xMDA1Nzg=` | `StructuredScope` | 100578 | An asset belonging to @security-test-invite-only |\n\n{F285265}\n","has_open_scope":true,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"We've built HackerOne from the ground up with security as our top priority. Even so, we believe that all technology contains bugs and that the public plays a crucial role in identifying these bugs. 
If you believe you've found a security bug in our service, we'll gladly work with you to resolve that issue and ensure you are fairly compensated for your discovery.","platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-05-23T18:37:09.924Z"},{"id":3726429,"new_policy":"***💬 Feedback / Suggestions:***\nWe're constantly seeking to improve. If you have any questions on our security or suggestions on how HackerOne could be improved, please [let us know](https://support.hackerone.com).\n\n***💬 Important for reporting functional bugs:*** if you are looking to report a non-security-related bug in HackerOne, please [submit here](https://support.hackerone.com) instead.\n\nHackerOne program sandbox\n===============\nHackerOne offers a sandbox for hackers to help them test program functionality for security vulnerabilities. To create a program, go [here](https://hackerone.com/teams/new/sandbox). You can select any product edition, giving you access to almost all features HackerOne offers. Hackers can create up to 30 programs in the sandbox.\n\n\nEligibility and Responsible Disclosure\n===============\nWe encourage and respect the hacker community and ask that you act in good faith when working with us. Please abide by the following when participating in our program:\n\n - **Follow the Vulnerability Disclosure Guidelines.** As our platform lays out, please read and follow the [Vulnerability Disclosure Guidelines](https://www.hackerone.com/disclosure-guidelines).\n - **Respect all our users' privacy.** HackerOne is a community that holds a lot of information, and we count on you to help keep everyone safe. Limit testing to accounts you own and do not impact other users on HackerOne. 
If you do encounter any user data or program data, including but not limited to usernames, passwords, or vulnerability information, please report it to us immediately and stop testing right away.\n - **Bend, but not break.** When testing use the minimal possible POC to validate a vulnerability; in cases when it may impact systems or users, ask permission first. No matter the case, do not damage or leave a system in a more vulnerable state that when you uncovered it.\n- **Understand Permissions.** For a clearer understanding of your capabilities and limitations, it's important to comprehend how permissions are set on our platform. To get an overview, check out [Permissions on HackerOne](https://docs.hackerone.com/en/articles/9095492-permissions).\n - Vulnerabilities that disclose the existence of a launched private HackerOne program (not a \"sandboxed\" or demo program) will be considered Low severity, whereas previously they would be considered Medium severity. Depending on the information that is disclosed, the team may increase the severity.\n - **Third party assets.** Our bug bounty program does not cover third-party assets, as it only applies to software under our control. However, we value efforts to enhance our security and may grant a bonus of 20% for reports related to these assets. The issue will be marked as Informative and closed accordingly.\n\n\nPublic disclosure\n===============\nWe believe in transparency about our security, so any valid vulnerabilities discovered are always [publicly disclosed](/security/hacktivity) once confirmed and resolved.\n\n\nProviding Evidence\n===============\n\nIf you are unsure if you will access others information, please file a report and ask if you should proceed. In a situation where you have an account takeover of a HackerOne employee, please notify our team by [using this form](/report-a-security-incident). 
This page is only available from the compromised HackerOne employee account.\n\n\nBest Practices or Hardening\n===============\n\nOn occasion you may discover something that is not a vulnerability but we will make appropriate changes for hardening or to implement some best practices. In these situations, when HackerOne decides to put a change in place we will resolve the report giving the reporter credit, but will not award a bounty. In the case where we do not make a change, our practice will be to close it as Informative.\n\n\nScope Exclusions\n===============\nThe following categories of reports are considered out of scope for our program and will not be rewarded:\n\n - Any vulnerability affecting the availability of HackerOne's systems (e.g. Denial of Service vulnerabilities).\n - Reports which target a lack of host header validation or that exploit [multiple forward slashes](https://hackerone.com/reports/52035) at the root of the path segment of a URL. Both of these issues are known to both us and Cloudflare, and their resolution is outside our control.\n - Spamming other users with automated HackerOne emails or notifications (e.g. abusing the forgot password form).\n - Reports which [enumerate already claimed user and program handles](https://hackerone.com/reports/29185). 
This reveals no sensitive information, regardless of whether the associated profiles are public or private.\n - Reports which involve constructing a markdown link in such a way that it may appear confusing in the external link warning interstitial page, despite being properly decoded and fully enclosed in the demarcated \"External link\" box.\n - Reports relating to the execution of CSV content by a third-party client application due to special treatment of certain characters in the exported CSV.\n - Reports relating to invitation expiration dates.\n - Reports relating to self-DoS issues (as in, only the person doing the action is denied service).\n - The ability to game the badges functionality by closing submissions reported by yourself or a team member in a verified program.\n - The ability to influence reputation/signal/impact via socially engineering a program's team members.\n - Reports which disclose the existence of private programs that are using SAML.\n - Open redirect vulnerabilities that do not demonstrate a clear impact, such as sending secret tokens to an arbitrary domain.\n - The ability to see a user's rank when they're not ranked in the top 100. The rank is expected to be accessible by everyone.\n - Information disclosure caused by a customer/organization on HackerOne; these reports will be closed as informative and we encourage you to report the information disclosure to the relevant program to adhere to our Code of Conduct.\n- Information disclosure that is limited to just a a single or handful of username(s). 
Usernames are considered public information and would need to be paired with another attack to be exploited (https://hackerone.com/reports/2149766) - directory attacks may still be interesting to us and will be evaluated case-by-case.\n - Bypassing the new user enforced report limits by rapidly sending requests in short succession (https://hackerone.com/reports/2206703, https://hackerone.com/reports/152747) - this is an accepted risk.\n\n\n# Transparent Decision-Making\n\nHackerOne maintains a commitment to the continuous review and evolution of its security approach. It's important to note that decisions on reports may vary over time as our strategies adapt to emerging security landscapes. While a decision on a past report may not necessarily dictate an identical outcome in the future, HackerOne is dedicated to transparency. We will make a best effort to communicate decisions clearly, preemptively explaining any policy adjustments to ensure understanding and collaboration with our valued community of hackers.\n\nWe will be closely following the CVSS guidelines when determining ‘Confidentiality’ and ‘Integrity’ metrics. The detailed guide can be found on page 10 here: https://www.first.org/cvss/v3-1/cvss-v31-specification_r1.pdf\n\n## Confidentiality\n\nPer the CVSS guidance, for a vulnerability to be considered to have a ‘High’ Confidentiality impact there must be a total loss of confidentiality of a HackerOne-owned asset OR the data that is disclosed must be considered highly sensitive.\n\nAs an example, a vulnerability that discloses information about a private program (e.g. the launch state, feature flags, etc.) will be considered `C:L`, whereas a vulnerability that discloses the information about a vulnerability report to someone that is not authorized to view it would be considered `C:H`.\n\nLikewise, when evaluating a report, the type of data disclosed AND the quantity of exposure will be taken into account. 
For example, a vulnerability that discloses 5 emails will likely be considered `C:L`, but a vulnerability that discloses 5 emails AND IP addresses associated with each email will be considered `C:H`.\n\n## Integrity\n\nPer the CVSS guidance, for a vulnerability to be considered to have a ‘High’ Integrity impact there must be a total loss of integrity for the HackerOne-owned asset OR the data that can be modified has a serious consequence to the impacted component.\n\nAs an example, a vulnerability that allows an attacker to edit non-sensitive data for a hacker profile (e.g. Badges, Certifications, etc.) would be considered `I:L`, whereas a vulnerability that would allow an attacker to edit sensitive data on a hacker profile (e.g. Clear status) would be considered `I:H`.\n\n# Common false positives\nFalse positives will be closed as *Not Applicable*. This section will describe tactics to make sure the behavior you're observing isn't a false positive.\n\n## Existence of invite-only programs\nHackerOne has six different program states that are important to understand: sandbox, invite-only, public, external program, external program + sandbox, and external program + invite-only. It is **only** a valid vulnerability when there is a difference between the sandbox and invite-only programs. It is **not** a vulnerability when you can't distinguish a sandboxed program from an invite-only program. 
You can use the following example program handles for your tests.\n\n| Program state | Program handle | ID | Node ID |\n| ----- | ----- | ----- | ----- |\n| Sandbox | @security-test-sandbox | 49806 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDY=` |\n| Invite-only | @security-test-invite-only | 49807 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDc=` |\n| Public | @security | 13 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vMTM=` |\n| External program | @security-test-ep | 49803 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDM=` |\n| External program + sandbox | @security-test-ep-sandbox | 49804 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDQ=` |\n| External program + invite-only | @security-test-ep-invite-only | 49805 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDU=`\n\n## Other object identifiers that may be used for a proof of concept\nYou may use the following object identifiers to test again on hackerone.com. Feel free to use these for a proof of concept when submitting a report to us.\n\n| GraphQL ID | Class | ID | Note |\n| ----- | ----- | ----- | ----- |\n| `Z2lkOi8vaGFja2Vyb25lL1N0cnVjdHVyZWRTY29wZS81ODU3OQ==` | `StructuredScope` | 58579 | An asset belonging to @security-test-sandbox |\n| `Z2lkOi8vaGFja2Vyb25lL1N0cnVjdHVyZWRTY29wZS8xMDA1Nzg=` | `StructuredScope` | 100578 | An asset belonging to @security-test-invite-only |\n\n{F285265}\n","has_open_scope":true,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"We've built HackerOne from the ground up with security as our top priority. Even so, we believe that all technology contains bugs and that the public plays a crucial role in identifying these bugs. 
If you believe you've found a security bug in our service, we'll gladly work with you to resolve that issue and ensure you are fairly compensated for your discovery.","platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-05-16T19:20:41.633Z"},{"id":3725894,"new_policy":"***💬 Feedback / Suggestions:***\nWe're constantly seeking to improve. If you have any questions on our security or suggestions on how HackerOne could be improved, please [let us know](https://support.hackerone.com).\n\n***💬 Important for reporting functional bugs:*** if you are looking to report a non-security-related bug in HackerOne, please [submit here](https://support.hackerone.com) instead.\n\n\n# Safe Harbor\n\n[Gold Standard Safe Harbor](https://hackerone.com/security/safe_harbor) applies. Please see the [Safe Harbor FAQ](https://docs.hackerone.com/programs/safe-harbor-faq.html) for more information.\n\n\nHackerOne program sandbox\n===============\nHackerOne offers a sandbox for hackers to help them test program functionality for security vulnerabilities. To create a program, go [here](https://hackerone.com/teams/new/sandbox). You can select any product edition, giving you access to almost all features HackerOne offers. Hackers can create up to 30 programs in the sandbox.\n\n\nEligibility and Responsible Disclosure\n===============\nWe encourage and respect the hacker community and ask that you act in good faith when working with us. Please abide by the following when participating in our program:\n\n - **Follow the Vulnerability Disclosure Guidelines.** As our platform lays out, please read and follow the [Vulnerability Disclosure Guidelines](https://www.hackerone.com/disclosure-guidelines).\n - **Respect all our users' privacy.** HackerOne is a community that holds a lot of information, and we count on you to help keep everyone safe. Limit testing to accounts you own and do not impact other users on HackerOne. 
If you do encounter any user data or program data, including but not limited to usernames, passwords, or vulnerability information, please report it to us immediately and stop testing right away.\n - **Bend, but not break.** When testing, use the minimal possible POC to validate a vulnerability; in cases when it may impact systems or users, ask permission first. No matter the case, do not damage or leave a system in a more vulnerable state than when you uncovered it.\n - **Understand Permissions.** For a clearer understanding of your capabilities and limitations, it's important to comprehend how permissions are set on our platform. To get an overview, check out [Permissions on HackerOne](https://docs.hackerone.com/en/articles/9095492-permissions).\n - Vulnerabilities that disclose the existence of a launched private HackerOne program (not a \"sandboxed\" or demo program) will be considered Low severity, whereas previously they would be considered Medium severity. Depending on the information that is disclosed, the team may increase the severity.\n - **Third party assets.** Our bug bounty program does not cover third-party assets, as it only applies to software under our control. However, we value efforts to enhance our security and may grant a bonus of 20% for reports related to these assets. The issue will be marked as Informative and closed accordingly.\n\n\nPublic disclosure\n===============\nWe believe in transparency about our security, so any valid vulnerabilities discovered are always [publicly disclosed](/security/hacktivity) once confirmed and resolved.\n\n\nProviding Evidence\n===============\n\nIf you are unsure whether you will access others' information, please file a report and ask if you should proceed. In a situation where you have an account takeover of a HackerOne employee, please notify our team by [using this form](/report-a-security-incident). 
This page is only available from the compromised HackerOne employee account.\n\n\nBest Practices or Hardening\n===============\n\nOn occasion you may discover something that is not a vulnerability, but we will make appropriate changes for hardening or to implement some best practices. In these situations, when HackerOne decides to put a change in place, we will resolve the report, giving the reporter credit, but will not award a bounty. In the case where we do not make a change, our practice will be to close it as Informative.\n\n\nScope Exclusions\n===============\nThe following categories of reports are considered out of scope for our program and will not be rewarded:\n\n - Any vulnerability affecting the availability of HackerOne's systems (e.g. Denial of Service vulnerabilities).\n - Reports which target a lack of host header validation or that exploit [multiple forward slashes](https://hackerone.com/reports/52035) at the root of the path segment of a URL. Both of these issues are known to both us and Cloudflare, and their resolution is outside our control.\n - Spamming other users with automated HackerOne emails or notifications (e.g. abusing the forgot password form).\n - Reports which [enumerate already claimed user and program handles](https://hackerone.com/reports/29185). 
This reveals no sensitive information, regardless of whether the associated profiles are public or private.\n - Reports which involve constructing a markdown link in such a way that it may appear confusing in the external link warning interstitial page, despite being properly decoded and fully enclosed in the demarcated \"External link\" box.\n - Reports relating to the execution of CSV content by a third-party client application due to special treatment of certain characters in the exported CSV.\n - Reports relating to invitation expiration dates.\n - Reports relating to self-DoS issues (as in, only the person doing the action is denied service).\n - The ability to game the badges functionality by closing submissions reported by yourself or a team member in a verified program.\n - The ability to influence reputation/signal/impact via socially engineering a program's team members.\n - Reports which disclose the existence of private programs that are using SAML.\n - Open redirect vulnerabilities that do not demonstrate a clear impact, such as sending secret tokens to an arbitrary domain.\n - The ability to see a user's rank when they're not ranked in the top 100. The rank is expected to be accessible by everyone.\n - Information disclosure caused by a customer/organization on HackerOne; these reports will be closed as informative and we encourage you to report the information disclosure to the relevant program to adhere to our Code of Conduct.\n - Information disclosure that is limited to just a single or handful of username(s). 
Usernames are considered public information and would need to be paired with another attack to be exploited (https://hackerone.com/reports/2149766) - directory attacks may still be interesting to us and will be evaluated case-by-case.\n - Bypassing the new user enforced report limits by rapidly sending requests in short succession (https://hackerone.com/reports/2206703, https://hackerone.com/reports/152747) - this is an accepted risk.\n\n\n# Transparent Decision-Making\n\nHackerOne maintains a commitment to the continuous review and evolution of its security approach. It's important to note that decisions on reports may vary over time as our strategies adapt to emerging security landscapes. While a decision on a past report may not necessarily dictate an identical outcome in the future, HackerOne is dedicated to transparency. We will make a best effort to communicate decisions clearly, preemptively explaining any policy adjustments to ensure understanding and collaboration with our valued community of hackers.\n\nWe will be closely following the CVSS guidelines when determining ‘Confidentiality’ and ‘Integrity’ metrics. The detailed guide can be found on page 10 here: https://www.first.org/cvss/v3-1/cvss-v31-specification_r1.pdf\n\n## Confidentiality\n\nPer the CVSS guidance, for a vulnerability to be considered to have a ‘High’ Confidentiality impact there must be a total loss of confidentiality of a HackerOne-owned asset OR the data that is disclosed must be considered highly sensitive.\n\nAs an example, a vulnerability that discloses information about a private program (e.g. the launch state, feature flags, etc.) will be considered `C:L`, whereas a vulnerability that discloses the information about a vulnerability report to someone that is not authorized to view it would be considered `C:H`.\n\nLikewise, when evaluating a report, the type of data disclosed AND the quantity of exposure will be taken into account. 
For example, a vulnerability that discloses 5 emails will likely be considered `C:L`, but a vulnerability that discloses 5 emails AND IP addresses associated with each email will be considered `C:H`.\n\n## Integrity\n\nPer the CVSS guidance, for a vulnerability to be considered to have a ‘High’ Integrity impact there must be a total loss of integrity for the HackerOne-owned asset OR the data that can be modified has a serious consequence to the impacted component.\n\nAs an example, a vulnerability that allows an attacker to edit non-sensitive data for a hacker profile (e.g. Badges, Certifications, etc.) would be considered `I:L`, whereas a vulnerability that would allow an attacker to edit sensitive data on a hacker profile (e.g. Clear status) would be considered `I:H`.\n\n# Common false positives\nFalse positives will be closed as *Not Applicable*. This section will describe tactics to make sure the behavior you're observing isn't a false positive.\n\n## Existence of invite-only programs\nHackerOne has six different program states that are important to understand: sandbox, invite-only, public, external program, external program + sandbox, and external program + invite-only. It is **only** a valid vulnerability when there is a difference between the sandbox and invite-only programs. It is **not** a vulnerability when you can't distinguish a sandboxed program from an invite-only program. 
You can use the following example program handles for your tests.\n\n| Program state | Program handle | ID | Node ID |\n| ----- | ----- | ----- | ----- |\n| Sandbox | @security-test-sandbox | 49806 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDY=` |\n| Invite-only | @security-test-invite-only | 49807 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDc=` |\n| Public | @security | 13 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vMTM=` |\n| External program | @security-test-ep | 49803 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDM=` |\n| External program + sandbox | @security-test-ep-sandbox | 49804 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDQ=` |\n| External program + invite-only | @security-test-ep-invite-only | 49805 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDU=`\n\n## Other object identifiers that may be used for a proof of concept\nYou may use the following object identifiers to test again on hackerone.com. Feel free to use these for a proof of concept when submitting a report to us.\n\n| GraphQL ID | Class | ID | Note |\n| ----- | ----- | ----- | ----- |\n| `Z2lkOi8vaGFja2Vyb25lL1N0cnVjdHVyZWRTY29wZS81ODU3OQ==` | `StructuredScope` | 58579 | An asset belonging to @security-test-sandbox |\n| `Z2lkOi8vaGFja2Vyb25lL1N0cnVjdHVyZWRTY29wZS8xMDA1Nzg=` | `StructuredScope` | 100578 | An asset belonging to @security-test-invite-only |\n\n{F285265}\n","has_open_scope":true,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"We've built HackerOne from the ground up with security as our top priority. Even so, we believe that all technology contains bugs and that the public plays a crucial role in identifying these bugs. 
If you believe you've found a security bug in our service, we'll gladly work with you to resolve that issue and ensure you are fairly compensated for your discovery.","platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-05-13T17:28:45.172Z"},{"id":3724841,"new_policy":"***💬 Feedback / Suggestions:***\nWe're constantly seeking to improve. If you have any questions on our security or suggestions on how HackerOne could be improved, please [let us know](https://support.hackerone.com).\n\n***💬 Important for reporting functional bugs:*** if you are looking to report a non-security-related bug in HackerOne, please [submit here](https://support.hackerone.com) instead.\n\n\n# Safe Harbor\n\n[Gold Standard Safe Harbor](https://hackerone.com/security/safe_harbor) applies. Please see the [Safe Harbor FAQ](https://docs.hackerone.com/programs/safe-harbor-faq.html) for more information.\n\n\nHackerOne program sandbox\n===============\nHackerOne offers a sandbox for hackers to help them test program functionality for security vulnerabilities. To create a program, go [here](https://hackerone.com/teams/new/sandbox). You can select any product edition, giving you access to almost all features HackerOne offers. Hackers can create up to 30 programs in the sandbox.\n\n\nEligibility and Responsible Disclosure\n===============\nWe encourage and respect the hacker community and ask that you act in good faith when working with us. Please abide by the following when participating in our program:\n\n - **Follow the Vulnerability Disclosure Guidelines.** As our platform lays out, please read and follow the [Vulnerability Disclosure Guidelines](https://www.hackerone.com/disclosure-guidelines).\n - **Respect all our users' privacy.** HackerOne is a community that holds a lot of information, and we count on you to help keep everyone safe. Limit testing to accounts you own and do not impact other users on HackerOne. 
If you do encounter any user data or program data, including but not limited to usernames, passwords, or vulnerability information, please report it to us immediately and stop testing right away.\n - **Bend, but not break.** When testing, use the minimal possible POC to validate a vulnerability; in cases when it may impact systems or users, ask permission first. No matter the case, do not damage or leave a system in a more vulnerable state than when you uncovered it.\n - **Understand Permissions.** For a clearer understanding of your capabilities and limitations, it's important to comprehend how permissions are set on our platform. To get an overview, check out [Permissions on HackerOne](https://docs.hackerone.com/en/articles/9095492-permissions).\n - Vulnerabilities that disclose the existence of a launched private HackerOne program (not a \"sandboxed\" or demo program) will be considered Low severity, whereas previously they would be considered Medium severity. Depending on the information that is disclosed, the team may increase the severity.\n - **Third party assets.** Our bug bounty program does not cover third-party assets, as it only applies to software under our control. However, we value efforts to enhance our security and may grant a bonus of 20% for reports related to these assets. The issue will be marked as Informative and closed accordingly.\n\n\nPublic disclosure\n===============\nWe believe in transparency about our security, so any valid vulnerabilities discovered are always [publicly disclosed](/security/hacktivity) once confirmed and resolved.\n\n\nProviding Evidence\n===============\n\nIf you are unsure whether you will access others' information, please file a report and ask if you should proceed. In a situation where you have an account takeover of a HackerOne employee, please notify our team by [using this form](/report-a-security-incident). 
This page is only available from the compromised HackerOne employee account.\n\n\nBest Practices or Hardening\n===============\n\nOn occasion you may discover something that is not a vulnerability, but we will make appropriate code changes for hardening or to implement some best practices. In these situations, when HackerOne decides to put a change in place, we will resolve the report, giving the reporter credit, but will not award a bounty. In the case where we do not make a change, our practice will be to close it as Informative.\n\n\nScope Exclusions\n===============\nThe following categories of reports are considered out of scope for our program and will not be rewarded:\n\n - Any vulnerability affecting the availability of HackerOne's systems (e.g. Denial of Service vulnerabilities).\n - Reports which target a lack of host header validation or that exploit [multiple forward slashes](https://hackerone.com/reports/52035) at the root of the path segment of a URL. Both of these issues are known to both us and Cloudflare, and their resolution is outside our control.\n - Spamming other users with automated HackerOne emails or notifications (e.g. abusing the forgot password form).\n - Reports which [enumerate already claimed user and program handles](https://hackerone.com/reports/29185). 
This reveals no sensitive information, regardless of whether the associated profiles are public or private.\n - Reports which involve constructing a markdown link in such a way that it may appear confusing in the external link warning interstitial page, despite being properly decoded and fully enclosed in the demarcated \"External link\" box.\n - Reports relating to the execution of CSV content by a third-party client application due to special treatment of certain characters in the exported CSV.\n - Reports relating to invitation expiration dates.\n - Reports relating to self-DoS issues (as in, only the person doing the action is denied service).\n - The ability to game the badges functionality by closing submissions reported by yourself or a team member in a verified program.\n - The ability to influence reputation/signal/impact via socially engineering a program's team members.\n - Reports which disclose the existence of private programs that are using SAML.\n - Open redirect vulnerabilities that do not demonstrate a clear impact, such as sending secret tokens to an arbitrary domain.\n - The ability to see a user's rank when they're not ranked in the top 100. The rank is expected to be accessible by everyone.\n - Information disclosure caused by a customer/organization on HackerOne; these reports will be closed as informative and we encourage you to report the information disclosure to the relevant program to adhere to our Code of Conduct.\n - Information disclosure that is limited to just a single or handful of username(s). 
Usernames are considered public information and would need to be paired with another attack to be exploited (https://hackerone.com/reports/2149766) - directory attacks may still be interesting to us and will be evaluated case-by-case.\n - Bypassing the new user enforced report limits by rapidly sending requests in short succession (https://hackerone.com/reports/2206703, https://hackerone.com/reports/152747) - this is an accepted risk.\n\n\n# Transparent Decision-Making\n\nHackerOne maintains a commitment to the continuous review and evolution of its security approach. It's important to note that decisions on reports may vary over time as our strategies adapt to emerging security landscapes. While a decision on a past report may not necessarily dictate an identical outcome in the future, HackerOne is dedicated to transparency. We will make a best effort to communicate decisions clearly, preemptively explaining any policy adjustments to ensure understanding and collaboration with our valued community of hackers.\n\nWe will be closely following the CVSS guidelines when determining ‘Confidentiality’ and ‘Integrity’ metrics. The detailed guide can be found on page 10 here: https://www.first.org/cvss/v3-1/cvss-v31-specification_r1.pdf\n\n## Confidentiality\n\nPer the CVSS guidance, for a vulnerability to be considered to have a ‘High’ Confidentiality impact there must be a total loss of confidentiality of a HackerOne-owned asset OR the data that is disclosed must be considered highly sensitive.\n\nAs an example, a vulnerability that discloses information about a private program (e.g. the launch state, feature flags, etc.) will be considered `C:L`, whereas a vulnerability that discloses the information about a vulnerability report to someone that is not authorized to view it would be considered `C:H`.\n\nLikewise, when evaluating a report, the type of data disclosed AND the quantity of exposure will be taken into account. 
For example, a vulnerability that discloses 5 emails will likely be considered `C:L`, but a vulnerability that discloses 5 emails AND IP addresses associated with each email will be considered `C:H`.\n\n## Integrity\n\nPer the CVSS guidance, for a vulnerability to be considered to have a ‘High’ Integrity impact there must be a total loss of integrity for the HackerOne-owned asset OR the data that can be modified has a serious consequence to the impacted component.\n\nAs an example, a vulnerability that allows an attacker to edit non-sensitive data for a hacker profile (e.g. Badges, Certifications, etc.) would be considered `I:L`, whereas a vulnerability that would allow an attacker to edit sensitive data on a hacker profile (e.g. Clear status) would be considered `I:H`.\n\n# Common false positives\nFalse positives will be closed as *Not Applicable*. This section will describe tactics to make sure the behavior you're observing isn't a false positive.\n\n## Existence of invite-only programs\nHackerOne has six different program states that are important to understand: sandbox, invite-only, public, external program, external program + sandbox, and external program + invite-only. It is **only** a valid vulnerability when there is a difference between the sandbox and invite-only programs. It is **not** a vulnerability when you can't distinguish a sandboxed program from an invite-only program. 
You can use the following example program handles for your tests.\n\n| Program state | Program handle | ID | Node ID |\n| ----- | ----- | ----- | ----- |\n| Sandbox | @security-test-sandbox | 49806 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDY=` |\n| Invite-only | @security-test-invite-only | 49807 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDc=` |\n| Public | @security | 13 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vMTM=` |\n| External program | @security-test-ep | 49803 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDM=` |\n| External program + sandbox | @security-test-ep-sandbox | 49804 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDQ=` |\n| External program + invite-only | @security-test-ep-invite-only | 49805 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDU=`\n\n## Other object identifiers that may be used for a proof of concept\nYou may use the following object identifiers to test again on hackerone.com. Feel free to use these for a proof of concept when submitting a report to us.\n\n| GraphQL ID | Class | ID | Note |\n| ----- | ----- | ----- | ----- |\n| `Z2lkOi8vaGFja2Vyb25lL1N0cnVjdHVyZWRTY29wZS81ODU3OQ==` | `StructuredScope` | 58579 | An asset belonging to @security-test-sandbox |\n| `Z2lkOi8vaGFja2Vyb25lL1N0cnVjdHVyZWRTY29wZS8xMDA1Nzg=` | `StructuredScope` | 100578 | An asset belonging to @security-test-invite-only |\n\n{F285265}\n","has_open_scope":true,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"We've built HackerOne from the ground up with security as our top priority. Even so, we believe that all technology contains bugs and that the public plays a crucial role in identifying these bugs. 
If you believe you've found a security bug in our service, we'll gladly work with you to resolve that issue and ensure you are fairly compensated for your discovery.","platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-05-03T11:14:30.038Z"},{"id":3724834,"new_policy":"We've built HackerOne from the ground up with [security as our top priority](https://www.hackerone.com/trust). Even so, we believe that all technology contains bugs and that the public plays a crucial role in identifying these bugs. If you believe you've found a security bug in our service, we'll gladly work with you to resolve that issue and ensure you are fairly compensated for your discovery.\n\n***💬 Feedback / Suggestions:***\nWe're constantly seeking to improve. If you have any questions on our security or suggestions on how HackerOne could be improved, please [let us know](https://support.hackerone.com).\n\n***💬 Important for reporting functional bugs:*** if you are looking to report a non-security-related bug in HackerOne, please [submit here](https://support.hackerone.com) instead.\n\n\n# Safe Harbor\n\n[Gold Standard Safe Harbor](https://hackerone.com/security/safe_harbor) applies. Please see the [Safe Harbor FAQ](https://docs.hackerone.com/programs/safe-harbor-faq.html) for more information.\n\n\nHackerOne program sandbox\n===============\nHackerOne offers a sandbox for hackers to help them test program functionality for security vulnerabilities. To create a program, go [here](https://hackerone.com/teams/new/sandbox). You can select any product edition, giving you access to almost all features HackerOne offers. Hackers can create up to 30 programs in the sandbox.\n\n\nEligibility and Responsible Disclosure\n===============\nWe encourage and respect the hacker community and ask that you act in good faith when working with us. 
Please abide by the following when participating in our program:\n\n - **Follow the Vulnerability Disclosure Guidelines.** As our platform lays out, please read and follow the [Vulnerability Disclosure Guidelines](https://www.hackerone.com/disclosure-guidelines).\n - **Respect all our users' privacy.** HackerOne is a community that holds a lot of information, and we count on you to help keep everyone safe. Limit testing to accounts you own and do not impact other users on HackerOne. If you do encounter any user data or program data, including but not limited to usernames, passwords, or vulnerability information, please report it to us immediately and stop testing right away.\n - **Bend, but not break.** When testing, use the minimal possible POC to validate a vulnerability; in cases when it may impact systems or users, ask permission first. No matter the case, do not damage or leave a system in a more vulnerable state than when you uncovered it.\n - **Understand Permissions.** For a clearer understanding of your capabilities and limitations, it's important to comprehend how permissions are set on our platform. To get an overview, check out [Permissions on HackerOne](https://docs.hackerone.com/en/articles/9095492-permissions).\n - Vulnerabilities that disclose the existence of a launched private HackerOne program (not a \"sandboxed\" or demo program) will be considered Low severity, whereas previously they would be considered Medium severity. Depending on the information that is disclosed, the team may increase the severity.\n - **Third party assets.** Our bug bounty program does not cover third-party assets, as it only applies to software under our control. However, we value efforts to enhance our security and may grant a bonus of 20% for reports related to these assets. 
The issue will be marked as Informative and closed accordingly.\n\n\nPublic disclosure\n===============\nWe believe in transparency about our security, so any valid vulnerabilities discovered are always [publicly disclosed](/security/hacktivity) once confirmed and resolved.\n\n\nProviding Evidence\n===============\n\nIf you are unsure whether you will access others' information, please file a report and ask if you should proceed. In a situation where you have an account takeover of a HackerOne employee, please notify our team by [using this form](/report-a-security-incident). This page is only available from the compromised HackerOne employee account.\n\n\nBest Practices or Hardening\n===============\n\nOn occasion you may discover something that is not a vulnerability, but for which we will still make appropriate code changes for hardening or to implement some best practices. In these situations, when HackerOne decides to put a change in place, we will resolve the report, giving the reporter credit, but will not award a bounty. In the case where we do not make a change, our practice will be to close it as Informative.\n\n\nScope Exclusions\n===============\nThe following categories of reports are considered out of scope for our program and will not be rewarded:\n\n - Any vulnerability affecting the availability of HackerOne's systems (e.g. Denial of Service vulnerabilities).\n - Reports which target a lack of host header validation or that exploit [multiple forward slashes](https://hackerone.com/reports/52035) at the root of the path segment of a URL. Both of these issues are known to us and to Cloudflare, and their resolution is outside our control.\n - Spamming other users with automated HackerOne emails or notifications (e.g. abusing the forgot password form).\n - Reports which [enumerate already claimed user and program handles](https://hackerone.com/reports/29185). 
This reveals no sensitive information, regardless of whether the associated profiles are public or private.\n - Reports which involve constructing a markdown link in such a way that it may appear confusing in the external link warning interstitial page, despite being properly decoded and fully enclosed in the demarcated \"External link\" box.\n - Reports relating to the execution of CSV content by a third-party client application due to special treatment of certain characters in the exported CSV.\n - Reports relating to invitation expiration dates.\n - Reports relating to self-DoS issues (as in, only the person doing the action is denied service).\n - The ability to game the badges functionality by closing submissions reported by yourself or a team member in a verified program.\n - The ability to influence reputation/signal/impact via socially engineering a program's team members.\n - Reports which disclose the existence of private programs that are using SAML.\n - Open redirect vulnerabilities that do not demonstrate a clear impact, such as sending secret tokens to an arbitrary domain.\n - The ability to see a user's rank when they're not ranked in the top 100. The rank is expected to be accessible by everyone.\n - Information disclosure caused by a customer/organization on HackerOne; these reports will be closed as informative and we encourage you to report the information disclosure to the relevant program to adhere to our Code of Conduct.\n - Information disclosure that is limited to a single username or a handful of usernames. 
Usernames are considered public information and would need to be paired with another attack to be exploited (https://hackerone.com/reports/2149766); directory attacks may still be interesting to us and will be evaluated case-by-case.\n - Bypassing the new-user enforced report limits by rapidly sending requests in short succession (https://hackerone.com/reports/2206703, https://hackerone.com/reports/152747); this is an accepted risk.\n\n\n# Transparent Decision-Making\n\nHackerOne maintains a commitment to the continuous review and evolution of its security approach. It's important to note that decisions on reports may vary over time as our strategies adapt to emerging security landscapes. While a decision on a past report may not necessarily dictate an identical outcome in the future, HackerOne is dedicated to transparency. We will make a best effort to communicate decisions clearly, preemptively explaining any policy adjustments to ensure understanding and collaboration with our valued community of hackers.\n\nWe will be closely following the CVSS guidelines when determining ‘Confidentiality’ and ‘Integrity’ metrics. The detailed guide can be found on page 10 here: https://www.first.org/cvss/v3-1/cvss-v31-specification_r1.pdf\n\n## Confidentiality\n\nPer the CVSS guidance, for a vulnerability to be considered to have a ‘High’ Confidentiality impact there must be a total loss of confidentiality of a HackerOne-owned asset OR the data that is disclosed must be considered highly sensitive.\n\nAs an example, a vulnerability that discloses information about a private program (e.g. the launch state, feature flags, etc.) will be considered `C:L`, whereas a vulnerability that discloses information about a vulnerability report to someone who is not authorized to view it would be considered `C:H`.\n\nLikewise, when evaluating a report, both the type of data disclosed and the quantity of exposure will be taken into account. 
For example, a vulnerability that discloses 5 email addresses will likely be considered `C:L`, but a vulnerability that discloses 5 email addresses AND the IP addresses associated with each email will be considered `C:H`.\n\n## Integrity\n\nPer the CVSS guidance, for a vulnerability to be considered to have a ‘High’ Integrity impact there must be a total loss of integrity for the HackerOne-owned asset OR modifying the data must have a serious consequence for the impacted component.\n\nAs an example, a vulnerability that allows an attacker to edit non-sensitive data on a hacker profile (e.g. Badges, Certifications, etc.) would be considered `I:L`, whereas a vulnerability that would allow an attacker to edit sensitive data on a hacker profile (e.g. Clear status) would be considered `I:H`.\n\n# Common false positives\nFalse positives will be closed as *Not Applicable*. This section describes tactics to make sure the behavior you're observing isn't a false positive.\n\n## Existence of invite-only programs\nHackerOne has six different program states that are important to understand: sandbox, invite-only, public, external program, external program + sandbox, and external program + invite-only. It is **only** a valid vulnerability when there is a difference between the sandbox and invite-only programs. It is **not** a vulnerability when you can't distinguish a sandboxed program from an invite-only program. 
You can use the following example program handles for your tests.\n\n| Program state | Program handle | ID | Node ID |\n| ----- | ----- | ----- | ----- |\n| Sandbox | @security-test-sandbox | 49806 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDY=` |\n| Invite-only | @security-test-invite-only | 49807 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDc=` |\n| Public | @security | 13 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vMTM=` |\n| External program | @security-test-ep | 49803 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDM=` |\n| External program + sandbox | @security-test-ep-sandbox | 49804 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDQ=` |\n| External program + invite-only | @security-test-ep-invite-only | 49805 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDU=` |\n\n## Other object identifiers that may be used for a proof of concept\nYou may use the following object identifiers to test against on hackerone.com. Feel free to use these for a proof of concept when submitting a report to us.\n\n| GraphQL ID | Class | ID | Note |\n| ----- | ----- | ----- | ----- |\n| `Z2lkOi8vaGFja2Vyb25lL1N0cnVjdHVyZWRTY29wZS81ODU3OQ==` | `StructuredScope` | 58579 | An asset belonging to @security-test-sandbox |\n| `Z2lkOi8vaGFja2Vyb25lL1N0cnVjdHVyZWRTY29wZS8xMDA1Nzg=` | `StructuredScope` | 100578 | An asset belonging to @security-test-invite-only |\n\n{F285265}\n","has_open_scope":true,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"We've built HackerOne from the ground up with security as our top priority. Even so, we believe that all technology contains bugs and that the public plays a crucial role in identifying these bugs. 
If you believe you've found a security bug in our service, we'll gladly work with you to resolve that issue and ensure you are fairly compensated for your discovery.","platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-05-03T11:05:53.180Z"},{"id":3724833,"new_policy":"We've built HackerOne from the ground up with [security as our top priority](https://www.hackerone.com/trust). Even so, we believe that all technology contains bugs and that the public plays a crucial role in identifying these bugs. If you believe you've found a security bug in our service, we'll gladly work with you to resolve that issue and ensure you are fairly compensated for your discovery.\n\n***💬 Feedback / Suggestions:***\nWe're constantly seeking to improve. If you have any questions on our security or suggestions on how HackerOne could be improved, please [let us know](https://support.hackerone.com).\n\n***💬 Important for reporting functional bugs:*** if you are looking to report a non-security-related bug in HackerOne, please [submit here](https://support.hackerone.com) instead.\n\n\n# Safe Harbor\n\n[Gold Standard Safe Harbor](https://hackerone.com/security/safe_harbor) applies. Please see the [Safe Harbor FAQ](https://docs.hackerone.com/programs/safe-harbor-faq.html) for more information.\n\n\nHackerOne program sandbox\n===============\nHackerOne offers a sandbox for hackers to help them test program functionality for security vulnerabilities. To create a program, go [here](https://hackerone.com/teams/new/sandbox). You can select any product edition, giving you access to almost all features HackerOne offers. Hackers can create up to 30 programs in the sandbox.\n\n\nEligibility and Responsible Disclosure\n===============\nWe encourage and respect the hacker community and ask that you act in good faith when working with us. 
Please abide by the following when participating in our program:\n\n - **Follow the Vulnerability Disclosure Guidelines.** As our platform lays out, please read and follow the [Vulnerability Disclosure Guidelines](https://www.hackerone.com/disclosure-guidelines).\n - **Respect all our users' privacy.** HackerOne is a community that holds a lot of information, and we count on you to help keep everyone safe. Limit testing to accounts you own and do not impact other users on HackerOne. If you do encounter any user data or program data, including but not limited to usernames, passwords, or vulnerability information, please report it to us immediately and stop testing right away.\n - **Bend, but not break.** When testing, use the minimal possible POC to validate a vulnerability; in cases where it may impact systems or users, ask permission first. No matter the case, do not damage a system or leave it in a more vulnerable state than when you uncovered it.\n - **Understand Permissions.** For a clearer understanding of your capabilities and limitations, it's important to comprehend how permissions are set on our platform. To get an overview, check out [Permissions on HackerOne](https://docs.hackerone.com/en/articles/9095492-permissions).\n - Vulnerabilities that disclose the existence of a launched private HackerOne program (not a \"sandboxed\" or demo program) will be considered Low severity, whereas previously they would be considered Medium severity. Depending on the information that is disclosed, the team may increase the severity.\n - **Third-party assets.** Our bug bounty program does not cover third-party assets, as it only applies to software under our control. However, we value efforts to enhance our security and may grant a bonus of 20% for reports related to these assets. 
The issue will be marked as Informative and closed accordingly.\n\n\nPublic disclosure\n===============\nWe believe in transparency about our security, so any valid vulnerabilities discovered are always [publicly disclosed](/security/hacktivity) once confirmed and resolved.\n\n\nProviding Evidence\n===============\n\nIf you are unsure whether you will access others' information, please file a report and ask if you should proceed. In a situation where you have an account takeover of a HackerOne employee, please notify our team by [using this form](/report-a-security-incident). This page is only available from the compromised HackerOne employee account.\n\n\nBest Practices or Hardening\n===============\n\nOn occasion you may discover something that is not a vulnerability, but for which we will still make appropriate code changes for hardening or to implement some best practices. In these situations, when HackerOne decides to put a change in place, we will resolve the report, giving the reporter credit, but will not award a bounty. In the case where we do not make a change, our practice will be to close it as Informative.\n\n\nScope Exclusions\n===============\nThe following categories of reports are considered out of scope for our program and will not be rewarded:\n\n - Any vulnerability affecting the availability of HackerOne's systems (e.g. Denial of Service vulnerabilities).\n - Reports which target a lack of host header validation or that exploit [multiple forward slashes](https://hackerone.com/reports/52035) at the root of the path segment of a URL. Both of these issues are known to us and to Cloudflare, and their resolution is outside our control.\n - Spamming other users with automated HackerOne emails or notifications (e.g. abusing the forgot password form).\n - Reports which [enumerate already claimed user and program handles](https://hackerone.com/reports/29185). 
This reveals no sensitive information, regardless of whether the associated profiles are public or private.\n - Reports which involve constructing a markdown link in such a way that it may appear confusing in the external link warning interstitial page, despite being properly decoded and fully enclosed in the demarcated \"External link\" box.\n - Reports relating to the execution of CSV content by a third-party client application due to special treatment of certain characters in the exported CSV.\n - Reports relating to invitation expiration dates.\n - Reports relating to self-DoS issues (as in, only the person doing the action is denied service).\n - The ability to game the badges functionality by closing submissions reported by yourself or a team member in a verified program.\n - The ability to influence reputation/signal/impact via socially engineering a program's team members.\n - Reports which disclose the existence of private programs that are using SAML.\n - Open redirect vulnerabilities that do not demonstrate a clear impact, such as sending secret tokens to an arbitrary domain.\n - The ability to see a user's rank when they're not ranked in the top 100. The rank is expected to be accessible by everyone.\n - Information disclosure caused by a customer/organization on HackerOne; these reports will be closed as informative and we encourage you to report the information disclosure to the relevant program to adhere to our Code of Conduct.\n - Information disclosure that is limited to a single username or a handful of usernames. 
Usernames are considered public information and would need to be paired with another attack to be exploited (https://hackerone.com/reports/2149766); directory attacks may still be interesting to us and will be evaluated case-by-case.\n - Bypassing the new-user enforced report limits by rapidly sending requests in short succession (https://hackerone.com/reports/2206703, https://hackerone.com/reports/152747); this is an accepted risk.\n\n\n# Transparent Decision-Making\n\nHackerOne maintains a commitment to the continuous review and evolution of its security approach. It's important to note that decisions on reports may vary over time as our strategies adapt to emerging security landscapes. While a decision on a past report may not necessarily dictate an identical outcome in the future, HackerOne is dedicated to transparency. We will make a best effort to communicate decisions clearly, preemptively explaining any policy adjustments to ensure understanding and collaboration with our valued community of hackers.\n\nWe will be closely following the CVSS guidelines when determining ‘Confidentiality’ and ‘Integrity’ metrics. The detailed guide can be found on page 10 here: https://www.first.org/cvss/v3-1/cvss-v31-specification_r1.pdf\n\n## Confidentiality\n\nPer the CVSS guidance, for a vulnerability to be considered to have a ‘High’ Confidentiality impact there must be a total loss of confidentiality of a HackerOne-owned asset OR the data that is disclosed must be considered highly sensitive.\n\nAs an example, a vulnerability that discloses information about a private program (e.g. the launch state, feature flags, etc.) will be considered `C:L`, whereas a vulnerability that discloses information about a vulnerability report to someone who is not authorized to view it would be considered `C:H`.\n\nLikewise, when evaluating a report, both the type of data disclosed and the quantity of exposure will be taken into account. 
For example, a vulnerability that discloses 5 email addresses will likely be considered `C:L`, but a vulnerability that discloses 5 email addresses AND the IP addresses associated with each email will be considered `C:H`.\n\n## Integrity\n\nPer the CVSS guidance, for a vulnerability to be considered to have a ‘High’ Integrity impact there must be a total loss of integrity for the HackerOne-owned asset OR modifying the data must have a serious consequence for the impacted component.\n\nAs an example, a vulnerability that allows an attacker to edit non-sensitive data on a hacker profile (e.g. Badges, Certifications, etc.) would be considered `I:L`, whereas a vulnerability that would allow an attacker to edit sensitive data on a hacker profile (e.g. Clear status) would be considered `I:H`.\n\n# Common false positives\nFalse positives will be closed as *Not Applicable*. This section describes tactics to make sure the behavior you're observing isn't a false positive.\n\n## Existence of invite-only programs\nHackerOne has six different program states that are important to understand: sandbox, invite-only, public, external program, external program + sandbox, and external program + invite-only. It is **only** a valid vulnerability when there is a difference between the sandbox and invite-only programs. It is **not** a vulnerability when you can't distinguish a sandboxed program from an invite-only program. 
You can use the following example program handles for your tests.\n\n| Program state | Program handle | ID | Node ID |\n| ----- | ----- | ----- | ----- |\n| Sandbox | @security-test-sandbox | 49806 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDY=` |\n| Invite-only | @security-test-invite-only | 49807 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDc=` |\n| Public | @security | 13 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vMTM=` |\n| External program | @security-test-ep | 49803 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDM=` |\n| External program + sandbox | @security-test-ep-sandbox | 49804 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDQ=` |\n| External program + invite-only | @security-test-ep-invite-only | 49805 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDU=` |\n\n## Other object identifiers that may be used for a proof of concept\nYou may use the following object identifiers to test against on hackerone.com. Feel free to use these for a proof of concept when submitting a report to us.\n\n| GraphQL ID | Class | ID | Note |\n| ----- | ----- | ----- | ----- |\n| `Z2lkOi8vaGFja2Vyb25lL1N0cnVjdHVyZWRTY29wZS81ODU3OQ==` | `StructuredScope` | 58579 | An asset belonging to @security-test-sandbox |\n| `Z2lkOi8vaGFja2Vyb25lL1N0cnVjdHVyZWRTY29wZS8xMDA1Nzg=` | `StructuredScope` | 100578 | An asset belonging to @security-test-invite-only |\n\n{F285265}\n","has_open_scope":true,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"We've built HackerOne from the ground up with [security as our top priority](https://www.hackerone.com/trust). Even so, we believe that all technology contains bugs and that the public plays a crucial role in identifying these bugs. 
If you believe you've found a security bug in our service, we'll gladly work with you to resolve that issue and ensure you are fairly compensated for your discovery.","platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-05-03T11:05:01.791Z"},{"id":3722891,"new_policy":"We've built HackerOne from the ground up with [security as our top priority](https://www.hackerone.com/trust). Even so, we believe that all technology contains bugs and that the public plays a crucial role in identifying these bugs. If you believe you've found a security bug in our service, we'll gladly work with you to resolve that issue and ensure you are fairly compensated for your discovery.\n\n***💬 Feedback / Suggestions:***\nWe're constantly seeking to improve. If you have any questions on our security or suggestions on how HackerOne could be improved, please [let us know](https://support.hackerone.com).\n\n***💬 Important for reporting functional bugs:*** if you are looking to report a non-security-related bug in HackerOne, please [submit here](https://support.hackerone.com) instead.\n\n\n# Safe Harbor\n\n[Gold Standard Safe Harbor](https://hackerone.com/security/safe_harbor) applies. Please see the [Safe Harbor FAQ](https://docs.hackerone.com/programs/safe-harbor-faq.html) for more information.\n\n\nHackerOne program sandbox\n===============\nHackerOne offers a sandbox for hackers to help them test program functionality for security vulnerabilities. To create a program, go [here](https://hackerone.com/teams/new/sandbox). You can select any product edition, giving you access to almost all features HackerOne offers. Hackers can create up to 30 programs in the sandbox.\n\n\nEligibility and Responsible Disclosure\n===============\nWe encourage and respect the hacker community and ask that you act in good faith when working with us. 
Please abide by the following when participating in our program:\n\n - **Follow the Vulnerability Disclosure Guidelines.** As our platform lays out, please read and follow the [Vulnerability Disclosure Guidelines](https://www.hackerone.com/disclosure-guidelines).\n - **Respect all our users' privacy.** HackerOne is a community that holds a lot of information, and we count on you to help keep everyone safe. Limit testing to accounts you own and do not impact other users on HackerOne. If you do encounter any user data or program data, including but not limited to usernames, passwords, or vulnerability information, please report it to us immediately and stop testing right away.\n - **Bend, but not break.** When testing, use the minimal possible POC to validate a vulnerability; in cases where it may impact systems or users, ask permission first. No matter the case, do not damage a system or leave it in a more vulnerable state than when you uncovered it.\n - **Understand Permissions.** For a clearer understanding of your capabilities and limitations, it's important to comprehend how permissions are set on our platform. To get an overview, check out [Permissions on HackerOne](https://docs.hackerone.com/en/articles/9095492-permissions).\n - Vulnerabilities that disclose the existence of a launched private HackerOne program (not a \"sandboxed\" or demo program) will be considered Low severity, whereas previously they would be considered Medium severity. Depending on the information that is disclosed, the team may increase the severity.\n - **Third-party assets.** Our bug bounty program does not cover third-party assets, as it only applies to software under our control. However, we value efforts to enhance our security and may grant a bonus of 20% for reports related to these assets. 
The issue will be marked as Informative and closed accordingly.\n\n\nPublic disclosure\n===============\nWe believe in transparency about our security, so any valid vulnerabilities discovered are always [publicly disclosed](/security/hacktivity) once confirmed and resolved.\n\n\nProviding Evidence\n===============\n\nIf you are unsure whether you will access others' information, please file a report and ask if you should proceed. In a situation where you have an account takeover of a HackerOne employee, please notify our team by [using this form](/report-a-security-incident). This page is only available from the compromised HackerOne employee account.\n\n\nBest Practices or Hardening\n===============\n\nOn occasion you may discover something that is not a vulnerability, but for which we will still make appropriate code changes for hardening or to implement some best practices. In these situations, when HackerOne decides to put a change in place, we will resolve the report, giving the reporter credit, but will not award a bounty. In the case where we do not make a change, our practice will be to close it as Informative.\n\n\nScope Exclusions\n===============\nThe following categories of reports are considered out of scope for our program and will not be rewarded:\n\n - Any vulnerability affecting the availability of HackerOne's systems (e.g. Denial of Service vulnerabilities).\n - Reports which target a lack of host header validation or that exploit [multiple forward slashes](https://hackerone.com/reports/52035) at the root of the path segment of a URL. Both of these issues are known to us and to Cloudflare, and their resolution is outside our control.\n - Spamming other users with automated HackerOne emails or notifications (e.g. abusing the forgot password form).\n - Reports which [enumerate already claimed user and program handles](https://hackerone.com/reports/29185). 
This reveals no sensitive information, regardless of whether the associated profiles are public or private.\n - Reports which involve constructing a markdown link in such a way that it may appear confusing in the external link warning interstitial page, despite being properly decoded and fully enclosed in the demarcated \"External link\" box.\n - Reports relating to the execution of CSV content by a third-party client application due to special treatment of certain characters in the exported CSV.\n - Reports relating to invitation expiration dates.\n - Reports relating to self-DoS issues (as in, only the person doing the action is denied service).\n - The ability to game the badges functionality by closing submissions reported by yourself or a team member in a verified program.\n - The ability to influence reputation/signal/impact via socially engineering a program's team members.\n - Reports which disclose the existence of private programs that are using SAML.\n - Open redirect vulnerabilities that do not demonstrate a clear impact, such as sending secret tokens to an arbitrary domain.\n - The ability to see a user's rank when they're not ranked in the top 100. The rank is expected to be accessible by everyone.\n - Information disclosure caused by a customer/organization on HackerOne; these reports will be closed as informative and we encourage you to report the information disclosure to the relevant program to adhere to our Code of Conduct.\n - Information disclosure that is limited to a single username or a handful of usernames. 
Usernames are considered public information and would need to be paired with another attack to be exploited (https://hackerone.com/reports/2149766); directory attacks may still be interesting to us and will be evaluated case-by-case.\n - Bypassing the new-user enforced report limits by rapidly sending requests in short succession (https://hackerone.com/reports/2206703, https://hackerone.com/reports/152747); this is an accepted risk.\n\n\n# Transparent Decision-Making\n\nHackerOne maintains a commitment to the continuous review and evolution of its security approach. It's important to note that decisions on reports may vary over time as our strategies adapt to emerging security landscapes. While a decision on a past report may not necessarily dictate an identical outcome in the future, HackerOne is dedicated to transparency. We will make a best effort to communicate decisions clearly, preemptively explaining any policy adjustments to ensure understanding and collaboration with our valued community of hackers.\n\nWe will be closely following the CVSS guidelines when determining ‘Confidentiality’ and ‘Integrity’ metrics. The detailed guide can be found on page 10 here: https://www.first.org/cvss/v3-1/cvss-v31-specification_r1.pdf\n\n## Confidentiality\n\nPer the CVSS guidance, for a vulnerability to be considered to have a ‘High’ Confidentiality impact there must be a total loss of confidentiality of a HackerOne-owned asset OR the data that is disclosed must be considered highly sensitive.\n\nAs an example, a vulnerability that discloses information about a private program (e.g. the launch state, feature flags, etc.) will be considered `C:L`, whereas a vulnerability that discloses information about a vulnerability report to someone who is not authorized to view it would be considered `C:H`.\n\nLikewise, when evaluating a report, both the type of data disclosed and the quantity of exposure will be taken into account. 
For example, a vulnerability that discloses 5 email addresses will likely be considered `C:L`, but a vulnerability that discloses 5 email addresses AND the IP addresses associated with each email will be considered `C:H`.\n\n## Integrity\n\nPer the CVSS guidance, for a vulnerability to be considered to have a ‘High’ Integrity impact there must be a total loss of integrity for the HackerOne-owned asset OR modifying the data must have a serious consequence for the impacted component.\n\nAs an example, a vulnerability that allows an attacker to edit non-sensitive data on a hacker profile (e.g. Badges, Certifications, etc.) would be considered `I:L`, whereas a vulnerability that would allow an attacker to edit sensitive data on a hacker profile (e.g. Clear status) would be considered `I:H`.\n\n# Common false positives\nFalse positives will be closed as *Not Applicable*. This section describes tactics to make sure the behavior you're observing isn't a false positive.\n\n## Existence of invite-only programs\nHackerOne has six different program states that are important to understand: sandbox, invite-only, public, external program, external program + sandbox, and external program + invite-only. It is **only** a valid vulnerability when there is a difference between the sandbox and invite-only programs. It is **not** a vulnerability when you can't distinguish a sandboxed program from an invite-only program. 
You can use the following example program handles for your tests.\n\n| Program state | Program handle | ID | Node ID |\n| ----- | ----- | ----- | ----- |\n| Sandbox | @security-test-sandbox | 49806 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDY=` |\n| Invite-only | @security-test-invite-only | 49807 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDc=` |\n| Public | @security | 13 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vMTM=` |\n| External program | @security-test-ep | 49803 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDM=` |\n| External program + sandbox | @security-test-ep-sandbox | 49804 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDQ=` |\n| External program + invite-only | @security-test-ep-invite-only | 49805 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDU=` |\n\n## Other object identifiers that may be used for a proof of concept\nYou may use the following object identifiers to test against on hackerone.com. Feel free to use these for a proof of concept when submitting a report to us.\n\n| GraphQL ID | Class | ID | Note |\n| ----- | ----- | ----- | ----- |\n| `Z2lkOi8vaGFja2Vyb25lL1N0cnVjdHVyZWRTY29wZS81ODU3OQ==` | `StructuredScope` | 58579 | An asset belonging to @security-test-sandbox |\n| `Z2lkOi8vaGFja2Vyb25lL1N0cnVjdHVyZWRTY29wZS8xMDA1Nzg=` | `StructuredScope` | 100578 | An asset belonging to @security-test-invite-only |\n\n{F285265}\n","has_open_scope":true,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-04-05T11:46:54.509Z"},{"id":3722603,"new_policy":"We've built HackerOne from the ground up with [security as our top priority](https://www.hackerone.com/trust). Even so, we believe that all technology contains bugs and that the public plays a crucial role in identifying these bugs. 
If you believe you've found a security bug in our service, we'll gladly work with you to resolve that issue and ensure you are fairly compensated for your discovery.\n\n***💬 Feedback / Suggestions:***\nWe're constantly seeking to improve. If you have any questions on our security or suggestions on how HackerOne could be improved, please [let us know](https://support.hackerone.com).\n\n***💬 Important for reporting functional bugs:*** if you are looking to report a non-security-related bug in HackerOne, please [submit here](https://support.hackerone.com) instead.\n\n\n# Safe Harbor\n\n[Gold Standard Safe Harbor](https://hackerone.com/security/safe_harbor) applies. Please see the [Safe Harbor FAQ](https://docs.hackerone.com/programs/safe-harbor-faq.html) for more information.\n\n\nHackerOne program sandbox\n===============\nHackerOne offers a sandbox for hackers to help them test program functionality for security vulnerabilities. To create a program, go [here](https://hackerone.com/teams/new/sandbox). You can select any product edition, giving you access to almost all features HackerOne offers. Hackers can create up to 30 programs in the sandbox.\n\n\nEligibility and Responsible Disclosure\n===============\nWe encourage and respect the hacker community and ask that you act in good faith when working with us. Please abide by the following when participating in our program:\n\n - **Follow the Vulnerability Disclosure Guidelines.** As our platform lays out, please read and follow the [Vulnerability Disclosure Guidelines](https://www.hackerone.com/disclosure-guidelines).\n - **Respect all our users' privacy.** HackerOne is a community that holds a lot of information, and we count on you to help keep everyone safe. Limit testing to accounts you own and do not impact other users on HackerOne. 
If you do encounter any user data or program data, including but not limited to usernames, passwords, or vulnerability information, please report it to us immediately and stop testing right away.\n - **Bend, but not break.** When testing, use the minimal possible POC to validate a vulnerability; in cases when it may impact systems or users, ask permission first. No matter the case, do not damage or leave a system in a more vulnerable state than when you uncovered it.\n - Vulnerabilities that disclose the existence of a launched private HackerOne program (not a \"sandboxed\" or demo program) will be considered Low severity, whereas previously they would be considered Medium severity. Depending on the information that is disclosed, the team may increase the severity.\n - **Third party assets.** Our bug bounty program does not cover third-party assets, as it only applies to software under our control. However, we value efforts to enhance our security and may grant a bonus of 20% for reports related to these assets. The issue will be marked as Informative and closed accordingly.\n\n\nPublic disclosure\n===============\nWe believe in transparency about our security, so any valid vulnerabilities discovered are always [publicly disclosed](/security/hacktivity) once confirmed and resolved.\n\n\nProviding Evidence\n===============\n\nIf you are unsure if you will access others' information, please file a report and ask if you should proceed. In a situation where you have an account takeover of a HackerOne employee, please notify our team by [using this form](/report-a-security-incident). This page is only available from the compromised HackerOne employee account.\n\n\nBest Practices or Hardening\n===============\n\nOn occasion you may discover something that is not a vulnerability, but we will make appropriate code changes for hardening or to implement some best practices. 
In these situations, when HackerOne decides to put a change in place we will resolve the report giving the reporter credit, but will not award a bounty. In the case where we do not make a change, our practice will be to close it as Informative.\n\n\nScope Exclusions\n===============\nThe following categories of reports are considered out of scope for our program and will not be rewarded:\n\n - Any vulnerability affecting the availability of HackerOne's systems (e.g. Denial of Service vulnerabilities).\n - Reports which target a lack of host header validation or that exploit [multiple forward slashes](https://hackerone.com/reports/52035) at the root of the path segment of a URL. Both of these issues are known to both us and Cloudflare, and their resolution is outside our control.\n - Spamming other users with automated HackerOne emails or notifications (e.g. abusing the forgot password form).\n - Reports which [enumerate already claimed user and program handles](https://hackerone.com/reports/29185). 
This reveals no sensitive information, regardless of whether the associated profiles are public or private.\n - Reports which involve constructing a markdown link in such a way that it may appear confusing in the external link warning interstitial page, despite being properly decoded and fully enclosed in the demarcated \"External link\" box.\n - Reports relating to the execution of CSV content by a third-party client application due to special treatment of certain characters in the exported CSV.\n - Reports relating to invitation expiration dates.\n - Reports relating to self-DoS issues (as in, only the person doing the action is denied service).\n - The ability to game the badges functionality by closing submissions reported by yourself or a team member in a verified program.\n - The ability to influence reputation/signal/impact via socially engineering a program's team members.\n - Reports which disclose the existence of private programs that are using SAML.\n - Open redirect vulnerabilities that do not demonstrate a clear impact, such as sending secret tokens to an arbitrary domain.\n - The ability to see a user's rank when they're not ranked in the top 100. The rank is expected to be accessible by everyone.\n - Information disclosure caused by a customer/organization on HackerOne; these reports will be closed as informative and we encourage you to report the information disclosure to the relevant program to adhere to our Code of Conduct.\n- Information disclosure that is limited to just a single or handful of username(s). 
Usernames are considered public information and would need to be paired with another attack to be exploited (https://hackerone.com/reports/2149766) - directory attacks may still be interesting to us and will be evaluated case-by-case.\n- Bypassing the new user enforced report limits by rapidly sending requests in short succession (https://hackerone.com/reports/2206703, https://hackerone.com/reports/152747) - this is an accepted risk.\n\n\n# Transparent Decision-Making\n\nHackerOne maintains a commitment to the continuous review and evolution of its security approach. It's important to note that decisions on reports may vary over time as our strategies adapt to emerging security landscapes. While a decision on a past report may not necessarily dictate an identical outcome in the future, HackerOne is dedicated to transparency. We will make a best effort to communicate decisions clearly, preemptively explaining any policy adjustments to ensure understanding and collaboration with our valued community of hackers.\n\nWe will be closely following the CVSS guidelines when determining ‘Confidentiality’ and ‘Integrity’ metrics. The detailed guide can be found on page 10 here: https://www.first.org/cvss/v3-1/cvss-v31-specification_r1.pdf\n\n## Confidentiality\n\nPer the CVSS guidance, for a vulnerability to be considered to have a ‘High’ Confidentiality impact there must be a total loss of confidentiality of a HackerOne-owned asset OR the data that is disclosed must be considered highly sensitive. \n\nAs an example, a vulnerability that discloses information about a private program (e.g. the launch state, feature flags, etc.) will be considered `C:L`, whereas a vulnerability that discloses the information about a vulnerability report to someone that is not authorized to view it would be considered `C:H`. \n\nLikewise, when evaluating a report, the type of data disclosed AND the quantity of exposure will be taken into account. 
For example, a vulnerability that discloses 5 emails will likely be considered `C:L` but a vulnerability that discloses 5 emails AND IP addresses associated with each email will be considered `C:H`.\n\n## Integrity \n\nPer the CVSS guidance, for a vulnerability to be considered to have a ‘High’ Integrity impact there must be a total loss of integrity for the HackerOne-owned asset OR the data that can be modified has a serious consequence to the impacted component. \n\nAs an example, a vulnerability that allows an attacker to edit non-sensitive data for a hacker profile (e.g. Badges, Certifications, etc.) would be considered `I:L`, whereas a vulnerability that would allow an attacker to edit sensitive data on a hacker profile (e.g. Clear status) would be considered `I:H`.\n\n# Common false positives\nFalse positives will be closed as *Not Applicable*. This section will describe tactics to make sure the behavior you're observing isn't a false positive.\n\n## Existence of invite-only programs\nHackerOne has six different program states that are important to understand: sandbox, invite-only, public, external program, external program + sandbox, and external program + invite-only. It is **only** a valid vulnerability when there is a difference between the sandbox and invite-only programs. It is **not** a vulnerability when you can't distinguish a sandboxed program from an invite-only program. 
You can use the following example program handles for your tests.\n\n| Program state | Program handle | ID | Node ID |\n| ----- | ----- | ----- | ----- |\n| Sandbox | @security-test-sandbox | 49806 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDY=` |\n| Invite-only | @security-test-invite-only | 49807 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDc=` |\n| Public | @security | 13 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vMTM=` |\n| External program | @security-test-ep | 49803 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDM=` |\n| External program + sandbox | @security-test-ep-sandbox | 49804 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDQ=` |\n| External program + invite-only | @security-test-ep-invite-only | 49805 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDU=` |\n\n## Other object identifiers that may be used for a proof of concept\nYou may use the following object identifiers to test again on hackerone.com. Feel free to use these for a proof of concept when submitting a report to us.\n\n| GraphQL ID | Class | ID | Note |\n| ----- | ----- | ----- | ----- |\n| `Z2lkOi8vaGFja2Vyb25lL1N0cnVjdHVyZWRTY29wZS81ODU3OQ==` | `StructuredScope` | 58579 | An asset belonging to @security-test-sandbox |\n| `Z2lkOi8vaGFja2Vyb25lL1N0cnVjdHVyZWRTY29wZS8xMDA1Nzg=` | `StructuredScope` | 100578 | An asset belonging to @security-test-invite-only |\n\n{F285265}\n","has_open_scope":true,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-04-05T07:51:19.766Z"},{"id":3722482,"new_policy":"We've built HackerOne from the ground up with [security as our top priority](https://www.hackerone.com/trust). Even so, we believe that all technology contains bugs and that the public plays a crucial role in identifying these bugs. 
If you believe you've found a security bug in our service, we'll gladly work with you to resolve that issue and ensure you are fairly compensated for your discovery.\n\n***💬 Feedback / Suggestions:***\nWe're constantly seeking to improve. If you have any questions on our security or suggestions on how HackerOne could be improved, please [let us know](https://support.hackerone.com).\n\n***💬 Important for reporting functional bugs:*** if you are looking to report a non-security-related bug in HackerOne, please [submit here](https://support.hackerone.com) instead.\n\n\n# Safe Harbor\n\n[Gold Standard Safe Harbor](https://hackerone.com/security/safe_harbor) applies. Please see the [Safe Harbor FAQ](https://docs.hackerone.com/programs/safe-harbor-faq.html) for more information.\n\n\nHackerOne program sandbox\n===============\nHackerOne offers a sandbox for hackers to help them test program functionality for security vulnerabilities. To create a program, go [here](https://hackerone.com/teams/new/sandbox). You can select any product edition, giving you access to almost all features HackerOne offers. Hackers can create up to 30 programs in the sandbox. It is currently not possible to invite program members to new programs in the sandbox.\n\n\nEligibility and Responsible Disclosure\n===============\nWe encourage and respect the hacker community and ask that you act in good faith when working with us. Please abide by the following when participating in our program:\n\n - **Follow the Vulnerability Disclosure Guidelines.** As our platform lays out, please read and follow the [Vulnerability Disclosure Guidelines](https://www.hackerone.com/disclosure-guidelines).\n - **Respect all our users' privacy.** HackerOne is a community that holds a lot of information, and we count on you to help keep everyone safe. Limit testing to accounts you own and do not impact other users on HackerOne. 
If you do encounter any user data or program data, including but not limited to usernames, passwords, or vulnerability information, please report it to us immediately and stop testing right away.\n - **Bend, but not break.** When testing, use the minimal possible POC to validate a vulnerability; in cases when it may impact systems or users, ask permission first. No matter the case, do not damage or leave a system in a more vulnerable state than when you uncovered it.\n - Vulnerabilities that disclose the existence of a launched private HackerOne program (not a \"sandboxed\" or demo program) will be considered Low severity, whereas previously they would be considered Medium severity. Depending on the information that is disclosed, the team may increase the severity.\n - **Third party assets.** Our bug bounty program does not cover third-party assets, as it only applies to software under our control. However, we value efforts to enhance our security and may grant a bonus of 20% for reports related to these assets. The issue will be marked as Informative and closed accordingly.\n\n\nPublic disclosure\n===============\nWe believe in transparency about our security, so any valid vulnerabilities discovered are always [publicly disclosed](/security/hacktivity) once confirmed and resolved.\n\n\nProviding Evidence\n===============\n\nIf you are unsure if you will access others' information, please file a report and ask if you should proceed. In a situation where you have an account takeover of a HackerOne employee, please notify our team by [using this form](/report-a-security-incident). This page is only available from the compromised HackerOne employee account.\n\n\nBest Practices or Hardening\n===============\n\nOn occasion you may discover something that is not a vulnerability, but we will make appropriate code changes for hardening or to implement some best practices. 
In these situations, when HackerOne decides to put a change in place we will resolve the report giving the reporter credit, but will not award a bounty. In the case where we do not make a change, our practice will be to close it as Informative.\n\n\nScope Exclusions\n===============\nThe following categories of reports are considered out of scope for our program and will not be rewarded:\n\n - Any vulnerability affecting the availability of HackerOne's systems (e.g. Denial of Service vulnerabilities).\n - Reports which target a lack of host header validation or that exploit [multiple forward slashes](https://hackerone.com/reports/52035) at the root of the path segment of a URL. Both of these issues are known to both us and Cloudflare, and their resolution is outside our control.\n - Spamming other users with automated HackerOne emails or notifications (e.g. abusing the forgot password form).\n - Reports which [enumerate already claimed user and program handles](https://hackerone.com/reports/29185). 
This reveals no sensitive information, regardless of whether the associated profiles are public or private.\n - Reports which involve constructing a markdown link in such a way that it may appear confusing in the external link warning interstitial page, despite being properly decoded and fully enclosed in the demarcated \"External link\" box.\n - Reports relating to the execution of CSV content by a third-party client application due to special treatment of certain characters in the exported CSV.\n - Reports relating to invitation expiration dates.\n - Reports relating to self-DoS issues (as in, only the person doing the action is denied service).\n - The ability to game the badges functionality by closing submissions reported by yourself or a team member in a verified program.\n - The ability to influence reputation/signal/impact via socially engineering a program's team members.\n - Reports which disclose the existence of private programs that are using SAML.\n - Open redirect vulnerabilities that do not demonstrate a clear impact, such as sending secret tokens to an arbitrary domain.\n - The ability to see a user's rank when they're not ranked in the top 100. The rank is expected to be accessible by everyone.\n - Information disclosure caused by a customer/organization on HackerOne; these reports will be closed as informative and we encourage you to report the information disclosure to the relevant program to adhere to our Code of Conduct.\n- Information disclosure that is limited to just a single or handful of username(s). 
Usernames are considered public information and would need to be paired with another attack to be exploited (https://hackerone.com/reports/2149766) - directory attacks may still be interesting to us and will be evaluated case-by-case.\n- Bypassing the new user enforced report limits by rapidly sending requests in short succession (https://hackerone.com/reports/2206703, https://hackerone.com/reports/152747) - this is an accepted risk.\n\n\n# Transparent Decision-Making\n\nHackerOne maintains a commitment to the continuous review and evolution of its security approach. It's important to note that decisions on reports may vary over time as our strategies adapt to emerging security landscapes. While a decision on a past report may not necessarily dictate an identical outcome in the future, HackerOne is dedicated to transparency. We will make a best effort to communicate decisions clearly, preemptively explaining any policy adjustments to ensure understanding and collaboration with our valued community of hackers.\n\nWe will be closely following the CVSS guidelines when determining ‘Confidentiality’ and ‘Integrity’ metrics. The detailed guide can be found on page 10 here: https://www.first.org/cvss/v3-1/cvss-v31-specification_r1.pdf\n\n## Confidentiality\n\nPer the CVSS guidance, for a vulnerability to be considered to have a ‘High’ Confidentiality impact there must be a total loss of confidentiality of a HackerOne-owned asset OR the data that is disclosed must be considered highly sensitive. \n\nAs an example, a vulnerability that discloses information about a private program (e.g. the launch state, feature flags, etc.) will be considered `C:L`, whereas a vulnerability that discloses the information about a vulnerability report to someone that is not authorized to view it would be considered `C:H`. \n\nLikewise, when evaluating a report, the type of data disclosed AND the quantity of exposure will be taken into account. 
For example, a vulnerability that discloses 5 emails will likely be considered `C:L` but a vulnerability that discloses 5 emails AND IP addresses associated with each email will be considered `C:H`.\n\n## Integrity \n\nPer the CVSS guidance, for a vulnerability to be considered to have a ‘High’ Integrity impact there must be a total loss of integrity for the HackerOne-owned asset OR the data that can be modified has a serious consequence to the impacted component. \n\nAs an example, a vulnerability that allows an attacker to edit non-sensitive data for a hacker profile (e.g. Badges, Certifications, etc.) would be considered `I:L`, whereas a vulnerability that would allow an attacker to edit sensitive data on a hacker profile (e.g. Clear status) would be considered `I:H`.\n\n# Common false positives\nFalse positives will be closed as *Not Applicable*. This section will describe tactics to make sure the behavior you're observing isn't a false positive.\n\n## Existence of invite-only programs\nHackerOne has six different program states that are important to understand: sandbox, invite-only, public, external program, external program + sandbox, and external program + invite-only. It is **only** a valid vulnerability when there is a difference between the sandbox and invite-only programs. It is **not** a vulnerability when you can't distinguish a sandboxed program from an invite-only program. 
You can use the following example program handles for your tests.\n\n| Program state | Program handle | ID | Node ID |\n| ----- | ----- | ----- | ----- |\n| Sandbox | @security-test-sandbox | 49806 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDY=` |\n| Invite-only | @security-test-invite-only | 49807 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDc=` |\n| Public | @security | 13 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vMTM=` |\n| External program | @security-test-ep | 49803 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDM=` |\n| External program + sandbox | @security-test-ep-sandbox | 49804 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDQ=` |\n| External program + invite-only | @security-test-ep-invite-only | 49805 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDU=` |\n\n## Other object identifiers that may be used for a proof of concept\nYou may use the following object identifiers to test again on hackerone.com. Feel free to use these for a proof of concept when submitting a report to us.\n\n| GraphQL ID | Class | ID | Note |\n| ----- | ----- | ----- | ----- |\n| `Z2lkOi8vaGFja2Vyb25lL1N0cnVjdHVyZWRTY29wZS81ODU3OQ==` | `StructuredScope` | 58579 | An asset belonging to @security-test-sandbox |\n| `Z2lkOi8vaGFja2Vyb25lL1N0cnVjdHVyZWRTY29wZS8xMDA1Nzg=` | `StructuredScope` | 100578 | An asset belonging to @security-test-invite-only |\n\n{F285265}\n","has_open_scope":true,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-04-04T08:36:41.629Z"},{"id":3709449,"new_policy":"We've built HackerOne from the ground up with [security as our top priority](https://www.hackerone.com/trust). Even so, we believe that all technology contains bugs and that the public plays a crucial role in identifying these bugs. 
If you believe you've found a security bug in our service, we'll gladly work with you to resolve that issue and ensure you are fairly compensated for your discovery.\n\n***💬 Feedback / Suggestions:***\nWe're constantly seeking to improve. If you have any questions on our security or suggestions on how HackerOne could be improved, please [let us know](https://support.hackerone.com).\n\n***💬 Important for reporting functional bugs:*** if you are looking to report a non-security-related bug in HackerOne, please [submit here](https://support.hackerone.com) instead.\n\n\n# Safe Harbor\n\n[Gold Standard Safe Harbor](https://hackerone.com/security/safe_harbor) applies. Please see the [Safe Harbor FAQ](https://docs.hackerone.com/programs/safe-harbor-faq.html) for more information.\n\n\nHackerOne program sandbox\n===============\nHackerOne offers a sandbox for hackers to help them test program functionality for security vulnerabilities. To create a program, go [here](https://hackerone.com/teams/new/sandbox). You can select any product edition, giving you access to almost all features HackerOne offers. Hackers can create up to 30 programs in the sandbox. It is currently not possible to invite program members to new programs in the sandbox.\n\n\nEligibility and Responsible Disclosure\n===============\nWe encourage and respect the hacker community and ask that you act in good faith when working with us. Please abide by the following when participating in our program:\n\n - **Follow the Vulnerability Disclosure Guidelines.** As our platform lays out, please read and follow the [Vulnerability Disclosure Guidelines](https://www.hackerone.com/disclosure-guidelines).\n - **Respect all our users' privacy.** HackerOne is a community that holds a lot of information, and we count on you to help keep everyone safe. Limit testing to accounts you own and do not impact other users on HackerOne. 
If you do encounter any user data or program data, including but not limited to usernames, passwords, or vulnerability information, please report it to us immediately and stop testing right away.\n - **Bend, but not break.** When testing, use the minimal possible POC to validate a vulnerability; in cases when it may impact systems or users, ask permission first. No matter the case, do not damage or leave a system in a more vulnerable state than when you uncovered it.\n - Vulnerabilities that disclose the existence of a launched private HackerOne program (not a \"sandboxed\" or demo program) will be considered Low severity, whereas previously they would be considered Medium severity. Depending on the information that is disclosed, the team may increase the severity.\n - **Third party assets.** Our bug bounty program does not cover third-party assets, as it only applies to software under our control. However, we value efforts to enhance our security and may grant a bonus of 20% for reports related to these assets. The issue will be marked as Informative and closed accordingly.\n\n\nPublic disclosure\n===============\nWe believe in transparency about our security, so any valid vulnerabilities discovered are always [publicly disclosed](/security/hacktivity) once confirmed and resolved.\n\n\nProviding Evidence\n===============\n\nIf you are unsure if you will access others' information, please file a report and ask if you should proceed. In a situation where you have an account takeover of a HackerOne employee, please notify our team by [using this form](/report-a-security-incident). This page is only available from the compromised HackerOne employee account.\n\n\nBest Practices or Hardening\n===============\n\nOn occasion you may discover something that is not a vulnerability, but we will make appropriate code changes for hardening or to implement some best practices. 
In these situations, when HackerOne decides to put a change in place we will resolve the report giving the reporter credit, but will not award a bounty. In the case where we do not make a change, our practice will be to close it as Informative.\n\n\nScope Exclusions\n===============\nThe following categories of reports are considered out of scope for our program and will not be rewarded:\n\n - Any vulnerability affecting the availability of HackerOne's systems (e.g. Denial of Service vulnerabilities).\n - Reports which target a lack of host header validation or that exploit [multiple forward slashes](https://hackerone.com/reports/52035) at the root of the path segment of a URL. Both of these issues are known to both us and Cloudflare, and their resolution is outside our control.\n - Spamming other users with automated HackerOne emails or notifications (e.g. abusing the forgot password form).\n - Reports which [enumerate already claimed user and program handles](https://hackerone.com/reports/29185). 
This reveals no sensitive information, regardless of whether the associated profiles are public or private.\n - Reports which involve constructing a markdown link in such a way that it may appear confusing in the external link warning interstitial page, despite being properly decoded and fully enclosed in the demarcated \"External link\" box.\n - Reports relating to the execution of CSV content by a third-party client application due to special treatment of certain characters in the exported CSV.\n - Reports relating to invitation expiration dates.\n - Reports relating to self-DoS issues (as in, only the person doing the action is denied service).\n - The ability to game the badges functionality by closing submissions reported by yourself or a team member in a verified program.\n - The ability to influence reputation/signal/impact via socially engineering a program's team members.\n - Reports which disclose the existence of private programs that are using SAML.\n - Open redirect vulnerabilities that do not demonstrate a clear impact, such as sending secret tokens to an arbitrary domain.\n - The ability to see a user's rank when they're not ranked in the top 100. The rank is expected to be accessible by everyone.\n - Information disclosure caused by a customer/organization on HackerOne; these reports will be closed as informative and we encourage you to report the information disclosure to the relevant program to adhere to our Code of Conduct.\n- Information disclosure that is limited to just a single or handful of username(s). 
Usernames are considered public information and would need to be paired with another attack to be exploited (https://hackerone.com/reports/2149766) - directory attacks may still be interesting to us and will be evaluated case-by-case.\n- Bypassing the new user enforced report limits by rapidly sending requests in short succession (https://hackerone.com/reports/2206703, https://hackerone.com/reports/152747) - this is an accepted risk.\n\n\n# Transparent Decision-Making\n\nHackerOne maintains a commitment to the continuous review and evolution of its security approach. It's important to note that decisions on reports may vary over time as our strategies adapt to emerging security landscapes. While a decision on a past report may not necessarily dictate an identical outcome in the future, HackerOne is dedicated to transparency. We will make a best effort to communicate decisions clearly, preemptively explaining any policy adjustments to ensure understanding and collaboration with our valued community of hackers.\n\nWe will be closely following the CVSS guidelines when determining ‘Confidentiality’ and ‘Integrity’ metrics. The detailed guide can be found on page 10 here: https://www.first.org/cvss/v3-1/cvss-v31-specification_r1.pdf\n\n## Confidentiality\n\nPer the CVSS guidance, for a vulnerability to be considered to have a ‘High’ Confidentiality impact there must be a total loss of confidentiality of a HackerOne-owned asset OR the data that is disclosed must be considered highly sensitive. \n\nAs an example, a vulnerability that discloses information about a private program (e.g. the launch state, feature flags, etc.) will be considered `C:L`, whereas a vulnerability that discloses the information about a vulnerability report to someone that is not authorized to view it would be considered `C:H`. \n\nLikewise, when evaluating a report, the type of data disclosed AND the quantity of exposure will be taken into account. 
For example, a vulnerability that discloses 5 emails will likely be considered `C:L` but a vulnerability that discloses 5 emails AND IP addresses associated with each email will be considered `C:H`.\n\n## Integrity \n\nPer the CVSS guidance, for a vulnerability to be considered to have a ‘High’ Integrity impact there must be a total loss of integrity for the HackerOne-owned asset OR the data that can be modified has a serious consequence to the impacted component. \n\nAs an example, a vulnerability that allows an attacker to edit non-sensitive data for a hacker profile (e.g. Badges, Certifications, etc.) would be considered `I:L`, whereas a vulnerability that would allow an attacker to edit sensitive data on a hacker profile (e.g. Clear status) would be considered `I:H`.\n\n# Common false positives\nFalse positives will be closed as *Not Applicable*. This section will describe tactics to make sure the behavior you're observing isn't a false positive.\n\n## Existence of invite-only programs\nHackerOne has six different program states that are important to understand: sandbox, invite-only, public, external program, external program + sandbox, and external program + invite-only. It is **only** a valid vulnerability when there is a difference between the sandbox and invite-only programs. It is **not** a vulnerability when you can't distinguish a sandboxed program from an invite-only program. 
You can use the following example program handles for your tests.\n\n| Program state | Program handle | ID | Node ID |\n| ----- | ----- | ----- | ----- |\n| Sandbox | @security-test-sandbox | 49806 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDY=` |\n| Invite-only | @security-test-invite-only | 49807 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDc=` |\n| Public | @security | 13 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vMTM=` |\n| External program | @security-test-ep | 49803 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDM=` |\n| External program + sandbox | @security-test-ep-sandbox | 49804 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDQ=` |\n| External program + invite-only | @security-test-ep-invite-only | 49805 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDU=` |\n\n## Other object identifiers that may be used for a proof of concept\nYou may use the following object identifiers when testing on hackerone.com. Feel free to use these for a proof of concept when submitting a report to us.\n\n| GraphQL ID | Class | ID | Note |\n| ----- | ----- | ----- | ----- |\n| `Z2lkOi8vaGFja2Vyb25lL1N0cnVjdHVyZWRTY29wZS81ODU3OQ==` | `StructuredScope` | 58579 | An asset belonging to @security-test-sandbox |\n| `Z2lkOi8vaGFja2Vyb25lL1N0cnVjdHVyZWRTY29wZS8xMDA1Nzg=` | `StructuredScope` | 100578 | An asset belonging to @security-test-invite-only |\n\n{F285265}\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-12-18T17:15:30.828Z"},{"id":3705971,"new_policy":"We've built HackerOne from the ground up with [security as our top priority](https://www.hackerone.com/trust). Even so, we believe that all technology contains bugs and that the public plays a crucial role in identifying these bugs. 
If you believe you've found a security bug in our service, we'll gladly work with you to resolve that issue and ensure you are fairly compensated for your discovery.\n\n***💬 Feedback / Suggestions:***\nWe're constantly seeking to improve. If you have any questions on our security or suggestions on how HackerOne could be improved, please [let us know](https://support.hackerone.com).\n\n***💬 Important for reporting functional bugs:*** if you are looking to report a non-security-related bug in HackerOne, please [submit here](https://support.hackerone.com) instead.\n\n\n# Safe Harbor\n\n[Gold Standard Safe Harbor](https://hackerone.com/security/safe_harbor) applies. Please see the [Safe Harbor FAQ](https://docs.hackerone.com/programs/safe-harbor-faq.html) for more information.\n\n\nHackerOne program sandbox\n===============\nHackerOne offers a sandbox for hackers to help them test program functionality for security vulnerabilities. To create a program, go [here](https://hackerone.com/teams/new/sandbox). You can select any product edition, giving you access to almost all features HackerOne offers. Hackers can create up to 30 programs in the sandbox. It is currently not possible to invite program members to new programs in the sandbox.\n\n\nEligibility and Responsible Disclosure\n===============\nWe encourage and respect the hacker community and ask that you act in good faith when working with us. Please abide by the following when participating in our program:\n\n - **Follow the Vulnerability Disclosure Guidelines.** As our platform lays out, please read and follow the [Vulnerability Disclosure Guidelines](https://www.hackerone.com/disclosure-guidelines).\n - **Respect all our users' privacy.** HackerOne is a community that holds a lot of information, and we count on you to help keep everyone safe. Limit testing to accounts you own and do not impact other users on HackerOne. 
If you do encounter any user data or program data, including but not limited to usernames, passwords, or vulnerability information, please report it to us immediately and stop testing right away.\n - **Bend, but not break.** When testing, use the minimal possible PoC to validate a vulnerability; in cases when it may impact systems or users, ask permission first. No matter the case, do not damage or leave a system in a more vulnerable state than when you uncovered it.\n - Vulnerabilities that disclose the existence of a launched private HackerOne program (not a \"sandboxed\" or demo program) will be considered Low severity, whereas previously they would be considered Medium severity. Depending on the information that is disclosed, the team may increase the severity.\n - **Third party assets.** Our bug bounty program does not cover third-party assets, as it only applies to software under our control. However, we value efforts to enhance our security and may grant a bonus of 20% for reports related to these assets. The issue will be marked as Informative and closed accordingly.\n\n\nPublic disclosure\n===============\nWe believe in transparency about our security, so any valid vulnerabilities discovered are always [publicly disclosed](/security/hacktivity) once confirmed and resolved.\n\n\nProviding Evidence\n===============\n\nIf you are unsure whether you will access others' information, please file a report and ask if you should proceed. In a situation where you have an account takeover of a HackerOne employee, please notify our team by [using this form](/report-a-security-incident). This page is only available from the compromised HackerOne employee account.\n\n\nBest Practices or Hardening\n===============\n\nOn occasion you may discover something that is not a vulnerability, but for which we will make appropriate code changes for hardening or to implement some best practices. 
In these situations, when HackerOne decides to put a change in place we will resolve the report giving the reporter credit, but will not award a bounty. In the case where we do not make a change, our practice will be to close it as Informative.\n\n\nScope Exclusions\n===============\nThe following categories of reports are considered out of scope for our program and will not be rewarded:\n\n - Any vulnerability affecting the availability of HackerOne's systems (e.g. Denial of Service vulnerabilities).\n - Reports which target a lack of host header validation or that exploit [multiple forward slashes](https://hackerone.com/reports/52035) at the root of the path segment of a URL. Both of these issues are known to both us and Cloudflare, and their resolution is outside our control.\n - Spamming other users with automated HackerOne emails or notifications (e.g. abusing the forgot password form).\n - Reports which [enumerate already claimed user and program handles](https://hackerone.com/reports/29185). 
This reveals no sensitive information, regardless of whether the associated profiles are public or private.\n - Reports which involve constructing a markdown link in such a way that it may appear confusing in the external link warning interstitial page, despite being properly decoded and fully enclosed in the demarcated \"External link\" box.\n - Reports relating to the execution of CSV content by a third-party client application due to special treatment of certain characters in the exported CSV.\n - Reports relating to invitation expiration dates.\n - Reports relating to self-DoS issues (as in, only the person doing the action is denied service).\n - The ability to game the badges functionality by closing submissions reported by yourself or a team member in a verified program.\n - The ability to influence reputation/signal/impact via socially engineering a program's team members.\n - Reports which disclose the existence of private programs that are using SAML.\n - Open redirect vulnerabilities that do not demonstrate a clear impact, such as sending secret tokens to an arbitrary domain.\n - The ability to see a user's rank when they're not ranked in the top 100. The rank is expected to be accessible by everyone.\n - Information disclosure caused by a customer/organization on HackerOne; these reports will be closed as informative and we encourage you to report the information disclosure to the relevant program to adhere to our Code of Conduct.\n- Information disclosure that is limited to just a single username or a handful of usernames. 
Usernames are considered public information and would need to be paired with another attack to be exploited (https://hackerone.com/reports/2149766) - directory attacks may still be interesting to us and will be evaluated case-by-case.\n- Bypassing the new user enforced report limits by rapidly sending requests in short succession (https://hackerone.com/reports/2206703, https://hackerone.com/reports/152747) - this is an accepted risk.\n\n# Common false positives\nFalse positives will be closed as *Not Applicable*. This section will describe tactics to make sure the behavior you're observing isn't a false positive.\n\n## Existence of invite-only programs\nHackerOne has six different program states that are important to understand: sandbox, invite-only, public, external program, external program + sandbox, and external program + invite-only. It is **only** a valid vulnerability when there is a difference between the sandbox and invite-only programs. It is **not** a vulnerability when you can't distinguish a sandboxed program from an invite-only program. You can use the following example program handles for your tests.\n\n| Program state | Program handle | ID | Node ID |\n| ----- | ----- | ----- | ----- |\n| Sandbox | @security-test-sandbox | 49806 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDY=` |\n| Invite-only | @security-test-invite-only | 49807 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDc=` |\n| Public | @security | 13 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vMTM=` |\n| External program | @security-test-ep | 49803 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDM=` |\n| External program + sandbox | @security-test-ep-sandbox | 49804 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDQ=` |\n| External program + invite-only | @security-test-ep-invite-only | 49805 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDU=` |\n\n## Other object identifiers that may be used for a proof of concept\nYou may use the following object identifiers when testing on hackerone.com. 
Feel free to use these for a proof of concept when submitting a report to us.\n\n| GraphQL ID | Class | ID | Note |\n| ----- | ----- | ----- | ----- |\n| `Z2lkOi8vaGFja2Vyb25lL1N0cnVjdHVyZWRTY29wZS81ODU3OQ==` | `StructuredScope` | 58579 | An asset belonging to @security-test-sandbox |\n| `Z2lkOi8vaGFja2Vyb25lL1N0cnVjdHVyZWRTY29wZS8xMDA1Nzg=` | `StructuredScope` | 100578 | An asset belonging to @security-test-invite-only |\n\n{F285265}\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-10-27T10:13:00.255Z"},{"id":3705920,"new_policy":"We've built HackerOne from the ground up with [security as our top priority](https://www.hackerone.com/trust). Even so, we believe that all technology contains bugs and that the public plays a crucial role in identifying these bugs. If you believe you've found a security bug in our service, we'll gladly work with you to resolve that issue and ensure you are fairly compensated for your discovery.\n\n***💬 Feedback / Suggestions:***\nWe're constantly seeking to improve. If you have any questions on our security or suggestions on how HackerOne could be improved, please [let us know](https://support.hackerone.com).\n\n***💬 Important for reporting functional bugs:*** if you are looking to report a non-security-related bug in HackerOne, please [submit here](https://support.hackerone.com) instead.\n\n\n# Safe Harbor\n\n[Gold Standard Safe Harbor](https://hackerone.com/security/safe_harbor) applies. Please see the [Safe Harbor FAQ](https://docs.hackerone.com/programs/safe-harbor-faq.html) for more information.\n\n\nHackerOne program sandbox\n===============\nHackerOne offers a sandbox for hackers to help them test program functionality for security vulnerabilities. 
To create a program, go [here](https://hackerone.com/teams/new/sandbox). You can select any product edition, giving you access to almost all features HackerOne offers. Hackers can create up to 30 programs in the sandbox. It is currently not possible to invite program members to new programs in the sandbox.\n\n\nEligibility and Responsible Disclosure\n===============\nWe encourage and respect the hacker community and ask that you act in good faith when working with us. Please abide by the following when participating in our program:\n\n - **Follow the Vulnerability Disclosure Guidelines.** As our platform lays out, please read and follow the [Vulnerability Disclosure Guidelines](https://www.hackerone.com/disclosure-guidelines).\n - **Respect all our users' privacy.** HackerOne is a community that holds a lot of information, and we count on you to help keep everyone safe. Limit testing to accounts you own and do not impact other users on HackerOne. If you do encounter any user data or program data, including but not limited to usernames, passwords, or vulnerability information, please report it to us immediately and stop testing right away.\n - **Bend, but not break.** When testing, use the minimal possible PoC to validate a vulnerability; in cases when it may impact systems or users, ask permission first. No matter the case, do not damage or leave a system in a more vulnerable state than when you uncovered it.\n - Vulnerabilities that disclose the existence of a launched private HackerOne program (not a \"sandboxed\" or demo program) will be considered Low severity, whereas previously they would be considered Medium severity. Depending on the information that is disclosed, the team may increase the severity.\n - **Third party assets.** Our bug bounty program does not cover third-party assets, as it only applies to software under our control. However, we value efforts to enhance our security and may grant a bonus of 20% for reports related to these assets. 
The issue will be marked as Informative and closed accordingly.\n\n\nPublic disclosure\n===============\nWe believe in transparency about our security, so any valid vulnerabilities discovered are always [publicly disclosed](/security/hacktivity) once confirmed and resolved.\n\n\nProviding Evidence\n===============\n\nIf you are unsure whether you will access others' information, please file a report and ask if you should proceed. In a situation where you have an account takeover of a HackerOne employee, please notify our team by [using this form](/report-a-security-incident). This page is only available from the compromised HackerOne employee account.\n\n\nBest Practices or Hardening\n===============\n\nOn occasion you may discover something that is not a vulnerability, but for which we will make appropriate code changes for hardening or to implement some best practices. In these situations, when HackerOne decides to put a change in place, we will resolve the report, giving the reporter credit, but will not award a bounty. In the case where we do not make a change, our practice will be to close it as Informative.\n\n\nScope Exclusions\n===============\nThe following categories of reports are considered out of scope for our program and will not be rewarded:\n\n - Any vulnerability affecting the availability of HackerOne's systems (e.g. Denial of Service vulnerabilities).\n - Reports which target a lack of host header validation or that exploit [multiple forward slashes](https://hackerone.com/reports/52035) at the root of the path segment of a URL. Both of these issues are known to us and to Cloudflare, and their resolution is outside our control.\n - Spamming other users with automated HackerOne emails or notifications (e.g. abusing the forgot password form).\n - Reports which [enumerate already claimed user and program handles](https://hackerone.com/reports/29185). 
This reveals no sensitive information, regardless of whether the associated profiles are public or private.\n - Reports which involve constructing a markdown link in such a way that it may appear confusing in the external link warning interstitial page, despite being properly decoded and fully enclosed in the demarcated \"External link\" box.\n - Reports relating to the execution of CSV content by a third-party client application due to special treatment of certain characters in the exported CSV.\n - Reports relating to invitation expiration dates.\n - Reports relating to self-DoS issues (as in, only the person doing the action is denied service).\n - The ability to game the badges functionality by closing submissions reported by yourself or a team member in a verified program.\n - The ability to influence reputation/signal/impact via socially engineering a program's team members.\n - Reports which disclose the existence of private programs that are using SAML.\n - Open redirect vulnerabilities that do not demonstrate a clear impact, such as sending secret tokens to an arbitrary domain.\n - The ability to see a user's rank when they're not ranked in the top 100. The rank is expected to be accessible by everyone.\n - Information disclosure caused by a customer on HackerOne; these reports will be closed as informative and we encourage you to report the information disclosure to the relevant program to adhere to our Code of Conduct.\n- Bypassing the new user enforced report limits by rapidly sending requests in short succession (https://hackerone.com/reports/2206703, https://hackerone.com/reports/152747) - this is an accepted risk.\n\n# Common false positives\nFalse positives will be closed as *Not Applicable*. 
This section will describe tactics to make sure the behavior you're observing isn't a false positive.\n\n## Existence of invite-only programs\nHackerOne has six different program states that are important to understand: sandbox, invite-only, public, external program, external program + sandbox, and external program + invite-only. It is **only** a valid vulnerability when there is a difference between the sandbox and invite-only programs. It is **not** a vulnerability when you can't distinguish a sandboxed program from an invite-only program. You can use the following example program handles for your tests.\n\n| Program state | Program handle | ID | Node ID |\n| ----- | ----- | ----- | ----- |\n| Sandbox | @security-test-sandbox | 49806 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDY=` |\n| Invite-only | @security-test-invite-only | 49807 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDc=` |\n| Public | @security | 13 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vMTM=` |\n| External program | @security-test-ep | 49803 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDM=` |\n| External program + sandbox | @security-test-ep-sandbox | 49804 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDQ=` |\n| External program + invite-only | @security-test-ep-invite-only | 49805 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDU=` |\n\n## Other object identifiers that may be used for a proof of concept\nYou may use the following object identifiers when testing on hackerone.com. 
Feel free to use these for a proof of concept when submitting a report to us.\n\n| GraphQL ID | Class | ID | Note |\n| ----- | ----- | ----- | ----- |\n| `Z2lkOi8vaGFja2Vyb25lL1N0cnVjdHVyZWRTY29wZS81ODU3OQ==` | `StructuredScope` | 58579 | An asset belonging to @security-test-sandbox |\n| `Z2lkOi8vaGFja2Vyb25lL1N0cnVjdHVyZWRTY29wZS8xMDA1Nzg=` | `StructuredScope` | 100578 | An asset belonging to @security-test-invite-only |\n\n{F285265}\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-10-26T11:51:07.346Z"},{"id":3689857,"new_policy":"We've built HackerOne from the ground up with [security as our top priority](https://www.hackerone.com/trust). Even so, we believe that all technology contains bugs and that the public plays a crucial role in identifying these bugs. If you believe you've found a security bug in our service, we'll gladly work with you to resolve that issue and ensure you are fairly compensated for your discovery.\n\n***💬 Feedback / Suggestions:***\nWe're constantly seeking to improve. If you have any questions on our security or suggestions on how HackerOne could be improved, please [let us know](https://support.hackerone.com).\n\n***💬 Important for reporting functional bugs:*** if you are looking to report a non-security-related bug in HackerOne, please [submit here](https://support.hackerone.com) instead.\n\n\n# Safe Harbor\n\n[Gold Standard Safe Harbor](https://hackerone.com/security/safe_harbor) applies. Please see the [Safe Harbor FAQ](https://docs.hackerone.com/programs/safe-harbor-faq.html) for more information.\n\n\nHackerOne program sandbox\n===============\nHackerOne offers a sandbox for hackers to help them test program functionality for security vulnerabilities. 
To create a program, go [here](https://hackerone.com/teams/new/sandbox). You can select any product edition, giving you access to almost all features HackerOne offers. Hackers can create up to 30 programs in the sandbox. It is currently not possible to invite program members to new programs in the sandbox.\n\n\nEligibility and Responsible Disclosure\n===============\nWe encourage and respect the hacker community and ask that you act in good faith when working with us. Please abide by the following when participating in our program:\n\n - **Follow the Vulnerability Disclosure Guidelines.** As our platform lays out, please read and follow the [Vulnerability Disclosure Guidelines](https://www.hackerone.com/disclosure-guidelines).\n - **Respect all our users' privacy.** HackerOne is a community that holds a lot of information, and we count on you to help keep everyone safe. Limit testing to accounts you own and do not impact other users on HackerOne. If you do encounter any user data or program data, including but not limited to usernames, passwords, or vulnerability information, please report it to us immediately and stop testing right away.\n - **Bend, but not break.** When testing, use the minimal possible PoC to validate a vulnerability; in cases when it may impact systems or users, ask permission first. No matter the case, do not damage or leave a system in a more vulnerable state than when you uncovered it.\n - Vulnerabilities that disclose the existence of a launched private HackerOne program (not a \"sandboxed\" or demo program) will be considered Low severity, whereas previously they would be considered Medium severity. Depending on the information that is disclosed, the team may increase the severity.\n - **Third party assets.** Our bug bounty program does not cover third-party assets, as it only applies to software under our control. However, we value efforts to enhance our security and may grant a bonus of 20% for reports related to these assets. 
The issue will be marked as Informative and closed accordingly.\n\n\nPublic disclosure\n===============\nWe believe in transparency about our security, so any valid vulnerabilities discovered are always [publicly disclosed](/security/hacktivity) once confirmed and resolved.\n\n\nProviding Evidence\n===============\n\nIf you are unsure whether you will access others' information, please file a report and ask if you should proceed. In a situation where you have an account takeover of a HackerOne employee, please notify our team by [using this form](/report-a-security-incident). This page is only available from the compromised HackerOne employee account.\n\n\nBest Practices or Hardening\n===============\n\nOn occasion you may discover something that is not a vulnerability, but for which we will make appropriate code changes for hardening or to implement some best practices. In these situations, when HackerOne decides to put a change in place, we will resolve the report, giving the reporter credit, but will not award a bounty. In the case where we do not make a change, our practice will be to close it as Informative.\n\n\nScope Exclusions\n===============\nThe following categories of reports are considered out of scope for our program and will not be rewarded:\n\n - Any vulnerability affecting the availability of HackerOne's systems (e.g. Denial of Service vulnerabilities).\n - Reports which target a lack of host header validation or that exploit [multiple forward slashes](https://hackerone.com/reports/52035) at the root of the path segment of a URL. Both of these issues are known to us and to Cloudflare, and their resolution is outside our control.\n - Spamming other users with automated HackerOne emails or notifications (e.g. abusing the forgot password form).\n - Reports which [enumerate already claimed user and program handles](https://hackerone.com/reports/29185). 
This reveals no sensitive information, regardless of whether the associated profiles are public or private.\n - Reports which involve constructing a markdown link in such a way that it may appear confusing in the external link warning interstitial page, despite being properly decoded and fully enclosed in the demarcated \"External link\" box.\n - Reports relating to the execution of CSV content by a third-party client application due to special treatment of certain characters in the exported CSV.\n - Reports relating to invitation expiration dates.\n - Reports relating to self-DoS issues (as in, only the person doing the action is denied service).\n - The ability to game the badges functionality by closing submissions reported by yourself or a team member in a verified program.\n - The ability to influence reputation/signal/impact via socially engineering a program's team members.\n - Reports which disclose the existence of private programs that are using SAML.\n - Open redirect vulnerabilities that do not demonstrate a clear impact, such as sending secret tokens to an arbitrary domain.\n - The ability to see a user's rank when they're not ranked in the top 100. The rank is expected to be accessible by everyone.\n - Information disclosure caused by a customer on HackerOne; these reports will be closed as informative and we encourage you to report the information disclosure to the relevant program to adhere to our Code of Conduct.\n\n# Common false positives\nFalse positives will be closed as *Not Applicable*. This section will describe tactics to make sure the behavior you're observing isn't a false positive.\n\n## Existence of invite-only programs\nHackerOne has six different program states that are important to understand: sandbox, invite-only, public, external program, external program + sandbox, and external program + invite-only. It is **only** a valid vulnerability when there is a difference between the sandbox and invite-only programs. 
It is **not** a vulnerability when you can't distinguish a sandboxed program from an invite-only program. You can use the following example program handles for your tests.\n\n| Program state | Program handle | ID | Node ID |\n| ----- | ----- | ----- | ----- |\n| Sandbox | @security-test-sandbox | 49806 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDY=` |\n| Invite-only | @security-test-invite-only | 49807 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDc=` |\n| Public | @security | 13 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vMTM=` |\n| External program | @security-test-ep | 49803 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDM=` |\n| External program + sandbox | @security-test-ep-sandbox | 49804 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDQ=` |\n| External program + invite-only | @security-test-ep-invite-only | 49805 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDU=` |\n\n## Other object identifiers that may be used for a proof of concept\nYou may use the following object identifiers when testing on hackerone.com. Feel free to use these for a proof of concept when submitting a report to us.\n\n| GraphQL ID | Class | ID | Note |\n| ----- | ----- | ----- | ----- |\n| `Z2lkOi8vaGFja2Vyb25lL1N0cnVjdHVyZWRTY29wZS81ODU3OQ==` | `StructuredScope` | 58579 | An asset belonging to @security-test-sandbox |\n| `Z2lkOi8vaGFja2Vyb25lL1N0cnVjdHVyZWRTY29wZS8xMDA1Nzg=` | `StructuredScope` | 100578 | An asset belonging to @security-test-invite-only |\n\n{F285265}\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-06-23T17:45:36.999Z"},{"id":3689726,"new_policy":"We've built HackerOne from the ground up with [security as our top priority](https://www.hackerone.com/trust). Even so, we believe that all technology contains bugs and that the public plays a crucial role in identifying these bugs. 
If you believe you've found a security bug in our service, we'll gladly work with you to resolve that issue and ensure you are fairly compensated for your discovery.\n\n***💬 Feedback / Suggestions:***\nWe're constantly seeking to improve. If you have any questions on our security or suggestions on how HackerOne could be improved, please [let us know](https://support.hackerone.com).\n\n***💬 Important for reporting functional bugs:*** if you are looking to report a non-security-related bug in HackerOne, please [submit here](https://support.hackerone.com) instead.\n\n\n# Safe Harbor\n\n[Gold Standard Safe Harbor](https://hackerone.com/security/safe_harbor) applies. Please see the [Safe Harbor FAQ](https://docs.hackerone.com/programs/safe-harbor-faq.html) for more information.\n\n\nHackerOne program sandbox\n===============\nHackerOne offers a sandbox for hackers to help them test program functionality for security vulnerabilities. To create a program, go [here](https://hackerone.com/teams/new/sandbox). You can select any product edition, giving you access to almost all features HackerOne offers. Hackers can create up to 30 programs in the sandbox. It is currently not possible to invite program members to new programs in the sandbox.\n\n\nEligibility and Responsible Disclosure\n===============\nWe encourage and respect the hacker community and ask that you act in good faith when working with us. Please abide by the following when participating in our program:\n\n - **Follow the Vulnerability Disclosure Guidelines.** As our platform lays out, please read and follow the [Vulnerability Disclosure Guidelines](https://www.hackerone.com/disclosure-guidelines).\n - **Respect all our users' privacy.** HackerOne is a community that holds a lot of information, and we count on you to help keep everyone safe. Limit testing to accounts you own and do not impact other users on HackerOne. 
If you do encounter any user data or program data, including but not limited to usernames, passwords, or vulnerability information, please report it to us immediately and stop testing right away.\n - **Bend, but not break.** When testing, use the minimal possible PoC to validate a vulnerability; in cases when it may impact systems or users, ask permission first. No matter the case, do not damage or leave a system in a more vulnerable state than when you uncovered it.\n - Vulnerabilities that disclose the existence of a launched private HackerOne program (not a \"sandboxed\" or demo program) will be considered Low severity, whereas previously they would be considered Medium severity. Depending on the information that is disclosed, the team may increase the severity.\n\n\nPublic disclosure\n===============\nWe believe in transparency about our security, so any valid vulnerabilities discovered are always [publicly disclosed](/security/hacktivity) once confirmed and resolved.\n\n\nProviding Evidence\n===============\n\nIf you are unsure whether you will access others' information, please file a report and ask if you should proceed. In a situation where you have an account takeover of a HackerOne employee, please notify our team by [using this form](/report-a-security-incident). This page is only available from the compromised HackerOne employee account.\n\n\nBest Practices or Hardening\n===============\n\nOn occasion you may discover something that is not a vulnerability, but for which we will make appropriate code changes for hardening or to implement some best practices. In these situations, when HackerOne decides to put a change in place, we will resolve the report, giving the reporter credit, but will not award a bounty. 
In the case where we do not make a change, our practice will be to close it as Informative.\n\n\nScope Exclusions\n===============\nThe following categories of reports are considered out of scope for our program and will not be rewarded:\n\n - Any vulnerability affecting the availability of HackerOne's systems (e.g. Denial of Service vulnerabilities).\n - Reports which target a lack of host header validation or that exploit [multiple forward slashes](https://hackerone.com/reports/52035) at the root of the path segment of a URL. Both of these issues are known to both us and Cloudflare, and their resolution is outside our control.\n - Spamming other users with automated HackerOne emails or notifications (e.g. abusing the forgot password form).\n - Reports which [enumerate already claimed user and program handles](https://hackerone.com/reports/29185). This reveals no sensitive information, regardless of whether the associated profiles are public or private.\n - Reports which involve constructing a markdown link in such a way that it may appear confusing in the external link warning interstitial page, despite being properly decoded and fully enclosed in the demarcated \"External link\" box.\n - Reports relating to the execution of CSV content by a third-party client application due to special treatment of certain characters in the exported CSV.\n - Reports relating to invitation expiration dates.\n - Reports relating to self-DoS issues (as in, only the person doing the action is denied service).\n - The ability to game the badges functionality by closing submissions reported by yourself or a team member in a verified program.\n - The ability to influence reputation/signal/impact via socially engineering a program's team members.\n - Reports which disclose the existence of private programs that are using SAML.\n - Open redirect vulnerabilities that do not demonstrate a clear impact, such as sending secret tokens to an arbitrary domain.\n - The ability to see a user's 
rank when they're not ranked in the top 100. The rank is expected to be accessible by everyone.\n - Information disclosure caused by a customer on HackerOne; these reports will be closed as informative and we encourage you to report the information disclosure to the relevant program to adhere to our Code of Conduct.\n\n# Common false positives\nFalse positives will be closed as *Not Applicable*. This section will describe tactics to make sure the behavior you're observing isn't a false positive.\n\n## Existence of invite-only programs\nHackerOne has six different program states that are important to understand: sandbox, invite-only, public, external program, external program + sandbox, and external program + invite-only. It is **only** a valid vulnerability when there is a difference between the sandbox and invite-only programs. It is **not** a vulnerability when you can't distinguish a sandboxed program from an invite-only program. You can use the following example program handles for your tests.\n\n| Program state | Program handle | ID | Node ID |\n| ----- | ----- | ----- | ----- |\n| Sandbox | @security-test-sandbox | 49806 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDY=` |\n| Invite-only | @security-test-invite-only | 49807 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDc=` |\n| Public | @security | 13 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vMTM=` |\n| External program | @security-test-ep | 49803 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDM=` |\n| External program + sandbox | @security-test-ep-sandbox | 49804 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDQ=` |\n| External program + invite-only | @security-test-ep-invite-only | 49805 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDU=`\n\n## Other object identifiers that may be used for a proof of concept\nYou may use the following object identifiers to test again on hackerone.com. 
Feel free to use these for a proof of concept when submitting a report to us.\n\n| GraphQL ID | Class | ID | Note |\n| ----- | ----- | ----- | ----- |\n| `Z2lkOi8vaGFja2Vyb25lL1N0cnVjdHVyZWRTY29wZS81ODU3OQ==` | `StructuredScope` | 58579 | An asset belonging to @security-test-sandbox |\n| `Z2lkOi8vaGFja2Vyb25lL1N0cnVjdHVyZWRTY29wZS8xMDA1Nzg=` | `StructuredScope` | 100578 | An asset belonging to @security-test-invite-only |\n\n{F285265}\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-06-21T14:03:50.037Z"},{"id":3687574,"new_policy":"We've built HackerOne from the ground up with [security as our top priority](https://www.hackerone.com/trust). Even so, we believe that all technology contains bugs and that the public plays a crucial role in identifying these bugs. If you believe you've found a security bug in our service, we'll gladly work with you to resolve that issue and ensure you are fairly compensated for your discovery.\n\nWe're constantly seeking to improve. If you have any questions on our security or suggestions on how HackerOne could be improved, please [let us know](https://support.hackerone.com).\n\n**💬 Important for reporting functional bugs:** if you are looking to report a non-security-related bug in HackerOne, please [submit here](https://support.hackerone.com) instead.\n\nHackerOne program sandbox\n===============\nHackerOne offers a sandbox for hackers to help them test program functionality for security vulnerabilities. To create a program, go [here](https://hackerone.com/teams/new/sandbox). You can select any product edition, giving you access to almost all features HackerOne offers. Hackers can create up to 30 programs in the sandbox. 
It is currently not possible to invite program members to new programs in the sandbox.\n\nEligibility and Responsible Disclosure\n===============\nWe encourage and respect the hacker community and ask that you act in good faith when working with us. Please abide by the following when participating in our program:\n\n - **Follow the Vulnerability Disclosure Guidelines.** As our platform lays out, please read and follow the [Vulnerability Disclosure Guidelines](https://www.hackerone.com/disclosure-guidelines).\n - **Respect all our users' privacy.** HackerOne is a community that holds a lot of information, and we count on you to help keep everyone safe. Limit testing to accounts you own and do not impact other users on HackerOne. If you do encounter any user data or program data, including but not limited to usernames, passwords, or vulnerability information, please report it to us immediately and stop testing right away.\n - **Bend, but not break.** When testing, use the minimal possible POC to validate a vulnerability; in cases when it may impact systems or users, ask permission first. No matter the case, do not damage or leave a system in a more vulnerable state than when you uncovered it.\n - Vulnerabilities that disclose the existence of a launched private HackerOne program (not a \"sandboxed\" or demo program) will be considered Low severity, whereas previously they would be considered Medium severity. Depending on the information that is disclosed, the team may increase the severity.\n\nPublic disclosure\n===============\nWe believe in transparency about our security, so any valid vulnerabilities discovered are always [publicly disclosed](/security/hacktivity) once confirmed and resolved.\n\nProviding Evidence\n===============\n\nIf you are unsure if you will access others' information, please file a report and ask if you should proceed. 
In a situation where you have an account takeover of a HackerOne employee, please notify our team by [using this form](/report-a-security-incident). This page is only available from the compromised HackerOne employee account.\n\nBest Practices or Hardening\n===============\n\nOn occasion you may discover something that is not a vulnerability but we will make appropriate code changes for hardening or to implement some best practices. In these situations, when HackerOne decides to put a change in place we will resolve the report giving the reporter credit, but will not award a bounty. In the case where we do not make a change, our practice will be to close it as Informative.\n\nScope Exclusions\n===============\nThe following categories of reports are considered out of scope for our program and will not be rewarded:\n\n - **Temporarily out of scope as of June 12, 2020**: any vulnerability affecting the availability of HackerOne's systems (e.g. Denial of Service vulnerabilities).\n - Reports which target a lack of host header validation or that exploit [multiple forward slashes](https://hackerone.com/reports/52035) at the root of the path segment of a URL. Both of these issues are known to both us and Cloudflare, and their resolution is outside our control.\n - Spamming other users with automated HackerOne emails or notifications (e.g. abusing the forgot password form).\n - Reports which [enumerate already claimed user and program handles](https://hackerone.com/reports/29185). 
This reveals no sensitive information, regardless of whether the associated profiles are public or private.\n - Reports which involve constructing a markdown link in such a way that it may appear confusing in the external link warning interstitial page, despite being properly decoded and fully enclosed in the demarcated \"External link\" box.\n - Reports relating to the execution of CSV content by a third-party client application due to special treatment of certain characters in the exported CSV.\n - Reports relating to invitation expiration dates.\n - Reports relating to self-DoS issues (as in, only the person doing the action is denied service).\n - The ability to game the badges functionality by closing submissions reported by yourself or a team member in a verified program.\n - The ability to influence reputation/signal/impact via socially engineering a program's team members.\n - Reports which disclose the existence of private programs that are using SAML.\n - Open redirect vulnerabilities that do not demonstrate a clear impact, such as sending secret tokens to an arbitrary domain.\n - The ability to see a user's rank when they're not ranked in the top 100. The rank is expected to be accessible by everyone.\n\n# Common false positives\nFalse positives will be closed as *Not Applicable*. This section will describe tactics to make sure the behavior you're observing isn't a false positive.\n\n### Existence of invite-only programs\nHackerOne has six different program states that are important to understand: sandbox, invite-only, public, external program, external program + sandbox, and external program + invite-only. It is **only** a valid vulnerability when there is a difference between the sandbox and invite-only programs. It is **not** a vulnerability when you can't distinguish a sandboxed program from an invite-only program. 
You can use the following example program handles for your tests.\n\n| Program state | Program handle | ID | Node ID |\n| ----- | ----- | ----- | ----- |\n| Sandbox | @security-test-sandbox | 49806 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDY=` |\n| Invite-only | @security-test-invite-only | 49807 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDc=` |\n| Public | @security | 13 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vMTM=` |\n| External program | @security-test-ep | 49803 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDM=` |\n| External program + sandbox | @security-test-ep-sandbox | 49804 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDQ=` |\n| External program + invite-only | @security-test-ep-invite-only | 49805 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDU=`\n\n### Other object identifiers that may be used for a proof of concept\nYou may use the following object identifiers to test again on hackerone.com. Feel free to use these for a proof of concept when submitting a report to us.\n\n| GraphQL ID | Class | ID | Note |\n| ----- | ----- | ----- | ----- |\n| `Z2lkOi8vaGFja2Vyb25lL1N0cnVjdHVyZWRTY29wZS81ODU3OQ==` | `StructuredScope` | 58579 | An asset belonging to @security-test-sandbox |\n| `Z2lkOi8vaGFja2Vyb25lL1N0cnVjdHVyZWRTY29wZS8xMDA1Nzg=` | `StructuredScope` | 100578 | An asset belonging to @security-test-invite-only |\n\nSafe Harbor\n============\n[Gold Standard Safe Harbor](https://hackerone.com/security/safe_harbor) applies. Please see the [Safe Harbor FAQ](https://docs.hackerone.com/programs/safe-harbor-faq.html) for more information.\n\n{F285265}\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-05-12T08:04:19.275Z"},{"id":3687413,"new_policy":"We've built HackerOne from the ground up with [security as our top priority](https://www.hackerone.com/trust). 
Even so, we believe that all technology contains bugs and that the public plays a crucial role in identifying these bugs. If you believe you've found a security bug in our service, we'll gladly work with you to resolve that issue and ensure you are fairly compensated for your discovery.\n\nWe're constantly seeking to improve. If you have any questions on our security or suggestions on how HackerOne could be improved, please [let us know](https://support.hackerone.com).\n\n**:speech_balloon:Important for reporting functional bugs**: if you are looking to report a non-security-related bug in HackerOne, please [submit here](https://support.hackerone.com) instead.\n\nHackerOne program sandbox\n===============\nHackerOne offers a sandbox for hackers to help them test program functionality for security vulnerabilities. To create a program, go [here](https://hackerone.com/teams/new/sandbox). You can select any product edition, giving you access to almost all features HackerOne offers. Hackers can create up to 30 programs in the sandbox. It is currently not possible to invite program members to new programs in the sandbox.\n\nEligibility and Responsible Disclosure\n===============\nWe encourage and respect the hacker community and ask that you act in good faith when working with us. Please abide by the following when participating in our program:\n\n - **Follow the Vulnerability Disclosure Guidelines.** As our platform lays out, please read and follow the [Vulnerability Disclosure Guidelines](https://www.hackerone.com/disclosure-guidelines).\n - **Respect all our users' privacy.** HackerOne is a community that holds a lot of information, and we count on you to help keep everyone safe. Limit testing to accounts you own and do not impact other users on HackerOne. 
If you do encounter any user data or program data, including but not limited to usernames, passwords, or vulnerability information, please report it to us immediately and stop testing right away.\n - **Bend, but not break.** When testing, use the minimal possible POC to validate a vulnerability; in cases when it may impact systems or users, ask permission first. No matter the case, do not damage or leave a system in a more vulnerable state than when you uncovered it.\n - Vulnerabilities that disclose the existence of a launched private HackerOne program (not a \"sandboxed\" or demo program) will be considered Low severity, whereas previously they would be considered Medium severity. Depending on the information that is disclosed, the team may increase the severity.\n\nPublic disclosure\n===============\nWe believe in transparency about our security, so any valid vulnerabilities discovered are always [publicly disclosed](/security/hacktivity) once confirmed and resolved.\n\nProviding Evidence\n===============\n\nIf you are unsure if you will access others' information, please file a report and ask if you should proceed. In a situation where you have an account takeover of a HackerOne employee, please notify our team by [using this form](/report-a-security-incident). This page is only available from the compromised HackerOne employee account.\n\nBest Practices or Hardening\n===============\n\nOn occasion you may discover something that is not a vulnerability but we will make appropriate code changes for hardening or to implement some best practices. In these situations, when HackerOne decides to put a change in place we will resolve the report giving the reporter credit, but will not award a bounty. 
In the case where we do not make a change, our practice will be to close it as Informative.\n\nScope Exclusions\n===============\nThe following categories of reports are considered out of scope for our program and will not be rewarded:\n\n - **Temporarily out of scope as of June 12, 2020**: any vulnerability affecting the availability of HackerOne's systems (e.g. Denial of Service vulnerabilities).\n - Reports which target a lack of host header validation or that exploit [multiple forward slashes](https://hackerone.com/reports/52035) at the root of the path segment of a URL. Both of these issues are known to both us and Cloudflare, and their resolution is outside our control.\n - Spamming other users with automated HackerOne emails or notifications (e.g. abusing the forgot password form).\n - Reports which [enumerate already claimed user and program handles](https://hackerone.com/reports/29185). This reveals no sensitive information, regardless of whether the associated profiles are public or private.\n - Reports which involve constructing a markdown link in such a way that it may appear confusing in the external link warning interstitial page, despite being properly decoded and fully enclosed in the demarcated \"External link\" box.\n - Reports relating to the execution of CSV content by a third-party client application due to special treatment of certain characters in the exported CSV.\n - Reports relating to invitation expiration dates.\n - Reports relating to self-DoS issues (as in, only the person doing the action is denied service).\n - The ability to game the badges functionality by closing submissions reported by yourself or a team member in a verified program.\n - The ability to influence reputation/signal/impact via socially engineering a program's team members.\n - Reports which disclose the existence of private programs that are using SAML.\n - Open redirect vulnerabilities that do not demonstrate a clear impact, such as sending secret tokens to an 
arbitrary domain.\n - The ability to see a user's rank when they're not ranked in the top 100. The rank is expected to be accessible by everyone.\n\n# Common false positives\nFalse positives will be closed as *Not Applicable*. This section will describe tactics to make sure the behavior you're observing isn't a false positive.\n\n### Existence of invite-only programs\nHackerOne has six different program states that are important to understand: sandbox, invite-only, public, external program, external program + sandbox, and external program + invite-only. It is **only** a valid vulnerability when there is a difference between the sandbox and invite-only programs. It is **not** a vulnerability when you can't distinguish a sandboxed program from an invite-only program. You can use the following example program handles for your tests.\n\n| Program state | Program handle | ID | Node ID |\n| ----- | ----- | ----- | ----- |\n| Sandbox | @security-test-sandbox | 49806 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDY=` |\n| Invite-only | @security-test-invite-only | 49807 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDc=` |\n| Public | @security | 13 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vMTM=` |\n| External program | @security-test-ep | 49803 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDM=` |\n| External program + sandbox | @security-test-ep-sandbox | 49804 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDQ=` |\n| External program + invite-only | @security-test-ep-invite-only | 49805 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDU=`\n\n### Other object identifiers that may be used for a proof of concept\nYou may use the following object identifiers to test again on hackerone.com. 
Feel free to use these for a proof of concept when submitting a report to us.\n\n| GraphQL ID | Class | ID | Note |\n| ----- | ----- | ----- | ----- |\n| `Z2lkOi8vaGFja2Vyb25lL1N0cnVjdHVyZWRTY29wZS81ODU3OQ==` | `StructuredScope` | 58579 | An asset belonging to @security-test-sandbox |\n| `Z2lkOi8vaGFja2Vyb25lL1N0cnVjdHVyZWRTY29wZS8xMDA1Nzg=` | `StructuredScope` | 100578 | An asset belonging to @security-test-invite-only |\n\nSafe Harbor\n============\n[Gold Standard Safe Harbor](https://hackerone.com/security/safe_harbor) applies. Please see the [Safe Harbor FAQ](https://docs.hackerone.com/programs/safe-harbor-faq.html) for more information.\n\n{F285265}\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-05-10T06:02:07.796Z"},{"id":3681770,"new_policy":"We've built HackerOne from the ground up with [security as our top priority](https://www.hackerone.com/trust). Even so, we believe that all technology contains bugs and that the public plays a crucial role in identifying these bugs. If you believe you've found a security bug in our service, we'll gladly work with you to resolve that issue and ensure you are fairly compensated for your discovery.\n\nWe're constantly seeking to improve. If you have any questions on our security or suggestions on how HackerOne could be improved, please [let us know](https://support.hackerone.com/hc/en-us/requests/new).\n\n**💬Important for reporting functional bugs**: if you are looking to report a non-security-related bug in HackerOne, please [submit here](https://support.hackerone.com/hc/en-us/requests/new) instead.\n\nHackerOne program sandbox\n===============\nHackerOne offers a sandbox for hackers to help them test program functionality for security vulnerabilities. 
To create a program, go [here](https://hackerone.com/teams/new/sandbox). You can select any product edition, giving you access to almost all features HackerOne offers. Hackers can create up to 30 programs in the sandbox. It is currently not possible to invite program members to new programs in the sandbox.\n\nEligibility and Responsible Disclosure\n===============\nWe encourage and respect the hacker community and ask that you act in good faith when working with us. Please abide by the following when participating in our program:\n\n - **Follow the Vulnerability Disclosure Guidelines.** As our platform lays out, please read and follow the [Vulnerability Disclosure Guidelines](https://www.hackerone.com/disclosure-guidelines).\n - **Respect all our users' privacy.** HackerOne is a community that holds a lot of information, and we count on you to help keep everyone safe. Limit testing to accounts you own and do not impact other users on HackerOne. If you do encounter any user data or program data, including but not limited to usernames, passwords, or vulnerability information, please report it to us immediately and stop testing right away.\n - **Bend, but not break.** When testing, use the minimal possible POC to validate a vulnerability; in cases when it may impact systems or users, ask permission first. No matter the case, do not damage or leave a system in a more vulnerable state than when you uncovered it.\n - Vulnerabilities that disclose the existence of a launched private HackerOne program (not a \"sandboxed\" or demo program) will be considered Low severity, whereas previously they would be considered Medium severity. 
Depending on the information that is disclosed, the team may increase the severity.\n\nPublic disclosure\n===============\nWe believe in transparency about our security, so any valid vulnerabilities discovered are always [publicly disclosed](/security/hacktivity) once confirmed and resolved.\n\nProviding Evidence\n===============\n\nIf you are unsure if you will access others' information, please file a report and ask if you should proceed. In a situation where you have an account takeover of a HackerOne employee, please notify our team by [using this form](/report-a-security-incident). This page is only available from the compromised HackerOne employee account.\n\nBest Practices or Hardening\n===============\n\nOn occasion you may discover something that is not a vulnerability but we will make appropriate code changes for hardening or to implement some best practices. In these situations, when HackerOne decides to put a change in place we will resolve the report giving the reporter credit, but will not award a bounty. In the case where we do not make a change, our practice will be to close it as Informative.\n\nScope Exclusions\n===============\nThe following categories of reports are considered out of scope for our program and will not be rewarded:\n\n - **Temporarily out of scope as of June 12, 2020**: any vulnerability affecting the availability of HackerOne's systems (e.g. Denial of Service vulnerabilities).\n - Reports which target a lack of host header validation or that exploit [multiple forward slashes](https://hackerone.com/reports/52035) at the root of the path segment of a URL. Both of these issues are known to both us and Cloudflare, and their resolution is outside our control.\n - Spamming other users with automated HackerOne emails or notifications (e.g. abusing the forgot password form).\n - Reports which [enumerate already claimed user and program handles](https://hackerone.com/reports/29185). 
This reveals no sensitive information, regardless of whether the associated profiles are public or private.\n - Reports which involve constructing a markdown link in such a way that it may appear confusing in the external link warning interstitial page, despite being properly decoded and fully enclosed in the demarcated \"External link\" box.\n - Reports relating to the execution of CSV content by a third-party client application due to special treatment of certain characters in the exported CSV.\n - Reports relating to invitation expiration dates.\n - Reports relating to self-DoS issues (as in, only the person doing the action is denied service).\n - The ability to game the badges functionality by closing submissions reported by yourself or a team member in a verified program.\n - The ability to influence reputation/signal/impact via socially engineering a program's team members.\n - Reports which disclose the existence of private programs that are using SAML.\n - Open redirect vulnerabilities that do not demonstrate a clear impact, such as sending secret tokens to an arbitrary domain.\n - The ability to see a user's rank when they're not ranked in the top 100. The rank is expected to be accessible by everyone.\n\n# Common false positives\nFalse positives will be closed as *Not Applicable*. This section will describe tactics to make sure the behavior you're observing isn't a false positive.\n\n### Existence of invite-only programs\nHackerOne has six different program states that are important to understand: sandbox, invite-only, public, external program, external program + sandbox, and external program + invite-only. It is **only** a valid vulnerability when there is a difference between the sandbox and invite-only programs. It is **not** a vulnerability when you can't distinguish a sandboxed program from an invite-only program. 
You can use the following example program handles for your tests.\n\n| Program state | Program handle | ID | Node ID |\n| ----- | ----- | ----- | ----- |\n| Sandbox | @security-test-sandbox | 49806 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDY=` |\n| Invite-only | @security-test-invite-only | 49807 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDc=` |\n| Public | @security | 13 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vMTM=` |\n| External program | @security-test-ep | 49803 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDM=` |\n| External program + sandbox | @security-test-ep-sandbox | 49804 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDQ=` |\n| External program + invite-only | @security-test-ep-invite-only | 49805 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDU=`\n\n### Other object identifiers that may be used for a proof of concept\nYou may use the following object identifiers to test again on hackerone.com. Feel free to use these for a proof of concept when submitting a report to us.\n\n| GraphQL ID | Class | ID | Note |\n| ----- | ----- | ----- | ----- |\n| `Z2lkOi8vaGFja2Vyb25lL1N0cnVjdHVyZWRTY29wZS81ODU3OQ==` | `StructuredScope` | 58579 | An asset belonging to @security-test-sandbox |\n| `Z2lkOi8vaGFja2Vyb25lL1N0cnVjdHVyZWRTY29wZS8xMDA1Nzg=` | `StructuredScope` | 100578 | An asset belonging to @security-test-invite-only |\n\nSafe Harbor\n============\n[Gold Standard Safe Harbor](https://hackerone.com/security/safe_harbor) applies. Please see the [Safe Harbor FAQ](https://docs.hackerone.com/programs/safe-harbor-faq.html) for more information.\n\n{F285265}\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-01-09T16:16:20.455Z"},{"id":3681468,"new_policy":"We've built HackerOne from the ground up with [security as our top priority](https://www.hackerone.com/trust). 
Even so, we believe that all technology contains bugs and that the public plays a crucial role in identifying these bugs. If you believe you've found a security bug in our service, we'll gladly work with you to resolve that issue and ensure you are fairly compensated for your discovery.\n\nWe're constantly seeking to improve. If you have any questions on our security or suggestions on how HackerOne could be improved, please [let us know](https://support.hackerone.com/hc/en-us/requests/new).\n\n**🎄Important holiday notice**: we have a reduced number of available staff for our bug bounty program from December 22nd through January 3rd. Responses may take longer than usual. Thanks for everybody's continued contributions and we welcome you to continue to submit security vulnerabilities to us over the holidays. Happy holidays and happy hacking!\n\n**💬Important for reporting functional bugs**: if you are looking to report a non-security-related bug in HackerOne, please [submit here](https://support.hackerone.com/hc/en-us/requests/new) instead.\n\nHackerOne program sandbox\n===============\nHackerOne offers a sandbox for hackers to help them test program functionality for security vulnerabilities. To create a program, go [here](https://hackerone.com/teams/new/sandbox). You can select any product edition, giving you access to almost all features HackerOne offers. Hackers can create up to 30 programs in the sandbox. It is currently not possible to invite program members to new programs in the sandbox.\n\nEligibility and Responsible Disclosure\n===============\nWe encourage and respect the hacker community and ask that you act in good faith when working with us. 
Please abide by the following when participating in our program:\n\n - **Follow the Vulnerability Disclosure Guidelines.** As our platform lays out, please read and follow the [Vulnerability Disclosure Guidelines](https://www.hackerone.com/disclosure-guidelines).\n - **Respect all our users' privacy.** HackerOne is a community that holds a lot of information, and we count on you to help keep everyone safe. Limit testing to accounts you own and do not impact other users on HackerOne. If you do encounter any user data or program data, including but not limited to usernames, passwords, or vulnerability information, please report it to us immediately and stop testing right away.\n - **Bend, but not break.** When testing, use the minimal possible POC to validate a vulnerability; in cases when it may impact systems or users, ask permission first. No matter the case, do not damage or leave a system in a more vulnerable state than when you uncovered it.\n - Vulnerabilities that disclose the existence of a launched private HackerOne program (not a \"sandboxed\" or demo program) will be considered Low severity, whereas previously they would be considered Medium severity. Depending on the information that is disclosed, the team may increase the severity.\n\nPublic disclosure\n===============\nWe believe in transparency about our security, so any valid vulnerabilities discovered are always [publicly disclosed](/security/hacktivity) once confirmed and resolved.\n\nProviding Evidence\n===============\n\nIf you are unsure if you will access others' information, please file a report and ask if you should proceed. In a situation where you have an account takeover of a HackerOne employee, please notify our team by [using this form](/report-a-security-incident). 
This page is only available from the compromised HackerOne employee account.\n\nBest Practices or Hardening\n===============\n\nOn occasion you may discover something that is not a vulnerability but we will make appropriate code changes for hardening or to implement some best practices. In these situations, when HackerOne decides to put a change in place we will resolve the report giving the reporter credit, but will not award a bounty. In the case where we do not make a change, our practice will be to close it as Informative.\n\nScope Exclusions\n===============\nThe following categories of reports are considered out of scope for our program and will not be rewarded:\n\n - **Temporarily out of scope as of June 12, 2020**: any vulnerability affecting the availability of HackerOne's systems (e.g. Denial of Service vulnerabilities).\n - Reports which target a lack of host header validation or that exploit [multiple forward slashes](https://hackerone.com/reports/52035) at the root of the path segment of a URL. Both of these issues are known to both us and Cloudflare, and their resolution is outside our control.\n - Spamming other users with automated HackerOne emails or notifications (e.g. abusing the forgot password form).\n - Reports which [enumerate already claimed user and program handles](https://hackerone.com/reports/29185). 
This reveals no sensitive information, regardless of whether the associated profiles are public or private.\n - Reports which involve constructing a markdown link in such a way that it may appear confusing in the external link warning interstitial page, despite being properly decoded and fully enclosed in the demarcated \"External link\" box.\n - Reports relating to the execution of CSV content by a third-party client application due to special treatment of certain characters in the exported CSV.\n - Reports relating to invitation expiration dates.\n - Reports relating to self-DoS issues (as in, only the person doing the action is denied service).\n - The ability to game the badges functionality by closing submissions reported by yourself or a team member in a verified program.\n - The ability to influence reputation/signal/impact via socially engineering a program's team members.\n - Reports which disclose the existence of private programs that are using SAML.\n - Open redirect vulnerabilities that do not demonstrate a clear impact, such as sending secret tokens to an arbitrary domain.\n - The ability to see a user's rank when they're not ranked in the top 100. The rank is expected to be accessible by everyone.\n\n# Common false positives\nFalse positives will be closed as *Not Applicable*. This section will describe tactics to make sure the behavior you're observing isn't a false positive.\n\n### Existence of invite-only programs\nHackerOne has six different program states that are important to understand: sandbox, invite-only, public, external program, external program + sandbox, and external program + invite-only. It is **only** a valid vulnerability when there is a difference between the sandbox and invite-only programs. It is **not** a vulnerability when you can't distinguish a sandboxed program from an invite-only program. 
You can use the following example program handles for your tests.\n\n| Program state | Program handle | ID | Node ID |\n| ----- | ----- | ----- | ----- |\n| Sandbox | @security-test-sandbox | 49806 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDY=` |\n| Invite-only | @security-test-invite-only | 49807 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDc=` |\n| Public | @security | 13 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vMTM=` |\n| External program | @security-test-ep | 49803 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDM=` |\n| External program + sandbox | @security-test-ep-sandbox | 49804 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDQ=` |\n| External program + invite-only | @security-test-ep-invite-only | 49805 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDU=`\n\n### Other object identifiers that may be used for a proof of concept\nYou may use the following object identifiers to test again on hackerone.com. Feel free to use these for a proof of concept when submitting a report to us.\n\n| GraphQL ID | Class | ID | Note |\n| ----- | ----- | ----- | ----- |\n| `Z2lkOi8vaGFja2Vyb25lL1N0cnVjdHVyZWRTY29wZS81ODU3OQ==` | `StructuredScope` | 58579 | An asset belonging to @security-test-sandbox |\n| `Z2lkOi8vaGFja2Vyb25lL1N0cnVjdHVyZWRTY29wZS8xMDA1Nzg=` | `StructuredScope` | 100578 | An asset belonging to @security-test-invite-only |\n\nSafe Harbor\n============\n[Gold Standard Safe Harbor](https://hackerone.com/security/safe_harbor) applies. Please see the [Safe Harbor FAQ](https://docs.hackerone.com/programs/safe-harbor-faq.html) for more information.\n\n{F285265}\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2022-12-21T19:41:40.384Z"},{"id":3679816,"new_policy":"We've built HackerOne from the ground up with [security as our top priority](https://www.hackerone.com/trust). 
Even so, we believe that all technology contains bugs and that the public plays a crucial role in identifying these bugs. If you believe you've found a security bug in our service, we'll gladly work with you to resolve that issue and ensure you are fairly compensated for your discovery.\n\nWe're constantly seeking to improve. If you have any questions on our security or suggestions on how HackerOne could be improved, please [let us know](https://support.hackerone.com/hc/en-us/requests/new).\n\n**💬Important for reporting functional bugs**: if you are looking to report a non-security-related bug in HackerOne, please [submit here](https://support.hackerone.com/hc/en-us/requests/new) instead.\n\nHackerOne program sandbox\n===============\nHackerOne offers a sandbox for hackers to help them test program functionality for security vulnerabilities. To create a program, go [here](https://hackerone.com/teams/new/sandbox). You can select any product edition, giving you access to almost all features HackerOne offers. Hackers can create up to 30 programs in the sandbox. It is currently not possible to invite program members to new programs in the sandbox.\n\nEligibility and Responsible Disclosure\n===============\nWe encourage and respect the hacker community and ask that you act in good faith when working with us. Please abide by the following when participating in our program:\n\n - **Follow the Vulnerability Disclosure Guidelines.** As our platform lays out, please read and follow the [Vulnerability Disclosure Guidelines](https://www.hackerone.com/disclosure-guidelines).\n - **Respect all our users' privacy.** HackerOne is a community that holds a lot of information, and we count on you to help keep everyone safe. Limit testing to accounts you own and do not impact other users on HackerOne. 
If you do encounter any user data or program data, including but not limited to usernames, passwords, or vulnerability information, please report it to us immediately and stop testing right away.\n - **Bend, but not break.** When testing use the minimal possible POC to validate a vulnerability; in cases when it may impact systems or users, ask permission first. No matter the case, do not damage or leave a system in a more vulnerable state than when you uncovered it.\n - Vulnerabilities that disclose the existence of a launched private HackerOne program (not a \"sandboxed\" or demo program) will be considered Low severity, whereas previously they would be considered Medium severity. Depending on the information that is disclosed, the team may increase the severity.\n\nPublic disclosure\n===============\nWe believe in transparency about our security, so any valid vulnerabilities discovered are always [publicly disclosed](/security/hacktivity) once confirmed and resolved.\n\nProviding Evidence\n===============\n\nIf you are unsure if you will access others' information, please file a report and ask if you should proceed. In a situation where you have an account takeover of a HackerOne employee, please notify our team by [using this form](/report-a-security-incident). This page is only available from the compromised HackerOne employee account.\n\nBest Practices or Hardening\n===============\n\nOn occasion you may discover something that is not a vulnerability but we will make appropriate code changes for hardening or to implement some best practices. In these situations, when HackerOne decides to put a change in place we will resolve the report giving the reporter credit, but will not award a bounty. 
In the case where we do not make a change, our practice will be to close it as Informative.\n\nScope Exclusions\n===============\nThe following categories of reports are considered out of scope for our program and will not be rewarded:\n\n - **Temporarily out of scope as of June 12, 2020**: any vulnerability affecting the availability of HackerOne's systems (e.g. Denial of Service vulnerabilities).\n - Reports which target a lack of host header validation or that exploit [multiple forward slashes](https://hackerone.com/reports/52035) at the root of the path segment of a URL. Both of these issues are known to both us and Cloudflare, and their resolution is outside our control.\n - Spamming other users with automated HackerOne emails or notifications (e.g. abusing the forgot password form).\n - Reports which [enumerate already claimed user and program handles](https://hackerone.com/reports/29185). This reveals no sensitive information, regardless of whether the associated profiles are public or private.\n - Reports which involve constructing a markdown link in such a way that it may appear confusing in the external link warning interstitial page, despite being properly decoded and fully enclosed in the demarcated \"External link\" box.\n - Reports relating to the execution of CSV content by a third-party client application due to special treatment of certain characters in the exported CSV.\n - Reports relating to invitation expiration dates.\n - Reports relating to self-DoS issues (as in, only the person doing the action is denied service).\n - The ability to game the badges functionality by closing submissions reported by yourself or a team member in a verified program.\n - The ability to influence reputation/signal/impact via socially engineering a program's team members.\n - Reports which disclose the existence of private programs that are using SAML.\n - Open redirect vulnerabilities that do not demonstrate a clear impact, such as sending secret tokens to an 
arbitrary domain.\n - The ability to see a user's rank when they're not ranked in the top 100. The rank is expected to be accessible by everyone.\n\n# Common false positives\nFalse positives will be closed as *Not Applicable*. This section will describe tactics to make sure the behavior you're observing isn't a false positive.\n\n### Existence of invite-only programs\nHackerOne has six different program states that are important to understand: sandbox, invite-only, public, external program, external program + sandbox, and external program + invite-only. It is **only** a valid vulnerability when there is a difference between the sandbox and invite-only programs. It is **not** a vulnerability when you can't distinguish a sandboxed program from an invite-only program. You can use the following example program handles for your tests.\n\n| Program state | Program handle | ID | Node ID |\n| ----- | ----- | ----- | ----- |\n| Sandbox | @security-test-sandbox | 49806 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDY=` |\n| Invite-only | @security-test-invite-only | 49807 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDc=` |\n| Public | @security | 13 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vMTM=` |\n| External program | @security-test-ep | 49803 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDM=` |\n| External program + sandbox | @security-test-ep-sandbox | 49804 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDQ=` |\n| External program + invite-only | @security-test-ep-invite-only | 49805 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDU=`\n\n### Other object identifiers that may be used for a proof of concept\nYou may use the following object identifiers to test again on hackerone.com. 
Feel free to use these for a proof of concept when submitting a report to us.\n\n| GraphQL ID | Class | ID | Note |\n| ----- | ----- | ----- | ----- |\n| `Z2lkOi8vaGFja2Vyb25lL1N0cnVjdHVyZWRTY29wZS81ODU3OQ==` | `StructuredScope` | 58579 | An asset belonging to @security-test-sandbox |\n| `Z2lkOi8vaGFja2Vyb25lL1N0cnVjdHVyZWRTY29wZS8xMDA1Nzg=` | `StructuredScope` | 100578 | An asset belonging to @security-test-invite-only |\n\nSafe Harbor\n============\n[Gold Standard Safe Harbor](https://hackerone.com/security/safe_harbor) applies. Please see the [Safe Harbor FAQ](https://docs.hackerone.com/programs/safe-harbor-faq.html) for more information.\n\n{F285265}\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2022-11-10T19:08:35.542Z"},{"id":3678417,"new_policy":"We've built HackerOne from the ground up with [security as our top priority](https://www.hackerone.com/trust). Even so, we believe that all technology contains bugs and that the public plays a crucial role in identifying these bugs. If you believe you've found a security bug in our service, we'll gladly work with you to resolve that issue and ensure you are fairly compensated for your discovery.\n\nWe're constantly seeking to improve. If you have any questions on our security or suggestions on how HackerOne could be improved, please [let us know](https://support.hackerone.com/hc/en-us/requests/new).\n\n**💬Important for reporting functional bugs**: if you are looking to report a non-security-related bug in HackerOne, please [submit here](https://support.hackerone.com/hc/en-us/requests/new) instead.\n\nHackerOne program sandbox\n===============\nHackerOne offers a sandbox for hackers to help them test program functionality for security vulnerabilities. 
To create a program, go [here](https://hackerone.com/teams/new/sandbox). You can select any product edition, giving you access to almost all features HackerOne offers. Hackers can create up to 30 programs in the sandbox. It is currently not possible to invite program members to new programs in the sandbox.\n\nEligibility and Responsible Disclosure\n===============\nWe encourage and respect the hacker community and ask that you act in good faith when working with us. Please abide by the following when participating in our program:\n\n - **Follow the Vulnerability Disclosure Guidelines.** As our platform lays out, please read and follow the [Vulnerability Disclosure Guidelines](https://www.hackerone.com/disclosure-guidelines).\n - **Respect all our users' privacy.** HackerOne is a community that holds a lot of information, and we count on you to help keep everyone safe. Limit testing to accounts you own and do not impact other users on HackerOne. If you do encounter any user data or program data, including but not limited to usernames, passwords, or vulnerability information, please report it to us immediately and stop testing right away.\n - **Bend, but not break.** When testing use the minimal possible POC to validate a vulnerability; in cases when it may impact systems or users, ask permission first. No matter the case, do not damage or leave a system in a more vulnerable state than when you uncovered it.\n - Vulnerabilities that disclose the existence of a launched private HackerOne program (not a \"sandboxed\" or demo program) will be considered Low severity, whereas previously they would be considered Medium severity. 
Depending on the information that is disclosed, the team may increase the severity.\n\nPublic disclosure\n===============\nWe believe in transparency about our security, so any valid vulnerabilities discovered are always [publicly disclosed](/security/hacktivity) once confirmed and resolved.\n\nProviding Evidence\n===============\n\nIf you are unsure if you will access others' information, please file a report and ask if you should proceed. In a situation where you have an account takeover of a HackerOne employee, please notify our team by [using this form](/report-a-security-incident). This page is only available from the compromised HackerOne employee account.\n\nBest Practices or Hardening\n===============\n\nOn occasion you may discover something that is not a vulnerability but we will make appropriate code changes for hardening or to implement some best practices. In these situations, when HackerOne decides to put a change in place we will resolve the report giving the reporter credit, but will not award a bounty. In the case where we do not make a change, our practice will be to close it as Informative.\n\nScope Exclusions\n===============\nThe following categories of reports are considered out of scope for our program and will not be rewarded:\n\n - **Temporarily out of scope as of June 12, 2020**: any vulnerability affecting the availability of HackerOne's systems (e.g. Denial of Service vulnerabilities).\n - Reports which target a lack of host header validation or that exploit [multiple forward slashes](https://hackerone.com/reports/52035) at the root of the path segment of a URL. Both of these issues are known to both us and Cloudflare, and their resolution is outside our control.\n - Spamming other users with automated HackerOne emails or notifications (e.g. abusing the forgot password form).\n - Reports which [enumerate already claimed user and program handles](https://hackerone.com/reports/29185). 
This reveals no sensitive information, regardless of whether the associated profiles are public or private.\n - Reports which involve constructing a markdown link in such a way that it may appear confusing in the external link warning interstitial page, despite being properly decoded and fully enclosed in the demarcated \"External link\" box.\n - Reports relating to the execution of CSV content by a third-party client application due to special treatment of certain characters in the exported CSV.\n - Reports relating to invitation expiration dates.\n - Reports relating to self-DoS issues (as in, only the person doing the action is denied service).\n - The ability to game the badges functionality by closing submissions reported by yourself or a team member in a verified program.\n - The ability to influence reputation/signal/impact via socially engineering a program's team members.\n - Reports which disclose the existence of private programs that are using SAML.\n - Open redirect vulnerabilities that do not demonstrate a clear impact, such as sending secret tokens to an arbitrary domain.\n - The ability to see a user's rank when they're not ranked in the top 100. The rank is expected to be accessible by everyone.\n\n# Common false positives\nFalse positives will be closed as *Not Applicable*. This section will describe tactics to make sure the behavior you're observing isn't a false positive.\n\n### Existence of invite-only programs\nHackerOne has six different program states that are important to understand: sandbox, invite-only, public, external program, external program + sandbox, and external program + invite-only. It is **only** a valid vulnerability when there is a difference between the sandbox and invite-only programs. It is **not** a vulnerability when you can't distinguish a sandboxed program from an invite-only program. 
You can use the following example program handles for your tests.\n\n| Program state | Program handle | ID | Node ID |\n| ----- | ----- | ----- | ----- |\n| Sandbox | @security-test-sandbox | 49806 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDY=` |\n| Invite-only | @security-test-invite-only | 49807 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDc=` |\n| Public | @security | 13 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vMTM=` |\n| External program | @security-test-ep | 49803 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDM=` |\n| External program + sandbox | @security-test-ep-sandbox | 49804 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDQ=` |\n| External program + invite-only | @security-test-ep-invite-only | 49805 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDU=`\n\n### Other object identifiers that may be used for a proof of concept\nYou may use the following object identifiers to test again on hackerone.com. Feel free to use these for a proof of concept when submitting a report to us.\n\n| GraphQL ID | Class | ID | Note |\n| ----- | ----- | ----- | ----- |\n| `Z2lkOi8vaGFja2Vyb25lL1N0cnVjdHVyZWRTY29wZS81ODU3OQ==` | `StructuredScope` | 58579 | An asset belonging to @security-test-sandbox |\n| `Z2lkOi8vaGFja2Vyb25lL1N0cnVjdHVyZWRTY29wZS8xMDA1Nzg=` | `StructuredScope` | 100578 | An asset belonging to @security-test-invite-only |\n\nConsequences of Complying with This Policy\n===============\nSee [Safe Harbor Gold Standard](/security/gold_standard_rules).\n\n{F285265}\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2022-10-11T13:33:43.422Z"},{"id":3669996,"new_policy":"We've built HackerOne from the ground up with [security as our top priority](https://www.hackerone.com/trust). 
Even so, we believe that all technology contains bugs and that the public plays a crucial role in identifying these bugs. If you believe you've found a security bug in our service, we'll gladly work with you to resolve that issue and ensure you are fairly compensated for your discovery.\n\nWe're constantly seeking to improve. If you have any questions on our security or suggestions on how HackerOne could be improved, please [let us know](https://support.hackerone.com/hc/en-us/requests/new).\n\n**💬Important for reporting functional bugs**: if you are looking to report a non-security-related bug in HackerOne, please [submit here](https://support.hackerone.com/hc/en-us/requests/new) instead.\n\nHackerOne program sandbox\n===============\nHackerOne offers a sandbox for hackers to help them test program functionality for security vulnerabilities. To create a program, go [here](https://hackerone.com/teams/new/sandbox). You can select any product edition, giving you access to almost all features HackerOne offers. Hackers can create up to 30 programs in the sandbox. It is currently not possible to invite program members to new programs in the sandbox.\n\nEligibility and Responsible Disclosure\n===============\nWe encourage and respect the hacker community and ask that you act in good faith when working with us. Please abide by the following when participating in our program:\n\n - **Follow the Vulnerability Disclosure Guidelines.** As our platform lays out, please read and follow the [Vulnerability Disclosure Guidelines](https://www.hackerone.com/disclosure-guidelines).\n - **Respect all our users' privacy.** HackerOne is a community that holds a lot of information, and we count on you to help keep everyone safe. Limit testing to accounts you own and do not impact other users on HackerOne. 
If you do encounter any user data or program data, including but not limited to usernames, passwords, or vulnerability information, please report it to us immediately and stop testing right away.\n - **Bend, but not break.** When testing use the minimal possible POC to validate a vulnerability; in cases when it may impact systems or users, ask permission first. No matter the case, do not damage or leave a system in a more vulnerable state than when you uncovered it.\n - Vulnerabilities that disclose the existence of a launched private HackerOne program (not a \"sandboxed\" or demo program) will be considered Low severity, whereas previously they would be considered Medium severity. Depending on the information that is disclosed, the team may increase the severity.\n\nPublic disclosure\n===============\nWe believe in transparency about our security, so any valid vulnerabilities discovered are always [publicly disclosed](/security/hacktivity) once confirmed and resolved.\n\nProviding Evidence\n===============\n\nIf you are unsure if you will access others' information, please file a report and ask if you should proceed. In a situation where you have an account takeover of a HackerOne employee, please notify our team by [using this form](/report-a-security-incident). This page is only available from the compromised HackerOne employee account.\n\nBest Practices or Hardening\n===============\n\nOn occasion you may discover something that is not a vulnerability but we will make appropriate code changes for hardening or to implement some best practices. In these situations, when HackerOne decides to put a change in place we will resolve the report giving the reporter credit, but will not award a bounty. 
In the case where we do not make a change, our practice will be to close it as Informative.\n\nScope Exclusions\n===============\nThe following categories of reports are considered out of scope for our program and will not be rewarded:\n\n - **Temporarily out of scope as of June 12, 2020**: any vulnerability affecting the availability of HackerOne's systems (e.g. Denial of Service vulnerabilities).\n - Reports which target a lack of host header validation or that exploit [multiple forward slashes](https://hackerone.com/reports/52035) at the root of the path segment of a URL. Both of these issues are known to both us and Cloudflare, and their resolution is outside our control.\n - Spamming other users with automated HackerOne emails or notifications (e.g. abusing the forgot password form).\n - Reports which [enumerate already claimed user and program handles](https://hackerone.com/reports/29185). This reveals no sensitive information, regardless of whether the associated profiles are public or private.\n - Reports which involve constructing a markdown link in such a way that it may appear confusing in the external link warning interstitial page, despite being properly decoded and fully enclosed in the demarcated \"External link\" box.\n - Reports relating to the execution of CSV content by a third-party client application due to special treatment of certain characters in the exported CSV.\n - Reports relating to invitation expiration dates.\n - Reports relating to self-DoS issues (as in, only the person doing the action is denied service).\n - The ability to game the badges functionality by closing submissions reported by yourself or a team member in a verified program.\n - The ability to influence reputation/signal/impact via socially engineering a program's team members.\n - Reports which disclose the existence of private programs that are using SAML.\n - Open redirect vulnerabilities that do not demonstrate a clear impact, such as sending secret tokens to an 
arbitrary domain.\n - The ability to see a user's rank when they're not ranked in the top 100. The rank is expected to be accessible by everyone.\n\n# Common false positives\nFalse positives will be closed as *Not Applicable*. This section will describe tactics to make sure the behavior you're observing isn't a false positive.\n\n### Existence of invite-only programs\nHackerOne has six different program states that are important to understand: sandbox, invite-only, public, external program, external program + sandbox, and external program + invite-only. It is **only** a valid vulnerability when there is a difference between the sandbox and invite-only programs. It is **not** a vulnerability when you can't distinguish a sandboxed program from an invite-only program. You can use the following example program handles for your tests.\n\n| Program state | Program handle | ID | Node ID |\n| ----- | ----- | ----- | ----- |\n| Sandbox | @security-test-sandbox | 49806 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDY=` |\n| Invite-only | @security-test-invite-only | 49807 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDc=` |\n| Public | @security | 13 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vMTM=` |\n| External program | @security-test-ep | 49803 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDM=` |\n| External program + sandbox | @security-test-ep-sandbox | 49804 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDQ=` |\n| External program + invite-only | @security-test-ep-invite-only | 49805 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDU=`\n\n### Other object identifiers that may be used for a proof of concept\nYou may use the following object identifiers to test again on hackerone.com. 
Feel free to use these for a proof of concept when submitting a report to us.\n\n| GraphQL ID | Class | ID | Note |\n| ----- | ----- | ----- | ----- |\n| `Z2lkOi8vaGFja2Vyb25lL1N0cnVjdHVyZWRTY29wZS81ODU3OQ==` | `StructuredScope` | 58579 | An asset belonging to @security-test-sandbox |\n| `Z2lkOi8vaGFja2Vyb25lL1N0cnVjdHVyZWRTY29wZS8xMDA1Nzg=` | `StructuredScope` | 100578 | An asset belonging to @security-test-invite-only |\n\nConsequences of Complying with This Policy\n===============\nWe will not pursue civil action or initiate a complaint to law enforcement for accidental, good faith violations of this policy. We consider activities conducted consistent with this policy to constitute “authorized” conduct under the Computer Fraud and Abuse Act (CFAA). We will not bring a DMCA claim against you for circumventing the technological measures we have used to protect the applications in scope.\n\nIf legal action is initiated by a third party against you in connection with your participation in our program, and you have complied with HackerOne’s bug bounty policy, HackerOne will take steps to make it known that your actions were conducted in compliance with this policy.\n\nPlease submit a HackerOne report to us before engaging in conduct that may be inconsistent with or unaddressed by this policy.\n\n{F285265}\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2022-04-19T16:40:27.352Z"},{"id":3664183,"new_policy":"We've built HackerOne from the ground up with [security as our top priority](https://www.hackerone.com/trust). Even so, we believe that all technology contains bugs and that the public plays a crucial role in identifying these bugs. 
If you believe you've found a security bug in our service, we'll gladly work with you to resolve that issue and ensure you are fairly compensated for your discovery.\n\nWe're constantly seeking to improve. If you have any questions on our security or suggestions on how HackerOne could be improved, please [let us know](https://support.hackerone.com/hc/en-us/requests/new).\n\n**💬Important for reporting functional bugs**: if you are looking to report a non-security-related bug in HackerOne, please [submit here](https://support.hackerone.com/hc/en-us/requests/new) instead.\n\nHackerOne program sandbox\n===============\nHackerOne offers a sandbox for hackers to help them test program functionality for security vulnerabilities. To create a program, go [here](https://hackerone.com/teams/new/sandbox). You can select any product edition, giving you access to almost all features HackerOne offers. Hackers can create up to 30 programs in the sandbox. It is currently not possible to invite program members to new programs in the sandbox.\n\nEligibility and Responsible Disclosure\n===============\nWe encourage and respect the hacker community and ask that you act in good faith when working with us. Please abide by the following when participating in our program:\n\n - **Follow the Vulnerability Disclosure Guidelines.** As our platform lays out, please read and follow the [Vulnerability Disclosure Guidelines](https://www.hackerone.com/disclosure-guidelines).\n - **Respect all our users' privacy.** HackerOne is a community that holds a lot of information, and we count on you to help keep everyone safe. Limit testing to accounts you own and do not impact other users on HackerOne. 
If you do encounter any user data or program data, including but not limited to usernames, passwords, or vulnerability information, please report it to us immediately and stop testing right away.\n - **Bend, but not break.** When testing use the minimal possible POC to validate a vulnerability; in cases when it may impact systems or users, ask permission first. No matter the case, do not damage or leave a system in a more vulnerable state than when you uncovered it.\n - Vulnerabilities that disclose the existence of a launched private HackerOne program (not a \"sandboxed\" or demo program) will be considered Low severity, whereas previously they would be considered Medium severity. Depending on the information that is disclosed, the team may increase the severity.\n\nPublic disclosure\n===============\nWe believe in transparency about our security, so any valid vulnerabilities discovered are always [publicly disclosed](/security/hacktivity) once confirmed and resolved.\n\nProviding Evidence\n===============\n\nIf you are unsure if you will access others' information, please file a report and ask if you should proceed. In a situation where you have an account takeover of a HackerOne employee, please notify our team by [using this form](/report-a-security-incident). This page is only available from the compromised HackerOne employee account.\n\nBest Practices or Hardening\n===============\n\nOn occasion you may discover something that is not a vulnerability but we will make appropriate code changes for hardening or to implement some best practices. In these situations, when HackerOne decides to put a change in place we will resolve the report giving the reporter credit, but will not award a bounty. 
In the case where we do not make a change, our practice will be to close it as Informative.\n\nScope Exclusions\n===============\nThe following categories of reports are considered out of scope for our program and will not be rewarded:\n\n - **Temporarily out of scope as of June 12, 2020**: any vulnerability affecting the availability of HackerOne's systems (e.g. Denial of Service vulnerabilities).\n - Reports which target a lack of host header validation or that exploit [multiple forward slashes](https://hackerone.com/reports/52035) at the root of the path segment of a URL. Both of these issues are known to both us and Cloudflare, and their resolution is outside our control.\n - Spamming other users with automated HackerOne emails or notifications (e.g. abusing the forgot password form).\n - Reports which [enumerate already claimed user and program handles](https://hackerone.com/reports/29185). This reveals no sensitive information, regardless of whether the associated profiles are public or private.\n - Reports which involve constructing a markdown link in such a way that it may appear confusing in the external link warning interstitial page, despite being properly decoded and fully enclosed in the demarcated \"External link\" box.\n - Reports relating to the execution of CSV content by a third-party client application due to special treatment of certain characters in the exported CSV.\n - Reports relating to invitation expiration dates.\n - Reports relating to self-DoS issues (as in, only the person doing the action is denied service).\n - The ability to game the badges functionality by closing submissions reported by yourself or a team member in a verified program.\n - The ability to influence reputation/signal/impact via socially engineering a program's team members.\n - Reports which disclose the existence of private programs that are using SAML.\n - Open redirect vulnerabilities that do not demonstrate a clear impact, such as sending secret tokens to an 
arbitrary domain.\n - The ability to see a user's rank when they're not ranked in the top 100. The rank is expected to be accessible by everyone.\n\n# Common false positives\nFalse positives will be closed as *Not Applicable*. This section will describe tactics to make sure the behavior you're observing isn't a false positive.\n\n### Existence of invite-only programs\nHackerOne has six different program states that are important to understand: sandbox, invite-only, public, external program, external program + sandbox, and external program + invite-only. It is **only** a valid vulnerability when there is a difference between the sandbox and invite-only programs. It is **not** a vulnerability when you can't distinguish a sandboxed program from an invite-only program. You can use the following example program handles for your tests.\n\n| Program state | Program handle | ID | Node ID |\n| ----- | ----- | ----- | ----- |\n| Sandbox | @security-test-sandbox | 49806 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDY=` |\n| Invite-only | @security-test-invite-only | 49807 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDc=` |\n| Public | @security | 13 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vMTM=` |\n| External program | @security-test-ep | 49803 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDM=` |\n| External program + sandbox | @security-test-ep-sandbox | 49804 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDQ=` |\n| External program + invite-only | @security-test-ep-invite-only | 49805 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDU=` |\n\nConsequences of Complying with This Policy\n===============\nWe will not pursue civil action or initiate a complaint to law enforcement for accidental, good faith violations of this policy. We consider activities conducted consistent with this policy to constitute “authorized” conduct under the Computer Fraud and Abuse Act (CFAA). 
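The Node IDs in the program-state table above, and the GraphQL IDs in the object-identifier table earlier on this page, are base64 encodings of GlobalID-style URIs of the form `gid://hackerone/<Class>/<id>`. Decoding one confirms which object a proof of concept actually touches; re-encoding builds the ID of the counterpart object (for example the invite-only test program) before you swap it into a request. The Python below is an added example written for this page, not HackerOne's code: it decodes and re-encodes these IDs, checks every row of both tables for a mismatch between Node ID and numeric ID, and applies the sandbox-versus-invite-only rule from the false-positive section to a caller-supplied `probe` callable, which is an assumption standing in for whatever request you are testing. The rows are copied from the tables on this page.

```python
from __future__ import annotations

import base64
import re
from typing import Callable, Iterable, List, NamedTuple, Tuple

# Rows copied from the two identifier tables on this page: (node ID, class, numeric ID).
POLICY_OBJECTS: List[Tuple[str, str, int]] = [
    ("Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDY=", "Team", 49806),  # @security-test-sandbox
    ("Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDc=", "Team", 49807),  # @security-test-invite-only
    ("Z2lkOi8vaGFja2Vyb25lL1RlYW0vMTM=", "Team", 13),         # @security
    ("Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDM=", "Team", 49803),  # @security-test-ep
    ("Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDQ=", "Team", 49804),  # @security-test-ep-sandbox
    ("Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDU=", "Team", 49805),  # @security-test-ep-invite-only
    ("Z2lkOi8vaGFja2Vyb25lL1N0cnVjdHVyZWRTY29wZS81ODU3OQ==", "StructuredScope", 58579),
    ("Z2lkOi8vaGFja2Vyb25lL1N0cnVjdHVyZWRTY29wZS8xMDA1Nzg=", "StructuredScope", 100578),
]

SANDBOX_TEAM_ID = 49806      # @security-test-sandbox, from the table above
INVITE_ONLY_TEAM_ID = 49807  # @security-test-invite-only, from the table above

# Only this exact layout is accepted; anything else is reported, not guessed.
GID_RE = re.compile(r"^gid://hackerone/([A-Za-z]+)/([0-9]+)$")


class NodeRef(NamedTuple):
    cls: str
    num: int


def decode_node_id(node_id: str) -> NodeRef:
    """Turn an opaque GraphQL node ID into (class, numeric id).

    Raises ValueError for anything that is not valid base64 or does not
    decode to gid://hackerone/<Class>/<id>, so a mangled ID in a report
    or a copy/paste error in a table fails loudly instead of silently.
    """
    try:
        raw = base64.b64decode(node_id, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError) as exc:
        raise ValueError(f"not a base64 GlobalID: {node_id!r}") from exc
    match = GID_RE.match(raw)
    if match is None:
        raise ValueError(f"unexpected GlobalID layout: {raw!r}")
    return NodeRef(match.group(1), int(match.group(2)))


def encode_node_id(cls: str, num: int) -> str:
    """Inverse of decode_node_id: build the node ID to place in a PoC request."""
    uri = f"gid://hackerone/{cls}/{num}"
    return base64.b64encode(uri.encode("ascii")).decode("ascii")


def verify_table(rows: Iterable[Tuple[str, str, int]]) -> List[str]:
    """Report every row whose node ID does not decode to its stated class/ID."""
    problems = []
    for node_id, cls, num in rows:
        try:
            ref = decode_node_id(node_id)
        except ValueError as exc:
            problems.append(str(exc))
            continue
        if ref != NodeRef(cls, num):
            problems.append(
                f"{node_id}: decodes to {ref.cls}/{ref.num} but table says {cls}/{num}"
            )
    return problems


def invite_only_distinguishable(probe: Callable[[str], object]) -> bool:
    """Apply the page's rule for 'existence of invite-only programs'.

    `probe` (caller-supplied; an assumption in this example) takes a node ID
    and returns whatever the suspected leak exposes: a status code, a response
    length, a field value. The same request is made for the sandbox and the
    invite-only test program; only a difference between the two is reportable.
    An identical observation means the behaviour is a false positive.
    """
    sandbox = probe(encode_node_id("Team", SANDBOX_TEAM_ID))
    invite_only = probe(encode_node_id("Team", INVITE_ONLY_TEAM_ID))
    return sandbox != invite_only


if __name__ == "__main__":
    for node_id, cls, num in POLICY_OBJECTS:
        print(f"{node_id:<52} -> {decode_node_id(node_id)}")
    print("table problems:", verify_table(POLICY_OBJECTS) or "none")
```

When a PoC needs an `ID` argument for a query or mutation, compute it with `encode_node_id` rather than hand-editing the base64, and keep the swap within one class (Team to Team, StructuredScope to StructuredScope); the table check is what catches a transposed digit before the wrong object ends up in a report.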
We will not bring a DMCA claim against you for circumventing the technological measures we have used to protect the applications in scope.\n\nIf legal action is initiated by a third party against you in connection with your participation in our program, and you have complied with HackerOne’s bug bounty policy, HackerOne will take steps to make it known that your actions were conducted in compliance with this policy.\n\nPlease submit a HackerOne report to us before engaging in conduct that may be inconsistent with or unaddressed by this policy.\n\n{F285265}\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2022-01-11T22:38:02.630Z"},{"id":3662993,"new_policy":"We've built HackerOne from the ground up with [security as our top priority](https://www.hackerone.com/trust). Even so, we believe that all technology contains bugs and that the public plays a crucial role in identifying these bugs. If you believe you've found a security bug in our service, we'll gladly work with you to resolve that issue and ensure you are fairly compensated for your discovery.\n\nWe're constantly seeking to improve. If you have any questions on our security or suggestions on how HackerOne could be improved, please [let us know](https://support.hackerone.com/hc/en-us/requests/new).\n\n**🎄Important holiday notice**: we have a reduced number of available staff for our bug bounty program from December 20th through January 3rd. Responses may take longer than usual. Thanks for everybody's continued contributions and we welcome you to continue to submit security vulnerabilities to us over the holidays. 
Happy holidays and happy hacking!\n\n**💬Important for reporting functional bugs**: if you are looking to report a non-security-related bug in HackerOne, please [submit here](https://support.hackerone.com/hc/en-us/requests/new) instead.\n\nHackerOne program sandbox\n===============\nHackerOne offers a sandbox for hackers to help them test program functionality for security vulnerabilities. To create a program, go [here](https://hackerone.com/teams/new/sandbox). You can select any product edition, giving you access to almost all features HackerOne offers. Hackers can create up to 30 programs in the sandbox. It is currently not possible to invite program members to new programs in the sandbox.\n\nEligibility and Responsible Disclosure\n===============\nWe encourage and respect the hacker community and ask that you act in good faith when working with us. Please abide by the following when participating in our program:\n\n - **Follow the Vulnerability Disclosure Guidelines.** As our platform lays out, please read and follow the [Vulnerability Disclosure Guidelines](https://www.hackerone.com/disclosure-guidelines).\n - **Respect all our users' privacy.** HackerOne is a community that holds a lot of information, and we count on you to help keep everyone safe. Limit testing to accounts you own and do not impact other users on HackerOne. If you do encounter any user data or program data, including but not limited to usernames, passwords, or vulnerability information, please report it to us immediately and stop testing right away.\n - **Bend, but not break.** When testing use the minimal possible POC to validate a vulnerability; in cases when it may impact systems or users, ask permission first. 
No matter the case, do not damage or leave a system in a more vulnerable state than when you uncovered it.\n - Vulnerabilities that disclose the existence of a launched private HackerOne program (not a \"sandboxed\" or demo program) will be considered Low severity, whereas previously they would be considered Medium severity. Depending on the information that is disclosed, the team may increase the severity.\n\nPublic disclosure\n===============\nWe believe in transparency about our security, so any valid vulnerabilities discovered are always [publicly disclosed](/security/hacktivity) once confirmed and resolved.\n\nProviding Evidence\n===============\n\nIf you are unsure if you will access others' information, please file a report and ask if you should proceed. In a situation where you have an account takeover of a HackerOne employee, please notify our team by [using this form](/report-a-security-incident). This page is only available from the compromised HackerOne employee account.\n\nBest Practices or Hardening\n===============\n\nOn occasion you may discover something that is not a vulnerability but we will make appropriate code changes for hardening or to implement some best practices. In these situations, when HackerOne decides to put a change in place we will resolve the report giving the reporter credit, but will not award a bounty. In the case where we do not make a change, our practice will be to close it as Informative.\n\nScope Exclusions\n===============\nThe following categories of reports are considered out of scope for our program and will not be rewarded:\n\n - **Temporarily out of scope as of June 12, 2020**: any vulnerability affecting the availability of HackerOne's systems (e.g. Denial of Service vulnerabilities).\n - Reports which target a lack of host header validation or that exploit [multiple forward slashes](https://hackerone.com/reports/52035) at the root of the path segment of a URL. 
Both of these issues are known to both us and Cloudflare, and their resolution is outside our control.\n - Spamming other users with automated HackerOne emails or notifications (e.g. abusing the forgot password form).\n - Reports which [enumerate already claimed user and program handles](https://hackerone.com/reports/29185). This reveals no sensitive information, regardless of whether the associated profiles are public or private.\n - Reports which involve constructing a markdown link in such a way that it may appear confusing in the external link warning interstitial page, despite being properly decoded and fully enclosed in the demarcated \"External link\" box.\n - Reports relating to the execution of CSV content by a third-party client application due to special treatment of certain characters in the exported CSV.\n - Reports relating to invitation expiration dates.\n - Reports relating to self-DoS issues (as in, only the person doing the action is denied service).\n - The ability to game the badges functionality by closing submissions reported by yourself or a team member in a verified program.\n - The ability to influence reputation/signal/impact via socially engineering a program's team members.\n - Reports which disclose the existence of private programs that are using SAML.\n - Open redirect vulnerabilities that do not demonstrate a clear impact, such as sending secret tokens to an arbitrary domain.\n - The ability to see a user's rank when they're not ranked in the top 100. The rank is expected to be accessible by everyone.\n\n# Common false positives\nFalse positives will be closed as *Not Applicable*. This section will describe tactics to make sure the behavior you're observing isn't a false positive.\n\n### Existence of invite-only programs\nHackerOne has six different program states that are important to understand: sandbox, invite-only, public, external program, external program + sandbox, and external program + invite-only. 
It is **only** a valid vulnerability when there is a difference between the sandbox and invite-only programs. It is **not** a vulnerability when you can't distinguish a sandboxed program from an invite-only program. You can use the following example program handles for your tests.\n\n| Program state | Program handle | ID | Node ID |\n| ----- | ----- | ----- | ----- |\n| Sandbox | @security-test-sandbox | 49806 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDY=` |\n| Invite-only | @security-test-invite-only | 49807 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDc=` |\n| Public | @security | 13 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vMTM=` |\n| External program | @security-test-ep | 49803 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDM=` |\n| External program + sandbox | @security-test-ep-sandbox | 49804 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDQ=` |\n| External program + invite-only | @security-test-ep-invite-only | 49805 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDU=` |\n\nConsequences of Complying with This Policy\n===============\nWe will not pursue civil action or initiate a complaint to law enforcement for accidental, good faith violations of this policy. We consider activities conducted consistent with this policy to constitute “authorized” conduct under the Computer Fraud and Abuse Act (CFAA). 
We will not bring a DMCA claim against you for circumventing the technological measures we have used to protect the applications in scope.\n\nIf legal action is initiated by a third party against you in connection with your participation in our program, and you have complied with HackerOne’s bug bounty policy, HackerOne will take steps to make it known that your actions were conducted in compliance with this policy.\n\nPlease submit a HackerOne report to us before engaging in conduct that may be inconsistent with or unaddressed by this policy.\n\n{F285265}\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-12-14T13:01:42.828Z"},{"id":3662947,"new_policy":"We've built HackerOne from the ground up with [security as our top priority](https://www.hackerone.com/trust). Even so, we believe that all technology contains bugs and that the public plays a crucial role in identifying these bugs. If you believe you've found a security bug in our service, we'll gladly work with you to resolve that issue and ensure you are fairly compensated for your discovery.\n\nWe're constantly seeking to improve. If you have any questions on our security or suggestions on how HackerOne could be improved, please [let us know](https://support.hackerone.com/hc/en-us/requests/new).\n\n**🎄Important holiday notice**: we have a reduced number of available staff for our bug bounty program from December 20th through January 3rd. Responses may take longer than usual. Thanks for everybody's continued contributions and we welcome you to continue to submit security vulnerabilities to us over the holidays. 
Happy holidays and happy hacking!\n\n**💬Important for reporting functional bugs**: if you are looking to report a non-security-related bug in HackerOne, please [submit here](https://support.hackerone.com/hc/en-us/requests/new) instead.\n\nHackerOne program sandbox\n===============\nHackerOne offers a sandbox for hackers to help them test program functionality for security vulnerabilities. To create a program, go [here](https://hackerone.com/teams/new/sandbox). You can select any product edition, giving you access to almost all features HackerOne offers. Hackers can create up to 30 programs in the sandbox. It is currently not possible to invite program members to new programs in the sandbox.\n\nEligibility and Responsible Disclosure\n===============\nWe encourage and respect the hacker community and ask that you act in good faith when working with us. Please abide by the following when participating in our program:\n\n - **Follow the Vulnerability Disclosure Guidelines.** As our platform lays out, please read and follow the [Vulnerability Disclosure Guidelines](https://www.hackerone.com/disclosure-guidelines).\n - **Respect all our users' privacy.** HackerOne is a community that holds a lot of information, and we count on you to help keep everyone safe. Limit testing to accounts you own and do not impact other users on HackerOne. If you do encounter any user data or program data, including but not limited to usernames, passwords, or vulnerability information, please report it to us immediately and stop testing right away.\n - **Bend, but not break.** When testing use the minimal possible POC to validate a vulnerability; in cases when it may impact systems or users, ask permission first. 
No matter the case, do not damage or leave a system in a more vulnerable state than when you uncovered it.\n - Vulnerabilities that disclose the existence of a launched private HackerOne program (not a \"sandboxed\" or demo program) will be considered Low severity, whereas previously they would be considered Medium severity. Depending on the information that is disclosed, the team may increase the severity.\n\nPublic disclosure\n===============\nWe believe in transparency about our security, so any valid vulnerabilities discovered are always [publicly disclosed](/security/hacktivity) once confirmed and resolved.\n\nProviding Evidence\n===============\n\nIf you are unsure if you will access others' information, please file a report and ask if you should proceed. In a situation where you have an account takeover of a HackerOne employee, please notify our team by [using this form](/report-a-security-incident). This page is only available from the compromised HackerOne employee account.\n\nBest Practices or Hardening\n===============\n\nOn occasion you may discover something that is not a vulnerability but we will make appropriate code changes for hardening or to implement some best practices. In these situations, when HackerOne decides to put a change in place we will resolve the report giving the reporter credit, but will not award a bounty. In the case where we do not make a change, our practice will be to close it as Informative.\n\nScope Exclusions\n===============\nThe following categories of reports are considered out of scope for our program and will not be rewarded:\n\n - **Temporarily out of scope as of June 12, 2020**: any vulnerability affecting the availability of HackerOne's systems (e.g. Denial of Service vulnerabilities).\n - Reports which target a lack of host header validation or that exploit [multiple forward slashes](https://hackerone.com/reports/52035) at the root of the path segment of a URL. 
Both of these issues are known to both us and Cloudflare, and their resolution is outside our control.\n - Spamming other users with automated HackerOne emails or notifications (e.g. abusing the forgot password form).\n - Reports which [enumerate already claimed user and program handles](https://hackerone.com/reports/29185). This reveals no sensitive information, regardless of whether the associated profiles are public or private.\n - Reports which involve constructing a markdown link in such a way that it may appear confusing in the external link warning interstitial page, despite being properly decoded and fully enclosed in the demarcated \"External link\" box.\n - Reports relating to the execution of CSV content by a third-party client application due to special treatment of certain characters in the exported CSV.\n - Reports relating to invitation expiration dates.\n - Reports relating to self-DoS issues (as in, only the person doing the action is denied service).\n - The ability to game the badges functionality by closing submissions reported by yourself or a team member in a verified program.\n - The ability to influence reputation/signal/impact via socially engineering a program's team members.\n - Reports which disclose the existence of private programs that are using SAML.\n - Open redirect vulnerabilities that do not demonstrate a clear impact, such as sending secret tokens to an arbitrary domain.\n - The ability to see a user's rank when they're not ranked in the top 100. The rank is expected to be accessible by everyone.\n\n# Common false positives\nFalse positives will be closed as *Not Applicable*. This section will describe tactics to make sure the behavior you're observing isn't a false positive.\n\n### Existence of invite-only programs\nHackerOne has six different program states that are important to understand: sandbox, invite-only, public, external program, external program + sandbox, and external program + invite-only. 
It is **only** a valid vulnerability when there is a difference between the sandbox and invite-only programs. It is **not** a vulnerability when you can't distinguish a sandboxed program from an invite-only program. You can use the following example program handles for your tests.\n\n| Program state | Program handle | ID | Node ID |\n| ----- | ----- | ----- | ----- |\n| Sandbox | @security-test-sandbox | 49806 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDY=` |\n| Invite-only | @security-test-invite-only | 49807 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDc=` |\n| Public | @security | 13 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vMTM=` |\n| External program | @security-test-ep | 49803 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDM=` |\n| External program + sandbox | @security-test-ep-sandbox | 49804 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDQ=` |\n| External program + invite-only | @security-test-ep-invite-only | 49805 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDU=` |\n\nConsequences of Complying with This Policy\n===============\nWe will not pursue civil action or initiate a complaint to law enforcement for accidental, good faith violations of this policy. We consider activities conducted consistent with this policy to constitute “authorized” conduct under the Computer Fraud and Abuse Act (CFAA). 
We will not bring a DMCA claim against you for circumventing the technological measures we have used to protect the applications in scope.\n\nIf legal action is initiated by a third party against you in connection with your participation in our program, and you have complied with HackerOne’s bug bounty policy, HackerOne will take steps to make it known that your actions were conducted in compliance with this policy.\n\nPlease submit a HackerOne report to us before engaging in conduct that may be inconsistent with or unaddressed by this policy.\n\n{F285265}\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-12-13T17:08:12.101Z"},{"id":3662247,"new_policy":"We've built HackerOne from the ground up with [security as our top priority](https://www.hackerone.com/trust). Even so, we believe that all technology contains bugs and that the public plays a crucial role in identifying these bugs. If you believe you've found a security bug in our service, we'll gladly work with you to resolve that issue and ensure you are fairly compensated for your discovery.\n\nWe're constantly seeking to improve. If you have any questions on our security or suggestions on how HackerOne could be improved, please [let us know](https://support.hackerone.com/hc/en-us/requests/new).\n\n**💬Important for reporting functional bugs**: if you are looking to report a non-security-related bug in HackerOne, please [submit here](https://support.hackerone.com/hc/en-us/requests/new) instead.\n\nHackerOne program sandbox\n===============\nHackerOne offers a sandbox for hackers to help them test program functionality for security vulnerabilities. To create a program, go [here](https://hackerone.com/teams/new/sandbox). 
You can select any product edition, giving you access to almost all features HackerOne offers. Hackers can create up to 30 programs in the sandbox. It is currently not possible to invite program members to new programs in the sandbox.\n\nEligibility and Responsible Disclosure\n===============\nWe encourage and respect the hacker community and ask that you act in good faith when working with us. Please abide by the following when participating in our program:\n\n - **Follow the Vulnerability Disclosure Guidelines.** As our platform lays out, please read and follow the [Vulnerability Disclosure Guidelines](https://www.hackerone.com/disclosure-guidelines).\n - **Respect all our users' privacy.** HackerOne is a community that holds a lot of information, and we count on you to help keep everyone safe. Limit testing to accounts you own and do not impact other users on HackerOne. If you do encounter any user data or program data, including but not limited to usernames, passwords, or vulnerability information, please report it to us immediately and stop testing right away.\n - **Bend, but not break.** When testing use the minimal possible POC to validate a vulnerability; in cases when it may impact systems or users, ask permission first. No matter the case, do not damage or leave a system in a more vulnerable state than when you uncovered it.\n - Vulnerabilities that disclose the existence of a launched private HackerOne program (not a \"sandboxed\" or demo program) will be considered Low severity, whereas previously they would be considered Medium severity. 
Depending on the information that is disclosed, the team may increase the severity.\n\nPublic disclosure\n===============\nWe believe in transparency about our security, so any valid vulnerabilities discovered are always [publicly disclosed](/security/hacktivity) once confirmed and resolved.\n\nProviding Evidence\n===============\n\nIf you are unsure if you will access others' information, please file a report and ask if you should proceed. In a situation where you have an account takeover of a HackerOne employee, please notify our team by [using this form](/report-a-security-incident). This page is only available from the compromised HackerOne employee account.\n\nBest Practices or Hardening\n===============\n\nOn occasion you may discover something that is not a vulnerability but we will make appropriate code changes for hardening or to implement some best practices. In these situations, when HackerOne decides to put a change in place we will resolve the report giving the reporter credit, but will not award a bounty. In the case where we do not make a change, our practice will be to close it as Informative.\n\nScope Exclusions\n===============\nThe following categories of reports are considered out of scope for our program and will not be rewarded:\n\n - **Temporarily out of scope as of June 12, 2020**: any vulnerability affecting the availability of HackerOne's systems (e.g. Denial of Service vulnerabilities).\n - Reports which target a lack of host header validation or that exploit [multiple forward slashes](https://hackerone.com/reports/52035) at the root of the path segment of a URL. Both of these issues are known to both us and Cloudflare, and their resolution is outside our control.\n - Spamming other users with automated HackerOne emails or notifications (e.g. abusing the forgot password form).\n - Reports which [enumerate already claimed user and program handles](https://hackerone.com/reports/29185). 
This reveals no sensitive information, regardless of whether the associated profiles are public or private.\n - Reports which involve constructing a markdown link in such a way that it may appear confusing in the external link warning interstitial page, despite being properly decoded and fully enclosed in the demarcated \"External link\" box.\n - Reports relating to the execution of CSV content by a third-party client application due to special treatment of certain characters in the exported CSV.\n - Reports relating to invitation expiration dates.\n - Reports relating to self-DoS issues (as in, only the person doing the action is denied service).\n - The ability to game the badges functionality by closing submissions reported by yourself or a team member in a verified program.\n - The ability to influence reputation/signal/impact via socially engineering a program's team members.\n - Reports which disclose the existence of private programs that are using SAML.\n - Open redirect vulnerabilities that do not demonstrate a clear impact, such as sending secret tokens to an arbitrary domain.\n - The ability to see a user's rank when they're not ranked in the top 100. The rank is expected to be accessible by everyone.\n\n# Common false positives\nFalse positives will be closed as *Not Applicable*. This section will describe tactics to make sure the behavior you're observing isn't a false positive.\n\n### Existence of invite-only programs\nHackerOne has six different program states that are important to understand: sandbox, invite-only, public, external program, external program + sandbox, and external program + invite-only. It is **only** a valid vulnerability when there is a difference between the sandbox and invite-only programs. It is **not** a vulnerability when you can't distinguish a sandboxed program from an invite-only program. 
You can use the following example program handles for your tests.\n\n| Program state | Program handle | ID | Node ID |\n| ----- | ----- | ----- | ----- |\n| Sandbox | @security-test-sandbox | 49806 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDY=` |\n| Invite-only | @security-test-invite-only | 49807 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDc=` |\n| Public | @security | 13 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vMTM=` |\n| External program | @security-test-ep | 49803 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDM=` |\n| External program + sandbox | @security-test-ep-sandbox | 49804 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDQ=` |\n| External program + invite-only | @security-test-ep-invite-only | 49805 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDU=` |\n\nConsequences of Complying with This Policy\n===============\nWe will not pursue civil action or initiate a complaint to law enforcement for accidental, good faith violations of this policy. We consider activities conducted consistent with this policy to constitute “authorized” conduct under the Computer Fraud and Abuse Act (CFAA). 
We will not bring a DMCA claim against you for circumventing the technological measures we have used to protect the applications in scope.\n\nIf legal action is initiated by a third party against you in connection with your participation in our program, and you have complied with HackerOne’s bug bounty policy, HackerOne will take steps to make it known that your actions were conducted in compliance with this policy.\n\nPlease submit a HackerOne report to us before engaging in conduct that may be inconsistent with or unaddressed by this policy.\n\n{F285265}\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-11-29T15:25:08.144Z"},{"id":3647450,"new_policy":"We've built HackerOne from the ground up with [security as our top priority](https://www.hackerone.com/trust). Even so, we believe that all technology contains bugs and that the public plays a crucial role in identifying these bugs. If you believe you've found a security bug in our service, we'll gladly work with you to resolve that issue and ensure you are fairly compensated for your discovery.\n\nWe're constantly seeking to improve. If you have any questions on our security or suggestions on how HackerOne could be improved, please [let us know](https://support.hackerone.com/hc/en-us/requests/new).\n\n**💬Important for reporting functional bugs**: if you are looking to report a non-security-related bug in HackerOne, please [submit here](https://support.hackerone.com/hc/en-us/requests/new) instead.\n\nHackerOne program sandbox\n===============\nHackerOne offers a sandbox for hackers to help them test program functionality for security vulnerabilities. To create a program, go [here](https://hackerone.com/teams/new/sandbox). 
You can select any product edition, giving you access to almost all features HackerOne offers. Hackers can create up to 30 programs in the sandbox. It is currently not possible to invite program members to new programs in the sandbox.\n\nEligibility and Responsible Disclosure\n===============\nWe encourage and respect the hacker community and ask that you act in good faith when working with us. Please abide by the following when participating in our program:\n\n - **Follow the Vulnerability Disclosure Guidelines.** As our platform lays out, please read and follow the [Vulnerability Disclosure Guidelines](https://www.hackerone.com/disclosure-guidelines).\n - **Respect all our users' privacy.** HackerOne is a community that holds a lot of information, and we count on you to help keep everyone safe. Limit testing to accounts you own and do not impact other users on HackerOne. If you do encounter any user data or program data, including but not limited to usernames, passwords, or vulnerability information, please report it to us immediately and stop testing right away.\n - **Bend, but not break.** When testing, use the minimal possible POC to validate a vulnerability; in cases when it may impact systems or users, ask permission first. No matter the case, do not damage or leave a system in a more vulnerable state than when you uncovered it.\n - Vulnerabilities that disclose the existence of a launched private HackerOne program (not a \"sandboxed\" or demo program) will be considered Low severity, whereas previously they would be considered Medium severity. 
Depending on the information that is disclosed, the team may increase the severity.\n\nPublic disclosure\n===============\nWe believe in transparency about our security, so any valid vulnerabilities discovered are always [publicly disclosed](/security/hacktivity) once confirmed and resolved.\n\nProviding Evidence\n===============\n\nIf you are unsure if you will access others' information, please file a report and ask if you should proceed. In a situation where you have an account takeover of a HackerOne employee, please notify our team by [using this form](/report-a-security-incident). This page is only available from the compromised HackerOne employee account.\n\nBest Practices or Hardening\n===============\n\nOn occasion you may discover something that is not a vulnerability but we will make appropriate code changes for hardening or to implement some best practices. In these situations, when HackerOne decides to put a change in place we will resolve the report giving the reporter credit, but will not award a bounty. In the case where we do not make a change, our practice will be to close it as Informative.\n\nScope Exclusions\n===============\nThe following categories of reports are considered out of scope for our program and will not be rewarded:\n\n - **Temporarily out of scope as of June 12, 2020**: any vulnerability affecting the availability of HackerOne's systems (e.g. Denial of Service vulnerabilities).\n - Reports which target a lack of host header validation or that exploit [multiple forward slashes](https://hackerone.com/reports/52035) at the root of the path segment of a URL. Both of these issues are known to both us and Cloudflare, and their resolution is outside our control.\n - Spamming other users with automated HackerOne emails or notifications (e.g. abusing the forgot password form).\n - Reports which [enumerate already claimed user and program handles](https://hackerone.com/reports/29185). 
This reveals no sensitive information, regardless of whether the associated profiles are public or private.\n - Reports which involve constructing a markdown link in such a way that it may appear confusing in the external link warning interstitial page, despite being properly decoded and fully enclosed in the demarcated \"External link\" box.\n - Reports relating to the execution of CSV content by a third-party client application due to special treatment of certain characters in the exported CSV.\n - Reports relating to invitation expiration dates.\n - Reports relating to self-DoS issues (as in, only the person doing the action is denied service).\n - Reports relating to missing rate limiting of [our API](https://api.hackerone.com/). We intentionally made this design decision to learn how people use our API. We plan to implement a rate limit in the future.\n - The ability to game the badges functionality by closing submissions reported by yourself or a team member in a verified program.\n - The ability to influence reputation/signal/impact via socially engineering a program's team members.\n - Reports which disclose the existence of private programs that are using SAML.\n - Open redirect vulnerabilities that do not demonstrate a clear impact, such as sending secret tokens to an arbitrary domain.\n - The ability to see a user's rank when they're not ranked in the top 100. The rank is expected to be accessible by everyone.\n\n# Common false positives\nFalse positives will be closed as *Not Applicable*. This section will describe tactics to make sure the behavior you're observing isn't a false positive.\n\n### Existence of invite-only programs\nHackerOne has six different program states that are important to understand: sandbox, invite-only, public, external program, external program + sandbox, and external program + invite-only. It is **only** a valid vulnerability when there is a difference between the sandbox and invite-only programs. 
It is **not** a vulnerability when you can't distinguish a sandboxed program from an invite-only program. You can use the following example program handles for your tests.\n\n| Program state | Program handle | ID | Node ID |\n| ----- | ----- | ----- | ----- |\n| Sandbox | @security-test-sandbox | 49806 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDY=` |\n| Invite-only | @security-test-invite-only | 49807 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDc=` |\n| Public | @security | 13 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vMTM=` |\n| External program | @security-test-ep | 49803 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDM=` |\n| External program + sandbox | @security-test-ep-sandbox | 49804 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDQ=` |\n| External program + invite-only | @security-test-ep-invite-only | 49805 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDU=`\n\nConsequences of Complying with This Policy\n===============\nWe will not pursue civil action or initiate a complaint to law enforcement for accidental, good faith violations of this policy. We consider activities conducted consistent with this policy to constitute “authorized” conduct under the Computer Fraud and Abuse Act (CFAA). 
We will not bring a DMCA claim against you for circumventing the technological measures we have used to protect the applications in scope.\n\nIf legal action is initiated by a third party against you in connection with your participation in our program, and you have complied with HackerOne’s bug bounty policy, HackerOne will take steps to make it known that your actions were conducted in compliance with this policy.\n\nPlease submit a HackerOne report to us before engaging in conduct that may be inconsistent with or unaddressed by this policy.\n\n{F285265}\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-01-04T16:22:11.744Z"},{"id":3646995,"new_policy":"We've built HackerOne from the ground up with [security as our top priority](https://www.hackerone.com/trust). Even so, we believe that all technology contains bugs and that the public plays a crucial role in identifying these bugs. If you believe you've found a security bug in our service, we'll gladly work with you to resolve that issue and ensure you are fairly compensated for your discovery.\n\nWe're constantly seeking to improve. If you have any questions on our security or suggestions on how HackerOne could be improved, please [let us know](https://support.hackerone.com/hc/en-us/requests/new).\n\n**🎄Important holiday notice**: we have a reduced number of available staff for our bug bounty program from December 18th through January 4th. Responses may take longer than usual. Thanks for everybody's continued contributions and we welcome you to continue to submit security vulnerabilities to us over the holidays. 
Happy holidays and happy hacking!\n\n**💬Important for reporting functional bugs**: if you are looking to report a non-security-related bug in HackerOne, please [submit here](https://support.hackerone.com/hc/en-us/requests/new) instead.\n\nHackerOne program sandbox\n===============\nHackerOne offers a sandbox for hackers to help them test program functionality for security vulnerabilities. To create a program, go [here](https://hackerone.com/teams/new/sandbox). You can select any product edition, giving you access to almost all features HackerOne offers. Hackers can create up to 30 programs in the sandbox. It is currently not possible to invite program members to new programs in the sandbox.\n\nEligibility and Responsible Disclosure\n===============\nWe encourage and respect the hacker community and ask that you act in good faith when working with us. Please abide by the following when participating in our program:\n\n - **Follow the Vulnerability Disclosure Guidelines.** As our platform lays out, please read and follow the [Vulnerability Disclosure Guidelines](https://www.hackerone.com/disclosure-guidelines).\n - **Respect all our users' privacy.** HackerOne is a community that holds a lot of information, and we count on you to help keep everyone safe. Limit testing to accounts you own and do not impact other users on HackerOne. If you do encounter any user data or program data, including but not limited to usernames, passwords, or vulnerability information, please report it to us immediately and stop testing right away.\n - **Bend, but not break.** When testing use the minimal possible POC to validate a vulnerability; in cases when it may impact systems or users, ask permission first. 
No matter the case, do not damage or leave a system in a more vulnerable state than when you uncovered it.\n - Vulnerabilities that disclose the existence of a launched private HackerOne program (not a \"sandboxed\" or demo program) will be considered Low severity, whereas previously they would be considered Medium severity. Depending on the information that is disclosed, the team may increase the severity.\n\nPublic disclosure\n===============\nWe believe in transparency about our security, so any valid vulnerabilities discovered are always [publicly disclosed](/security/hacktivity) once confirmed and resolved.\n\nProviding Evidence\n===============\n\nIf you are unsure if you will access others' information, please file a report and ask if you should proceed. In a situation where you have an account takeover of a HackerOne employee, please notify our team by [using this form](/report-a-security-incident). This page is only available from the compromised HackerOne employee account.\n\nBest Practices or Hardening\n===============\n\nOn occasion you may discover something that is not a vulnerability but we will make appropriate code changes for hardening or to implement some best practices. In these situations, when HackerOne decides to put a change in place we will resolve the report giving the reporter credit, but will not award a bounty. In the case where we do not make a change, our practice will be to close it as Informative.\n\nScope Exclusions\n===============\nThe following categories of reports are considered out of scope for our program and will not be rewarded:\n\n - **Temporarily out of scope as of June 12, 2020**: any vulnerability affecting the availability of HackerOne's systems (e.g. Denial of Service vulnerabilities).\n - Reports which target a lack of host header validation or that exploit [multiple forward slashes](https://hackerone.com/reports/52035) at the root of the path segment of a URL. 
Both of these issues are known to both us and Cloudflare, and their resolution is outside our control.\n - Spamming other users with automated HackerOne emails or notifications (e.g. abusing the forgot password form).\n - Reports which [enumerate already claimed user and program handles](https://hackerone.com/reports/29185). This reveals no sensitive information, regardless of whether the associated profiles are public or private.\n - Reports which involve constructing a markdown link in such a way that it may appear confusing in the external link warning interstitial page, despite being properly decoded and fully enclosed in the demarcated \"External link\" box.\n - Reports relating to the execution of CSV content by a third-party client application due to special treatment of certain characters in the exported CSV.\n - Reports relating to invitation expiration dates.\n - Reports relating to self-DoS issues (as in, only the person doing the action is denied service).\n - Reports relating to missing rate limiting of [our API](https://api.hackerone.com/). We intentionally made this design decision to learn how people use our API. We plan to implement a rate limit in the future.\n - The ability to game the badges functionality by closing submissions reported by yourself or a team member in a verified program.\n - The ability to influence reputation/signal/impact via socially engineering a program's team members.\n - Reports which disclose the existence of private programs that are using SAML.\n - Open redirect vulnerabilities that do not demonstrate a clear impact, such as sending secret tokens to an arbitrary domain.\n - The ability to see a user's rank when they're not ranked in the top 100. The rank is expected to be accessible by everyone.\n\n# Common false positives\nFalse positives will be closed as *Not Applicable*. 
This section will describe tactics to make sure the behavior you're observing isn't a false positive.\n\n### Existence of invite-only programs\nHackerOne has six different program states that are important to understand: sandbox, invite-only, public, external program, external program + sandbox, and external program + invite-only. It is **only** a valid vulnerability when there is a difference between the sandbox and invite-only programs. It is **not** a vulnerability when you can't distinguish a sandboxed program from an invite-only program. You can use the following example program handles for your tests.\n\n| Program state | Program handle | ID | Node ID |\n| ----- | ----- | ----- | ----- |\n| Sandbox | @security-test-sandbox | 49806 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDY=` |\n| Invite-only | @security-test-invite-only | 49807 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDc=` |\n| Public | @security | 13 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vMTM=` |\n| External program | @security-test-ep | 49803 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDM=` |\n| External program + sandbox | @security-test-ep-sandbox | 49804 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDQ=` |\n| External program + invite-only | @security-test-ep-invite-only | 49805 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDU=`\n\nConsequences of Complying with This Policy\n===============\nWe will not pursue civil action or initiate a complaint to law enforcement for accidental, good faith violations of this policy. We consider activities conducted consistent with this policy to constitute “authorized” conduct under the Computer Fraud and Abuse Act (CFAA). 
We will not bring a DMCA claim against you for circumventing the technological measures we have used to protect the applications in scope.\n\nIf legal action is initiated by a third party against you in connection with your participation in our program, and you have complied with HackerOne’s bug bounty policy, HackerOne will take steps to make it known that your actions were conducted in compliance with this policy.\n\nPlease submit a HackerOne report to us before engaging in conduct that may be inconsistent with or unaddressed by this policy.\n\n{F285265}\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-12-17T22:27:22.455Z"},{"id":3640655,"new_policy":"We've built HackerOne from the ground up with [security as our top priority](https://www.hackerone.com/trust). Even so, we believe that all technology contains bugs and that the public plays a crucial role in identifying these bugs. If you believe you've found a security bug in our service, we'll gladly work with you to resolve that issue and ensure you are fairly compensated for your discovery.\n\nWe're constantly seeking to improve. If you have any questions on our security or suggestions on how HackerOne could be improved, please [let us know](https://support.hackerone.com/hc/en-us/requests/new).\n\n**💬Important for reporting functional bugs**: if you are looking to report a non-security-related bug in HackerOne, please [submit here](https://support.hackerone.com/hc/en-us/requests/new) instead.\n\nHackerOne program sandbox\n===============\nHackerOne offers a sandbox for hackers to help them test program functionality for security vulnerabilities. To create a program, go [here](https://hackerone.com/teams/new/sandbox). 
You can select any product edition, giving you access to almost all features HackerOne offers. Hackers can create up to 30 programs in the sandbox. It is currently not possible to invite program members to new programs in the sandbox.\n\nEligibility and Responsible Disclosure\n===============\nWe encourage and respect the hacker community and ask that you act in good faith when working with us. Please abide by the following when participating in our program:\n\n - **Follow the Vulnerability Disclosure Guidelines.** As our platform lays out, please read and follow the [Vulnerability Disclosure Guidelines](https://www.hackerone.com/disclosure-guidelines).\n - **Respect all our users' privacy.** HackerOne is a community that holds a lot of information, and we count on you to help keep everyone safe. Limit testing to accounts you own and do not impact other users on HackerOne. If you do encounter any user data or program data, including but not limited to usernames, passwords, or vulnerability information, please report it to us immediately and stop testing right away.\n - **Bend, but not break.** When testing, use the minimal possible POC to validate a vulnerability; in cases when it may impact systems or users, ask permission first. No matter the case, do not damage or leave a system in a more vulnerable state than when you uncovered it.\n - Vulnerabilities that disclose the existence of a launched private HackerOne program (not a \"sandboxed\" or demo program) will be considered Low severity, whereas previously they would be considered Medium severity. 
Depending on the information that is disclosed, the team may increase the severity.\n\nPublic disclosure\n===============\nWe believe in transparency about our security, so any valid vulnerabilities discovered are always [publicly disclosed](/security/hacktivity) once confirmed and resolved.\n\nProviding Evidence\n===============\n\nIf you are unsure if you will access others' information, please file a report and ask if you should proceed. In a situation where you have an account takeover of a HackerOne employee, please notify our team by [using this form](/report-a-security-incident). This page is only available from the compromised HackerOne employee account.\n\nBest Practices or Hardening\n===============\n\nOn occasion you may discover something that is not a vulnerability but we will make appropriate code changes for hardening or to implement some best practices. In these situations, when HackerOne decides to put a change in place we will resolve the report giving the reporter credit, but will not award a bounty. In the case where we do not make a change, our practice will be to close it as Informative.\n\nScope Exclusions\n===============\nThe following categories of reports are considered out of scope for our program and will not be rewarded:\n\n - **Temporarily out of scope as of June 12, 2020**: any vulnerability affecting the availability of HackerOne's systems (e.g. Denial of Service vulnerabilities).\n - Reports which target a lack of host header validation or that exploit [multiple forward slashes](https://hackerone.com/reports/52035) at the root of the path segment of a URL. Both of these issues are known to both us and Cloudflare, and their resolution is outside our control.\n - Spamming other users with automated HackerOne emails or notifications (e.g. abusing the forgot password form).\n - Reports which [enumerate already claimed user and program handles](https://hackerone.com/reports/29185). 
This reveals no sensitive information, regardless of whether the associated profiles are public or private.\n - Reports which involve constructing a markdown link in such a way that it may appear confusing in the external link warning interstitial page, despite being properly decoded and fully enclosed in the demarcated \"External link\" box.\n - Reports relating to the execution of CSV content by a third-party client application due to special treatment of certain characters in the exported CSV.\n - Reports relating to invitation expiration dates.\n - Reports relating to self-DoS issues (as in, only the person doing the action is denied service).\n - Reports relating to missing rate limiting of [our API](https://api.hackerone.com/). We intentionally made this design decision to learn how people use our API. We plan to implement a rate limit in the future.\n - The ability to game the badges functionality by closing submissions reported by yourself or a team member in a verified program.\n - The ability to influence reputation/signal/impact via socially engineering a program's team members.\n - Reports which disclose the existence of private programs that are using SAML.\n - Open redirect vulnerabilities that do not demonstrate a clear impact, such as sending secret tokens to an arbitrary domain.\n - The ability to see a user's rank when they're not ranked in the top 100. The rank is expected to be accessible by everyone.\n\n# Common false positives\nFalse positives will be closed as *Not Applicable*. This section will describe tactics to make sure the behavior you're observing isn't a false positive.\n\n### Existence of invite-only programs\nHackerOne has six different program states that are important to understand: sandbox, invite-only, public, external program, external program + sandbox, and external program + invite-only. It is **only** a valid vulnerability when there is a difference between the sandbox and invite-only programs. 
It is **not** a vulnerability when you can't distinguish a sandboxed program from an invite-only program. You can use the following example program handles for your tests.\n\n| Program state | Program handle | ID | Node ID |\n| ----- | ----- | ----- | ----- |\n| Sandbox | @security-test-sandbox | 49806 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDY=` |\n| Invite-only | @security-test-invite-only | 49807 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDc=` |\n| Public | @security | 13 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vMTM=` |\n| External program | @security-test-ep | 49803 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDM=` |\n| External program + sandbox | @security-test-ep-sandbox | 49804 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDQ=` |\n| External program + invite-only | @security-test-ep-invite-only | 49805 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDU=`\n\nConsequences of Complying with This Policy\n===============\nWe will not pursue civil action or initiate a complaint to law enforcement for accidental, good faith violations of this policy. We consider activities conducted consistent with this policy to constitute “authorized” conduct under the Computer Fraud and Abuse Act (CFAA). 
We will not bring a DMCA claim against you for circumventing the technological measures we have used to protect the applications in scope.\n\nIf legal action is initiated by a third party against you in connection with your participation in our program, and you have complied with HackerOne’s bug bounty policy, HackerOne will take steps to make it known that your actions were conducted in compliance with this policy.\n\nPlease submit a HackerOne report to us before engaging in conduct that may be inconsistent with or unaddressed by this policy.\n\n{F285265}\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-07-29T17:14:13.498Z"},{"id":3640654,"new_policy":"We've built HackerOne from the ground up with [security as our top priority](https://www.hackerone.com/trust). Even so, we believe that all technology contains bugs and that the public plays a crucial role in identifying these bugs. If you believe you've found a security bug in our service, we'll gladly work with you to resolve that issue and ensure you are fairly compensated for your discovery.\n\nWe're constantly seeking to improve. If you have any questions on our security or suggestions on how HackerOne could be improved, please [let us know](https://support.hackerone.com/hc/en-us/requests/new).\n\n**💬Important for reporting functional bugs**: if you are looking to report a non-security-related bug in HackerOne, please [submit here](https://support.hackerone.com/hc/en-us/requests/new) instead.\n\nHackerOne program sandbox\n===============\nHackerOne offers a sandbox for hackers to help them test program functionality for security vulnerabilities. To create a program, go [here](https://hackerone.com/teams/new/sandbox). 
You can select any product edition, giving you access to almost all features HackerOne offers. Hackers can create up to 30 programs in the sandbox. It is currently not possible to invite program members to new programs in the sandbox.\n\nEligibility and Responsible Disclosure\n===============\nWe encourage and respect the hacker community and ask that you act in good faith when working with us. Please abide by the following when participating in our program:\n\n - **Follow the Vulnerability Disclosure Guidelines.** As our platform lays out, please read and follow the [Vulnerability Disclosure Guidelines](https://www.hackerone.com/disclosure-guidelines).\n - **Respect all our users' privacy.** HackerOne is a community that holds a lot of information, and we count on you to help keep everyone safe. Limit testing to accounts you own and do not impact other users on HackerOne. If you do encounter any user data or program data, including but not limited to usernames, passwords, or vulnerability information, please report it to us immediately and stop testing right away.\n - **Bend, but not break.** When testing, use the minimal possible POC to validate a vulnerability; in cases when it may impact systems or users, ask permission first. No matter the case, do not damage or leave a system in a more vulnerable state than when you uncovered it.\n - Vulnerabilities that disclose the existence of a launched private HackerOne program (not a \"sandboxed\" or demo program) will be considered Low severity, whereas previously they would be considered Medium severity. 
Depending on the information that is disclosed, the team may increase the severity.\n\nPublic disclosure\n===============\nWe believe in transparency about our security, so any valid vulnerabilities discovered are always [publicly disclosed](/security/hacktivity) once confirmed and resolved.\n\nProviding Evidence\n===============\n\nIf you are unsure if you will access others' information, please file a report and ask if you should proceed. In a situation where you have an account takeover of a HackerOne employee, please notify our team by [using this form](/report-a-security-incident). This page is only available from the compromised HackerOne employee account.\n\nBest Practices or Hardening\n===============\n\nOn occasion you may discover something that is not a vulnerability but we will make appropriate code changes for hardening or to implement some best practices. In these situations, when HackerOne decides to put a change in place we will resolve the report giving the reporter credit, but will not award a bounty. In the case where we do not make a change, our practice will be to close it as Informative.\n\nScope Exclusions\n===============\nThe following categories of reports are considered out of scope for our program and will not be rewarded:\n\n - **Temporarily out of scope as of June 12, 2020**: any vulnerability affecting the availability of HackerOne's systems (e.g. Denial of Service vulnerabilities).\n - Reports which target a lack of host header validation or that exploit [multiple forward slashes](https://hackerone.com/reports/52035) at the root of the path segment of a URL. Both of these issues are known to both us and Cloudflare, and their resolution is outside our control.\n - Spamming other users with automated HackerOne emails or notifications (e.g. abusing the forgot password form).\n - Reports which [enumerate already claimed user and program handles](https://hackerone.com/reports/29185). 
This reveals no sensitive information, regardless of whether the associated profiles are public or private.\n - Reports which involve constructing a markdown link in such a way that it may appear confusing in the external link warning interstitial page, despite being properly decoded and fully enclosed in the demarcated \"External link\" box.\n - Reports relating to the execution of CSV content by a third-party client application due to special treatment of certain characters in the exported CSV.\n - Reports relating to invitation expiration dates.\n - Reports relating to self-DoS issues (as in, only the person doing the action is denied service).\n - Reports relating to missing rate limiting of [our API](https://api.hackerone.com/). We intentionally made this design decision to learn how people use our API. We plan to implement a rate limit in the future.\n - The ability to game the badges functionality by closing submissions reported by yourself or a team member in a verified program.\n - The ability to influence reputation/signal/impact via socially engineering a program's team members.\n - Reports which disclose the existence of private programs that are using SAML.\n - Open redirect vulnerabilities that do not demonstrate a clear impact, such as sending secret tokens to an arbitrary domain.\n - The ability to see a user's rank when they're not ranked in the top 100. The rank is expected to be accessible by everyone.\n\n# Common false positives\nFalse positives will be closed as *Not Applicable*. This section will describe tactics to make sure the behavior you're observing isn't a false positive.\n\n### Existence of invite-only programs\nHackerOne has six different program states that are important to understand: sandbox, invite-only, public, external program, external program + sandbox, and external program + invite-only. It is **only** a valid vulnerability when there is a difference between the sandbox and invite-only programs. 
It is **not** a vulnerability when you can't distinguish a sandboxed program from an invite-only program. You can use the following example program handles for your tests.\n\n| Program state | Program handle | ID | Node ID |\n| ----- | ----- | ----- | ----- |\n| Sandbox | @security-test-sandbox | 49806 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDY=` |\n| Invite-only | @security-test-invite-only | 49807 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDc=` |\n| Public | @security | 13 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vMTM=` |\n| External program | @security-test-ep | 49803 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDM=` |\n| External program + sandbox | @security-test-ep-sandbox | 49804 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDQ=` |\n| External program + invite-only | @security-test-ep-invite-only | 49805 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDU=`\n\nConsequences of Complying with This Policy\n===============\nWe will not pursue civil action or initiate a complaint to law enforcement for accidental, good faith violations of this policy. We consider activities conducted consistent with this policy to constitute “authorized” conduct under the Computer Fraud and Abuse Act (CFAA). 
We will not bring a DMCA claim against you for circumventing the technological measures we have used to protect the applications in scope.\n\nIf legal action is initiated by a third party against you in connection with your participation in our program, and you have complied with HackerOne’s bug bounty policy, HackerOne will take steps to make it known that your actions were conducted in compliance with this policy.\n\nPlease submit a HackerOne report to us before engaging in conduct that may be inconsistent with or unaddressed by this policy.\n\n{F285265}\n\nflag{read_the_freaking_scope}\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-07-29T17:13:55.196Z"},{"id":3640002,"new_policy":"We've built HackerOne from the ground up with [security as our top priority](https://www.hackerone.com/trust). Even so, we believe that all technology contains bugs and that the public plays a crucial role in identifying these bugs. If you believe you've found a security bug in our service, we'll gladly work with you to resolve that issue and ensure you are fairly compensated for your discovery.\n\nWe're constantly seeking to improve. If you have any questions on our security or suggestions on how HackerOne could be improved, please [let us know](https://support.hackerone.com/hc/en-us/requests/new).\n\n**💬Important for reporting functional bugs**: if you are looking to report a non-security-related bug in HackerOne, please [submit here](https://support.hackerone.com/hc/en-us/requests/new) instead.\n\nHackerOne program sandbox\n===============\nHackerOne offers a sandbox for hackers to help them test program functionality for security vulnerabilities. To create a program, go [here](https://hackerone.com/teams/new/sandbox). 
You can select any product edition, giving you access to almost all features HackerOne offers. Hackers can create up to 30 programs in the sandbox. It is currently not possible to invite program members to new programs in the sandbox.\n\nEligibility and Responsible Disclosure\n===============\nWe encourage and respect the hacker community and ask that you act in good faith when working with us. Please abide by the following when participating in our program:\n\n - **Follow the Vulnerability Disclosure Guidelines.** As our platform lays out, please read and follow the [Vulnerability Disclosure Guidelines](https://www.hackerone.com/disclosure-guidelines).\n - **Respect all our users' privacy.** HackerOne is a community that holds a lot of information, and we count on you to help keep everyone safe. Limit testing to accounts you own and do not impact other users on HackerOne. If you do encounter any user data or program data, including but not limited to usernames, passwords, or vulnerability information, please report it to us immediately and stop testing right away.\n - **Bend, but not break.** When testing, use the minimal possible POC to validate a vulnerability; in cases when it may impact systems or users, ask permission first. No matter the case, do not damage or leave a system in a more vulnerable state than when you uncovered it.\n - Vulnerabilities that disclose the existence of a launched private HackerOne program (not a \"sandboxed\" or demo program) will be considered Low severity, whereas previously they would be considered Medium severity. 
Depending on the information that is disclosed, the team may increase the severity.\n\nPublic disclosure\n===============\nWe believe in transparency about our security, so any valid vulnerabilities discovered are always [publicly disclosed](/security/hacktivity) once confirmed and resolved.\n\nProviding Evidence\n===============\n\nIf you are unsure if you will access others' information, please file a report and ask if you should proceed. In a situation where you have an account takeover of a HackerOne employee, please notify our team by [using this form](/report-a-security-incident). This page is only available from the compromised HackerOne employee account.\n\nBest Practices or Hardening\n===============\n\nOn occasion you may discover something that is not a vulnerability but we will make appropriate code changes for hardening or to implement some best practices. In these situations, when HackerOne decides to put a change in place we will resolve the report giving the reporter credit, but will not award a bounty. In the case where we do not make a change, our practice will be to close it as Informative.\n\nScope Exclusions\n===============\nThe following categories of reports are considered out of scope for our program and will not be rewarded:\n\n - **Temporarily out of scope as of June 12, 2020**: any vulnerability affecting the availability of HackerOne's systems (e.g. Denial of Service vulnerabilities).\n - Reports which target a lack of host header validation or that exploit [multiple forward slashes](https://hackerone.com/reports/52035) at the root of the path segment of a URL. Both of these issues are known to both us and Cloudflare, and their resolution is outside our control.\n - Spamming other users with automated HackerOne emails or notifications (e.g. abusing the forgot password form).\n - Reports which [enumerate already claimed user and program handles](https://hackerone.com/reports/29185). 
This reveals no sensitive information, regardless of whether the associated profiles are public or private.\n - Reports which involve constructing a markdown link in such a way that it may appear confusing in the external link warning interstitial page, despite being properly decoded and fully enclosed in the demarcated \"External link\" box.\n - Reports relating to the execution of CSV content by a third-party client application due to special treatment of certain characters in the exported CSV.\n - Reports relating to invitation expiration dates.\n - Reports relating to self-DoS issues (as in, only the person doing the action is denied service).\n - Reports relating to missing rate limiting of [our API](https://api.hackerone.com/). We intentionally made this design decision to learn how people use our API. We plan to implement a rate limit in the future.\n - The ability to game the badges functionality by closing submissions reported by yourself or a team member in a verified program.\n - The ability to influence reputation/signal/impact via socially engineering a program's team members.\n - Reports which disclose the existence of private programs that are using SAML.\n - Open redirect vulnerabilities that do not demonstrate a clear impact, such as sending secret tokens to an arbitrary domain.\n - The ability to see a user's rank when they're not ranked in the top 100. The rank is expected to be accessible by everyone.\n\n# Common false positives\nFalse positives will be closed as *Not Applicable*. This section will describe tactics to make sure the behavior you're observing isn't a false positive.\n\n### Existence of invite-only programs\nHackerOne has six different program states that are important to understand: sandbox, invite-only, public, external program, external program + sandbox, and external program + invite-only. It is **only** a valid vulnerability when there is a difference between the sandbox and invite-only programs. 
It is **not** a vulnerability when you can't distinguish a sandboxed program from an invite-only program. You can use the following example program handles for your tests.\n\n| Program state | Program handle | ID | Node ID |\n| ----- | ----- | ----- | ----- |\n| Sandbox | @security-test-sandbox | 49806 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDY=` |\n| Invite-only | @security-test-invite-only | 49807 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDc=` |\n| Public | @security | 13 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vMTM=` |\n| External program | @security-test-ep | 49803 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDM=` |\n| External program + sandbox | @security-test-ep-sandbox | 49804 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDQ=` |\n| External program + invite-only | @security-test-ep-invite-only | 49805 | `Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDU=`\n\nConsequences of Complying with This Policy\n===============\nWe will not pursue civil action or initiate a complaint to law enforcement for accidental, good faith violations of this policy. We consider activities conducted consistent with this policy to constitute “authorized” conduct under the Computer Fraud and Abuse Act (CFAA). 
We will not bring a DMCA claim against you for circumventing the technological measures we have used to protect the applications in scope.\n\nIf legal action is initiated by a third party against you in connection with your participation in our program, and you have complied with HackerOne’s bug bounty policy, HackerOne will take steps to make it known that your actions were conducted in compliance with this policy.\n\nPlease submit a HackerOne report to us before engaging in conduct that may be inconsistent with or unaddressed by this policy.\n\n{F285265}\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-07-22T23:13:50.314Z"},{"id":3639926,"new_policy":"We've built HackerOne from the ground up with [security as our top priority](https://www.hackerone.com/trust). Even so, we believe that all technology contains bugs and that the public plays a crucial role in identifying these bugs. If you believe you've found a security bug in our service, we'll gladly work with you to resolve that issue and ensure you are fairly compensated for your discovery.\n\nWe're constantly seeking to improve. If you have any questions on our security or suggestions on how HackerOne could be improved, please [let us know](https://support.hackerone.com/hc/en-us/requests/new).\n\n**💬Important for reporting functional bugs**: if you are looking to report a non-security-related bug in HackerOne, please [submit here](https://support.hackerone.com/hc/en-us/requests/new) instead.\n\nHackerOne program sandbox\n===============\nHackerOne offers a sandbox for hackers to help them test program functionality for security vulnerabilities. To create a program, go [here](https://hackerone.com/teams/new/sandbox). 
You can select any product edition, giving you access to almost all features HackerOne offers. Hackers can create up to 30 programs in the sandbox. It is currently not possible to invite program members to new programs in the sandbox.\n\nEligibility and Responsible Disclosure\n===============\nWe encourage and respect the hacker community and ask that you act in good faith when working with us. Please abide by the following when participating in our program:\n\n - **Follow the Vulnerability Disclosure Guidelines.** As our platform lays out, please read and follow the [Vulnerability Disclosure Guidelines](https://www.hackerone.com/disclosure-guidelines).\n - **Respect all our users' privacy.** HackerOne is a community that holds a lot of information, and we count on you to help keep everyone safe. Limit testing to accounts you own and do not impact other users on HackerOne. If you do encounter any user data or program data, including but not limited to usernames, passwords, or vulnerability information, please report it to us immediately and stop testing right away.\n - **Bend, but not break.** When testing, use the minimal possible POC to validate a vulnerability; in cases when it may impact systems or users, ask permission first. No matter the case, do not damage or leave a system in a more vulnerable state than when you uncovered it.\n - Vulnerabilities that disclose the existence of a launched private HackerOne program (not a \"sandboxed\" or demo program) will be considered Low severity, whereas previously they would be considered Medium severity. 
Depending on the information that is disclosed, the team may increase the severity.\n\nPublic disclosure\n===============\nWe believe in transparency about our security, so any valid vulnerabilities discovered are always [publicly disclosed](/security/hacktivity) once confirmed and resolved.\n\nProviding Evidence\n===============\n\nIf you are unsure if you will access others' information, please file a report and ask if you should proceed. In a situation where you have an account takeover of a HackerOne employee, please notify our team by [using this form](/report-a-security-incident). This page is only available from the compromised HackerOne employee account.\n\nBest Practices or Hardening\n===============\n\nOn occasion you may discover something that is not a vulnerability but we will make appropriate code changes for hardening or to implement some best practices. In these situations, when HackerOne decides to put a change in place we will resolve the report giving the reporter credit, but will not award a bounty. In the case where we do not make a change, our practice will be to close it as Informative.\n\nScope Exclusions\n===============\nThe following categories of reports are considered out of scope for our program and will not be rewarded:\n\n - **Temporarily out of scope as of June 12, 2020**: any vulnerability affecting the availability of HackerOne's systems (e.g. Denial of Service vulnerabilities).\n - Reports which target a lack of host header validation or that exploit [multiple forward slashes](https://hackerone.com/reports/52035) at the root of the path segment of a URL. Both of these issues are known to both us and Cloudflare, and their resolution is outside our control.\n - Spamming other users with automated HackerOne emails or notifications (e.g. abusing the forgot password form).\n - Reports which [enumerate already claimed user and program handles](https://hackerone.com/reports/29185). 
This reveals no sensitive information, regardless of whether the associated profiles are public or private.\n - Reports which involve constructing a markdown link in such a way that it may appear confusing in the external link warning interstitial page, despite being properly decoded and fully enclosed in the demarcated \"External link\" box.\n - Reports relating to the execution of CSV content by a third-party client application due to special treatment of certain characters in the exported CSV.\n - Reports relating to invitation expiration dates.\n - Reports relating to self-DoS issues (as in, only the person doing the action is denied service).\n - Reports relating to missing rate limiting of [our API](https://api.hackerone.com/). We intentionally made this design decision to learn how people use our API. We plan to implement a rate limit in the future.\n - The ability to game the badges functionality by closing submissions reported by yourself or a team member in a verified program.\n - The ability to influence reputation/signal/impact via socially engineering a program's team members.\n - Reports which disclose the existence of private programs that are using SAML.\n - Open redirect vulnerabilities that do not demonstrate a clear impact, such as sending secret tokens to an arbitrary domain.\n - The ability to see a user's rank when they're not ranked in the top 100. The rank is expected to be accessible by everyone.\n\n# Common false positives\nFalse positives will be closed as *Not Applicable*. This section will describe tactics to make sure the behavior you're observing isn't a false positive.\n\n### Existence of invite-only programs\nHackerOne has six different program states that are important to understand: sandbox, invite-only, public, external program, external program + sandbox, and external program + invite-only. It is **only** a valid vulnerability when there is a difference between the sandbox and invite-only programs. 
It is **not** a vulnerability when you can't distinguish a sandboxed program from an invite-only program. You can use the following example program handles for your tests.\n\n| Program state | Program handle |\n| ----- | ----- |\n| Sandbox | @security-test-sandbox |\n| Invite-only | @security-test-invite-only |\n| Public | @security |\n| External program | @security-test-ep |\n| External program + sandbox | @security-test-ep-sandbox |\n| External program + invite-only | @security-test-ep-invite-only |\n\nConsequences of Complying with This Policy\n===============\nWe will not pursue civil action or initiate a complaint to law enforcement for accidental, good faith violations of this policy. We consider activities conducted consistent with this policy to constitute “authorized” conduct under the Computer Fraud and Abuse Act (CFAA). We will not bring a DMCA claim against you for circumventing the technological measures we have used to protect the applications in scope.\n\nIf legal action is initiated by a third party against you in connection with your participation in our program, and you have complied with HackerOne’s bug bounty policy, HackerOne will take steps to make it known that your actions were conducted in compliance with this policy.\n\nPlease submit a HackerOne report to us before engaging in conduct that may be inconsistent with or unaddressed by this policy.\n\n{F285265}\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-07-21T18:33:42.081Z"},{"id":3639814,"new_policy":"We've built HackerOne from the ground up with [security as our top priority](https://www.hackerone.com/trust). Even so, we believe that all technology contains bugs and that the public plays a crucial role in identifying these bugs. 
If you believe you've found a security bug in our service, we'll gladly work with you to resolve that issue and ensure you are fairly compensated for your discovery.\n\nWe're constantly seeking to improve. If you have any questions on our security or suggestions on how HackerOne could be improved, please [let us know](https://support.hackerone.com/hc/en-us/requests/new).\n\n**💬Important for reporting functional bugs**: if you are looking to report a non-security-related bug in HackerOne, please [submit here](https://support.hackerone.com/hc/en-us/requests/new) instead.\n\nHackerOne program sandbox\n===============\nHackerOne offers a sandbox for hackers to help them test program functionality for security vulnerabilities. To create a program, go [here](https://hackerone.com/teams/new/sandbox). You can select any product edition, giving you access to almost all features HackerOne offers. Hackers can create up to 30 programs in the sandbox. It is currently not possible to invite program members to new programs in the sandbox.\n\nEligibility and Responsible Disclosure\n===============\nWe encourage and respect the hacker community and ask that you act in good faith when working with us. Please abide by the following when participating in our program:\n\n - **Follow the Vulnerability Disclosure Guidelines.** As our platform lays out, please read and follow the [Vulnerability Disclosure Guidelines](https://www.hackerone.com/disclosure-guidelines).\n - **Respect all our users' privacy.** HackerOne is a community that holds a lot of information, and we count on you to help keep everyone safe. Limit testing to accounts you own and do not impact other users on HackerOne. 
If you do encounter any user data or program data, including but not limited to usernames, passwords, or vulnerability information, please report it to us immediately and stop testing right away.\n - **Bend, but not break.** When testing, use the minimal possible POC to validate a vulnerability; in cases when it may impact systems or users, ask permission first. No matter the case, do not damage or leave a system in a more vulnerable state than when you uncovered it.\n - Vulnerabilities that disclose the existence of a launched private HackerOne program (not a \"sandboxed\" or demo program) will be considered Low severity, whereas previously they would be considered Medium severity. Depending on the information that is disclosed, the team may increase the severity.\n\nPublic disclosure\n===============\nWe believe in transparency about our security, so any valid vulnerabilities discovered are always [publicly disclosed](/security/hacktivity) once confirmed and resolved.\n\nProviding Evidence\n===============\n\nIf you are unsure if you will access others' information, please file a report and ask if you should proceed. In a situation where you have an account takeover of a HackerOne employee, please notify our team by [using this form](/report-a-security-incident). This page is only available from the compromised HackerOne employee account.\n\nBest Practices or Hardening\n===============\n\nOn occasion you may discover something that is not a vulnerability but we will make appropriate code changes for hardening or to implement some best practices. In these situations, when HackerOne decides to put a change in place we will resolve the report giving the reporter credit, but will not award a bounty. 
In the case where we do not make a change, our practice will be to close it as Informative.\n\nScope Exclusions\n===============\nThe following categories of reports are considered out of scope for our program and will not be rewarded:\n\n - **Temporarily out of scope as of June 12, 2020**: any vulnerability affecting the availability of HackerOne's systems (e.g. Denial of Service vulnerabilities).\n - Reports which target a lack of host header validation or that exploit [multiple forward slashes](https://hackerone.com/reports/52035) at the root of the path segment of a URL. Both of these issues are known to both us and Cloudflare, and their resolution is outside our control.\n - Spamming other users with automated HackerOne emails or notifications (e.g. abusing the forgot password form).\n - Reports which [enumerate already claimed user and program handles](https://hackerone.com/reports/29185). This reveals no sensitive information, regardless of whether the associated profiles are public or private.\n - Reports which involve constructing a markdown link in such a way that it may appear confusing in the external link warning interstitial page, despite being properly decoded and fully enclosed in the demarcated \"External link\" box.\n - Reports relating to the execution of CSV content by a third-party client application due to special treatment of certain characters in the exported CSV.\n - Reports relating to invitation expiration dates.\n - Reports relating to self-DoS issues (as in, only the person doing the action is denied service).\n - Reports relating to missing rate limiting of [our API](https://api.hackerone.com/). We intentionally made this design decision to learn how people use our API. 
We plan to implement a rate limit in the future.\n - The ability to game the badges functionality by closing submissions reported by yourself or a team member in a verified program.\n - The ability to influence reputation/signal/impact via socially engineering a program's team members.\n - Reports which disclose the existence of private programs that are using SAML.\n - Open redirect vulnerabilities that do not demonstrate a clear impact, such as sending secret tokens to an arbitrary domain.\n - The ability to see a user's rank when they're not ranked in the top 100. The rank is expected to be accessible by everyone.\n\nConsequences of Complying with This Policy\n===============\nWe will not pursue civil action or initiate a complaint to law enforcement for accidental, good faith violations of this policy. We consider activities conducted consistent with this policy to constitute “authorized” conduct under the Computer Fraud and Abuse Act (CFAA). We will not bring a DMCA claim against you for circumventing the technological measures we have used to protect the applications in scope.\n\nIf legal action is initiated by a third party against you in connection with your participation in our program, and you have complied with HackerOne’s bug bounty policy, HackerOne will take steps to make it known that your actions were conducted in compliance with this policy.\n\nPlease submit a HackerOne report to us before engaging in conduct that may be inconsistent with or unaddressed by this policy.\n\n{F285265}\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-07-20T22:06:16.903Z"},{"id":3639321,"new_policy":"We've built HackerOne from the ground up with [security as our top priority](https://www.hackerone.com/trust). 
Even so, we believe that all technology contains bugs and that the public plays a crucial role in identifying these bugs. If you believe you've found a security bug in our service, we'll gladly work with you to resolve that issue and ensure you are fairly compensated for your discovery.\n\nWe're constantly seeking to improve. If you have any questions on our security or suggestions on how HackerOne could be improved, please [let us know](https://support.hackerone.com/hc/en-us/requests/new).\n\n**💬Important for reporting functional bugs**: if you are looking to report a non-security-related bug in HackerOne, please [submit here](https://support.hackerone.com/hc/en-us/requests/new) instead.\n\n🔥 Helpful reconnaissance data\n===============\nHackerOne is providing everybody with useful information that may help you find more security vulnerabilities in our systems. You can find all the information in [this repository](https://github.com/Hacker0x01/helpful-recon-data). It contains all endpoints on HackerOne.com, our GraphQL schema, and an un-minified version of our JavaScript for easier debugging. We're planning to update the information regularly to give you insight into new features we're building and give you faster access to new attack surface.\n\nHackerOne program sandbox\n===============\nHackerOne offers a sandbox for hackers to help them test program functionality for security vulnerabilities. To create a program, go [here](https://hackerone.com/teams/new/sandbox). You can select any product edition, giving you access to almost all features HackerOne offers. Hackers can create up to 30 programs in the sandbox. It is currently not possible to invite program members to new programs in the sandbox. \n\nEligibility and Responsible Disclosure\n===============\nWe encourage and respect the hacker community and ask that you act in good faith when working with us. 
Please abide by the following when participating in our program:\n\n - **Follow the Vulnerability Disclosure Guidelines.** As our platform lays out, please read and follow the [Vulnerability Disclosure Guidelines](https://www.hackerone.com/disclosure-guidelines).\n - **Respect all our users' privacy.** HackerOne is a community that holds a lot of information, and we count on you to help keep everyone safe. Limit testing to accounts you own and do not impact other users on HackerOne. If you do encounter any user data or program data, including but not limited to usernames, passwords, or vulnerability information, please report it to us immediately and stop testing right away.\n - **Bend, but not break.** When testing, use the minimal possible POC to validate a vulnerability; in cases when it may impact systems or users, ask permission first. No matter the case, do not damage or leave a system in a more vulnerable state than when you uncovered it.\n - Vulnerabilities that disclose the existence of a launched private HackerOne program (not a \"sandboxed\" or demo program) will be considered Low severity, whereas previously they would be considered Medium severity. Depending on the information that is disclosed, the team may increase the severity.\n\nPublic disclosure\n===============\nWe believe in transparency about our security, so any valid vulnerabilities discovered are always [publicly disclosed](/security/hacktivity) once confirmed and resolved.\n\nProviding Evidence\n===============\n\nIf you are unsure if you will access others' information, please file a report and ask if you should proceed. In a situation where you have an account takeover of a HackerOne employee, please notify our team by [using this form](/report-a-security-incident). 
This page is only available from the compromised HackerOne employee account.\n\nBest Practices or Hardening\n===============\n\nOn occasion you may discover something that is not a vulnerability but we will make appropriate code changes for hardening or to implement some best practices. In these situations, when HackerOne decides to put a change in place we will resolve the report giving the reporter credit, but will not award a bounty. In the case where we do not make a change, our practice will be to close it as Informative.\n\nScope Exclusions\n===============\nThe following categories of reports are considered out of scope for our program and will not be rewarded:\n\n - **Temporarily out of scope as of June 12, 2020**: any vulnerability affecting the availability of HackerOne's systems (e.g. Denial of Service vulnerabilities).\n - Reports which target a lack of host header validation or that exploit [multiple forward slashes](https://hackerone.com/reports/52035) at the root of the path segment of a URL. Both of these issues are known to both us and Cloudflare, and their resolution is outside our control.\n - Spamming other users with automated HackerOne emails or notifications (e.g. abusing the forgot password form).\n - Reports which [enumerate already claimed user and program handles](https://hackerone.com/reports/29185). 
This reveals no sensitive information, regardless of whether the associated profiles are public or private.\n - Reports which involve constructing a markdown link in such a way that it may appear confusing in the external link warning interstitial page, despite being properly decoded and fully enclosed in the demarcated \"External link\" box.\n - Reports relating to the execution of CSV content by a third-party client application due to special treatment of certain characters in the exported CSV.\n - Reports relating to invitation expiration dates.\n - Reports relating to self-DoS issues (as in, only the person doing the action is denied service).\n - Reports relating to missing rate limiting of [our API](https://api.hackerone.com/). We intentionally made this design decision to learn how people use our API. We plan to implement a rate limit in the future.\n - The ability to game the badges functionality by closing submissions reported by yourself or a team member in a verified program.\n - The ability to influence reputation/signal/impact via socially engineering a program's team members.\n - Reports which disclose the existence of private programs that are using SAML.\n - Open redirect vulnerabilities that do not demonstrate a clear impact, such as sending secret tokens to an arbitrary domain.\n - The ability to see a user's rank when they're not ranked in the top 100. The rank is expected to be accessible by everyone.\n\nConsequences of Complying with This Policy\n===============\nWe will not pursue civil action or initiate a complaint to law enforcement for accidental, good faith violations of this policy. We consider activities conducted consistent with this policy to constitute “authorized” conduct under the Computer Fraud and Abuse Act (CFAA). 
We will not bring a DMCA claim against you for circumventing the technological measures we have used to protect the applications in scope.\n\nIf legal action is initiated by a third party against you in connection with your participation in our program, and you have complied with HackerOne’s bug bounty policy, HackerOne will take steps to make it known that your actions were conducted in compliance with this policy.\n\nPlease submit a HackerOne report to us before engaging in conduct that may be inconsistent with or unaddressed by this policy.\n\n{F285265}\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-07-07T18:51:18.117Z"},{"id":3638501,"new_policy":"We've built HackerOne from the ground up with [security as our top priority](https://www.hackerone.com/trust). Even so, we believe that all technology contains bugs and that the public plays a crucial role in identifying these bugs. If you believe you've found a security bug in our service, we'll gladly work with you to resolve that issue and ensure you are fairly compensated for your discovery.\n\nWe're constantly seeking to improve. If you have any questions on our security or suggestions on how HackerOne could be improved, please [let us know](https://support.hackerone.com/hc/en-us/requests/new).\n\n**💬Important for reporting functional bugs**: if you are looking to report a non-security-related bug in HackerOne, please [submit here](https://support.hackerone.com/hc/en-us/requests/new) instead.\n\n🔥 Helpful reconnaissance data\n===============\nHackerOne is providing everybody with useful information that may help you find more security vulnerabilities in our systems. You can find all the information in [this repository](https://github.com/Hacker0x01/helpful-recon-data). 
It contains all endpoints on HackerOne.com, our GraphQL schema, and an un-minified version of our JavaScript for easier debugging. We're planning to update the information regularly to give you insight into new features we're building and give you faster access to new attack surface.\n\nHackerOne program sandbox\n===============\nHackerOne offers a sandbox for hackers to help them test program functionality for security vulnerabilities. To create a program, go [here](https://hackerone.com/teams/new/sandbox). You can select any product edition, giving you access to almost all features HackerOne offers. Hackers can create up to 30 programs in the sandbox. It is currently not possible to invite program members to new programs in the sandbox. \n\nEligibility and Responsible Disclosure\n===============\nWe encourage and respect the hacker community and ask that you act in good faith when working with us. Please abide by the following when participating in our program:\n\n - **Follow the Vulnerability Disclosure Guidelines.** As our platform lays out, please read and follow the [Vulnerability Disclosure Guidelines](https://www.hackerone.com/disclosure-guidelines).\n - **Respect all our users' privacy.** HackerOne is a community that holds a lot of information, and we count on you to help keep everyone safe. Limit testing to accounts you own and do not impact other users on HackerOne. If you do encounter any user data or program data, including but not limited to usernames, passwords, or vulnerability information, please report it to us immediately and stop testing right away.\n - **Bend, but not break.** When testing use the minimal possible POC to validate a vulnerability; in cases when it may impact systems or users, ask permission first. 
No matter the case, do not damage or leave a system in a more vulnerable state than when you uncovered it.\n - Vulnerabilities that disclose the existence of a private HackerOne program will be considered Low severity, whereas previously they would be considered Medium severity. Depending on the information that is disclosed, the team may increase the severity.\n\nPublic disclosure\n===============\nWe believe in transparency about our security, so any valid vulnerabilities discovered are always [publicly disclosed](/security/hacktivity) once confirmed and resolved.\n\nProviding Evidence\n===============\n\nIf you are unsure if you will access others' information, please file a report and ask if you should proceed. In a situation where you have an account takeover of a HackerOne employee, please notify our team by [using this form](/report-a-security-incident). This page is only available from the compromised HackerOne employee account.\n\nBest Practices or Hardening\n===============\n\nOn occasion you may discover something that is not a vulnerability but we will make appropriate code changes for hardening or to implement some best practices. In these situations, when HackerOne decides to put a change in place we will resolve the report giving the reporter credit, but will not award a bounty. In the case where we do not make a change, our practice will be to close it as Informative.\n\nScope Exclusions\n===============\nThe following categories of reports are considered out of scope for our program and will not be rewarded:\n\n - **Temporarily out of scope as of June 12, 2020**: any vulnerability affecting the availability of HackerOne's systems (e.g. Denial of Service vulnerabilities).\n - Reports which target a lack of host header validation or that exploit [multiple forward slashes](https://hackerone.com/reports/52035) at the root of the path segment of a URL. 
Both of these issues are known to both us and Cloudflare, and their resolution is outside our control.\n - Spamming other users with automated HackerOne emails or notifications (e.g. abusing the forgot password form).\n - Reports which [enumerate already claimed user and program handles](https://hackerone.com/reports/29185). This reveals no sensitive information, regardless of whether the associated profiles are public or private.\n - Reports which involve constructing a markdown link in such a way that it may appear confusing in the external link warning interstitial page, despite being properly decoded and fully enclosed in the demarcated \"External link\" box.\n - Reports relating to the execution of CSV content by a third-party client application due to special treatment of certain characters in the exported CSV.\n - Reports relating to invitation expiration dates.\n - Reports relating to self-DoS issues (as in, only the person doing the action is denied service).\n - Reports relating to missing rate limiting of [our API](https://api.hackerone.com/). We intentionally made this design decision to learn how people use our API. We plan to implement a rate limit in the future.\n - The ability to game the badges functionality by closing submissions reported by yourself or a team member in a verified program.\n - The ability to influence reputation/signal/impact via socially engineering a program's team members.\n - Reports which disclose the existence of private programs that are using SAML.\n - Open redirect vulnerabilities that do not demonstrate a clear impact, such as sending secret tokens to an arbitrary domain.\n - The ability to see a user's rank when they're not ranked in the top 100. The rank is expected to be accessible by everyone.\n\nConsequences of Complying with This Policy\n===============\nWe will not pursue civil action or initiate a complaint to law enforcement for accidental, good faith violations of this policy. 
We consider activities conducted consistent with this policy to constitute “authorized” conduct under the Computer Fraud and Abuse Act (CFAA). We will not bring a DMCA claim against you for circumventing the technological measures we have used to protect the applications in scope.\n\nIf legal action is initiated by a third party against you in connection with your participation in our program, and you have complied with HackerOne’s bug bounty policy, HackerOne will take steps to make it known that your actions were conducted in compliance with this policy.\n\nPlease submit a HackerOne report to us before engaging in conduct that may be inconsistent with or unaddressed by this policy.\n\n{F285265}\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-06-26T18:20:39.756Z"},{"id":3637289,"new_policy":"We've built HackerOne from the ground up with [security as our top priority](https://www.hackerone.com/trust). Even so, we believe that all technology contains bugs and that the public plays a crucial role in identifying these bugs. If you believe you've found a security bug in our service, we'll gladly work with you to resolve that issue and ensure you are fairly compensated for your discovery.\n\nWe're constantly seeking to improve. 
If you have any questions on our security or suggestions on how HackerOne could be improved, please [let us know](https://support.hackerone.com/hc/en-us/requests/new).\n\n**💬Important for reporting functional bugs**: if you are looking to report a non-security-related bug in HackerOne, please [submit here](https://support.hackerone.com/hc/en-us/requests/new) instead.\n\n🔥 Helpful reconnaissance data\n===============\nHackerOne is providing everybody with useful information that may help you find more security vulnerabilities in our systems. You can find all the information in [this repository](https://github.com/Hacker0x01/helpful-recon-data). It contains all endpoints on HackerOne.com, our GraphQL schema, and an un-minified version of our JavaScript for easier debugging. We're planning to update the information regularly to give you insight into new features we're building and give you faster access to new attack surface.\n\nHackerOne program sandbox\n===============\nHackerOne offers a sandbox for hackers to help them test program functionality for security vulnerabilities. To create a program, go [here](https://hackerone.com/teams/new/sandbox). You can select any product edition, giving you access to almost all features HackerOne offers. Hackers can create up to 30 programs in the sandbox. It is currently not possible to invite program members to new programs in the sandbox. \n\nEligibility and Responsible Disclosure\n===============\nWe encourage and respect the hacker community and ask that you act in good faith when working with us. Please abide by the following when participating in our program:\n\n - **Follow the Vulnerability Disclosure Guidelines.** As our platform lays out, please read and follow the [Vulnerability Disclosure Guidelines](https://www.hackerone.com/disclosure-guidelines).\n - **Respect all our users' privacy.** HackerOne is a community that holds a lot of information, and we count on you to help keep everyone safe. 
Limit testing to accounts you own and do not impact other users on HackerOne. If you do encounter any user data or program data, including but not limited to usernames, passwords, or vulnerability information, please report it to us immediately and stop testing right away.\n - **Bend, but not break.** When testing use the minimal possible POC to validate a vulnerability; in cases when it may impact systems or users, ask permission first. No matter the case, do not damage or leave a system in a more vulnerable state than when you uncovered it.\n\nPublic disclosure\n===============\nWe believe in transparency about our security, so any valid vulnerabilities discovered are always [publicly disclosed](/security/hacktivity) once confirmed and resolved.\n\nProviding Evidence\n===============\n\nIf you are unsure if you will access others' information, please file a report and ask if you should proceed. In a situation where you have an account takeover of a HackerOne employee, please notify our team by [using this form](/report-a-security-incident). This page is only available from the compromised HackerOne employee account.\n\nBest Practices or Hardening\n===============\n\nOn occasion you may discover something that is not a vulnerability but we will make appropriate code changes for hardening or to implement some best practices. In these situations, when HackerOne decides to put a change in place we will resolve the report giving the reporter credit, but will not award a bounty. In the case where we do not make a change, our practice will be to close it as Informative.\n\nScope Exclusions\n===============\nThe following categories of reports are considered out of scope for our program and will not be rewarded:\n\n - **Temporarily out of scope as of June 12, 2020**: any vulnerability affecting the availability of HackerOne's systems (e.g. 
Denial of Service vulnerabilities).\n - Reports which target a lack of host header validation or that exploit [multiple forward slashes](https://hackerone.com/reports/52035) at the root of the path segment of a URL. Both of these issues are known to both us and Cloudflare, and their resolution is outside our control.\n - Spamming other users with automated HackerOne emails or notifications (e.g. abusing the forgot password form).\n - Reports which [enumerate already claimed user and program handles](https://hackerone.com/reports/29185). This reveals no sensitive information, regardless of whether the associated profiles are public or private.\n - Reports which involve constructing a markdown link in such a way that it may appear confusing in the external link warning interstitial page, despite being properly decoded and fully enclosed in the demarcated \"External link\" box.\n - Reports relating to the execution of CSV content by a third-party client application due to special treatment of certain characters in the exported CSV.\n - Reports relating to invitation expiration dates.\n - Reports relating to self-DoS issues (as in, only the person doing the action is denied service).\n - Reports relating to missing rate limiting of [our API](https://api.hackerone.com/). We intentionally made this design decision to learn how people use our API. We plan to implement a rate limit in the future.\n - The ability to game the badges functionality by closing submissions reported by yourself or a team member in a verified program.\n - The ability to influence reputation/signal/impact via socially engineering a program's team members.\n - Reports which disclose the existence of private programs that are using SAML.\n - Open redirect vulnerabilities that do not demonstrate a clear impact, such as sending secret tokens to an arbitrary domain.\n - The ability to see a user's rank when they're not ranked in the top 100. 
The rank is expected to be accessible by everyone.\n\nConsequences of Complying with This Policy\n===============\nWe will not pursue civil action or initiate a complaint to law enforcement for accidental, good faith violations of this policy. We consider activities conducted consistent with this policy to constitute “authorized” conduct under the Computer Fraud and Abuse Act (CFAA). We will not bring a DMCA claim against you for circumventing the technological measures we have used to protect the applications in scope.\n\nIf legal action is initiated by a third party against you in connection with your participation in our program, and you have complied with HackerOne’s bug bounty policy, HackerOne will take steps to make it known that your actions were conducted in compliance with this policy.\n\nPlease submit a HackerOne report to us before engaging in conduct that may be inconsistent with or unaddressed by this policy.\n\n{F285265}\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-06-12T17:27:59.614Z"},{"id":3634567,"new_policy":"We've built HackerOne from the ground up with [security as our top priority](https://www.hackerone.com/trust). Even so, we believe that all technology contains bugs and that the public plays a crucial role in identifying these bugs. If you believe you've found a security bug in our service, we'll gladly work with you to resolve that issue and ensure you are fairly compensated for your discovery.\n\nWe're constantly seeking to improve. 
If you have any questions on our security or suggestions on how HackerOne could be improved, please [let us know](https://support.hackerone.com/hc/en-us/requests/new).\n\n**💬Important for reporting functional bugs**: if you are looking to report a non-security-related bug in HackerOne, please [submit here](https://support.hackerone.com/hc/en-us/requests/new) instead.\n\n🔥 Helpful reconnaissance data\n===============\nHackerOne is providing everybody with useful information that may help you find more security vulnerabilities in our systems. You can find all the information in [this repository](https://github.com/Hacker0x01/helpful-recon-data). It contains all endpoints on HackerOne.com, our GraphQL schema, and an un-minified version of our JavaScript for easier debugging. We're planning to update the information regularly to give you insight into new features we're building and give you faster access to new attack surface.\n\nHackerOne program sandbox\n===============\nHackerOne offers a sandbox for hackers to help them test program functionality for security vulnerabilities. To create a program, go [here](https://hackerone.com/teams/new/sandbox). You can select any product edition, giving you access to almost all features HackerOne offers. Hackers can create up to 30 programs in the sandbox. It is currently not possible to invite program members to new programs in the sandbox. \n\nEligibility and Responsible Disclosure\n===============\nWe encourage and respect the hacker community and ask that you act in good faith when working with us. Please abide by the following when participating in our program:\n\n - **Follow the Vulnerability Disclosure Guidelines.** As our platform lays out, please read and follow the [Vulnerability Disclosure Guidelines](https://www.hackerone.com/disclosure-guidelines).\n - **Respect all our users' privacy.** HackerOne is a community that holds a lot of information, and we count on you to help keep everyone safe. 
Limit testing to accounts you own and do not impact other users on HackerOne. If you do encounter any user data or program data, including but not limited to usernames, passwords, or vulnerability information, please report it to us immediately and stop testing right away.\n - **Bend, but not break.** When testing use the minimal possible POC to validate a vulnerability; in cases when it may impact systems or users, ask permission first. No matter the case, do not damage or leave a system in a more vulnerable state than when you uncovered it.\n\nPublic disclosure\n===============\nWe believe in transparency about our security, so any valid vulnerabilities discovered are always [publicly disclosed](/security/hacktivity) once confirmed and resolved.\n\nProviding Evidence\n===============\n\nIf you are unsure if you will access others' information, please file a report and ask if you should proceed. In a situation where you have an account takeover of a HackerOne employee, please notify our team by [using this form](/report-a-security-incident). This page is only available from the compromised HackerOne employee account.\n\nBest Practices or Hardening\n===============\n\nOn occasion you may discover something that is not a vulnerability but we will make appropriate code changes for hardening or to implement some best practices. In these situations, when HackerOne decides to put a change in place we will resolve the report giving the reporter credit, but will not award a bounty. In the case where we do not make a change, our practice will be to close it as Informative.\n\nScope Exclusions\n===============\nThe following categories of reports are considered out of scope for our program and will not be rewarded:\n\n - Reports which target a lack of host header validation or that exploit [multiple forward slashes](https://hackerone.com/reports/52035) at the root of the path segment of a URL. 
Both of these issues are known to both us and Cloudflare, and their resolution is outside our control.\n - Spamming other users with automated HackerOne emails or notifications (e.g. abusing the forgot password form).\n - Reports which [enumerate already claimed user and program handles](https://hackerone.com/reports/29185). This reveals no sensitive information, regardless of whether the associated profiles are public or private.\n - Reports which involve constructing a markdown link in such a way that it may appear confusing in the external link warning interstitial page, despite being properly decoded and fully enclosed in the demarcated \"External link\" box.\n - Reports relating to the execution of CSV content by a third-party client application due to special treatment of certain characters in the exported CSV.\n - Reports relating to invitation expiration dates.\n - Reports relating to self-DoS issues (as in, only the person doing the action is denied service).\n - Reports relating to missing rate limiting of [our API](https://api.hackerone.com/). We intentionally made this design decision to learn how people use our API. We plan to implement a rate limit in the future.\n - The ability to game the badges functionality by closing submissions reported by yourself or a team member in a verified program.\n - The ability to influence reputation/signal/impact via socially engineering a program's team members.\n - Reports which disclose the existence of private programs that are using SAML.\n - Open redirect vulnerabilities that do not demonstrate a clear impact, such as sending secret tokens to an arbitrary domain.\n - The ability to see a user's rank when they're not ranked in the top 100. The rank is expected to be accessible by everyone.\n\nConsequences of Complying with This Policy\n===============\nWe will not pursue civil action or initiate a complaint to law enforcement for accidental, good faith violations of this policy. 
We consider activities conducted consistent with this policy to constitute “authorized” conduct under the Computer Fraud and Abuse Act (CFAA). We will not bring a DMCA claim against you for circumventing the technological measures we have used to protect the applications in scope.\n\nIf legal action is initiated by a third party against you in connection with your participation in our program, and you have complied with HackerOne’s bug bounty policy, HackerOne will take steps to make it known that your actions were conducted in compliance with this policy.\n\nPlease submit a HackerOne report to us before engaging in conduct that may be inconsistent with or unaddressed by this policy.\n\n{F285265}\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-04-03T17:48:41.586Z"},{"id":3634074,"new_policy":"We've built HackerOne from the ground up with [security as our top priority](https://www.hackerone.com/trust). Even so, we believe that all technology contains bugs and that the public plays a crucial role in identifying these bugs. If you believe you've found a security bug in our service, we'll gladly work with you to resolve that issue and ensure you are fairly compensated for your discovery.\n\nWe're constantly seeking to improve. 
If you have any questions on our security or suggestions on how HackerOne could be improved, please [let us know](https://support.hackerone.com/hc/en-us/requests/new).\n\n**💬Important for reporting functional bugs**: if you are looking to report a non-security-related bug in HackerOne, please [submit here](https://support.hackerone.com/hc/en-us/requests/new) instead.\n\n🔥 Helpful reconnaissance data\n===============\nHackerOne is providing everybody with useful information that may help you find more security vulnerabilities in our systems. You can find all the information in [this repository](https://github.com/Hacker0x01/helpful-recon-data). It contains all endpoints on HackerOne.com, our GraphQL schema, and an un-minified version of our JavaScript for easier debugging. We're planning to update the information regularly to give you insight into new features we're building and give you faster access to new attack surface.\n\nHackerOne program sandbox\n===============\nHackerOne offers a sandbox for hackers to help them test program functionality for security vulnerabilities. To create a program, go [here](https://hackerone.com/teams/new/sandbox). You can select any product edition, giving you access to almost all features HackerOne offers. Hackers can create up to 3 programs in the sandbox. It is currently not possible to invite program members to new programs in the sandbox. \n\nEligibility and Responsible Disclosure\n===============\nWe encourage and respect the hacker community and ask that you act in good faith when working with us. Please abide by the following when participating in our program:\n\n - **Follow the Vulnerability Disclosure Guidelines.** As our platform lays out, please read and follow the [Vulnerability Disclosure Guidelines](https://www.hackerone.com/disclosure-guidelines).\n - **Respect all our users' privacy.** HackerOne is a community that holds a lot of information, and we count on you to help keep everyone safe. 
Limit testing to accounts you own and do not impact other users on HackerOne. If you do encounter any user data or program data, including but not limited to usernames, passwords, or vulnerability information, please report it to us immediately and stop testing right away.\n - **Bend, but not break.** When testing use the minimal possible POC to validate a vulnerability; in cases when it may impact systems or users, ask permission first. No matter the case, do not damage or leave a system in a more vulnerable state than when you uncovered it.\n\nPublic disclosure\n===============\nWe believe in transparency about our security, so any valid vulnerabilities discovered are always [publicly disclosed](/security/hacktivity) once confirmed and resolved.\n\nProviding Evidence\n===============\n\nIf you are unsure if you will access others' information, please file a report and ask if you should proceed. In a situation where you have an account takeover of a HackerOne employee, please notify our team by [using this form](/report-a-security-incident). This page is only available from the compromised HackerOne employee account.\n\nBest Practices or Hardening\n===============\n\nOn occasion you may discover something that is not a vulnerability but we will make appropriate code changes for hardening or to implement some best practices. In these situations, when HackerOne decides to put a change in place we will resolve the report giving the reporter credit, but will not award a bounty. In the case where we do not make a change, our practice will be to close it as Informative.\n\nScope Exclusions\n===============\nThe following categories of reports are considered out of scope for our program and will not be rewarded:\n\n - Reports which target a lack of host header validation or that exploit [multiple forward slashes](https://hackerone.com/reports/52035) at the root of the path segment of a URL. 
Both of these issues are known to both us and Cloudflare, and their resolution is outside our control.\n - Spamming other users with automated HackerOne emails or notifications (e.g. abusing the forgot password form).\n - Reports which [enumerate already claimed user and program handles](https://hackerone.com/reports/29185). This reveals no sensitive information, regardless of whether the associated profiles are public or private.\n - Reports which involve constructing a markdown link in such a way that it may appear confusing in the external link warning interstitial page, despite being properly decoded and fully enclosed in the demarcated \"External link\" box.\n - Reports relating to the execution of CSV content by a third-party client application due to special treatment of certain characters in the exported CSV.\n - Reports relating to invitation expiration dates.\n - Reports relating to self-DoS issues (as in, only the person doing the action is denied service).\n - Reports relating to missing rate limiting of [our API](https://api.hackerone.com/). We intentionally made this design decision to learn how people use our API. We plan to implement a rate limit in the future.\n - The ability to game the badges functionality by closing submissions reported by yourself or a team member in a verified program.\n - The ability to influence reputation/signal/impact via socially engineering a program's team members.\n - Reports which disclose the existence of private programs that are using SAML.\n - Open redirect vulnerabilities that do not demonstrate a clear impact, such as sending secret tokens to an arbitrary domain.\n - The ability to see a user's rank when they're not ranked in the top 100. The rank is expected to be accessible by everyone.\n\nConsequences of Complying with This Policy\n===============\nWe will not pursue civil action or initiate a complaint to law enforcement for accidental, good faith violations of this policy. 
We consider activities conducted consistent with this policy to constitute “authorized” conduct under the Computer Fraud and Abuse Act (CFAA). We will not bring a DMCA claim against you for circumventing the technological measures we have used to protect the applications in scope.\n\nIf legal action is initiated by a third party against you in connection with your participation in our program, and you have complied with HackerOne’s bug bounty policy, HackerOne will take steps to make it known that your actions were conducted in compliance with this policy.\n\nPlease submit a HackerOne report to us before engaging in conduct that may be inconsistent with or unaddressed by this policy.\n\n{F285265}\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-03-26T17:14:04.139Z"},{"id":3633958,"new_policy":"We've built HackerOne from the ground up with [security as our top priority](https://www.hackerone.com/trust). Even so, we believe that all technology contains bugs and that the public plays a crucial role in identifying these bugs. If you believe you've found a security bug in our service, we'll gladly work with you to resolve that issue and ensure you are fairly compensated for your discovery.\n\nWe're constantly seeking to improve. 
If you have any questions on our security or suggestions on how HackerOne could be improved, please [let us know](https://support.hackerone.com/hc/en-us/requests/new).\n\n**💬Important for reporting functional bugs**: if you are looking to report a non-security-related bug in HackerOne, please [submit here](https://support.hackerone.com/hc/en-us/requests/new) instead.\n\n🔥 Helpful reconnaissance data\n===============\nHackerOne is providing everybody with useful information that may help you find more security vulnerabilities in our systems. You can find all the information in [this repository](https://github.com/Hacker0x01/helpful-recon-data). It contains all endpoints on HackerOne.com, our GraphQL schema, and an un-minified version of our JavaScript for easier debugging. We're planning to update the information regularly to give you insight into new features we're building and give you faster access to new attack surface.\n\nEligibility and Responsible Disclosure\n===============\nWe encourage and respect the hacker community and ask that you act in good faith when working with us. Please abide by the following when participating in our program:\n\n - **Follow the Vulnerability Disclosure Guidelines.** As our platform lays out, please read and follow the [Vulnerability Disclosure Guidelines](https://www.hackerone.com/disclosure-guidelines).\n - **Respect all our users' privacy.** HackerOne is a community that holds a lot of information, and we count on you to help keep everyone safe. Limit testing to accounts you own and do not impact other users on HackerOne. If you do encounter any user data or program data, including but not limited to usernames, passwords, or vulnerability information, please report it to us immediately and stop testing right away.\n - **Bend, but not break.** When testing use the minimal possible POC to validate a vulnerability; in cases when it may impact systems or users, ask permission first. 
No matter the case, do not damage or leave a system in a more vulnerable state than when you uncovered it.\n\nPublic disclosure\n===============\nWe believe in transparency about our security, so any valid vulnerabilities discovered are always [publicly disclosed](/security/hacktivity) once confirmed and resolved.\n\nProviding Evidence\n===============\n\nIf you are unsure if you will access others' information, please file a report and ask if you should proceed. In a situation where you have an account takeover of a HackerOne employee, please notify our team by [using this form](/report-a-security-incident). This page is only available from the compromised HackerOne employee account.\n\nBest Practices or Hardening\n===============\n\nOn occasion you may discover something that is not a vulnerability but we will make appropriate code changes for hardening or to implement some best practices. In these situations, when HackerOne decides to put a change in place we will resolve the report giving the reporter credit, but will not award a bounty. In the case where we do not make a change, our practice will be to close it as Informative.\n\nScope Exclusions\n===============\nThe following categories of reports are considered out of scope for our program and will not be rewarded:\n\n - Reports which target a lack of host header validation or that exploit [multiple forward slashes](https://hackerone.com/reports/52035) at the root of the path segment of a URL. Both of these issues are known to both us and Cloudflare, and their resolution is outside our control.\n - Spamming other users with automated HackerOne emails or notifications (e.g. abusing the forgot password form).\n - Reports which [enumerate already claimed user and program handles](https://hackerone.com/reports/29185). 
This reveals no sensitive information, regardless of whether the associated profiles are public or private.\n - Reports which involve constructing a markdown link in such a way that it may appear confusing in the external link warning interstitial page, despite being properly decoded and fully enclosed in the demarcated \"External link\" box.\n - Reports relating to the execution of CSV content by a third-party client application due to special treatment of certain characters in the exported CSV.\n - Reports relating to invitation expiration dates.\n - Reports relating to self-DoS issues (as in, only the person doing the action is denied service).\n - Reports relating to missing rate limiting of [our API](https://api.hackerone.com/). We intentionally made this design decision to learn how people use our API. We plan to implement a rate limit in the future.\n - The ability to game the badges functionality by closing submissions reported by yourself or a team member in a verified program.\n - The ability to influence reputation/signal/impact via socially engineering a program's team members.\n - Reports which disclose the existence of private programs that are using SAML.\n - Open redirect vulnerabilities that do not demonstrate a clear impact, such as sending secret tokens to an arbitrary domain.\n - The ability to see a user's rank when they're not ranked in the top 100. The rank is expected to be accessible by everyone.\n\nConsequences of Complying with This Policy\n===============\nWe will not pursue civil action or initiate a complaint to law enforcement for accidental, good faith violations of this policy. We consider activities conducted consistent with this policy to constitute “authorized” conduct under the Computer Fraud and Abuse Act (CFAA). 
We will not bring a DMCA claim against you for circumventing the technological measures we have used to protect the applications in scope.\n\nIf legal action is initiated by a third party against you in connection with your participation in our program, and you have complied with HackerOne’s bug bounty policy, HackerOne will take steps to make it known that your actions were conducted in compliance with this policy.\n\nPlease submit a HackerOne report to us before engaging in conduct that may be inconsistent with or unaddressed by this policy.\n\n{F285265}\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-03-25T22:44:10.307Z"},{"id":3633861,"new_policy":"We've built HackerOne from the ground up with [security as our top priority](https://www.hackerone.com/trust). Even so, we believe that all technology contains bugs and that the public plays a crucial role in identifying these bugs. If you believe you've found a security bug in our service, we'll gladly work with you to resolve that issue and ensure you are fairly compensated for your discovery.\n\nWe're constantly seeking to improve. If you have any questions on our security or suggestions on how HackerOne could be improved, please [let us know](https://support.hackerone.com/hc/en-us/requests/new).\n\n**💬Important for reporting functional bugs**: if you are looking to report a non-security-related bug in HackerOne, please [submit here](https://support.hackerone.com/hc/en-us/requests/new) instead.\n\n🔥 Helpful reconnaissance data\n===============\nHackerOne is providing everybody with useful information that may help you find more security vulnerabilities in our systems. You can find all the information in [this repository](https://github.com/Hacker0x01/helpful-recon-data). 
It contains all endpoints on HackerOne.com, our GraphQL schema, and an un-minified version of our JavaScript for easier debugging. We're planning to update the information regularly to give you insight into new features we're building and give you faster access to new attack surface.\n\nEligibility and Responsible Disclosure\n===============\nWe encourage and respect the hacker community and ask that you act in good faith when working with us. Please abide by the following when participating in our program:\n\n - **Follow the Vulnerability Disclosure Guidelines.** As our platform lays out, please read and follow the [Vulnerability Disclosure Guidelines](https://www.hackerone.com/disclosure-guidelines).\n - **Respect all our users' privacy.** HackerOne is a community that holds a lot of information, and we count on you to help keep everyone safe. Limit testing to accounts you own and do not impact other users on HackerOne. If you do encounter any user data or program data, including but not limited to usernames, passwords, or vulnerability information, please report it to us immediately and stop testing right away.\n - **Bend, but not break.** When testing use the minimal possible POC to validate a vulnerability; in cases when it may impact systems or users, ask permission first. No matter the case, do not damage or leave a system in a more vulnerable state than when you uncovered it.\n\nPublic disclosure\n===============\nWe believe in transparency about our security, so any valid vulnerabilities discovered are always [publicly disclosed](/security/hacktivity) once confirmed and resolved.\n\nProviding Evidence\n===============\n\nIf you are unsure if you will access others' information, please file a report and ask if you should proceed. In a situation where you have an account takeover of a HackerOne employee, please notify our team by [using this form](/report-a-security-incident). 
This page is only available from the compromised HackerOne employee account.\n\nBest Practices or Hardening\n===============\n\nOn occasion you may discover something that is not a vulnerability but we will make appropriate code changes for hardening or to implement some best practices. In these situations, when HackerOne decides to put a change in place we will resolve the report giving the reporter credit, but will not award a bounty. In the case where we do not make a change, our practice will be to close it as Informative.\n\nScope Exclusions\n===============\nThe following categories of reports are considered out of scope for our program and will not be rewarded:\n\n - Reports which target a lack of host header validation or that exploit [multiple forward slashes](https://hackerone.com/reports/52035) at the root of the path segment of a URL. Both of these issues are known to both us and Cloudflare, and their resolution is outside our control.\n - Spamming other users with automated HackerOne emails or notifications (e.g. abusing the forgot password form).\n - Reports which [enumerate already claimed user and program handles](https://hackerone.com/reports/29185). This reveals no sensitive information, regardless of whether the associated profiles are public or private.\n - Reports which involve constructing a markdown link in such a way that it may appear confusing in the external link warning interstitial page, despite being properly decoded and fully enclosed in the demarcated \"External link\" box.\n - Reports relating to the execution of CSV content by a third-party client application due to special treatment of certain characters in the exported CSV.\n - Reports relating to invitation expiration dates.\n - Reports relating to self-DoS issues (as in, only the person doing the action is denied service).\n - Reports relating to missing rate limiting of [our API](https://api.hackerone.com/). 
We intentionally made this design decision to learn how people use our API. We plan to implement a rate limit in the future.\n - The ability to game the badges functionality by closing submissions reported by yourself or a team member in a verified program.\n - The ability to influence reputation/signal/impact via socially engineering a program's team members.\n - Reports which disclose the existence of private programs that are using SAML.\n - Open redirect vulnerabilities that do not demonstrate a clear impact, such as sending secret tokens to an arbitrary domain.\n\nConsequences of Complying with This Policy\n===============\nWe will not pursue civil action or initiate a complaint to law enforcement for accidental, good faith violations of this policy. We consider activities conducted consistent with this policy to constitute “authorized” conduct under the Computer Fraud and Abuse Act (CFAA). We will not bring a DMCA claim against you for circumventing the technological measures we have used to protect the applications in scope.\n\nIf legal action is initiated by a third party against you in connection with your participation in our program, and you have complied with HackerOne’s bug bounty policy, HackerOne will take steps to make it known that your actions were conducted in compliance with this policy.\n\nPlease submit a HackerOne report to us before engaging in conduct that may be inconsistent with or unaddressed by this policy.\n\n{F285265}\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-03-25T00:58:55.792Z"},{"id":3632473,"new_policy":"We've built HackerOne from the ground up with [security as our top priority](https://www.hackerone.com/trust). 
Even so, we believe that all technology contains bugs and that the public plays a crucial role in identifying these bugs. If you believe you've found a security bug in our service, we'll gladly work with you to resolve that issue and ensure you are fairly compensated for your discovery.\n\nWe're constantly seeking to improve. If you have any questions on our security or suggestions on how HackerOne could be improved, please [let us know](https://support.hackerone.com/hc/en-us/requests/new).\n\n**💬Important for reporting functional bugs**: if you are looking to report a non-security-related bug in HackerOne, please [submit here](https://support.hackerone.com/hc/en-us/requests/new) instead.\n\n🔥 Helpful reconnaissance data\n===============\nHackerOne is providing everybody with useful information that may help you find more security vulnerabilities in our systems. You can find all the information in [this repository](https://github.com/Hacker0x01/helpful-recon-data). It contains all endpoints on HackerOne.com, our GraphQL schema, and an un-minified version of our JavaScript for easier debugging. We're planning to update the information regularly to give you insight into new features we're building and give you faster access to new attack surface.\n\nEligibility and Responsible Disclosure\n===============\nWe encourage and respect the hacker community and ask that you act in good faith when working with us. Please abide by the following when participating in our program:\n\n - **Follow the Vulnerability Disclosure Guidelines.** As our platform lays out, please read and follow the [Vulnerability Disclosure Guidelines](https://www.hackerone.com/disclosure-guidelines).\n - **Respect all our users' privacy.** HackerOne is a community that holds a lot of information, and we count on you to help keep everyone safe. Limit testing to accounts you own and do not impact other users on HackerOne. 
If you do encounter any user data or program data, including but not limited to usernames, passwords, or vulnerability information, please report it to us immediately and stop testing right away.\n - **Bend, but not break.** When testing use the minimal possible POC to validate a vulnerability; in cases when it may impact systems or users, ask permission first. No matter the case, do not damage or leave a system in a more vulnerable state than when you uncovered it.\n\nPublic disclosure\n===============\nWe believe in transparency about our security, so any valid vulnerabilities discovered are always [publicly disclosed](/security/hacktivity) once confirmed and resolved.\n\nProviding Evidence\n===============\n\nIf you are unsure if you will access others' information, please file a report and ask if you should proceed. In a situation where you have an account takeover of a HackerOne employee, please notify our team by [using this form](/report-a-security-incident). This page is only available from the compromised HackerOne employee account.\n\nScope Exclusions\n===============\nThe following categories of reports are considered out of scope for our program and will not be rewarded:\n\n - Reports which target a lack of host header validation or that exploit [multiple forward slashes](https://hackerone.com/reports/52035) at the root of the path segment of a URL. Both of these issues are known to both us and Cloudflare, and their resolution is outside our control.\n - Spamming other users with automated HackerOne emails or notifications (e.g. abusing the forgot password form).\n - Reports which [enumerate already claimed user and program handles](https://hackerone.com/reports/29185). 
This reveals no sensitive information, regardless of whether the associated profiles are public or private.\n - Reports which involve constructing a markdown link in such a way that it may appear confusing in the external link warning interstitial page, despite being properly decoded and fully enclosed in the demarcated \"External link\" box.\n - Reports relating to the execution of CSV content by a third-party client application due to special treatment of certain characters in the exported CSV.\n - Reports relating to invitation expiration dates.\n - Reports relating to self-DoS issues (as in, only the person doing the action is denied service).\n - Reports relating to missing rate limiting of [our API](https://api.hackerone.com/). We intentionally made this design decision to learn how people use our API. We plan to implement a rate limit in the future.\n - The ability to game the badges functionality by closing submissions reported by yourself or a team member in a verified program.\n - The ability to influence reputation/signal/impact via socially engineering a program's team members.\n - Reports which disclose the existence of private programs that are using SAML.\n - Open redirect vulnerabilities that do not demonstrate a clear impact, such as sending secret tokens to an arbitrary domain.\n\nConsequences of Complying with This Policy\n===============\nWe will not pursue civil action or initiate a complaint to law enforcement for accidental, good faith violations of this policy. We consider activities conducted consistent with this policy to constitute “authorized” conduct under the Computer Fraud and Abuse Act (CFAA). 
We will not bring a DMCA claim against you for circumventing the technological measures we have used to protect the applications in scope.\n\nIf legal action is initiated by a third party against you in connection with your participation in our program, and you have complied with HackerOne’s bug bounty policy, HackerOne will take steps to make it known that your actions were conducted in compliance with this policy.\n\nPlease submit a HackerOne report to us before engaging in conduct that may be inconsistent with or unaddressed by this policy.\n\n{F285265}\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-03-08T20:12:39.649Z"},{"id":3627521,"new_policy":"We've built HackerOne from the ground up with [security as our top priority](https://www.hackerone.com/trust). Even so, we believe that all technology contains bugs and that the public plays a crucial role in identifying these bugs. If you believe you've found a security bug in our service, we'll gladly work with you to resolve that issue and ensure you are fairly compensated for your discovery.\n\nWe're constantly seeking to improve. If you have any questions on our security or suggestions on how HackerOne could be improved, please [let us know](https://support.hackerone.com/hc/en-us/requests/new).\n\n**💬Important for reporting functional bugs**: if you are looking to report a non-security-related bug in HackerOne, please [submit here](https://support.hackerone.com/hc/en-us/requests/new) instead.\n\n🔥 Helpful reconnaissance data\n===============\nHackerOne is providing everybody with useful information that may help you find more security vulnerabilities in our systems. You can find all the information in [this repository](https://github.com/Hacker0x01/helpful-recon-data). 
It contains all endpoints on HackerOne.com, our GraphQL schema, and an un-minified version of our JavaScript for easier debugging. We're planning to update the information regularly to give you insight into new features we're building and give you faster access to new attack surface.\n\nEligibility and Responsible Disclosure\n===============\nWe encourage and respect the hacker community and ask that you act in good faith when working with us. Please abide by the following when participating in our program:\n\n - **Follow the Vulnerability Disclosure Guidelines.** As our platform lays out, please read and follow the [Vulnerability Disclosure Guidelines](https://www.hackerone.com/disclosure-guidelines).\n - **Respect all our users' privacy.** HackerOne is a community that holds a lot of information, and we count on you to help keep everyone safe. Limit testing to accounts you own and do not impact other users on HackerOne. If you do encounter any user data or program data, including but not limited to usernames, passwords, or vulnerability information, please report it to us immediately and stop testing right away.\n - **Bend, but not break.** When testing use the minimal possible POC to validate a vulnerability; in cases when it may impact systems or users, ask permission first. No matter the case, do not damage or leave a system in a more vulnerable state than when you uncovered it.\n\nPublic disclosure\n===============\nWe believe in transparency about our security, so any valid vulnerabilities discovered are always [publicly disclosed](/security/hacktivity) once confirmed and resolved.\n\nProviding Evidence\n===============\n\nIf you are unsure if you will access others' information, please file a report and ask if you should proceed. 
In a situation where you have an account takeover of a HackerOne employee, please notify our team by [using this form](/report-a-security-incident).\n\nScope Exclusions\n===============\nThe following categories of reports are considered out of scope for our program and will not be rewarded:\n\n - Reports which target a lack of host header validation or that exploit [multiple forward slashes](https://hackerone.com/reports/52035) at the root of the path segment of a URL. Both of these issues are known to both us and Cloudflare, and their resolution is outside our control.\n - Spamming other users with automated HackerOne emails or notifications (e.g. abusing the forgot password form).\n - Reports which [enumerate already claimed user and program handles](https://hackerone.com/reports/29185). This reveals no sensitive information, regardless of whether the associated profiles are public or private.\n - Reports which involve constructing a markdown link in such a way that it may appear confusing in the external link warning interstitial page, despite being properly decoded and fully enclosed in the demarcated \"External link\" box.\n - Reports relating to the execution of CSV content by a third-party client application due to special treatment of certain characters in the exported CSV.\n - Reports relating to invitation expiration dates.\n - Reports relating to self-DoS issues (as in, only the person doing the action is denied service).\n - Reports relating to missing rate limiting of [our API](https://api.hackerone.com/). We intentionally made this design decision to learn how people use our API. 
We plan to implement a rate limit in the future.\n - The ability to game the badges functionality by closing submissions reported by yourself or a team member in a verified program.\n - The ability to influence reputation/signal/impact via socially engineering a program's team members.\n - Reports which disclose the existence of private programs that are using SAML.\n - Open redirect vulnerabilities that do not demonstrate a clear impact, such as sending secret tokens to an arbitrary domain.\n\nConsequences of Complying with This Policy\n===============\nWe will not pursue civil action or initiate a complaint to law enforcement for accidental, good faith violations of this policy. We consider activities conducted consistent with this policy to constitute “authorized” conduct under the Computer Fraud and Abuse Act (CFAA). We will not bring a DMCA claim against you for circumventing the technological measures we have used to protect the applications in scope.\n\nIf legal action is initiated by a third party against you in connection with your participation in our program, and you have complied with HackerOne’s bug bounty policy, HackerOne will take steps to make it known that your actions were conducted in compliance with this policy.\n\nPlease submit a HackerOne report to us before engaging in conduct that may be inconsistent with or unaddressed by this policy.\n\n{F285265}\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-01-06T22:31:59.459Z"},{"id":3627520,"new_policy":"We've built HackerOne from the ground up with [security as our top priority](https://www.hackerone.com/trust). Even so, we believe that all technology contains bugs and that the public plays a crucial role in identifying these bugs. 
If you believe you've found a security bug in our service, we'll gladly work with you to resolve that issue and ensure you are fairly compensated for your discovery.\n\nWe're constantly seeking to improve. If you have any questions on our security or suggestions on how HackerOne could be improved, please [let us know](https://support.hackerone.com/hc/en-us/requests/new).\n\n**💬Important for reporting functional bugs**: if you are looking to report a non-security-related bug in HackerOne, please [submit here](https://support.hackerone.com/hc/en-us/requests/new) instead.\n\n🔥 Helpful reconnaissance data\n===============\nHackerOne is providing everybody with useful information that may help you find more security vulnerabilities in our systems. You can find all the information in [this repository](https://github.com/Hacker0x01/helpful-recon-data). It contains all endpoints on HackerOne.com, our GraphQL schema, and an un-minified version of our JavaScript for easier debugging. We're planning to update the information regularly to give you insight into new features we're building and give you faster access to new attack surface.\n\nEligibility and Responsible Disclosure\n===============\nWe encourage and respect the hacker community and ask that you act in good faith when working with us. Please abide by the following when participating in our program:\n\n - **Follow the Vulnerability Disclosure Guidelines.** As our platform lays out, please read and follow the [Vulnerability Disclosure Guidelines](https://www.hackerone.com/disclosure-guidelines).\n - **Respect all our users' privacy.** HackerOne is a community that holds a lot of information, and we count on you to help keep everyone safe. Limit testing to accounts you own and do not impact other users on HackerOne. 
If you do encounter any user data or program data, including but not limited to usernames, passwords, or vulnerability information, please report it to us immediately and stop testing right away.\n - **Bend, but not break.** When testing use the minimal possible POC to validate a vulnerability; in cases when it may impact systems or users, ask permission first. No matter the case, do not damage or leave a system in a more vulnerable state than when you uncovered it.\n\nPublic disclosure\n===============\nWe believe in transparency about our security, so any valid vulnerabilities discovered are always [publicly disclosed](/security/hacktivity) once confirmed and resolved.\n\nScope Exclusions\n===============\nThe following categories of reports are considered out of scope for our program and will not be rewarded:\n\n - Reports which target a lack of host header validation or that exploit [multiple forward slashes](https://hackerone.com/reports/52035) at the root of the path segment of a URL. Both of these issues are known to both us and Cloudflare, and their resolution is outside our control.\n - Spamming other users with automated HackerOne emails or notifications (e.g. abusing the forgot password form).\n - Reports which [enumerate already claimed user and program handles](https://hackerone.com/reports/29185). 
This reveals no sensitive information, regardless of whether the associated profiles are public or private.\n - Reports which involve constructing a markdown link in such a way that it may appear confusing in the external link warning interstitial page, despite being properly decoded and fully enclosed in the demarcated \"External link\" box.\n - Reports relating to the execution of CSV content by a third-party client application due to special treatment of certain characters in the exported CSV.\n - Reports relating to invitation expiration dates.\n - Reports relating to self-DoS issues (as in, only the person doing the action is denied service).\n - Reports relating to missing rate limiting of [our API](https://api.hackerone.com/). We intentionally made this design decision to learn how people use our API. We plan to implement a rate limit in the future.\n - The ability to game the badges functionality by closing submissions reported by yourself or a team member in a verified program.\n - The ability to influence reputation/signal/impact via socially engineering a program's team members.\n - Reports which disclose the existence of private programs that are using SAML.\n - Open redirect vulnerabilities that do not demonstrate a clear impact, such as sending secret tokens to an arbitrary domain.\n\nConsequences of Complying with This Policy\n===============\nWe will not pursue civil action or initiate a complaint to law enforcement for accidental, good faith violations of this policy. We consider activities conducted consistent with this policy to constitute “authorized” conduct under the Computer Fraud and Abuse Act (CFAA). 
We will not bring a DMCA claim against you for circumventing the technological measures we have used to protect the applications in scope.\n\nIf legal action is initiated by a third party against you in connection with your participation in our program, and you have complied with HackerOne’s bug bounty policy, HackerOne will take steps to make it known that your actions were conducted in compliance with this policy.\n\nPlease submit a HackerOne report to us before engaging in conduct that may be inconsistent with or unaddressed by this policy.\n\n{F285265}\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2020-01-06T22:29:45.249Z"},{"id":3626493,"new_policy":"**🎄Important holiday notice**: we have a reduced number of available staff for our bug bounty program from December 20th through January 6th. Responses may take longer than usual. Thanks for everybody's continued contributions and we welcome you to continue to submit security vulnerabilities to us over the holidays. Happy holidays and happy hacking!\n\n----\n\nWe've built HackerOne from the ground up with [security as our top priority](https://www.hackerone.com/trust). Even so, we believe that all technology contains bugs and that the public plays a crucial role in identifying these bugs. If you believe you've found a security bug in our service, we'll gladly work with you to resolve that issue and ensure you are fairly compensated for your discovery.\n\nWe're constantly seeking to improve. 
If you have any questions on our security or suggestions on how HackerOne could be improved, please [let us know](https://support.hackerone.com/hc/en-us/requests/new).\n\n**💬Important for reporting functional bugs**: if you are looking to report a non-security-related bug in HackerOne, please [submit here](https://support.hackerone.com/hc/en-us/requests/new) instead.\n\n🔥 Helpful reconnaissance data\n===============\nHackerOne is providing everybody with useful information that may help you find more security vulnerabilities in our systems. You can find all the information in [this repository](https://github.com/Hacker0x01/helpful-recon-data). It contains all endpoints on HackerOne.com, our GraphQL schema, and an un-minified version of our JavaScript for easier debugging. We're planning to update the information regularly to give you insight into new features we're building and give you faster access to new attack surface.\n\nEligibility and Responsible Disclosure\n===============\nWe encourage and respect the hacker community and ask that you act in good faith when working with us. Please abide by the following when participating in our program:\n\n - **Follow the Vulnerability Disclosure Guidelines.** As our platform lays out, please read and follow the [Vulnerability Disclosure Guidelines](https://www.hackerone.com/disclosure-guidelines).\n - **Respect all our users' privacy.** HackerOne is a community that holds a lot of information, and we count on you to help keep everyone safe. Limit testing to accounts you own and do not impact other users on HackerOne. If you do encounter any user data or program data, including but not limited to usernames, passwords, or vulnerability information, please report it to us immediately and stop testing right away.\n - **Bend, but not break.** When testing use the minimal possible POC to validate a vulnerability; in cases when it may impact systems or users, ask permission first. 
No matter the case, do not damage or leave a system in a more vulnerable state than when you uncovered it.\n\nPublic disclosure\n===============\nWe believe in transparency about our security, so any valid vulnerabilities discovered are always [publicly disclosed](/security/hacktivity) once confirmed and resolved.\n\nScope Exclusions\n===============\nThe following categories of reports are considered out of scope for our program and will not be rewarded:\n\n - Reports which target a lack of host header validation or that exploit [multiple forward slashes](https://hackerone.com/reports/52035) at the root of the path segment of a URL. Both of these issues are known to both us and Cloudflare, and their resolution is outside our control.\n - Spamming other users with automated HackerOne emails or notifications (e.g. abusing the forgot password form).\n - Reports which [enumerate already claimed user and program handles](https://hackerone.com/reports/29185). This reveals no sensitive information, regardless of whether the associated profiles are public or private.\n - Reports which involve constructing a markdown link in such a way that it may appear confusing in the external link warning interstitial page, despite being properly decoded and fully enclosed in the demarcated \"External link\" box.\n - Reports relating to the execution of CSV content by a third-party client application due to special treatment of certain characters in the exported CSV.\n - Reports relating to invitation expiration dates.\n - Reports relating to self-DoS issues (as in, only the person doing the action is denied service).\n - Reports relating to missing rate limiting of [our API](https://api.hackerone.com/). We intentionally made this design decision to learn how people use our API. 
We plan to implement a rate limit in the future.\n - The ability to game the badges functionality by closing submissions reported by yourself or a team member in a verified program.\n - The ability to influence reputation/signal/impact via socially engineering a program's team members.\n - Reports which disclose the existence of private programs that are using SAML.\n - Open redirect vulnerabilities that do not demonstrate a clear impact, such as sending secret tokens to an arbitrary domain.\n\nConsequences of Complying with This Policy\n===============\nWe will not pursue civil action or initiate a complaint to law enforcement for accidental, good faith violations of this policy. We consider activities conducted consistent with this policy to constitute “authorized” conduct under the Computer Fraud and Abuse Act (CFAA). We will not bring a DMCA claim against you for circumventing the technological measures we have used to protect the applications in scope.\n\nIf legal action is initiated by a third party against you in connection with your participation in our program, and you have complied with HackerOne’s bug bounty policy, HackerOne will take steps to make it known that your actions were conducted in compliance with this policy.\n\nPlease submit a HackerOne report to us before engaging in conduct that may be inconsistent with or unaddressed by this policy.\n\n{F285265}\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2019-12-19T08:04:14.454Z"},{"id":3626492,"new_policy":"**🎄Important holiday notice**: we have a reduced number of available staff for our bug bounty program from December 20th through January 6th. Responses may take longer than usual. 
Thanks for everybody's continued contributions and we welcome you to continue to submit security vulnerabilities to us over the holidays. Happy holidays and happy hacking!\n\n----\n\nWe've built HackerOne from the ground up with [security as our top priority](https://www.hackerone.com/trust). Even so, we believe that all technology contains bugs and that the public plays a crucial role in identifying these bugs. If you believe you've found a security bug in our service, we'll gladly work with you to resolve that issue and ensure you are fairly compensated for your discovery.\n\nWe're constantly seeking to improve. If you have any questions on our security or suggestions on how HackerOne could be improved, please [let us know](https://support.hackerone.com/hc/en-us/requests/new).\n\n**💬Important for reporting functional bugs**: if you are looking to report a non-security-related bug in HackerOne, please [submit here](https://support.hackerone.com/hc/en-us/requests/new) instead.\n\n🔥 Helpful reconnaissance data\n===============\nHackerOne is providing everybody with useful information that may help you find more security vulnerabilities in our systems. You can find all the information in [this repository](https://github.com/Hacker0x01/helpful-recon-data). It contains all endpoints on HackerOne.com, our GraphQL schema, and an un-minified version of our JavaScript for easier debugging. We're planning to update the information regularly to give you insight into new features we're building and give you faster access to new attack surface.\n\nEligibility and Responsible Disclosure\n===============\nWe encourage and respect the hacker community and ask that you act in good faith when working with us. 
Please abide by the following when participating in our program:\n\n - **Follow the Vulnerability Disclosure Guidelines.** As our platform lays out, please read and follow the [Vulnerability Disclosure Guidelines](https://www.hackerone.com/disclosure-guidelines).\n - **Respect all our users' privacy.** HackerOne is a community that holds a lot of information, and we count on you to help keep everyone safe. Limit testing to accounts you own and do not impact other users on HackerOne. If you do encounter any user data or program data, including but not limited to usernames, passwords, or vulnerability information, please report it to us immediately and stop testing right away.\n - **Bend, but not break.** When testing use the minimal possible POC to validate a vulnerability; in cases when it may impact systems or users, ask permission first. No matter the case, do not damage or leave a system in a more vulnerable state than when you uncovered it.\n\nPublic disclosure\n===============\nWe believe in transparency about our security, so any valid vulnerabilities discovered are always [publicly disclosed](/security/hacktivity) once confirmed and resolved.\n\nScope Exclusions\n===============\nThe following categories of reports are considered out of scope for our program and will not be rewarded:\n\n - Reports which target a lack of host header validation or that exploit [multiple forward slashes](https://hackerone.com/reports/52035) at the root of the path segment of a URL. Both of these issues are known to both us and Cloudflare, and their resolution is outside our control.\n - Spamming other users with automated HackerOne emails or notifications (e.g. abusing the forgot password form).\n - Reports which [enumerate already claimed user and program handles](https://hackerone.com/reports/29185). 
This reveals no sensitive information, regardless of whether the associated profiles are public or private.\n - Reports which involve constructing a markdown link in such a way that it may appear confusing in the external link warning interstitial page, despite being properly decoded and fully enclosed in the demarcated \"External link\" box.\n - Reports relating to the execution of CSV content by a third-party client application due to special treatment of certain characters in the exported CSV.\n - Reports relating to invitation expiration dates.\n - Reports relating to self-DoS issues (as in, only the person doing the action is denied service).\n - Reports relating to missing rate limiting of [our API](https://api.hackerone.com/). We intentionally made this design decision to learn how people use our API. We plan to implement a rate limit in the future.\n - The ability to game the badges functionality by closing submissions reported by yourself or a team member in a verified program.\n - The ability to influence reputation/signal/impact via socially engineering a program's team members.\n - Reports which disclose the existence of private programs that are using SAML.\n - Open redirect vulnerabilities that do not demonstrate a clear impact, such as sending secret tokens to an arbitrary domain.\n\nConsequences of Complying with This Policy\n===============\nWe will not pursue civil action or initiate a complaint to law enforcement for accidental, good faith violations of this policy. We consider activities conducted consistent with this policy to constitute “authorized” conduct under the Computer Fraud and Abuse Act (CFAA). 
We will not bring a DMCA claim against you for circumventing the technological measures we have used to protect the applications in scope.\n\nIf legal action is initiated by a third party against you in connection with your participation in our program, and you have complied with HackerOne’s bug bounty policy, HackerOne will take steps to make it known that your actions were conducted in compliance with this policy.\n\nPlease submit a HackerOne report to us before engaging in conduct that may be inconsistent with or unaddressed by this policy.\n\n{F285265}\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2019-12-19T08:03:56.132Z"},{"id":3626441,"new_policy":"We've built HackerOne from the ground up with [security as our top priority](https://www.hackerone.com/trust). Even so, we believe that all technology contains bugs and that the public plays a crucial role in identifying these bugs. If you believe you've found a security bug in our service, we'll gladly work with you to resolve that issue and ensure you are fairly compensated for your discovery.\n\nWe're constantly seeking to improve. If you have any questions on our security or suggestions on how HackerOne could be improved, please [let us know](https://support.hackerone.com/hc/en-us/requests/new).\n\n**💬Important for reporting functional bugs**: if you are looking to report a non-security-related bug in HackerOne, please [submit here](https://support.hackerone.com/hc/en-us/requests/new) instead.\n\n🔥 Helpful reconnaissance data\n===============\nHackerOne is providing everybody with useful information that may help you find more security vulnerabilities in our systems. You can find all the information in [this repository](https://github.com/Hacker0x01/helpful-recon-data). 
It contains all endpoints on HackerOne.com, our GraphQL schema, and an un-minified version of our JavaScript for easier debugging. We're planning to update the information regularly to give you insight into new features we're building and give you faster access to new attack surface.\n\nEligibility and Responsible Disclosure\n===============\nWe encourage and respect the hacker community and ask that you act in good faith when working with us. Please abide by the following when participating in our program:\n\n - **Follow the Vulnerability Disclosure Guidelines.** As our platform lays out, please read and follow the [Vulnerability Disclosure Guidelines](https://www.hackerone.com/disclosure-guidelines).\n - **Respect all our users' privacy.** HackerOne is a community that holds a lot of information, and we count on you to help keep everyone safe. Limit testing to accounts you own and do not impact other users on HackerOne. If you do encounter any user data or program data, including but not limited to usernames, passwords, or vulnerability information, please report it to us immediately and stop testing right away.\n - **Bend, but not break.** When testing use the minimal possible POC to validate a vulnerability; in cases when it may impact systems or users, ask permission first. No matter the case, do not damage or leave a system in a more vulnerable state than when you uncovered it.\n\nPublic disclosure\n===============\nWe believe in transparency about our security, so any valid vulnerabilities discovered are always [publicly disclosed](/security/hacktivity) once confirmed and resolved.\n\nScope Exclusions\n===============\nThe following categories of reports are considered out of scope for our program and will not be rewarded:\n\n - Reports which target a lack of host header validation or that exploit [multiple forward slashes](https://hackerone.com/reports/52035) at the root of the path segment of a URL. 
Both of these issues are known to both us and Cloudflare, and their resolution is outside our control.\n - Spamming other users with automated HackerOne emails or notifications (e.g. abusing the forgot password form).\n - Reports which [enumerate already claimed user and program handles](https://hackerone.com/reports/29185). This reveals no sensitive information, regardless of whether the associated profiles are public or private.\n - Reports which involve constructing a markdown link in such a way that it may appear confusing in the external link warning interstitial page, despite being properly decoded and fully enclosed in the demarcated \"External link\" box.\n - Reports relating to the execution of CSV content by a third-party client application due to special treatment of certain characters in the exported CSV.\n - Reports relating to invitation expiration dates.\n - Reports relating to self-DoS issues (as in, only the person doing the action is denied service).\n - Reports relating to missing rate limiting of [our API](https://api.hackerone.com/). We intentionally made this design decision to learn how people use our API. We plan to implement a rate limit in the future.\n - The ability to game the badges functionality by closing submissions reported by yourself or a team member in a verified program.\n - The ability to influence reputation/signal/impact via socially engineering a program's team members.\n - Reports which disclose the existence of private programs that are using SAML.\n - Open redirect vulnerabilities that do not demonstrate a clear impact, such as sending secret tokens to an arbitrary domain.\n\nConsequences of Complying with This Policy\n===============\nWe will not pursue civil action or initiate a complaint to law enforcement for accidental, good faith violations of this policy. We consider activities conducted consistent with this policy to constitute “authorized” conduct under the Computer Fraud and Abuse Act (CFAA). 
We will not bring a DMCA claim against you for circumventing the technological measures we have used to protect the applications in scope.\n\nIf legal action is initiated by a third party against you in connection with your participation in our program, and you have complied with HackerOne’s bug bounty policy, HackerOne will take steps to make it known that your actions were conducted in compliance with this policy.\n\nPlease submit a HackerOne report to us before engaging in conduct that may be inconsistent with or unaddressed by this policy.\n\n{F285265}\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2019-12-18T18:21:01.724Z"},{"id":3624684,"new_policy":"We've built HackerOne from the ground up with [security as our top priority](https://www.hackerone.com/trust). Even so, we believe that all technology contains bugs and that the public plays a crucial role in identifying these bugs. If you believe you've found a security bug in our service, we'll gladly work with you to resolve that issue and ensure you are fairly compensated for your discovery.\n\nWe're constantly seeking to improve. If you have any questions on our security or suggestions on how HackerOne could be improved, please [let us know](https://support.hackerone.com/hc/en-us/requests/new).\n\n**💬Important for reporting functional bugs**: if you are looking to report a non-security-related bug in HackerOne, please [submit here](https://support.hackerone.com/hc/en-us/requests/new) instead.\n\n🔥 Helpful reconnaissance data\n===============\nHackerOne is providing everybody with useful information that may help you find more security vulnerabilities in our systems. You can find all the information in [this repository](https://github.com/Hacker0x01/helpful-recon-data). 
It contains all endpoints on HackerOne.com, our GraphQL schema, and an un-minified version of our JavaScript for easier debugging. We're planning to update the information regularly to give you insight into new features we're building and give you faster access to new attack surface.\n\nEligibility and Responsible Disclosure\n===============\nWe encourage and respect the hacker community and ask that you act in good faith when working with us. Please abide by the following when participating in our program:\n\n - **Follow the Vulnerability Disclosure Guidelines.** As our platform lays out, please read and follow the [Vulnerability Disclosure Guidelines](https://www.hackerone.com/disclosure-guidelines).\n - **Respect all our users' privacy.** HackerOne holds a lot of information, and we count on you to help keep it safe. If you encounter any user data or program data including but not limited to usernames, passwords, or vulnerability information, please report it to us immediately and stop testing right away.\n - **Bend, but not break.** Do not damage or leave a system in a more vulnerable state than when you uncovered it.\n\nPublic disclosure\n===============\nWe believe in transparency about our security, so any valid vulnerabilities discovered are always [publicly disclosed](/security/hacktivity) once confirmed and resolved.\n\nScope Exclusions\n===============\nThe following categories of reports are considered out of scope for our program and will not be rewarded:\n\n - Reports which target a lack of host header validation or that exploit [multiple forward slashes](https://hackerone.com/reports/52035) at the root of the path segment of a URL. Both of these issues are known to both us and Cloudflare, and their resolution is outside our control.\n - Spamming other users with automated HackerOne emails or notifications (e.g. 
abusing the forgot password form).\n - Reports which [enumerate already claimed user and program handles](https://hackerone.com/reports/29185). This reveals no sensitive information, regardless of whether the associated profiles are public or private.\n - Reports which involve constructing a markdown link in such a way that it may appear confusing in the external link warning interstitial page, despite being properly decoded and fully enclosed in the demarcated \"External link\" box.\n - Reports relating to the execution of CSV content by a third-party client application due to special treatment of certain characters in the exported CSV.\n - Reports relating to invitation expiration dates.\n - Reports relating to self-DoS issues (as in, only the person doing the action is denied service).\n - Reports relating to missing rate limiting of [our API](https://api.hackerone.com/). We intentionally made this design decision to learn how people use our API. We plan to implement a rate limit in the future.\n - The ability to game the badges functionality by closing submissions reported by yourself or a team member in a verified program.\n - The ability to influence reputation/signal/impact via socially engineering a program's team members.\n - Reports which disclose the existence of private programs that are using SAML.\n - Open redirect vulnerabilities that do not demonstrate a clear impact, such as sending secret tokens to an arbitrary domain.\n\nConsequences of Complying with This Policy\n===============\nWe will not pursue civil action or initiate a complaint to law enforcement for accidental, good faith violations of this policy. We consider activities conducted consistent with this policy to constitute “authorized” conduct under the Computer Fraud and Abuse Act (CFAA). 
We will not bring a DMCA claim against you for circumventing the technological measures we have used to protect the applications in scope.\n\nIf legal action is initiated by a third party against you in connection with your participation in our program, and you have complied with HackerOne’s bug bounty policy, HackerOne will take steps to make it known that your actions were conducted in compliance with this policy.\n\nPlease submit a HackerOne report to us before engaging in conduct that may be inconsistent with or unaddressed by this policy.\n\n{F285265}\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2019-11-27T05:28:19.825Z"},{"id":3624683,"new_policy":"We've built HackerOne from the ground up with [security as our top priority](https://www.hackerone.com/trust). Even so, we believe that all technology contains bugs and that the public plays a crucial role in identifying these bugs. If you believe you've found a security bug in our service, we'll gladly work with you to resolve that issue and ensure you are fairly compensated for your discovery.\n\nWe're constantly seeking to improve. If you have any questions on our security or suggestions on how HackerOne could be improved, please [let us know](https://support.hackerone.com/hc/en-us/requests/new).\n\n**💬Important for reporting functional bugs**: if you are looking to report a non-security-related bug in HackerOne, please [submit here](https://support.hackerone.com/hc/en-us/requests/new) instead.\n\n🔥 Helpful reconnaissance data\n===============\nHackerOne is providing everybody with useful information that may help you find more security vulnerabilities in our systems. You can find all the information in [this repository](https://github.com/Hacker0x01/helpful-recon-data). 
It contains all endpoints on HackerOne.com, our GraphQL schema, and an un-minified version of our JavaScript for easier debugging. We're planning to update the information regularly to give you insight into new features we're building and give you faster access to new attack surface.\n\nPublic disclosure\n===============\nWe believe in transparency about our security, so any valid vulnerabilities discovered are always [publicly disclosed](/security/hacktivity) once confirmed and resolved.\n\nScope Exclusions\n===============\nThe following categories of reports are considered out of scope for our program and will not be rewarded:\n\n - Reports which target a lack of host header validation or that exploit [multiple forward slashes](https://hackerone.com/reports/52035) at the root of the path segment of a URL. Both of these issues are known to both us and Cloudflare, and their resolution is outside our control.\n - Spamming other users with automated HackerOne emails or notifications (e.g. abusing the forgot password form).\n - Reports which [enumerate already claimed user and program handles](https://hackerone.com/reports/29185). This reveals no sensitive information, regardless of whether the associated profiles are public or private.\n - Reports which involve constructing a markdown link in such a way that it may appear confusing in the external link warning interstitial page, despite being properly decoded and fully enclosed in the demarcated \"External link\" box.\n - Reports relating to the execution of CSV content by a third-party client application due to special treatment of certain characters in the exported CSV.\n - Reports relating to invitation expiration dates.\n - Reports relating to self-DoS issues (as in, only the person doing the action is denied service).\n - Reports relating to missing rate limiting of [our API](https://api.hackerone.com/). We intentionally made this design decision to learn how people use our API. 
We plan to implement a rate limit in the future.\n - The ability to game the badges functionality by closing submissions reported by yourself or a team member in a verified program.\n - The ability to influence reputation/signal/impact via socially engineering a program's team members.\n - Reports which disclose the existence of private programs that are using SAML.\n - Open redirect vulnerabilities that do not demonstrate a clear impact, such as sending secret tokens to an arbitrary domain.\n\nConsequences of Complying with This Policy\n===============\nWe will not pursue civil action or initiate a complaint to law enforcement for accidental, good faith violations of this policy. We consider activities conducted consistent with this policy to constitute “authorized” conduct under the Computer Fraud and Abuse Act (CFAA). We will not bring a DMCA claim against you for circumventing the technological measures we have used to protect the applications in scope.\n\nIf legal action is initiated by a third party against you in connection with your participation in our program, and you have complied with HackerOne’s bug bounty policy, HackerOne will take steps to make it known that your actions were conducted in compliance with this policy.\n\nPlease submit a HackerOne report to us before engaging in conduct that may be inconsistent with or unaddressed by this policy.\n\n{F285265}\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2019-11-27T05:24:39.134Z"},{"id":3623808,"new_policy":"We've built HackerOne from the ground up with [security as our top priority](https://www.hackerone.com/trust). Even so, we believe that all technology contains bugs and that the public plays a crucial role in identifying these bugs. 
If you believe you've found a security bug in our service, we'll gladly work with you to resolve that issue and ensure you are fairly compensated for your discovery.\n\nWe're constantly seeking to improve. If you have any questions on our security or suggestions on how HackerOne could be improved, please [let us know](https://support.hackerone.com/hc/en-us/requests/new).\n\n**💬Important for reporting functional bugs**: if you are looking to report a non-security-related bug in HackerOne, please [submit here](https://support.hackerone.com/hc/en-us/requests/new) instead.\n\n🔥 Helpful reconnaissance data\n===============\nHackerOne is providing everybody with useful information that may help you find more security vulnerabilities in our systems. You can find all the information in [this repository](https://github.com/Hacker0x01/helpful-recon-data). It contains all endpoints on HackerOne.com, our GraphQL schema, and an un-minified version of our JavaScript for easier debugging. We're planning to update the information regularly to give you insight into new features we're building and give you faster access to new attack surface.\n\nLanguages\n===============\nYou do not have to submit reports in English. 
Feel free to report anything in the following languages if you are more familiar with them:\n\n- 🇫🇷 French\n- 🇩🇪 German\n- 🇳🇱 Dutch\n- 🇮🇹 Italian\n- 🇹🇷 Turkish\n- 🇷🇺 Russian\n- 🇫🇮 Finnish\n- 🇸🇪 Swedish\n- 🇮🇳 Hindi\n- 🇮🇳 Marathi\n- 🇪🇸 Spanish\n- 🇵🇹 Portuguese\n- 🇳🇵 Nepali\n- 　   Arabic\n- 😂 Frisian\n\nWe are working on expanding our language base as we progress.\n\nPublic disclosure\n===============\nWe believe in transparency about our security, so any valid vulnerabilities discovered are always [publicly disclosed](/security/hacktivity) once confirmed and resolved.\n\nScope Exclusions\n===============\nThe following categories of reports are considered out of scope for our program and will not be rewarded:\n\n - Reports which target a lack of host header validation or that exploit [multiple forward slashes](https://hackerone.com/reports/52035) at the root of the path segment of a URL. Both of these issues are known to both us and Cloudflare, and their resolution is outside our control.\n - Spamming other users with automated HackerOne emails or notifications (e.g. abusing the forgot password form).\n - Reports which [enumerate already claimed user and program handles](https://hackerone.com/reports/29185). This reveals no sensitive information, regardless of whether the associated profiles are public or private.\n - Reports which involve constructing a markdown link in such a way that it may appear confusing in the external link warning interstitial page, despite being properly decoded and fully enclosed in the demarcated \"External link\" box.\n - Reports relating to the execution of CSV content by a third-party client application due to special treatment of certain characters in the exported CSV.\n - Reports relating to invitation expiration dates.\n - Reports relating to self-DoS issues (as in, only the person doing the action is denied service).\n - Reports relating to missing rate limiting of [our API](https://api.hackerone.com/). 
We intentionally made this design decision to learn how people use our API. We plan to implement a rate limit in the future.\n - The ability to game the badges functionality by closing submissions reported by yourself or a team member in a verified program.\n - The ability to influence reputation/signal/impact via socially engineering a program's team members.\n - Reports which disclose the existence of private programs that are using SAML.\n - Open redirect vulnerabilities that do not demonstrate a clear impact, such as sending secret tokens to an arbitrary domain.\n\nConsequences of Complying with This Policy\n===============\nWe will not pursue civil action or initiate a complaint to law enforcement for accidental, good faith violations of this policy. We consider activities conducted consistent with this policy to constitute “authorized” conduct under the Computer Fraud and Abuse Act (CFAA). We will not bring a DMCA claim against you for circumventing the technological measures we have used to protect the applications in scope.\n\nIf legal action is initiated by a third party against you in connection with your participation in our program, and you have complied with HackerOne’s bug bounty policy, HackerOne will take steps to make it known that your actions were conducted in compliance with this policy.\n\nPlease submit a HackerOne report to us before engaging in conduct that may be inconsistent with or unaddressed by this policy.\n\n{F285265}\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2019-11-16T00:12:52.936Z"},{"id":3622117,"new_policy":"We've built HackerOne from the ground up with security as our top priority. 
Even so, we believe that all technology contains bugs and that the public plays a crucial role in identifying these bugs. If you believe you've found a security bug in our service, we'll gladly work with you to resolve that issue and ensure you are fairly compensated for your discovery.\n\n**💬Important for reporting functional bugs**: if you are looking to report a non-security-related bug in HackerOne, please [submit here](https://support.hackerone.com/hc/en-us/requests/new) instead.\n\n🔥 Helpful reconnaissance data\n==============\nHackerOne is providing everybody with useful information that may help you find more security vulnerabilities in our systems. You can find all the information in [this repository](https://github.com/Hacker0x01/helpful-recon-data). It contains all endpoints on HackerOne.com, our GraphQL schema, and an un-minified version of our JavaScript for easier debugging. We're planning to update the information regularly to give you insight into new features we're building and give you faster access to new attack surface.\n\nLanguages\n=========\n\nYou do not have to submit reports in English. Feel free to report anything in the following languages if you are more familiar with them:\n\n- 🇫🇷 French\n- 🇩🇪 German\n- 🇳🇱 Dutch\n- 🇮🇹 Italian\n- 🇹🇷 Turkish\n- 🇷🇺 Russian\n- 🇫🇮 Finnish\n- 🇸🇪 Swedish\n- 🇮🇳 Hindi\n- 🇮🇳 Marathi\n- 🇪🇸 Spanish\n- 🇵🇹 Portuguese\n- 🇳🇵 Nepali\n- 　   Arabic\n- 😂 Frisian\n\nWe are working on expanding our language base as we progress.\n\nPublic disclosure\n==============\nWe believe in transparency about our security, so any valid vulnerabilities discovered are always [publicly disclosed](/security/hacktivity) once confirmed and resolved.\n\nApplication Security\n===============\n\n* Several of our engineers live double lives as security engineers and penetration testers. 
All commits go through mandatory code and security review, along with examination by static analysis tools.\n* All data access and mutation goes through a stringent Command Query Responsibility Segregation (CQRS) framework for centralized auditing, authentication, and authorization.\n* This framework utilizes strong typing and parameterization to eliminate SQL Injection attacks, as well as enforcing the presence of an anti-CSRF token prior to any data mutation.\n* We utilize a strict [Content Security Policy](https://en.wikipedia.org/wiki/Content_Security_Policy) and a safe-by-default templating language to effectively neutralize Cross-Site Scripting (XSS).\n* We encrypt all network communications with SSL/TLS accompanied with [Perfect Forward Secrecy](https://en.wikipedia.org/wiki/Forward_secrecy#Perfect_Forward_Secrecy) and [HTTP Strict Transport Security (HSTS)](https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security), including being [HSTS preloaded](https://hstspreload.appspot.com/) in most major browsers.\n* All requests pass through multiple rate limiting methods to protect against brute-force attacks.\n* We don't store passwords: we store `bcrypt(15, salt, strcat(password, sha512(app-token, env-token)))`.\n* Passwords must be a minimum of 8 characters and pass a [zxcvbn](https://blogs.dropbox.com/tech/2012/04/zxcvbn-realistic-password-strength-estimation/) strong entropy check.\n* User-submitted content (such as attachments and images) is stored in AWS S3, encrypted at rest, and served from a sandboxed domain, protecting from [Same-origin Policy](https://en.wikipedia.org/wiki/Same-origin_policy) attacks.\n* [Two-factor authentication](https://docs.hackerone.com/programs/two-factor-authentication.html), IP whitelisting, and [SAML](https://docs.hackerone.com/programs/single-sign-on-sso-via-saml.html) are available to further restrict access to accounts.\n* [Role-based access control](https://docs.hackerone.com/programs/groups-and-permissions.html) allows 
for granular permissions for team members.\n* No credit card information is stored on our servers. We use [Stripe](https://stripe.com/docs/security/stripe), a PCI Level 1 service provider.\n\nInfrastructure \u0026 Operational Security\n===============\n\n* All our infrastructure is hosted on Amazon Web Services in [SOC 1, 2, and 3](https://aws.amazon.com/compliance/soc-faqs/) and [ISO 27001](https://aws.amazon.com/compliance/iso-27001-faqs/) certified datacenters.\n* We have undergone numerous audits of our own platform, resulting in a SOC 2 Type II audit report, ISO 27001 certification, UK Cyber Essentials certification, and other such validations.\n* Network segregation is aggressively deployed between services and environments.\n* Databases, files, and backups are encrypted at rest using AES-256.\n* All infrastructure access requires two-factor, multi-stage authentication.\n* We leverage [Cloudflare](https://www.cloudflare.com/security/) to supplement our infrastructure's resilience.\n* Enforced usage of strong passwords, password managers, client encryption, mobile device management, and screen locking.\n* All employees undergo a criminal background check upon hiring.\n\n… and more. We're constantly seeking to improve. If you have any questions on our security or suggestions on how HackerOne could be improved, please let us know at support@hackerone.com.\n\nScope Exclusions\n===============\nThe following categories of reports are considered out of scope for our program and will not be rewarded:\n\n - Reports which target a lack of host header validation or that exploit [multiple forward slashes](https://hackerone.com/reports/52035) at the root of the path segment of a URL. Both of these issues are known to both us and Cloudflare, and their resolution is outside our control.\n - Spamming other users with automated HackerOne emails or notifications (e.g. 
abusing the forgot password form).\n - Reports which [enumerate already claimed user and program handles](https://hackerone.com/reports/29185). This reveals no sensitive information, regardless of whether the associated profiles are public or private.\n - Reports which involve constructing a markdown link in such a way that it may appear confusing in the external link warning interstitial page, despite being properly decoded and fully enclosed in the demarcated \"External link\" box.\n - Reports relating to the execution of CSV content by a third-party client application due to special treatment of certain characters in the exported CSV.\n - Reports relating to invitation expiration dates.\n - Reports relating to self-DoS issues (as in, only the person doing the action is denied service).\n - Reports relating to missing rate limiting of [our API](https://api.hackerone.com/). We intentionally made this design decision to learn how people use our API. We plan to implement a rate limit in the future.\n - The ability to game the badges functionality by closing submissions reported by yourself or a team member in a verified program.\n - The ability to influence reputation/signal/impact via socially engineering a program's team members.\n - Reports which disclose the existence of private programs that are using SAML.\n - Open redirect vulnerabilities that do not demonstrate a clear impact, such as sending secret tokens to an arbitrary domain.\n\n# Consequences of Complying with This Policy\nWe will not pursue civil action or initiate a complaint to law enforcement for accidental, good faith violations of this policy. We consider activities conducted consistent with this policy to constitute “authorized” conduct under the Computer Fraud and Abuse Act (CFAA). 
We will not bring a DMCA claim against you for circumventing the technological measures we have used to protect the applications in scope.\n\nIf legal action is initiated by a third party against you in connection with your participation in our program and you have complied with HackerOne’s bug bounty policy, HackerOne will take steps to make it known that your actions were conducted in compliance with this policy.\n\nPlease submit a HackerOne report to us before engaging in conduct that may be inconsistent with or unaddressed by this policy.\n\n{F285265}\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2019-10-24T16:24:25.007Z"},{"id":3613058,"new_policy":"We've built HackerOne from the ground up with security as our top priority. Even so, we believe that all technology contains bugs and that the public plays a crucial role in identifying these bugs. If you believe you've found a security bug in our service, we'll gladly work with you to resolve that issue and ensure you are fairly compensated for your discovery.\n\n**💬Important for reporting functional bugs**: if you are looking to report a non-security-related bug in HackerOne, please [submit here](https://support.hackerone.com/hc/en-us/requests/new) instead.\n\n🔥 Helpful reconnaissance data\n==============\nHackerOne is providing everybody with useful information that may help you find more security vulnerabilities in our systems. You can find all the information in [this repository](https://github.com/Hacker0x01/helpful-recon-data). It contains all endpoints on HackerOne.com, our GraphQL schema, and an un-minified version of our JavaScript for easier debugging. 
We're planning to update the information regularly to give you insight into new features we're building and give you faster access to new attack surface.\n\nLanguages\n=========\n\nYou do not have to submit reports in English. Feel free to report anything in the following languages if you are more familiar with them:\n\n- 🇫🇷 French\n- 🇩🇪 German\n- 🇳🇱 Dutch\n- 🇮🇹 Italian\n- 🇷🇺 Russian\n- 🇫🇮 Finnish\n- 🇸🇪 Swedish\n- 🇮🇳 Hindi\n- 🇮🇳 Marathi\n- 🇪🇸 Spanish\n- 🇵🇹 Portuguese\n- 🇳🇵 Nepali\n- 　   Arabic\n- 😂 Frisian\n\nWe are working on expanding our language base as we progress.\n\nPublic disclosure\n==============\nWe believe in transparency about our security, so any valid vulnerabilities discovered are always [publicly disclosed](/security/hacktivity) once confirmed and resolved.\n\nApplication Security\n===============\n\n* Several of our engineers live double lives as security engineers and penetration testers. All commits go through mandatory code and security review, along with examination by static analysis tools.\n* All data access and mutation goes through a stringent Command Query Responsibility Segregation (CQRS) framework for centralized auditing, authentication, and authorization.\n* This framework utilizes strong typing and parameterization to eliminate SQL Injection attacks, as well as enforcing the presence of an anti-CSRF token prior to any data mutation.\n* We utilize a strict [Content Security Policy](https://en.wikipedia.org/wiki/Content_Security_Policy) and a safe-by-default templating language to effectively neutralize Cross-Site Scripting (XSS).\n* We encrypt all network communications with SSL/TLS accompanied with [Perfect Forward Secrecy](https://en.wikipedia.org/wiki/Forward_secrecy#Perfect_Forward_Secrecy) and [HTTP Strict Transport Security (HSTS)](https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security), including being [HSTS preloaded](https://hstspreload.appspot.com/) in most major browsers.\n* All requests pass through multiple rate 
limiting methods to protect against brute-force attacks.\n* We don't store passwords: we store `bcrypt(15, salt, strcat(password, sha512(app-token, env-token)))`.\n* Passwords must be a minimum of 8 characters and pass a [zxcvbn](https://blogs.dropbox.com/tech/2012/04/zxcvbn-realistic-password-strength-estimation/) strong entropy check.\n* User-submitted content (such as attachments and images) is stored in AWS S3, encrypted at rest, and served from a sandboxed domain, protecting from [Same-origin Policy](https://en.wikipedia.org/wiki/Same-origin_policy) attacks.\n* [Two-factor authentication](https://docs.hackerone.com/programs/two-factor-authentication.html), IP whitelisting, and [SAML](https://docs.hackerone.com/programs/single-sign-on-sso-via-saml.html) are available to further restrict access to accounts.\n* [Role-based access control](https://docs.hackerone.com/programs/groups-and-permissions.html) allows for granular permissions for team members.\n* No credit card information is stored on our servers. 
We use [Stripe](https://stripe.com/docs/security/stripe), a PCI Level 1 service provider.\n\nInfrastructure \u0026 Operational Security\n===============\n\n* All our infrastructure is hosted on Amazon Web Services in [SOC 1, 2, and 3](https://aws.amazon.com/compliance/soc-faqs/) and [ISO 27001](https://aws.amazon.com/compliance/iso-27001-faqs/) certified datacenters.\n* We have undergone numerous audits of our own platform, resulting in a SOC 2 Type II audit report, ISO 27001 certification, UK Cyber Essentials certification, and other such validations.\n* Network segregation is aggressively deployed between services and environments.\n* Databases, files, and backups are encrypted at rest using AES-256.\n* All infrastructure access requires two-factor, multi-stage authentication.\n* We leverage [Cloudflare](https://www.cloudflare.com/security/) to supplement our infrastructure's resilience.\n* Enforced usage of strong passwords, password managers, client encryption, mobile device management, and screen locking.\n* All employees undergo a criminal background check upon hiring.\n\n… and more. We're constantly seeking to improve. If you have any questions on our security or suggestions on how HackerOne could be improved, please let us know at support@hackerone.com.\n\nScope Exclusions\n===============\nThe following categories of reports are considered out of scope for our program and will not be rewarded:\n\n - Reports which target a lack of host header validation or that exploit [multiple forward slashes](https://hackerone.com/reports/52035) at the root of the path segment of a URL. Both of these issues are known to both us and Cloudflare, and their resolution is outside our control.\n - Spamming other users with automated HackerOne emails or notifications (e.g. abusing the forgot password form).\n - Reports which [enumerate already claimed user and program handles](https://hackerone.com/reports/29185). 
This reveals no sensitive information, regardless of whether the associated profiles are public or private.\n - Reports which involve constructing a markdown link in such a way that it may appear confusing in the external link warning interstitial page, despite being properly decoded and fully enclosed in the demarcated \"External link\" box.\n - Reports relating to the execution of CSV content by a third-party client application due to special treatment of certain characters in the exported CSV.\n - Reports relating to invitation expiration dates.\n - Reports relating to self-DoS issues (as in, only the person doing the action is denied service).\n - Reports relating to missing rate limiting of [our API](https://api.hackerone.com/). We intentionally made this design decision to learn how people use our API. We plan to implement a rate limit in the future.\n - The ability to game the badges functionality by closing submissions reported by yourself or a team member in a verified program.\n - The ability to influence reputation/signal/impact via socially engineering a program's team members.\n - Reports which disclose the existence of private programs that are using SAML.\n - Open redirect vulnerabilities that do not demonstrate a clear impact, such as sending secret tokens to an arbitrary domain.\n\n# Consequences of Complying with This Policy\nWe will not pursue civil action or initiate a complaint to law enforcement for accidental, good faith violations of this policy. We consider activities conducted consistent with this policy to constitute “authorized” conduct under the Computer Fraud and Abuse Act (CFAA). 
We will not bring a DMCA claim against you for circumventing the technological measures we have used to protect the applications in scope.\n\nIf legal action is initiated by a third party against you in connection with your participation in our program and you have complied with HackerOne’s bug bounty policy, HackerOne will take steps to make it known that your actions were conducted in compliance with this policy.\n\nPlease submit a HackerOne report to us before engaging in conduct that may be inconsistent with or unaddressed by this policy.\n\n{F285265}\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2019-06-30T23:09:27.435Z"},{"id":3600568,"new_policy":"We've built HackerOne from the ground up with security as our top priority. Even so, we believe that all technology contains bugs and that the public plays a crucial role in identifying these bugs. If you believe you've found a security bug in our service, we'll gladly work with you to resolve that issue and ensure you are fairly compensated for your discovery.\n\n**💬Important for reporting functional bugs**: if you are looking to report a non-security-related bug in HackerOne, please [submit here](https://support.hackerone.com/hc/en-us/requests/new) instead.\n\n🔥 Helpful reconnaissance data\n==============\nHackerOne is providing everybody with useful information that may help you find more security vulnerabilities in our systems. You can find all the information in [this repository](https://github.com/Hacker0x01/helpful-recon-data). It contains all endpoints on HackerOne.com, our GraphQL schema, and an un-minified version of our JavaScript for easier debugging. 
We're planning to update the information regularly to give you insight into new features we're building and give you faster access to new attack surface.\n\nLanguages\n=========\n\nYou do not have to submit reports in English. Feel free to report anything in the following languages if you are more familiar with them:\n\n- 🇫🇷 French\n- 🇩🇪 German\n- 🇳🇱 Dutch\n- 🇮🇹 Italian\n- 🇷🇺 Russian\n- 🇫🇮 Finnish\n- 🇸🇪 Swedish\n- 🇮🇳 Hindi\n- 🇮🇳 Marathi\n- 🇪🇸 Spanish\n- 🇵🇹 Portuguese\n- 🇳🇵 Nepali\n- 　   Arabic\n- 😂 Frisian\n\nWe are working on expanding our language base as we progress.\n\nPublic disclosure\n==============\nWe believe in transparency about our security, so any valid vulnerabilities discovered are always [publicly disclosed](/security/hacktivity) once confirmed and resolved.\n\nApplication Security\n===============\n\n* Several of our engineers live double lives as security engineers and penetration testers. All commits go through mandatory code and security review, along with examination by static analysis tools.\n* All data access and mutation goes through a stringent Command Query Responsibility Segregation (CQRS) framework for centralized auditing, authentication, and authorization.\n* This framework utilizes strong typing and parameterization to eliminate SQL Injection attacks, as well as enforcing the presence of an anti-CSRF token prior to any data mutation.\n* We utilize a strict [Content Security Policy](https://en.wikipedia.org/wiki/Content_Security_Policy) and a safe-by-default templating language to effectively neutralize Cross-Site Scripting (XSS).\n* We encrypt all network communications with SSL/TLS accompanied with [Perfect Forward Secrecy](https://en.wikipedia.org/wiki/Forward_secrecy#Perfect_Forward_Secrecy) and [HTTP Strict Transport Security (HSTS)](https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security), including being [HSTS preloaded](https://hstspreload.appspot.com/) in most major browsers.\n* All requests pass through multiple rate 
limiting methods to protect against brute-force attacks.\n* We don't store passwords: we store `bcrypt(15, salt, strcat(password, sha512(app-token, env-token)))`.\n* Passwords must be a minimum of 8 characters and pass a [zxcvbn](https://blogs.dropbox.com/tech/2012/04/zxcvbn-realistic-password-strength-estimation/) strong entropy check.\n* User-submitted content (such as attachments and images) is stored in AWS S3, encrypted at rest, and served from a sandboxed domain, protecting from [Same-origin Policy](https://en.wikipedia.org/wiki/Same-origin_policy) attacks.\n* [Two-factor authentication](https://docs.hackerone.com/programs/two-factor-authentication.html), IP whitelisting, and [SAML](https://docs.hackerone.com/programs/single-sign-on-sso-via-saml.html) are available to further restrict access to accounts.\n* [Role-based access control](https://docs.hackerone.com/programs/groups-and-permissions.html) allows for granular permissions for team members.\n* No credit card information is stored on our servers. 
We use [Stripe](https://stripe.com/docs/security/stripe), a PCI Level 1 service provider.\n\nInfrastructure \u0026 Operational Security\n===============\n\n* All our infrastructure is hosted on Amazon Web Services in [SOC 1, 2, and 3](https://aws.amazon.com/compliance/soc-faqs/) and [ISO 27001](https://aws.amazon.com/compliance/iso-27001-faqs/) certified datacenters.\n* We have undergone a SOC 2 Type II audit of our own platform.\n* Network segregation is aggressively deployed between services and environments.\n* Databases, files, and backups are encrypted at rest using AES-256.\n* All infrastructure access requires two-factor, multi-stage authentication.\n* We leverage [Cloudflare](https://www.cloudflare.com/security/) to supplement our infrastructure's resilience.\n* Enforced usage of strong passwords, password managers, client encryption, mobile device management, and screen locking.\n* All employees undergo a criminal background check upon hiring.\n\n… and more. We're constantly seeking to improve. If you have any questions on our security or suggestions on how HackerOne could be improved, please let us know at support@hackerone.com.\n\nScope Exclusions\n===============\nThe following categories of reports are considered out of scope for our program and will not be rewarded:\n\n - Reports which target a lack of host header validation or that exploit [multiple forward slashes](https://hackerone.com/reports/52035) at the root of the path segment of a URL. Both of these issues are known to both us and Cloudflare, and their resolution is outside our control.\n - Spamming other users with automated HackerOne emails or notifications (e.g. abusing the forgot password form).\n - Reports which [enumerate already claimed user and program handles](https://hackerone.com/reports/29185). 
This reveals no sensitive information, regardless of whether the associated profiles are public or private.\n - Reports which involve constructing a markdown link in such a way that it may appear confusing in the external link warning interstitial page, despite being properly decoded and fully enclosed in the demarcated \"External link\" box.\n - Reports relating to the execution of CSV content by a third-party client application due to special treatment of certain characters in the exported CSV.\n - Reports relating to invitation expiration dates.\n - Reports relating to self-DoS issues (as in, only the person doing the action is denied service).\n - Reports relating to missing rate limiting of [our API](https://api.hackerone.com/). We intentionally made this design decision to learn how people use our API. We plan to implement a rate limit in the future.\n - The ability to game the badges functionality by closing submissions reported by yourself or a team member in a verified program.\n - The ability to influence reputation/signal/impact via socially engineering a program's team members.\n - Reports which disclose the existence of private programs that are using SAML.\n - Open redirect vulnerabilities that do not demonstrate a clear impact, such as sending secret tokens to an arbitrary domain.\n\n# Consequences of Complying with This Policy\nWe will not pursue civil action or initiate a complaint to law enforcement for accidental, good faith violations of this policy. We consider activities conducted consistent with this policy to constitute “authorized” conduct under the Computer Fraud and Abuse Act (CFAA). 
We will not bring a DMCA claim against you for circumventing the technological measures we have used to protect the applications in scope.\n\nIf legal action is initiated by a third party against you in connection with your participation in our program and you have complied with HackerOne’s bug bounty policy, HackerOne will take steps to make it known that your actions were conducted in compliance with this policy.\n\nPlease submit a HackerOne report to us before engaging in conduct that may be inconsistent with or unaddressed by this policy.\n\n{F285265}\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2019-01-16T01:37:49.588Z"},{"id":3598055,"new_policy":"We've built HackerOne from the ground up with security as our top priority. Even so, we believe that all technology contains bugs and that the public plays a crucial role in identifying these bugs. If you believe you've found a security bug in our service, we'll gladly work with you to resolve that issue and ensure you are fairly compensated for your discovery.\n\n**🎄Important holiday notice**: we have a reduced number of available staff for our bug bounty program from December 21st through January 2nd. Responses may take longer than usual. Thanks for everybody's continued contributions and we welcome you to continue to submit security vulnerabilities to us over the holidays. 
Happy holidays and happy hacking!\n\n**💬Important for reporting functional bugs**: if you are looking to report a non-security-related bug in HackerOne, please [submit here](https://support.hackerone.com/hc/en-us/requests/new) instead.\n\n🔥 Helpful reconnaissance data\n==============\nHackerOne is providing everybody with useful information that may help you find more security vulnerabilities in our systems. You can find all the information in [this repository](https://github.com/Hacker0x01/helpful-recon-data). It contains all endpoints on HackerOne.com, our GraphQL schema, and an un-minified version of our JavaScript for easier debugging. We're planning to update the information regularly to give you insight into new features we're building and give you faster access to new attack surface.\n\nLanguages\n=========\n\nYou do not have to submit reports in English. Feel free to report anything in the following languages if you are more familiar with them:\n\n- 🇫🇷 French\n- 🇩🇪 German\n- 🇳🇱 Dutch\n- 🇮🇹 Italian\n- 🇷🇺 Russian\n- 🇫🇮 Finnish\n- 🇸🇪 Swedish\n- 🇮🇳 Hindi\n- 🇮🇳 Marathi\n- 🇪🇸 Spanish\n- 🇵🇹 Portuguese\n- 🇳🇵 Nepali\n- 　   Arabic\n- 😂 Frisian\n\nWe are working on expanding our language base as we progress.\n\nPublic disclosure\n==============\nWe believe in transparency about our security, so any valid vulnerabilities discovered are always [publicly disclosed](/security/hacktivity) once confirmed and resolved.\n\nApplication Security\n===============\n\n* Several of our engineers live double lives as security engineers and penetration testers. 
All commits go through mandatory code and security review, along with examination by static analysis tools.\n* All data access and mutation goes through a stringent Command Query Responsibility Segregation (CQRS) framework for centralized auditing, authentication, and authorization.\n* This framework utilizes strong typing and parameterization to eliminate SQL Injection attacks, as well as enforcing the presence of an anti-CSRF token prior to any data mutation.\n* We utilize a strict [Content Security Policy](https://en.wikipedia.org/wiki/Content_Security_Policy) and a safe-by-default templating language to effectively neutralize Cross-Site Scripting (XSS).\n* We encrypt all network communications with SSL/TLS accompanied with [Perfect Forward Secrecy](https://en.wikipedia.org/wiki/Forward_secrecy#Perfect_Forward_Secrecy) and [HTTP Strict Transport Security (HSTS)](https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security), including being [HSTS preloaded](https://hstspreload.appspot.com/) in most major browsers.\n* All requests pass through multiple rate limiting methods to protect against brute-force attacks.\n* We don't store passwords: we store `bcrypt(15, salt, strcat(password, sha512(app-token, env-token)))`.\n* Passwords must be a minimum of 8 characters and pass a [zxcvbn](https://blogs.dropbox.com/tech/2012/04/zxcvbn-realistic-password-strength-estimation/) strong entropy check.\n* User-submitted content (such as attachments and images) is stored in AWS S3, encrypted at rest, and served from a sandboxed domain, protecting from [Same-origin Policy](https://en.wikipedia.org/wiki/Same-origin_policy) attacks.\n* [Two-factor authentication](https://docs.hackerone.com/programs/two-factor-authentication.html), IP whitelisting, and [SAML](https://docs.hackerone.com/programs/single-sign-on-sso-via-saml.html) are available to further restrict access to accounts.\n* [Role-based access control](https://docs.hackerone.com/programs/groups-and-permissions.html) allows 
for granular permissions for team members.\n* No credit card information is stored on our servers. We use [Stripe](https://stripe.com/docs/security/stripe), a PCI Level 1 service provider.\n\nInfrastructure \u0026 Operational Security\n===============\n\n* All our infrastructure is hosted on Amazon Web Services in [SOC 1, 2, and 3](https://aws.amazon.com/compliance/soc-faqs/) and [ISO 27001](https://aws.amazon.com/compliance/iso-27001-faqs/) certified datacenters.\n* We have undergone a SOC 2 Type II audit of our own platform.\n* Network segregation is aggressively deployed between services and environments.\n* Databases, files, and backups are encrypted at rest using AES-256.\n* All infrastructure access requires two-factor, multi-stage authentication.\n* We leverage [Cloudflare](https://www.cloudflare.com/security/) to supplement our infrastructure's resilience.\n* Enforced usage of strong passwords, password managers, client encryption, mobile device management, and screen locking.\n* All employees undergo a criminal background check upon hiring.\n\n… and more. We're constantly seeking to improve. If you have any questions on our security or suggestions on how HackerOne could be improved, please let us know at support@hackerone.com.\n\nScope Exclusions\n===============\nThe following categories of reports are considered out of scope for our program and will not be rewarded:\n\n - Reports which target a lack of host header validation or that exploit [multiple forward slashes](https://hackerone.com/reports/52035) at the root of the path segment of a URL. Both of these issues are known to both us and Cloudflare, and their resolution is outside our control.\n - Spamming other users with automated HackerOne emails or notifications (e.g. abusing the forgot password form).\n - Reports which [enumerate already claimed user and program handles](https://hackerone.com/reports/29185). 
This reveals no sensitive information, regardless of whether the associated profiles are public or private.\n - Reports which involve constructing a markdown link in such a way that it may appear confusing in the external link warning interstitial page, despite being properly decoded and fully enclosed in the demarcated \"External link\" box.\n - Reports relating to the execution of CSV content by a third-party client application due to special treatment of certain characters in the exported CSV.\n - Reports relating to invitation expiration dates.\n - Reports relating to self-DoS issues (as in, only the person doing the action is denied service).\n - Reports relating to missing rate limiting of [our API](https://api.hackerone.com/). We intentionally made this design decision to learn how people use our API. We plan to implement a rate limit in the future.\n - The ability to game the badges functionality by closing submissions reported by yourself or a team member in a verified program.\n - The ability to influence reputation/signal/impact via socially engineering a program's team members.\n - Reports which disclose the existence of private programs that are using SAML.\n - Open redirect vulnerabilities that do not demonstrate a clear impact, such as sending secret tokens to an arbitrary domain.\n\n# Consequences of Complying with This Policy\nWe will not pursue civil action or initiate a complaint to law enforcement for accidental, good faith violations of this policy. We consider activities conducted consistent with this policy to constitute “authorized” conduct under the Computer Fraud and Abuse Act (CFAA). 
We will not bring a DMCA claim against you for circumventing the technological measures we have used to protect the applications in scope.\n\nIf legal action is initiated by a third party against you in connection with your participation in our program and you have complied with HackerOne’s bug bounty policy, HackerOne will take steps to make it known that your actions were conducted in compliance with this policy.\n\nPlease submit a HackerOne report to us before engaging in conduct that may be inconsistent with or unaddressed by this policy.\n\n{F285265}\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2018-12-13T18:59:11.489Z"},{"id":3597859,"new_policy":"We've built HackerOne from the ground up with security as our top priority. Even so, we believe that all technology contains bugs and that the public plays a crucial role in identifying these bugs. If you believe you've found a security bug in our service, we'll gladly work with you to resolve that issue and ensure you are fairly compensated for your discovery.\n\n**💬Important for reporting functional bugs**: if you are looking to report a non-security-related bug in HackerOne, please [submit here](https://support.hackerone.com/hc/en-us/requests/new) instead.\n\n🔥 Helpful reconnaissance data\n==============\nHackerOne is providing everybody with useful information that may help you find more security vulnerabilities in our systems. You can find all the information in [this repository](https://github.com/Hacker0x01/helpful-recon-data). It contains all endpoints on HackerOne.com, our GraphQL schema, and an un-minified version of our JavaScript for easier debugging. 
We're planning to update the information regularly to give you insight into new features we're building and give you faster access to new attack surface.\n\nLanguages\n=========\n\nYou do not have to submit reports in English. Feel free to report anything in the following languages if you are more familiar with them:\n\n- 🇫🇷 French\n- 🇩🇪 German\n- 🇳🇱 Dutch\n- 🇮🇹 Italian\n- 🇷🇺 Russian\n- 🇫🇮 Finnish\n- 🇸🇪 Swedish\n- 🇮🇳 Hindi\n- 🇮🇳 Marathi\n- 🇪🇸 Spanish\n- 🇵🇹 Portuguese\n- 🇳🇵 Nepali\n- 　   Arabic\n- 😂 Frisian\n\nWe are working on expanding our language base as we progress.\n\nPublic disclosure\n==============\nWe believe in transparency about our security, so any valid vulnerabilities discovered are always [publicly disclosed](/security/hacktivity) once confirmed and resolved.\n\nApplication Security\n===============\n\n* Several of our engineers live double lives as security engineers and penetration testers. All commits go through mandatory code and security review, along with examination by static analysis tools.\n* All data access and mutation goes through a stringent Command Query Responsibility Segregation (CQRS) framework for centralized auditing, authentication, and authorization.\n* This framework utilizes strong typing and parameterization to eliminate SQL Injection attacks, as well as enforcing the presence of an anti-CSRF token prior to any data mutation.\n* We utilize a strict [Content Security Policy](https://en.wikipedia.org/wiki/Content_Security_Policy) and a safe-by-default templating language to effectively neutralize Cross-Site Scripting (XSS).\n* We encrypt all network communications with SSL/TLS accompanied with [Perfect Forward Secrecy](https://en.wikipedia.org/wiki/Forward_secrecy#Perfect_Forward_Secrecy) and [HTTP Strict Transport Security (HSTS)](https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security), including being [HSTS preloaded](https://hstspreload.appspot.com/) in most major browsers.\n* All requests pass through multiple rate 
limiting methods to protect against brute-force attacks.\n* We don't store passwords: we store `bcrypt(15, salt, strcat(password, sha512(app-token, env-token)))`.\n* Passwords must be a minimum of 8 characters and pass a [zxcvbn](https://blogs.dropbox.com/tech/2012/04/zxcvbn-realistic-password-strength-estimation/) strong entropy check.\n* User-submitted content (such as attachments and images) is stored in AWS S3, encrypted at rest, and served from a sandboxed domain, protecting from [Same-origin Policy](https://en.wikipedia.org/wiki/Same-origin_policy) attacks.\n* [Two-factor authentication](https://docs.hackerone.com/programs/two-factor-authentication.html), IP whitelisting, and [SAML](https://docs.hackerone.com/programs/single-sign-on-sso-via-saml.html) are available to further restrict access to accounts.\n* [Role-based access control](https://docs.hackerone.com/programs/groups-and-permissions.html) allows for granular permissions for team members.\n* No credit card information is stored on our servers. 
We use [Stripe](https://stripe.com/docs/security/stripe), a PCI Level 1 service provider.\n\nInfrastructure \u0026 Operational Security\n===============\n\n* All our infrastructure is hosted on Amazon Web Services in [SOC 1, 2, and 3](https://aws.amazon.com/compliance/soc-faqs/) and [ISO 27001](https://aws.amazon.com/compliance/iso-27001-faqs/) certified datacenters.\n* We have undergone a SOC 2 Type II audit of our own platform.\n* Network segregation is aggressively deployed between services and environments.\n* Databases, files, and backups are encrypted at rest using AES-256.\n* All infrastructure access requires two-factor, multi-stage authentication.\n* We leverage [Cloudflare](https://www.cloudflare.com/security/) to supplement our infrastructure's resilience.\n* Enforced usage of strong passwords, password managers, client encryption, mobile device management, and screen locking.\n* All employees undergo a criminal background check upon hiring.\n\n… and more. We're constantly seeking to improve. If you have any questions on our security or suggestions on how HackerOne could be improved, please let us know at support@hackerone.com.\n\nScope Exclusions\n===============\nThe following categories of reports are considered out of scope for our program and will not be rewarded:\n\n - Reports which target a lack of host header validation or that exploit [multiple forward slashes](https://hackerone.com/reports/52035) at the root of the path segment of a URL. Both of these issues are known to both us and Cloudflare, and their resolution is outside our control.\n - Spamming other users with automated HackerOne emails or notifications (e.g. abusing the forgot password form).\n - Reports which [enumerate already claimed user and program handles](https://hackerone.com/reports/29185). 
This reveals no sensitive information, regardless of whether the associated profiles are public or private.\n - Reports which involve constructing a markdown link in such a way that it may appear confusing in the external link warning interstitial page, despite being properly decoded and fully enclosed in the demarcated \"External link\" box.\n - Reports relating to the execution of CSV content by a third-party client application due to special treatment of certain characters in the exported CSV.\n - Reports relating to invitation expiration dates.\n - Reports relating to self-DoS issues (as in, only the person doing the action is denied service).\n - Reports relating to missing rate limiting of [our API](https://api.hackerone.com/). We intentionally made this design decision to learn how people use our API. We plan to implement a rate limit in the future.\n - The ability to game the badges functionality by closing submissions reported by yourself or a team member in a verified program.\n - The ability to influence reputation/signal/impact via socially engineering a program's team members.\n - Reports which disclose the existence of private programs that are using SAML.\n - Open redirect vulnerabilities that do not demonstrate a clear impact, such as sending secret tokens to an arbitrary domain.\n\n# Consequences of Complying with This Policy\nWe will not pursue civil action or initiate a complaint to law enforcement for accidental, good faith violations of this policy. We consider activities conducted consistent with this policy to constitute “authorized” conduct under the Computer Fraud and Abuse Act (CFAA). 
We will not bring a DMCA claim against you for circumventing the technological measures we have used to protect the applications in scope.\n\nIf legal action is initiated by a third party against you in connection with your participation in our program and you have complied with HackerOne’s bug bounty policy, HackerOne will take steps to make it known that your actions were conducted in compliance with this policy.\n\nPlease submit a HackerOne report to us before engaging in conduct that may be inconsistent with or unaddressed by this policy.\n\n{F285265}\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2018-12-12T21:04:10.039Z"},{"id":3594767,"new_policy":"We've built HackerOne from the ground up with security as our top priority. Even so, we believe that all technology contains bugs and that the public plays a crucial role in identifying these bugs. If you believe you've found a security bug in our service, we'll gladly work with you to resolve that issue and ensure you are fairly compensated for your discovery.\n\n**💬Important for reporting functional bugs**: if you are looking to report a non-security-related bug in HackerOne, please [submit here](https://support.hackerone.com/hc/en-us/requests/new) instead.\n\n🔥 Research incentive experiment\n==============\nHackerOne is interested in your research on our systems, regardless of whether you found a security vulnerability. If you have found yourself looking at a particular feature on one of our assets but didn't find anything, please submit a report that describes all the different things you tried and failed. We may reward you for substantial research performed on assets under our bug bounty policy. 
This rule may be removed from our policy at any point in time.\n\nLanguages\n=========\n\nYou do not have to submit reports in English. Feel free to report anything in the following languages if you are more familiar with them:\n\n- 🇫🇷 French\n- 🇩🇪 German\n- 🇳🇱 Dutch\n- 🇮🇹 Italian\n- 🇷🇺 Russian\n- 🇫🇮 Finnish\n- 🇸🇪 Swedish\n- 🇮🇳 Hindi\n- 🇮🇳 Marathi\n- 🇪🇸 Spanish\n- 🇵🇹 Portuguese\n- 🇳🇵 Nepali\n- 　   Arabic\n- 😂 Frisian\n\nWe are working on expanding our language base as we progress.\n\nPublic disclosure\n==============\nWe believe in transparency about our security, so any valid vulnerabilities discovered are always [publicly disclosed](/security/hacktivity) once confirmed and resolved.\n\nApplication Security\n===============\n\n* Several of our engineers live double lives as security engineers and penetration testers. All commits go through mandatory code and security review, along with examination by static analysis tools.\n* All data access and mutation goes through a stringent Command Query Responsibility Segregation (CQRS) framework for centralized auditing, authentication, and authorization.\n* This framework utilizes strong typing and parameterization to eliminate SQL Injection attacks, as well as enforcing the presence of an anti-CSRF token prior to any data mutation.\n* We utilize a strict [Content Security Policy](https://en.wikipedia.org/wiki/Content_Security_Policy) and a safe-by-default templating language to effectively neutralize Cross-Site Scripting (XSS).\n* We encrypt all network communications with SSL/TLS accompanied with [Perfect Forward Secrecy](https://en.wikipedia.org/wiki/Forward_secrecy#Perfect_Forward_Secrecy) and [HTTP Strict Transport Security (HSTS)](https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security), including being [HSTS preloaded](https://hstspreload.appspot.com/) in most major browsers.\n* All requests pass through multiple rate limiting methods to protect against brute-force attacks.\n* We don't store passwords: we store 
`bcrypt(15, salt, strcat(password, sha512(app-token, env-token)))`.\n* Passwords must be a minimum of 8 characters and pass a [zxcvbn](https://blogs.dropbox.com/tech/2012/04/zxcvbn-realistic-password-strength-estimation/) strong entropy check.\n* User-submitted content (such as attachments and images) is stored in AWS S3, encrypted at rest, and served from a sandboxed domain, protecting from [Same-origin Policy](https://en.wikipedia.org/wiki/Same-origin_policy) attacks.\n* [Two-factor authentication](https://docs.hackerone.com/programs/two-factor-authentication.html), IP whitelisting, and [SAML](https://docs.hackerone.com/programs/single-sign-on-sso-via-saml.html) are available to further restrict access to accounts.\n* [Role-based access control](https://docs.hackerone.com/programs/groups-and-permissions.html) allows for granular permissions for team members.\n* No credit card information is stored on our servers. We use [Stripe](https://stripe.com/docs/security/stripe), a PCI Level 1 service provider.\n\nInfrastructure \u0026 Operational Security\n===============\n\n* All our infrastructure is hosted on Amazon Web Services in [SOC 1, 2, and 3](https://aws.amazon.com/compliance/soc-faqs/) and [ISO 27001](https://aws.amazon.com/compliance/iso-27001-faqs/) certified datacenters.\n* We have undergone a SOC 2 Type II audit of our own platform.\n* Network segregation is aggressively deployed between services and environments.\n* Databases, files, and backups are encrypted at rest using AES-256.\n* All infrastructure access requires two-factor, multi-stage authentication.\n* We leverage [Cloudflare](https://www.cloudflare.com/security/) to supplement our infrastructure's resilience.\n* Enforced usage of strong passwords, password managers, client encryption, mobile device management, and screen locking.\n* All employees undergo a criminal background check upon hiring.\n\n… and more. We're constantly seeking to improve. 
If you have any questions on our security or suggestions on how HackerOne could be improved, please let us know at support@hackerone.com.\n\nScope Exclusions\n===============\nThe following categories of reports are considered out of scope for our program and will not be rewarded:\n\n - Reports which target a lack of host header validation or that exploit [multiple forward slashes](https://hackerone.com/reports/52035) at the root of the path segment of a URL. Both of these issues are known to both us and Cloudflare, and their resolution is outside our control.\n - Spamming other users with automated HackerOne emails or notifications (e.g. abusing the forgot password form).\n - Reports which [enumerate already claimed user and program handles](https://hackerone.com/reports/29185). This reveals no sensitive information, regardless of whether the associated profiles are public or private.\n - Reports which involve constructing a markdown link in such a way that it may appear confusing in the external link warning interstitial page, despite being properly decoded and fully enclosed in the demarcated \"External link\" box.\n - Reports relating to the execution of CSV content by a third-party client application due to special treatment of certain characters in the exported CSV.\n - Reports relating to invitation expiration dates.\n - Reports relating to self-DoS issues (as in, only the person doing the action is denied service).\n - Reports relating to missing rate limiting of [our API](https://api.hackerone.com/). We intentionally made this design decision to learn how people use our API. 
We plan to implement a rate limit in the future.\n - The ability to game the badges functionality by closing submissions reported by yourself or a team member in a verified program.\n - The ability to influence reputation/signal/impact via socially engineering a program's team members.\n - Reports which disclose the existence of private programs that are using SAML.\n - Open redirect vulnerabilities that do not demonstrate a clear impact, such as sending secret tokens to an arbitrary domain.\n\n# Consequences of Complying with This Policy\nWe will not pursue civil action or initiate a complaint to law enforcement for accidental, good faith violations of this policy. We consider activities conducted consistent with this policy to constitute “authorized” conduct under the Computer Fraud and Abuse Act (CFAA). We will not bring a DMCA claim against you for circumventing the technological measures we have used to protect the applications in scope.\n\nIf legal action is initiated by a third party against you in connection with your participation in our program and you have complied with HackerOne’s bug bounty policy, HackerOne will take steps to make it known that your actions were conducted in compliance with this policy.\n\nPlease submit a HackerOne report to us before engaging in conduct that may be inconsistent with or unaddressed by this policy.\n\n{F285265}\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2018-11-15T16:50:53.599Z"},{"id":3588737,"new_policy":"We've built HackerOne from the ground up with security as our top priority. Even so, we believe that all technology contains bugs and that the public plays a crucial role in identifying these bugs. 
If you believe you've found a security bug in our service, we'll gladly work with you to resolve that issue and ensure you are fairly compensated for your discovery.\n\n**💬Important for reporting functional bugs**: if you are looking to report a non-security-related bug in HackerOne, please [submit here](https://support.hackerone.com/hc/en-us/requests/new) instead.\n\n🔥 Research incentive experiment\n==============\nHackerOne is interested in your research on our systems, regardless of whether you found a security vulnerability. If you have found yourself looking at a particular feature on one of our assets but didn't find anything, please submit a report that describes all the different things you tried and failed. We may reward you for substantial research performed on assets under our bug bounty policy. This rule may be removed from our policy at any point in time.\n\nLanguages\n=========\n\nYou do not have to submit reports in English. Feel free to report anything in the following languages if you are more familiar with them:\n\n- 🇫🇷 French\n- 🇩🇪 German\n- 🇳🇱 Dutch\n- 🇮🇹 Italian\n- 🇷🇺 Russian\n- 🇫🇮 Finnish\n- 🇸🇪 Swedish\n- 🇮🇳 Hindi\n- 🇮🇳 Marathi\n- 🇪🇸 Spanish\n- 🇵🇹 Portuguese\n- 🇳🇵 Nepali\n- 　   Arabic\n- 😂 Frisian\n\nWe are working on expanding our language base as we progress.\n\nPublic disclosure\n==============\nWe believe in transparency about our security, so any valid vulnerabilities discovered are always publicly disclosed once confirmed and resolved.\nApplication Security\n===============\n\n* Several of our engineers live double lives as security engineers and penetration testers. 
All commits go through mandatory code and security review, along with examination by static analysis tools.\n* All data access and mutation goes through a stringent Command Query Responsibility Segregation (CQRS) framework for centralized auditing, authentication, and authorization.\n* This framework utilizes strong typing and parameterization to eliminate SQL Injection attacks, as well as enforcing the presence of an anti-CSRF token prior to any data mutation.\n* We utilize a strict [Content Security Policy](https://en.wikipedia.org/wiki/Content_Security_Policy) and a safe-by-default templating language to effectively neutralize Cross-Site Scripting (XSS).\n* We encrypt all network communications with SSL/TLS accompanied with [Perfect Forward Secrecy](https://en.wikipedia.org/wiki/Forward_secrecy#Perfect_Forward_Secrecy) and [HTTP Strict Transport Security (HSTS)](https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security), including being [HSTS preloaded](https://hstspreload.appspot.com/) in most major browsers.\n* All requests pass through multiple rate limiting implementations to protect against brute-force attacks.\n* We don't store passwords: we store `bcrypt(15, salt, strcat(password, sha512(app-token, env-token)))`.\n* Passwords must be a minimum of 8 characters and pass a [zxcvbn](https://blogs.dropbox.com/tech/2012/04/zxcvbn-realistic-password-strength-estimation/) strong entropy check.\n* User-submitted content (such as attachments and images) is stored in AWS S3, encrypted at rest, and served from a sandboxed domain, protecting from [Same-origin Policy](https://en.wikipedia.org/wiki/Same-origin_policy) attacks.\n* Two-factor authentication and IP whitelisting are available to further restrict access to accounts.\n* Role-based access control allows for granular permissions for team members.\n* No credit card information is stored on our servers. 
We use [Stripe](https://stripe.com/docs/security), a PCI Level 1 service provider.\n\nInfrastructure \u0026 Operational Security\n===============\n\n* All our infrastructure is hosted on Amazon Web Services in [SOC 1, 2, and 3](https://aws.amazon.com/compliance/soc-faqs/) and [ISO 27001](https://aws.amazon.com/compliance/iso-27001-faqs/) certified datacenters.\n* Network segregation is aggressively deployed between services and environments.\n* Databases, files, and backups are encrypted at rest using AES-256.\n* All infrastructure access requires two-factor, multi-stage authentication.\n* We leverage [Cloudflare](https://www.cloudflare.com) to supplement our infrastructure's resilience.\n* Enforced usage of strong passwords, password managers, client encryption, mobile device management, and screen locking.\n* All employees undergo a criminal background check upon hiring.\n\n… and more. We're constantly seeking to improve. If you have any questions on our security or suggestions on how HackerOne could be improved, please let us know at support@hackerone.com.\n\nScope Exclusions\n===============\nThe following categories of reports are considered out of scope for our program and will not be rewarded:\n\n - Reports which target a lack of host header validation or that exploit [multiple forward slashes](https://hackerone.com/reports/52035) at the root of the path segment of a URL. Both of these issues are known to both us and Cloudflare, and their resolution is outside our control.\n - Spamming other users with automated HackerOne emails or notifications (e.g. abusing the forgot password form).\n - Reports which [enumerate already claimed user and program handles](https://hackerone.com/reports/29185). 
This reveals no sensitive information, regardless of whether the associated profiles are public or private.\n - Reports which involve constructing a markdown link in such a way that it may appear confusing in the external link warning interstitial page, despite being properly decoded and fully enclosed in the demarcated \"External link\" box.\n - Reports relating to the execution of CSV content by a third-party client application due to special treatment of certain characters in the exported CSV.\n - Reports relating to invitation expiration dates.\n - Reports relating to self-DoS issues (as in, only the person doing the action is denied service).\n - Reports relating to missing rate limiting of [our API](https://api.hackerone.com/). We intentionally made this design decision to learn how people use our API. We plan to implement a rate limit in the future.\n - The ability to game the badges functionality by closing submissions reported by yourself or a team member in a verified program.\n - The ability to influence reputation/signal/impact via socially engineering a program's team members.\n - Reports which disclose the existence of private programs that are using SAML.\n - Open redirect vulnerabilities that do not demonstrate a clear impact, such as sending secret tokens to an arbitrary domain.\n\n# Consequences of Complying with This Policy\nWe will not pursue civil action or initiate a complaint to law enforcement for accidental, good faith violations of this policy. We consider activities conducted consistent with this policy to constitute “authorized” conduct under the Computer Fraud and Abuse Act (CFAA). 
We will not bring a DMCA claim against you for circumventing the technological measures we have used to protect the applications in scope.\n\nIf legal action is initiated by a third party against you in connection with your participation in our program and you have complied with HackerOne’s bug bounty policy, HackerOne will take steps to make it known that your actions were conducted in compliance with this policy.\n\nPlease submit a HackerOne report to us before engaging in conduct that may be inconsistent with or unaddressed by this policy.\n\n{F285265}\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2018-09-14T17:04:13.679Z"},{"id":3583787,"new_policy":"We've built HackerOne from the ground up with security as our top priority. Even so, we believe that all technology contains bugs and that the public plays a crucial role in identifying these bugs. If you believe you've found a security bug in our service, we'll gladly work with you to resolve that issue and ensure you are fairly compensated for your discovery.\n\n**💬Important for reporting functional bugs**: if you are looking to report a non-security-related bug in HackerOne, please [submit here](https://support.hackerone.com/hc/en-us/requests/new) instead.\n\n🔥 Research incentive experiment\n==============\nHackerOne is interested in your research on our systems, regardless of whether you found a security vulnerability. If you have found yourself looking at a particular feature on one of our assets but didn't find anything, please submit a report that describes all the different things you tried and failed. We may reward you for substantial research performed on assets under our bug bounty policy. 
This rule may be removed from our policy at any point in time.\n\nLanguages\n=========\n\nYou do not have to submit reports in English. Feel free to report anything in the following languages if you are more familiar with them:\n\n- 🇫🇷 French\n- 🇩🇪 German\n- 🇳🇱 Dutch\n- 🇮🇹 Italian\n- 🇷🇺 Russian\n- 🇫🇮 Finnish\n- 🇸🇪 Swedish\n- 🇮🇳 Hindi\n- 🇮🇳 Marathi\n- 🇪🇸 Spanish\n- 🇵🇹 Portuguese\n- 🇳🇵 Nepali\n- 　   Arabic\n- 😂 Frisian\n\nWe are working on expanding our language base as we progress.\n\nPublic disclosure\n==============\nWe believe in transparency about our security, so any valid vulnerabilities discovered are always publicly disclosed once confirmed and resolved.\nApplication Security\n===============\n\n* Several of our engineers live double lives as security engineers and penetration testers. All commits go through mandatory code and security review, along with examination by static analysis tools.\n* All data access and mutation goes through a stringent Command Query Responsibility Segregation (CQRS) framework for centralized auditing, authentication, and authorization.\n* This framework utilizes strong typing and parameterization to eliminate SQL Injection attacks, as well as enforcing the presence of an anti-CSRF token prior to any data mutation.\n* We utilize a strict [Content Security Policy](https://en.wikipedia.org/wiki/Content_Security_Policy) and a safe-by-default templating language to effectively neutralize Cross-Site Scripting (XSS).\n* We encrypt all network communications with SSL/TLS accompanied with [Perfect Forward Secrecy](https://en.wikipedia.org/wiki/Forward_secrecy#Perfect_Forward_Secrecy) and [HTTP Strict Transport Security (HSTS)](https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security), including being [HSTS preloaded](https://hstspreload.appspot.com/) in most major browsers.\n* All requests pass through multiple rate limiting implementations to protect against brute-force attacks.\n* We don't store passwords: we store `bcrypt(15, salt, 
strcat(password, sha512(app-token, env-token)))`.\n* Passwords must be a minimum of 8 characters and pass a [zxcvbn](https://blogs.dropbox.com/tech/2012/04/zxcvbn-realistic-password-strength-estimation/) strong entropy check.\n* User-submitted content (such as attachments and images) is stored in AWS S3, encrypted at rest, and served from a sandboxed domain, protecting from [Same-origin Policy](https://en.wikipedia.org/wiki/Same-origin_policy) attacks.\n* Two-factor authentication and IP whitelisting are available to further restrict access to accounts.\n* Role-based access control allows for granular permissions for team members.\n* No credit card information is stored on our servers. We use [Stripe](https://stripe.com/docs/security), a PCI Level 1 service provider.\n\nInfrastructure \u0026 Operational Security\n===============\n\n* All our infrastructure is hosted on Amazon Web Services in [SOC 1, 2, and 3](https://aws.amazon.com/compliance/soc-faqs/) and [ISO 27001](https://aws.amazon.com/compliance/iso-27001-faqs/) certified datacenters.\n* Network segregation is aggressively deployed between services and environments.\n* Databases, files, and backups are encrypted at rest using AES-256.\n* All infrastructure access requires two-factor, multi-stage authentication.\n* We leverage [Cloudflare](https://www.cloudflare.com) to supplement our infrastructure's resilience.\n* Enforced usage of strong passwords, password managers, client encryption, mobile device management, and screen locking.\n* All employees undergo a criminal background check upon hiring.\n\n… and more. We're constantly seeking to improve. 
If you have any questions on our security or suggestions on how HackerOne could be improved, please let us know at support@hackerone.com.\n\nScope Exclusions\n===============\nThe following categories of reports are considered out of scope for our program and will not be rewarded:\n\n - Reports which target a lack of host header validation or that exploit [multiple forward slashes](https://hackerone.com/reports/52035) at the root of the path segment of a URL. Both of these issues are known to both us and Cloudflare, and their resolution is outside our control.\n - Spamming other users with automated HackerOne emails or notifications (e.g. abusing the forgot password form).\n - Reports which [enumerate already claimed user and program handles](https://hackerone.com/reports/29185). This reveals no sensitive information, regardless of whether the associated profiles are public or private.\n - Reports which involve constructing a markdown link in such a way that it may appear confusing in the external link warning interstitial page, despite being properly decoded and fully enclosed in the demarcated \"External link\" box.\n - Reports relating to the execution of CSV content by a third-party client application due to special treatment of certain characters in the exported CSV.\n - Reports relating to invitation expiration dates.\n - Reports relating to self-DoS issues (as in, only the person doing the action is denied service).\n - Reports relating to missing rate limiting of [our API](https://api.hackerone.com/). We intentionally made this design decision to learn how people use our API. 
We plan to implement a rate limit in the future.\n - The ability to game the badges functionality by closing submissions reported by yourself or a team member in a verified program.\n - The ability to influence reputation/signal/impact via socially engineering a program's team members.\n - Reports which disclose the existence of private programs that are using SAML.\n - Open redirect vulnerabilities that do not demonstrate a clear impact, such as sending secret tokens to an arbitrary domain.\n\n🏆 Reputation bonus experiment (ended July 21st 2018 2:00p PDT)\n=================\nHackerOne is running a reputation bonus experiment from June 22nd 2:00p PDT until July 21st 2:00p PDT. We will allocate additional bounty bonuses based on the total reputation earned for reports submitted in that timeframe. Users who are tied will equally split the sum of the affected ranks. Below you can find the leaderboard, the prizes, and currently ranked hackers. You need at least a signal of 3 for the submitted reports to our program in order to be eligible to be ranked. All reports will be triaged and paid out before the winners will be announced the week after July 21st. Prizes will be paid out as a regular bonus on a report you submitted. The leaderboard will be updated regularly.\n\nIn case you're wondering why we're running this experiment: this is one of many ideas that'll give us more insight into the effects of (ongoing) bonus ladders. Our hypothesis is that this will result in better program (re)engagement and could result in overall higher severity of security vulnerabilities. 
If this experiment is successful, we may offer this to our customers as a product feature.\n\nGet your high / critical vulnerabilities in and earn those dollars!\n\n| Rank | Prize | Reputation | Username | Report |\n|----|----|----|----|----|\n| 1 | $2,500 | 32 | @suresh1c | #374919 |\n| 1 | $2,500 | 32 | @ruvlol | #374737 |\n| 1 | $2,500 | 32 | @kapytein | #380317 |\n| 4 | $500 | 22 | @fransrosen | #381356 |\n| 5 | $350 | 7 | @hackerone_007 | #378122 |\n| 6 | $72 | 2 | @spectator | #382568 (duplicate of #380317) |\n| 6 | $72 | 2 | @flashdisk | #382375 (duplicate of #380317) |\n| 6 | $72 | 2 | @kunal94 | #382335 (duplicate of #380317) |\n| 6 | $72 | 2 | @unknown_person | #381992 (duplicate of #380317) |\n| 6 | $72 | 2 | @ateek | #381953 (duplicate of #380317) |\n| 6 | $72 | 2 | @ragnar | #381736, #381731 (duplicates of #380317) |\n| 6 | $72 | 2 | @harry_mg | #381528 (duplicate of #380317) |\n| 6 | $72 | 2 | @afzalsayed96 | #381638 (duplicate of #380317) |\n| 6 | $72 | 2 | @techguynoob | #381679 (duplicate of #380317) |\n| 6 | $72 | 2 | @zseano | #381719 (duplicate of #380317) |\n| 6 | $72 | 2 | @bhavukjain1 | #381506 (duplicate of #380317) |\n| 6 | $72 | 2 | @sandeep_hodkasia | #381203 (duplicate of #380317) |\n| 6 | $72 | 2 | @reymark_divino | #380909 (duplicate of #380317) |\n| 6 | $72 | 2 | @haxta4ok00 | #380420 (duplicate of #380317) |\n\n# Consequences of Complying with This Policy\nWe will not pursue civil action or initiate a complaint to law enforcement for accidental, good faith violations of this policy. We consider activities conducted consistent with this policy to constitute “authorized” conduct under the Computer Fraud and Abuse Act (CFAA). 
We will not bring a DMCA claim against you for circumventing the technological measures we have used to protect the applications in scope.\n\nIf legal action is initiated by a third party against you in connection with your participation in our program and you have complied with HackerOne’s bug bounty policy, HackerOne will take steps to make it known that your actions were conducted in compliance with this policy.\n\nPlease submit a HackerOne report to us before engaging in conduct that may be inconsistent with or unaddressed by this policy.\n\n{F285265}\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2018-07-26T19:29:33.195Z"},{"id":3583785,"new_policy":"We've built HackerOne from the ground up with security as our top priority. Even so, we believe that all technology contains bugs and that the public plays a crucial role in identifying these bugs. If you believe you've found a security bug in our service, we'll gladly work with you to resolve that issue and ensure you are fairly compensated for your discovery.\n\n**💬Important for reporting functional bugs**: if you are looking to report a non-security-related bug in HackerOne, please [submit here](https://support.hackerone.com/hc/en-us/requests/new) instead.\n\n🔥 Research incentive experiment\n==============\nHackerOne is interested in your research on our systems, regardless of whether you found a security vulnerability. If you have found yourself looking at a particular feature on one of our assets but didn't find anything, please submit a report that describes all the different things you tried and failed. We may reward you for substantial research performed on assets under our bug bounty policy. 
This rule may be removed from our policy at any point in time.\n\nLanguages\n=========\n\nYou do not have to submit reports in English. Feel free to report anything in the following languages if you are more familiar with them:\n\n- 🇫🇷 French\n- 🇩🇪 German\n- 🇳🇱 Dutch\n- 🇮🇹 Italian\n- 🇷🇺 Russian\n- 🇫🇮 Finnish\n- 🇸🇪 Swedish\n- 🇮🇳 Hindi\n- 🇮🇳 Marathi\n- 🇪🇸 Spanish\n- 🇵🇹 Portuguese\n- 🇳🇵 Nepali\n- 　   Arabic\n- 😂 Frisian\n\nWe are working on expanding our language base as we progress.\n\nPublic disclosure\n==============\nWe believe in transparency about our security, so any valid vulnerabilities discovered are always publicly disclosed once confirmed and resolved.\nApplication Security\n===============\n\n* Several of our engineers live double lives as security engineers and penetration testers. All commits go through mandatory code and security review, along with examination by static analysis tools.\n* All data access and mutation goes through a stringent Command Query Responsibility Segregation (CQRS) framework for centralized auditing, authentication, and authorization.\n* This framework utilizes strong typing and parameterization to eliminate SQL Injection attacks, as well as enforcing the presence of an anti-CSRF token prior to any data mutation.\n* We utilize a strict [Content Security Policy](https://en.wikipedia.org/wiki/Content_Security_Policy) and a safe-by-default templating language to effectively neutralize Cross-Site Scripting (XSS).\n* We encrypt all network communications with SSL/TLS accompanied with [Perfect Forward Secrecy](https://en.wikipedia.org/wiki/Forward_secrecy#Perfect_Forward_Secrecy) and [HTTP Strict Transport Security (HSTS)](https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security), including being [HSTS preloaded](https://hstspreload.appspot.com/) in most major browsers.\n* All requests pass through multiple rate limiting implementations to protect against brute-force attacks.\n* We don't store passwords: we store `bcrypt(15, salt, 
strcat(password, sha512(app-token, env-token)))`.\n* Passwords must be a minimum of 8 characters and pass a [zxcvbn](https://blogs.dropbox.com/tech/2012/04/zxcvbn-realistic-password-strength-estimation/) strong entropy check.\n* User-submitted content (such as attachments and images) is stored in AWS S3, encrypted at rest, and served from a sandboxed domain, protecting from [Same-origin Policy](https://en.wikipedia.org/wiki/Same-origin_policy) attacks.\n* Two-factor authentication and IP whitelisting are available to further restrict access to accounts.\n* Role-based access control allows for granular permissions for team members.\n* No credit card information is stored on our servers. We use [Stripe](https://stripe.com/docs/security), a PCI Level 1 service provider.\n\nInfrastructure \u0026 Operational Security\n===============\n\n* All our infrastructure is hosted on Amazon Web Services in [SOC 1, 2, and 3](https://aws.amazon.com/compliance/soc-faqs/) and [ISO 27001](https://aws.amazon.com/compliance/iso-27001-faqs/) certified datacenters.\n* Network segregation is aggressively deployed between services and environments.\n* Databases, files, and backups are encrypted at rest using AES-256.\n* All infrastructure access requires two-factor, multi-stage authentication.\n* We leverage [Cloudflare](https://www.cloudflare.com) to supplement our infrastructure's resilience.\n* Enforced usage of strong passwords, password managers, client encryption, mobile device management, and screen locking.\n* All employees undergo a criminal background check upon hiring.\n\n… and more. We're constantly seeking to improve. 
If you have any questions on our security or suggestions on how HackerOne could be improved, please let us know at support@hackerone.com.\n\nScope Exclusions\n===============\nThe following categories of reports are considered out of scope for our program and will not be rewarded:\n\n - Reports which target a lack of host header validation or that exploit [multiple forward slashes](https://hackerone.com/reports/52035) at the root of the path segment of a URL. Both of these issues are known to both us and Cloudflare, and their resolution is outside our control.\n - Spamming other users with automated HackerOne emails or notifications (e.g. abusing the forgot password form).\n - Reports which [enumerate already claimed user and program handles](https://hackerone.com/reports/29185). This reveals no sensitive information, regardless of whether the associated profiles are public or private.\n - Reports which involve constructing a markdown link in such a way that it may appear confusing in the external link warning interstitial page, despite being properly decoded and fully enclosed in the demarcated \"External link\" box.\n - Reports relating to the execution of CSV content by a third-party client application due to special treatment of certain characters in the exported CSV.\n - Reports relating to invitation expiration dates.\n - Reports relating to self-DoS issues (as in, only the person doing the action is denied service).\n - Reports relating to missing rate limiting of [our API](https://api.hackerone.com/). We intentionally made this design decision to learn how people use our API. 
We plan to implement a rate limit in the future.\n - The ability to game the badges functionality by closing submissions reported by yourself or a team member in a verified program.\n - The ability to influence reputation/signal/impact via socially engineering a program's team members.\n - Reports which disclose the existence of private programs that are using SAML.\n - Open redirect vulnerabilities that do not demonstrate a clear impact, such as sending secret tokens to an arbitrary domain.\n\n🏆 Reputation bonus experiment (ended July 21st 2018 2:00p PDT)\n=================\nHackerOne is running a reputation bonus experiment from June 22nd 2:00p PDT until July 21st 2:00p PDT. We will allocate additional bounty bonuses based on the total reputation earned for reports submitted in that timeframe. Users who are tied will equally split the sum of the affected ranks. Below you can find the leaderboard, the prizes, and currently ranked hackers. You need at least a signal of 3 for the submitted reports to our program in order to be eligible to be ranked. All reports will be triaged and paid out before the winners will be announced the week after July 21st. Prizes will be paid out as a regular bonus on a report you submitted. The leaderboard will be updated regularly.\n\nIn case you're wondering why we're running this experiment: this is one of many ideas that'll give us more insight into the effects of (ongoing) bonus ladders. Our hypothesis is that this will result in better program (re)engagement and could result in overall higher severity of security vulnerabilities. 
If this experiment is successful, we may offer this to our customers as a product feature.\n\nGet your high / critical vulnerabilities in and earn those dollars!\n\n| Rank | Prize | Reputation | Username | Report |\n|----|----|----|----|\n| 1 | $2,500 | 32 | @suresh1c | #374919 |\n| 1 | $2,500 | 32 | @ruvlol | #374737 |\n| 1 | $2,500 | 32 | @kapytein | #380317 |\n| 4 | $500 | 22 | @fransrosen | #381356 |\n| 5 | $350 | 7 | @hackerone_007 | #378122 |\n| 6 | $72 | 2 | @spectator | #382568 (duplicate of #380317) |\n| 6 | $72 | 2 | @flashdisk | #382375 (duplicate of #380317) |\n| 6 | $72 | 2 | @kunal94 | #382335 (duplicate of #380317) |\n| 6 | $72 | 2 | @unknown_person | #381992 (duplicate of #380317) |\n| 6 | $72 | 2 | @ateek | #381953 (duplicate of #380317) |\n| 6 | $72 | 2 | @ragnar | #381736, #381731 (duplicates of #380317) |\n| 6 | $72 | 2 | @harry_mg | #381528 (duplicate of #380317) |\n| 6 | $72 | 2 | @afzalsayed96 | #381638 (duplicate of #380317) |\n| 6 | $72 | 2 | @techguynoob | #381679 (duplicate of #380317) |\n| 6 | $72 | 2 | @zseano | #381719 (duplicate of #380317) |\n| 6 | $72 | 2 | @bhavukjain1 | #381506 (duplicate of #380317) |\n| 6 | $72 | 2 | @sandeep_hodkasia | #381203 (duplicate of #380317) |\n| 6 | $72 | 2 | @reymark_divino | #380909 (duplicate of #380317) |\n| 6 | $72 | 2 | @haxta4ok00 | #380420 (duplicate of #380317) |\n\n# Consequences of Complying with This Policy\nWe will not pursue civil action or initiate a complaint to law enforcement for accidental, good faith violations of this policy. We consider activities conducted consistent with this policy to constitute “authorized” conduct under the Computer Fraud and Abuse Act (CFAA). 
We will not bring a DMCA claim against you for circumventing the technological measures we have used to protect the applications in scope.\n\nIf legal action is initiated by a third party against you in connection with your participation in our program and you have complied with HackerOne’s bug bounty policy, HackerOne will take steps to make it known that your actions were conducted in compliance with this policy.\n\nPlease submit a HackerOne report to us before engaging in conduct that may be inconsistent with or unaddressed by this policy.\n\n{F285265}\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2018-07-26T19:18:50.222Z"},{"id":3581496,"new_policy":"We've built HackerOne from the ground up with security as our top priority. Even so, we believe that all technology contains bugs and that the public plays a crucial role in identifying these bugs. If you believe you've found a security bug in our service, we'll gladly work with you to resolve that issue and ensure you are fairly compensated for your discovery.\n\n**💬Important for reporting functional bugs**: if you are looking to report a non-security-related bug in HackerOne, please [submit here](https://support.hackerone.com/hc/en-us/requests/new) instead.\n\n🏆 Reputation bonus experiment\n=================\nHackerOne is running a reputation bonus experiment from June 22nd 2:00p PDT until July 21st 2:00p PDT. We will allocate additional bounty bonuses based on the total reputation earned for reports submitted in that timeframe. Users who are tied will equally split the sum of the affected ranks. Below you can find the leaderboard, the prizes, and currently ranked hackers. 
You need at least a signal of 3 for the submitted reports to our program in order to be eligible to be ranked. All reports will be triaged and paid out before the winners will be announced the week after July 21st. Prizes will be paid out as a regular bonus on a report you submitted. The leaderboard will be updated regularly.\n\nIn case you're wondering why we're running this experiment: this is one of many ideas that'll give us more insight into the effects of (ongoing) bonus ladders. Our hypothesis is that this will result in better program (re)engagement and could result in overall higher severity of security vulnerabilities. If this experiment is successful, we may offer this to our customers as a product feature.\n\nGet your high / critical vulnerabilities in and earn those dollars!\n\n| Rank | Prize | Reputation | Username |\n|----|----|----|----|\n| 1 | $3,250 | 32 | @suresh1c |\n| 1 | $3,250 | 32 | @ruvlol |\n| 3 | $1,000 | 0 | [Your name here!](https://hackerone.com/security/reports/new) |\n| 4 | $500 | 0 | [Your name here!](https://hackerone.com/security/reports/new) |\n| 5 | $350 | 0 | [Your name here!](https://hackerone.com/security/reports/new) |\n| 6 | $300 | 0 | [Your name here!](https://hackerone.com/security/reports/new) |\n| 7 | $250 | 0 | [Your name here!](https://hackerone.com/security/reports/new) |\n| 8 | $200 | 0 | [Your name here!](https://hackerone.com/security/reports/new) |\n| 9 | $150 | 0 | [Your name here!](https://hackerone.com/security/reports/new) |\n| 10 | $100 | 0 | [Your name here!](https://hackerone.com/security/reports/new) |\n\n🔥 Research incentive experiment\n==============\nHackerOne is interested in your research on our systems, regardless of whether you found a security vulnerability. If you have found yourself looking at a particular feature on one of our assets but didn't find anything, please submit a report that describes all the different things you tried and failed. 
We may reward you for substantial research performed on assets under our bug bounty policy. This rule may be removed from our policy at any point in time.\n\nLanguages\n=========\n\nYou do not have to submit reports in English. Feel free to report anything in the following languages if you are more familiar with them:\n\n- 🇫🇷 French\n- 🇩🇪 German\n- 🇳🇱 Dutch\n- 🇮🇹 Italian\n- 🇷🇺 Russian\n- 🇫🇮 Finnish\n- 🇸🇪 Swedish\n- 🇮🇳 Hindi\n- 🇮🇳 Marathi\n- 🇪🇸 Spanish\n- 🇵🇹 Portuguese\n- 🇳🇵 Nepali\n- 　   Arabic\n- 😂 Frisian\n\nWe are working on expanding our language base as we progress.\n\nPublic disclosure\n==============\nWe believe in transparency about our security, so any valid vulnerabilities discovered are always publicly disclosed once confirmed and resolved.\nApplication Security\n===============\n\n* Several of our engineers live double lives as security engineers and penetration testers. All commits go through mandatory code and security review, along with examination by static analysis tools.\n* All data access and mutation goes through a stringent Command Query Responsibility Segregation (CQRS) framework for centralized auditing, authentication, and authorization.\n* This framework utilizes strong typing and parameterization to eliminate SQL Injection attacks, as well as enforcing the presence of an anti-CSRF token prior to any data mutation.\n* We utilize a strict [Content Security Policy](https://en.wikipedia.org/wiki/Content_Security_Policy) and a safe-by-default templating language to effectively neutralize Cross-Site Scripting (XSS).\n* We encrypt all network communications with SSL/TLS accompanied with [Perfect Forward Secrecy](https://en.wikipedia.org/wiki/Forward_secrecy#Perfect_Forward_Secrecy) and [HTTP Strict Transport Security (HSTS)](https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security), including being [HSTS preloaded](https://hstspreload.appspot.com/) in most major browsers.\n* All requests pass through multiple rate limiting implementations to 
protect against brute-force attacks.\n* We don't store passwords: we store `bcrypt(15, salt, strcat(password, sha512(app-token, env-token)))`.\n* Passwords must be a minimum of 8 characters and pass a [zxcvbn](https://blogs.dropbox.com/tech/2012/04/zxcvbn-realistic-password-strength-estimation/) strong entropy check.\n* User-submitted content (such as attachments and images) is stored in AWS S3, encrypted at rest, and served from a sandboxed domain, protecting from [Same-origin Policy](https://en.wikipedia.org/wiki/Same-origin_policy) attacks.\n* Two-factor authentication and IP whitelisting are available to further restrict access to accounts.\n* Role-based access control allows for granular permissions for team members.\n* No credit card information is stored on our servers. We use [Stripe](https://stripe.com/docs/security), a PCI Level 1 service provider.\n\nInfrastructure \u0026 Operational Security\n===============\n\n* All our infrastructure is hosted on Amazon Web Services in [SOC 1, 2, and 3](https://aws.amazon.com/compliance/soc-faqs/) and [ISO 27001](https://aws.amazon.com/compliance/iso-27001-faqs/) certified datacenters.\n* Network segregation is aggressively deployed between services and environments.\n* Databases, files, and backups are encrypted at rest using AES-256.\n* All infrastructure access requires two-factor, multi-stage authentication.\n* We leverage [Cloudflare](https://www.cloudflare.com) to supplement our infrastructure's resilience.\n* Enforced usage of strong passwords, password managers, client encryption, mobile device management, and screen locking.\n* All employees undergo a criminal background check upon hiring.\n\n… and more. We're constantly seeking to improve. 
If you have any questions on our security or suggestions on how HackerOne could be improved, please let us know at support@hackerone.com.\n\nScope Exclusions\n===============\nThe following categories of reports are considered out of scope for our program and will not be rewarded:\n\n - Reports which target a lack of host header validation or that exploit [multiple forward slashes](https://hackerone.com/reports/52035) at the root of the path segment of a URL. Both of these issues are known to both us and Cloudflare, and their resolution is outside our control.\n - Spamming other users with automated HackerOne emails or notifications (e.g. abusing the forgot password form).\n - Reports which [enumerate already claimed user and program handles](https://hackerone.com/reports/29185). This reveals no sensitive information, regardless of whether the associated profiles are public or private.\n - Reports which involve constructing a markdown link in such a way that it may appear confusing in the external link warning interstitial page, despite being properly decoded and fully enclosed in the demarcated \"External link\" box.\n - Reports relating to the execution of CSV content by a third-party client application due to special treatment of certain characters in the exported CSV.\n - Reports relating to invitation expiration dates.\n - Reports relating to self-DoS issues (as in, only the person doing the action is denied service).\n - Reports relating to missing rate limiting of [our API](https://api.hackerone.com/). We intentionally made this design decision to learn how people use our API. 
We plan to implement a rate limit in the future.\n - The ability to game the badges functionality by closing submissions reported by yourself or a team member in a verified program.\n - The ability to influence reputation/signal/impact via socially engineering a program's team members.\n - Reports which disclose the existence of private programs that are using SAML.\n - Open redirect vulnerabilities that do not demonstrate a clear impact, such as sending secret tokens to an arbitrary domain.\n\n# Consequences of Complying with This Policy\nWe will not pursue civil action or initiate a complaint to law enforcement for accidental, good faith violations of this policy. We consider activities conducted consistent with this policy to constitute “authorized” conduct under the Computer Fraud and Abuse Act (CFAA). We will not bring a DMCA claim against you for circumventing the technological measures we have used to protect the applications in scope.\n\nIf legal action is initiated by a third party against you in connection with your participation in our program and you have complied with HackerOne’s bug bounty policy, HackerOne will take steps to make it known that your actions were conducted in compliance with this policy.\n\nPlease submit a HackerOne report to us before engaging in conduct that may be inconsistent with or unaddressed by this policy.\n\n{F285265}\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2018-07-03T22:34:11.534Z"},{"id":3580595,"new_policy":"We've built HackerOne from the ground up with security as our top priority. Even so, we believe that all technology contains bugs and that the public plays a crucial role in identifying these bugs. 
If you believe you've found a security bug in our service, we'll gladly work with you to resolve that issue and ensure you are fairly compensated for your discovery.\n\n**💬Important for reporting functional bugs**: if you are looking to report a non-security-related bug in HackerOne, please [submit here](https://support.hackerone.com/hc/en-us/requests/new) instead.\n\n🏆 Reputation bonus experiment\n=================\nHackerOne is running a reputation bonus experiment from June 22nd 2:00p PDT until July 21st 2:00p PDT. We will allocate additional bounty bonuses based on the total reputation earned for reports submitted in that timeframe. Below you can find the leaderboard, the prizes, and currently ranked hackers. You need at least a signal of 3 for the submitted reports to our program in order to be eligible to be ranked. All reports will be triaged and paid out before the winners will be announced the week after July 21st. Prizes will be paid out as a regular bonus on a report you submitted. The leaderboard will be updated regularly.\n\nIn case you're wondering why we're running this experiment: this is one of many ideas that'll give us more insight into the effects of (ongoing) bonus ladders. Our hypothesis is that this will result in better program (re)engagement and could result in overall higher severity of security vulnerabilities. 
If this experiment is successful, we may offer this to our customers as a product feature.\n\nGet your high / critical vulnerabilities in and earn those dollars!\n\n| Rank | Prize | Reputation | Username |\n|----|----|----|----|\n| 1 | $4,000 | 0 | [Your name here!](https://hackerone.com/security/reports/new) |\n| 2 | $2,500 | 0 | [Your name here!](https://hackerone.com/security/reports/new) |\n| 3 | $1,000 | 0 | [Your name here!](https://hackerone.com/security/reports/new) |\n| 4 | $500 | 0 | [Your name here!](https://hackerone.com/security/reports/new) |\n| 5 | $350 | 0 | [Your name here!](https://hackerone.com/security/reports/new) |\n| 6 | $300 | 0 | [Your name here!](https://hackerone.com/security/reports/new) |\n| 7 | $250 | 0 | [Your name here!](https://hackerone.com/security/reports/new) |\n| 8 | $200 | 0 | [Your name here!](https://hackerone.com/security/reports/new) |\n| 9 | $150 | 0 | [Your name here!](https://hackerone.com/security/reports/new) |\n| 10 | $100 | 0 | [Your name here!](https://hackerone.com/security/reports/new) |\n\n🔥 Research incentive experiment\n==============\nHackerOne is interested in your research on our systems, regardless of whether you found a security vulnerability. If you have found yourself looking at a particular feature on one of our assets but didn't find anything, please submit a report that describes all the different things you tried and failed. We may reward you for substantial research performed on assets under our bug bounty policy. This rule may be removed from our policy at any point in time.\n\nLanguages\n=========\n\nYou do not have to submit reports in English. 
Feel free to report anything in the following languages if you are more familiar with them:\n\n- 🇫🇷 French\n- 🇩🇪 German\n- 🇳🇱 Dutch\n- 🇮🇹 Italian\n- 🇷🇺 Russian\n- 🇫🇮 Finnish\n- 🇸🇪 Swedish\n- 🇮🇳 Hindi\n- 🇮🇳 Marathi\n- 🇪🇸 Spanish\n- 🇵🇹 Portuguese\n- 🇳🇵 Nepali\n- 　   Arabic\n- 😂 Frisian\n\nWe are working on expanding our language base as we progress.\n\nPublic disclosure\n==============\nWe believe in transparency about our security, so any valid vulnerabilities discovered are always publicly disclosed once confirmed and resolved.\nApplication Security\n===============\n\n* Several of our engineers live double lives as security engineers and penetration testers. All commits go through mandatory code and security review, along with examination by static analysis tools.\n* All data access and mutation goes through a stringent Command Query Responsibility Segregation (CQRS) framework for centralized auditing, authentication, and authorization.\n* This framework utilizes strong typing and parameterization to eliminate SQL Injection attacks, as well as enforcing the presence of an anti-CSRF token prior to any data mutation.\n* We utilize a strict [Content Security Policy](https://en.wikipedia.org/wiki/Content_Security_Policy) and a safe-by-default templating language to effectively neutralize Cross-Site Scripting (XSS).\n* We encrypt all network communications with SSL/TLS accompanied with [Perfect Forward Secrecy](https://en.wikipedia.org/wiki/Forward_secrecy#Perfect_Forward_Secrecy) and [HTTP Strict Transport Security (HSTS)](https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security), including being [HSTS preloaded](https://hstspreload.appspot.com/) in most major browsers.\n* All requests pass through multiple rate limiting implementations to protect against brute-force attacks.\n* We don't store passwords: we store `bcrypt(15, salt, strcat(password, sha512(app-token, env-token)))`.\n* Passwords must be a minimum of 8 characters and pass a 
[zxcvbn](https://blogs.dropbox.com/tech/2012/04/zxcvbn-realistic-password-strength-estimation/) strong entropy check.\n* User-submitted content (such as attachments and images) is stored in AWS S3, encrypted at rest, and served from a sandboxed domain, protecting from [Same-origin Policy](https://en.wikipedia.org/wiki/Same-origin_policy) attacks.\n* Two-factor authentication and IP whitelisting are available to further restrict access to accounts.\n* Role-based access control allows for granular permissions for team members.\n* No credit card information is stored on our servers. We use [Stripe](https://stripe.com/docs/security), a PCI Level 1 service provider.\n\nInfrastructure \u0026 Operational Security\n===============\n\n* All our infrastructure is hosted on Amazon Web Services in [SOC 1, 2, and 3](https://aws.amazon.com/compliance/soc-faqs/) and [ISO 27001](https://aws.amazon.com/compliance/iso-27001-faqs/) certified datacenters.\n* Network segregation is aggressively deployed between services and environments.\n* Databases, files, and backups are encrypted at rest using AES-256.\n* All infrastructure access requires two-factor, multi-stage authentication.\n* We leverage [Cloudflare](https://www.cloudflare.com) to supplement our infrastructure's resilience.\n* Enforced usage of strong passwords, password managers, client encryption, mobile device management, and screen locking.\n* All employees undergo a criminal background check upon hiring.\n\n… and more. We're constantly seeking to improve. If you have any questions on our security or suggestions on how HackerOne could be improved, please let us know at support@hackerone.com.\n\nScope Exclusions\n===============\nThe following categories of reports are considered out of scope for our program and will not be rewarded:\n\n - Reports which target a lack of host header validation or that exploit [multiple forward slashes](https://hackerone.com/reports/52035) at the root of the path segment of a URL. 
Both of these issues are known to both us and Cloudflare, and their resolution is outside our control.\n - Spamming other users with automated HackerOne emails or notifications (e.g. abusing the forgot password form).\n - Reports which [enumerate already claimed user and program handles](https://hackerone.com/reports/29185). This reveals no sensitive information, regardless of whether the associated profiles are public or private.\n - Reports which involve constructing a markdown link in such a way that it may appear confusing in the external link warning interstitial page, despite being properly decoded and fully enclosed in the demarcated \"External link\" box.\n - Reports relating to the execution of CSV content by a third-party client application due to special treatment of certain characters in the exported CSV.\n - Reports relating to invitation expiration dates.\n - Reports relating to self-DoS issues (as in, only the person doing the action is denied service).\n - Reports relating to missing rate limiting of [our API](https://api.hackerone.com/). We intentionally made this design decision to learn how people use our API. We plan to implement a rate limit in the future.\n - The ability to game the badges functionality by closing submissions reported by yourself or a team member in a verified program.\n - The ability to influence reputation/signal/impact via socially engineering a program's team members.\n - Reports which disclose the existence of private programs that are using SAML.\n - Open redirect vulnerabilities that do not demonstrate a clear impact, such as sending secret tokens to an arbitrary domain.\n\n# Consequences of Complying with This Policy\nWe will not pursue civil action or initiate a complaint to law enforcement for accidental, good faith violations of this policy. We consider activities conducted consistent with this policy to constitute “authorized” conduct under the Computer Fraud and Abuse Act (CFAA). 
We will not bring a DMCA claim against you for circumventing the technological measures we have used to protect the applications in scope.\n\nIf legal action is initiated by a third party against you in connection with your participation in our program and you have complied with HackerOne’s bug bounty policy, HackerOne will take steps to make it known that your actions were conducted in compliance with this policy.\n\nPlease submit a HackerOne report to us before engaging in conduct that may be inconsistent with or unaddressed by this policy.\n\n{F285265}\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2018-06-22T23:29:37.835Z"},{"id":3580592,"new_policy":"We've built HackerOne from the ground up with security as our top priority. Even so, we believe that all technology contains bugs and that the public plays a crucial role in identifying these bugs. If you believe you've found a security bug in our service, we'll gladly work with you to resolve that issue and ensure you are fairly compensated for your discovery.\n\n**💬Important for reporting functional bugs**: if you are looking to report a non-security-related bug in HackerOne, please [submit here](https://support.hackerone.com/hc/en-us/requests/new) instead.\n\n🏆 Reputation bonus experiment\n=================\nHackerOne is running a reputation bonus experiment from June 22nd 2:00p PDT until July 21st 2:00p PDT. We will allocate additional bounty bonuses based on the total reputation earned for reports submitted in that timeframe. Below you can find the leaderboard, the prizes, and currently ranked hackers. You need at least a signal of 3 for the submitted reports to our program in order to be eligible to be ranked. 
All reports will be triaged and paid out before the winners will be announced the week after July 21st. Prizes will be paid out as a regular bonus on a report you submitted. The leaderboard will be updated regularly.\n\nGet your high / critical vulnerabilities in and earn those dollars!\n\n| Rank | Prize | Reputation | Username |\n|----|----|----|----|\n| 1 | $4,000 | 0 | [Your name here!](https://hackerone.com/security/reports/new) |\n| 2 | $2,500 | 0 | [Your name here!](https://hackerone.com/security/reports/new) |\n| 3 | $1,000 | 0 | [Your name here!](https://hackerone.com/security/reports/new) |\n| 4 | $500 | 0 | [Your name here!](https://hackerone.com/security/reports/new) |\n| 5 | $350 | 0 | [Your name here!](https://hackerone.com/security/reports/new) |\n| 6 | $300 | 0 | [Your name here!](https://hackerone.com/security/reports/new) |\n| 7 | $250 | 0 | [Your name here!](https://hackerone.com/security/reports/new) |\n| 8 | $200 | 0 | [Your name here!](https://hackerone.com/security/reports/new) |\n| 9 | $150 | 0 | [Your name here!](https://hackerone.com/security/reports/new) |\n| 10 | $100 | 0 | [Your name here!](https://hackerone.com/security/reports/new) |\n\n🔥 Research incentive experiment\n==============\nHackerOne is interested in your research on our systems, regardless of whether you found a security vulnerability. If you have found yourself looking at a particular feature on one of our assets but didn't find anything, please submit a report that describes all the different things you tried and failed. We may reward you for substantial research performed on assets under our bug bounty policy. This rule may be removed from our policy at any point in time.\n\nLanguages\n=========\n\nYou do not have to submit reports in English. 
Feel free to report anything in the following languages if you are more familiar with them:\n\n- 🇫🇷 French\n- 🇩🇪 German\n- 🇳🇱 Dutch\n- 🇮🇹 Italian\n- 🇷🇺 Russian\n- 🇫🇮 Finnish\n- 🇸🇪 Swedish\n- 🇮🇳 Hindi\n- 🇮🇳 Marathi\n- 🇪🇸 Spanish\n- 🇵🇹 Portuguese\n- 🇳🇵 Nepali\n- 　   Arabic\n- 😂 Frisian\n\nWe are working on expanding our language base as we progress.\n\nPublic disclosure\n==============\nWe believe in transparency about our security, so any valid vulnerabilities discovered are always publicly disclosed once confirmed and resolved.\nApplication Security\n===============\n\n* Several of our engineers live double lives as security engineers and penetration testers. All commits go through mandatory code and security review, along with examination by static analysis tools.\n* All data access and mutation goes through a stringent Command Query Responsibility Segregation (CQRS) framework for centralized auditing, authentication, and authorization.\n* This framework utilizes strong typing and parameterization to eliminate SQL Injection attacks, as well as enforcing the presence of an anti-CSRF token prior to any data mutation.\n* We utilize a strict [Content Security Policy](https://en.wikipedia.org/wiki/Content_Security_Policy) and a safe-by-default templating language to effectively neutralize Cross-Site Scripting (XSS).\n* We encrypt all network communications with SSL/TLS accompanied with [Perfect Forward Secrecy](https://en.wikipedia.org/wiki/Forward_secrecy#Perfect_Forward_Secrecy) and [HTTP Strict Transport Security (HSTS)](https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security), including being [HSTS preloaded](https://hstspreload.appspot.com/) in most major browsers.\n* All requests pass through multiple rate limiting implementations to protect against brute-force attacks.\n* We don't store passwords: we store `bcrypt(15, salt, strcat(password, sha512(app-token, env-token)))`.\n* Passwords must be a minimum of 8 characters and pass a 
[zxcvbn](https://blogs.dropbox.com/tech/2012/04/zxcvbn-realistic-password-strength-estimation/) strong entropy check.\n* User-submitted content (such as attachments and images) is stored in AWS S3, encrypted at rest, and served from a sandboxed domain, protecting from [Same-origin Policy](https://en.wikipedia.org/wiki/Same-origin_policy) attacks.\n* Two-factor authentication and IP whitelisting are available to further restrict access to accounts.\n* Role-based access control allows for granular permissions for team members.\n* No credit card information is stored on our servers. We use [Stripe](https://stripe.com/docs/security), a PCI Level 1 service provider.\n\nInfrastructure \u0026 Operational Security\n===============\n\n* All our infrastructure is hosted on Amazon Web Services in [SOC 1, 2, and 3](https://aws.amazon.com/compliance/soc-faqs/) and [ISO 27001](https://aws.amazon.com/compliance/iso-27001-faqs/) certified datacenters.\n* Network segregation is aggressively deployed between services and environments.\n* Databases, files, and backups are encrypted at rest using AES-256.\n* All infrastructure access requires two-factor, multi-stage authentication.\n* We leverage [Cloudflare](https://www.cloudflare.com) to supplement our infrastructure's resilience.\n* Enforced usage of strong passwords, password managers, client encryption, mobile device management, and screen locking.\n* All employees undergo a criminal background check upon hiring.\n\n… and more. We're constantly seeking to improve. If you have any questions on our security or suggestions on how HackerOne could be improved, please let us know at support@hackerone.com.\n\nScope Exclusions\n===============\nThe following categories of reports are considered out of scope for our program and will not be rewarded:\n\n - Reports which target a lack of host header validation or that exploit [multiple forward slashes](https://hackerone.com/reports/52035) at the root of the path segment of a URL. 
Both of these issues are known to both us and Cloudflare, and their resolution is outside our control.\n - Spamming other users with automated HackerOne emails or notifications (e.g. abusing the forgot password form).\n - Reports which [enumerate already claimed user and program handles](https://hackerone.com/reports/29185). This reveals no sensitive information, regardless of whether the associated profiles are public or private.\n - Reports which involve constructing a markdown link in such a way that it may appear confusing in the external link warning interstitial page, despite being properly decoded and fully enclosed in the demarcated \"External link\" box.\n - Reports relating to the execution of CSV content by a third-party client application due to special treatment of certain characters in the exported CSV.\n - Reports relating to invitation expiration dates.\n - Reports relating to self-DoS issues (as in, only the person doing the action is denied service).\n - Reports relating to missing rate limiting of [our API](https://api.hackerone.com/). We intentionally made this design decision to learn how people use our API. We plan to implement a rate limit in the future.\n - The ability to game the badges functionality by closing submissions reported by yourself or a team member in a verified program.\n - The ability to influence reputation/signal/impact via socially engineering a program's team members.\n - Reports which disclose the existence of private programs that are using SAML.\n - Open redirect vulnerabilities that do not demonstrate a clear impact, such as sending secret tokens to an arbitrary domain.\n\n# Consequences of Complying with This Policy\nWe will not pursue civil action or initiate a complaint to law enforcement for accidental, good faith violations of this policy. We consider activities conducted consistent with this policy to constitute “authorized” conduct under the Computer Fraud and Abuse Act (CFAA). 
We will not bring a DMCA claim against you for circumventing the technological measures we have used to protect the applications in scope.\n\nIf legal action is initiated by a third party against you in connection with your participation in our program and you have complied with HackerOne’s bug bounty policy, HackerOne will take steps to make it known that your actions were conducted in compliance with this policy.\n\nPlease submit a HackerOne report to us before engaging in conduct that may be inconsistent with or unaddressed by this policy.\n\n{F285265}\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2018-06-22T20:59:47.408Z"},{"id":3580587,"new_policy":"We've built HackerOne from the ground up with security as our top priority. Even so, we believe that all technology contains bugs and that the public plays a crucial role in identifying these bugs. 
If you believe you've found a security bug in our service, we'll gladly work with you to resolve that issue and ensure you are fairly compensated for your discovery.\n\n**💬Important for reporting functional bugs**: if you are looking to report a non-security-related bug in HackerOne, please [submit here](https://support.hackerone.com/hc/en-us/requests/new) instead.\n\n💰 Financial rewards\n=============\n\n|                                        | Critical (9.0+) | High (7.0+) | Medium (4.0+) | Low (1.0+) |\n|----------------------------------------|-----------------|-------------|---------------|------------|\n| hackerone.com                          | $15,000         | $7,500      | $2,500        | $500       |\n| api.hackerone.com                      | $15,000         | $7,500      | $2,500        | $500       |\n| hackerone-attachments.s3.amazonaws.com | $15,000         | $7,500      | $2,500        | $500       |\n| www.hackerone.com                      | N/A             | $7,500      | $2,500        | $500       |\n| errors.hackerone.net                   | N/A             | $7,500      | $2,500        | $500       |\n| *.hackerone-user-content.com           | N/A             | N/A         | N/A           | $500       |\n| *.hackerone-ext-content.com            | N/A             | N/A         | $2,500        | $500       |\n\nSeverities that cannot be reported due to the asset's CVSSv3 environmental score are marked as Not Applicable (N/A) in the table above.\n\nThe severity is determined based on CVSSv3. We only issue monetary rewards for reports that have impact. All amounts are in US dollars and are minimums for each severity category. We welcome reports outside of the abovementioned scope that impact HackerOne in any way. 
This could be a third-party leaking information that we consider to be confidential, that would impact the availability of our services, or that would pose any other threat for HackerOne.\n\n🏆 Reputation bonus experiment\n=================\nHackerOne is running a reputation bonus experiment from June 22nd 2:00p PDT until July 21st 2:00p PDT. We will allocate additional bounty bonuses based on the total reputation earned for reports submitted in that timeframe. Below you can find the leaderboard, the prizes, and currently ranked hackers. You need at least a signal of 3 for the submitted reports to our program in order to be eligible to be ranked. All reports will be triaged and paid out before the winners will be announced the week after July 21st. Prizes will be paid out as a regular bonus on a report you submitted. The leaderboard will be updated regularly.\n\nGet your high / critical vulnerabilities in and earn those dollars!\n\n| Rank | Prize | Reputation | Username |\n|----|----|----|----|\n| 1 | $4,000 | 0 | [Your name here!](https://hackerone.com/security/reports/new) |\n| 2 | $2,500 | 0 | [Your name here!](https://hackerone.com/security/reports/new) |\n| 3 | $1,000 | 0 | [Your name here!](https://hackerone.com/security/reports/new) |\n| 4 | $500 | 0 | [Your name here!](https://hackerone.com/security/reports/new) |\n| 5 | $350 | 0 | [Your name here!](https://hackerone.com/security/reports/new) |\n| 6 | $300 | 0 | [Your name here!](https://hackerone.com/security/reports/new) |\n| 7 | $250 | 0 | [Your name here!](https://hackerone.com/security/reports/new) |\n| 8 | $200 | 0 | [Your name here!](https://hackerone.com/security/reports/new) |\n| 9 | $150 | 0 | [Your name here!](https://hackerone.com/security/reports/new) |\n| 10 | $100 | 0 | [Your name here!](https://hackerone.com/security/reports/new) |\n\n🔥 Research incentive experiment\n==============\nHackerOne is interested in your research on our systems, regardless of whether you found a security 
vulnerability. If you have found yourself looking at a particular feature on one of our assets but didn't find anything, please submit a report that describes all the different things you tried and failed. We may reward you for substantial research performed on assets under our bug bounty policy. This rule may be removed from our policy at any point in time.\n\nLanguages\n=========\n\nYou do not have to submit reports in English. Feel free to report anything in the following languages if you are more familiar with them:\n\n- 🇫🇷 French\n- 🇩🇪 German\n- 🇳🇱 Dutch\n- 🇮🇹 Italian\n- 🇷🇺 Russian\n- 🇫🇮 Finnish\n- 🇸🇪 Swedish\n- 🇮🇳 Hindi\n- 🇮🇳 Marathi\n- 🇪🇸 Spanish\n- 🇵🇹 Portuguese\n- 🇳🇵 Nepali\n- 　   Arabic\n- 😂 Frisian\n\nWe are working on expanding our language base as we progress.\n\nPublic disclosure\n==============\nWe believe in transparency about our security, so any valid vulnerabilities discovered are always publicly disclosed once confirmed and resolved.\nApplication Security\n===============\n\n* Several of our engineers live double lives as security engineers and penetration testers. 
All commits go through mandatory code and security review, along with examination by static analysis tools.\n* All data access and mutation goes through a stringent Command Query Responsibility Segregation (CQRS) framework for centralized auditing, authentication, and authorization.\n* This framework utilizes strong typing and parameterization to eliminate SQL Injection attacks, as well as enforcing the presence of an anti-CSRF token prior to any data mutation.\n* We utilize a strict [Content Security Policy](https://en.wikipedia.org/wiki/Content_Security_Policy) and a safe-by-default templating language to effectively neutralize Cross-Site Scripting (XSS).\n* We encrypt all network communications with SSL/TLS accompanied with [Perfect Forward Secrecy](https://en.wikipedia.org/wiki/Forward_secrecy#Perfect_Forward_Secrecy) and [HTTP Strict Transport Security (HSTS)](https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security), including being [HSTS preloaded](https://hstspreload.appspot.com/) in most major browsers.\n* All requests pass through multiple rate limiting implementations to protect against brute-force attacks.\n* We don't store passwords: we store `bcrypt(15, salt, strcat(password, sha512(app-token, env-token)))`.\n* Passwords must be a minimum of 8 characters and pass a [zxcvbn](https://blogs.dropbox.com/tech/2012/04/zxcvbn-realistic-password-strength-estimation/) strong entropy check.\n* User-submitted content (such as attachments and images) is stored in AWS S3, encrypted at rest, and served from a sandboxed domain, protecting from [Same-origin Policy](https://en.wikipedia.org/wiki/Same-origin_policy) attacks.\n* Two-factor authentication and IP whitelisting are available to further restrict access to accounts.\n* Role-based access control allows for granular permissions for team members.\n* No credit card information is stored on our servers. 
We use [Stripe](https://stripe.com/docs/security), a PCI Level 1 service provider.\n\nInfrastructure \u0026 Operational Security\n===============\n\n* All our infrastructure is hosted on Amazon Web Services in [SOC 1, 2, and 3](https://aws.amazon.com/compliance/soc-faqs/) and [ISO 27001](https://aws.amazon.com/compliance/iso-27001-faqs/) certified datacenters.\n* Network segregation is aggressively deployed between services and environments.\n* Databases, files, and backups are encrypted at rest using AES-256.\n* All infrastructure access requires two-factor, multi-stage authentication.\n* We leverage [Cloudflare](https://www.cloudflare.com) to supplement our infrastructure's resilience.\n* Enforced usage of strong passwords, password managers, client encryption, mobile device management, and screen locking.\n* All employees undergo a criminal background check upon hiring.\n\n… and more. We're constantly seeking to improve. If you have any questions on our security or suggestions on how HackerOne could be improved, please let us know at support@hackerone.com.\n\nScope Exclusions\n===============\nThe following categories of reports are considered out of scope for our program and will not be rewarded:\n\n - Reports which target a lack of host header validation or that exploit [multiple forward slashes](https://hackerone.com/reports/52035) at the root of the path segment of a URL. Both of these issues are known to both us and Cloudflare, and their resolution is outside our control.\n - Spamming other users with automated HackerOne emails or notifications (e.g. abusing the forgot password form).\n - Reports which [enumerate already claimed user and program handles](https://hackerone.com/reports/29185). 
This reveals no sensitive information, regardless of whether the associated profiles are public or private.\n - Reports which involve constructing a markdown link in such a way that it may appear confusing in the external link warning interstitial page, despite being properly decoded and fully enclosed in the demarcated \"External link\" box.\n - Reports relating to the execution of CSV content by a third-party client application due to special treatment of certain characters in the exported CSV.\n - Reports relating to invitation expiration dates.\n - Reports relating to self-DoS issues (as in, only the person doing the action is denied service).\n - Reports relating to missing rate limiting of [our API](https://api.hackerone.com/). We intentionally made this design decision to learn how people use our API. We plan to implement a rate limit in the future.\n - The ability to game the badges functionality by closing submissions reported by yourself or a team member in a verified program.\n - The ability to influence reputation/signal/impact via socially engineering a program's team members.\n - Reports which disclose the existence of private programs that are using SAML.\n - Open redirect vulnerabilities that do not demonstrate a clear impact, such as sending secret tokens to an arbitrary domain.\n\n# Consequences of Complying with This Policy\nWe will not pursue civil action or initiate a complaint to law enforcement for accidental, good faith violations of this policy. We consider activities conducted consistent with this policy to constitute “authorized” conduct under the Computer Fraud and Abuse Act (CFAA). 
We will not bring a DMCA claim against you for circumventing the technological measures we have used to protect the applications in scope.\n\nIf legal action is initiated by a third party against you in connection with your participation in our program and you have complied with HackerOne’s bug bounty policy, HackerOne will take steps to make it known that your actions were conducted in compliance with this policy.\n\nPlease submit a HackerOne report to us before engaging in conduct that may be inconsistent with or unaddressed by this policy.\n\n{F285265}\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2018-06-22T20:25:16.755Z"},{"id":3575656,"new_policy":"We've built HackerOne from the ground up with security as our top priority. Even so, we believe that all technology contains bugs and that the public plays a crucial role in identifying these bugs. 
If you believe you've found a security bug in our service, we'll gladly work with you to resolve that issue and ensure you are fairly compensated for your discovery.\n\n**💬Important for reporting functional bugs**: if you are looking to report a non-security-related bug in HackerOne, please [submit here](https://support.hackerone.com/hc/en-us/requests/new) instead.\n\nFinancial rewards\n=============\n\n|                                        | Critical (9.0+) | High (7.0+) | Medium (4.0+) | Low (1.0+) |\n|----------------------------------------|-----------------|-------------|---------------|------------|\n| hackerone.com                          | $15,000         | $7,500      | $2,500        | $500       |\n| api.hackerone.com                      | $15,000         | $7,500      | $2,500        | $500       |\n| hackerone-attachments.s3.amazonaws.com | $15,000         | $7,500      | $2,500        | $500       |\n| www.hackerone.com                      | N/A             | $7,500      | $2,500        | $500       |\n| errors.hackerone.net                   | N/A             | $7,500      | $2,500        | $500       |\n| *.hackerone-user-content.com           | N/A             | N/A         | N/A           | $500       |\n| *.hackerone-ext-content.com            | N/A             | N/A         | $2,500        | $500       |\n\nSeverities that cannot be reported due to the asset's CVSSv3 environmental score are marked as Not Applicable (N/A) in the table above.\n\nThe severity is determined based on CVSSv3. We only issue monetary rewards for reports that have impact. All amounts are in US dollars and are minimums for each severity category. We welcome reports outside of the abovementioned scope that impact HackerOne in any way. 
This could be a third-party leaking information that we consider to be confidential, that would impact the availability of our services, or that would pose any other threat for HackerOne.\n\n🔥 **New and important** 🔥: HackerOne is interested in your research on our systems, regardless of whether you found a security vulnerability. If you have found yourself looking at a particular feature on one of our assets but didn't find anything, please submit a report that describes all the different things you tried and failed. We may reward you for substantial research performed on assets under our bug bounty policy. This rule may be removed from our policy at any point in time.\n\nLanguages\n=========\n\nYou do not have to submit reports in English. Feel free to report anything in the following languages if you are more familiar with them:\n\n- 🇫🇷 French\n- 🇩🇪 German\n- 🇳🇱 Dutch\n- 🇮🇹 Italian\n- 🇷🇺 Russian\n- 🇫🇮 Finnish\n- 🇸🇪 Swedish\n- 🇮🇳 Hindi\n- 🇮🇳 Marathi\n- 🇪🇸 Spanish\n- 🇵🇹 Portuguese\n- 🇳🇵 Nepali\n- 　   Arabic\n- 😂 Frisian\n\nWe are working on expanding our language base as we progress.\n\nPublic disclosure\n==============\nWe believe in transparency about our security, so any valid vulnerabilities discovered are always publicly disclosed once confirmed and resolved.\nApplication Security\n===============\n\n* Several of our engineers live double lives as security engineers and penetration testers. 
All commits go through mandatory code and security review, along with examination by static analysis tools.\n* All data access and mutation goes through a stringent Command Query Responsibility Segregation (CQRS) framework for centralized auditing, authentication, and authorization.\n* This framework utilizes strong typing and parameterization to eliminate SQL Injection attacks, as well as enforcing the presence of an anti-CSRF token prior to any data mutation.\n* We utilize a strict [Content Security Policy](https://en.wikipedia.org/wiki/Content_Security_Policy) and a safe-by-default templating language to effectively neutralize Cross-Site Scripting (XSS).\n* We encrypt all network communications with SSL/TLS accompanied with [Perfect Forward Secrecy](https://en.wikipedia.org/wiki/Forward_secrecy#Perfect_Forward_Secrecy) and [HTTP Strict Transport Security (HSTS)](https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security), including being [HSTS preloaded](https://hstspreload.appspot.com/) in most major browsers.\n* All requests pass through multiple rate limiting implementations to protect against brute-force attacks.\n* We don't store passwords: we store `bcrypt(15, salt, strcat(password, sha512(app-token, env-token)))`.\n* Passwords must be a minimum of 8 characters and pass a [zxcvbn](https://blogs.dropbox.com/tech/2012/04/zxcvbn-realistic-password-strength-estimation/) strong entropy check.\n* User-submitted content (such as attachments and images) is stored in AWS S3, encrypted at rest, and served from a sandboxed domain, protecting from [Same-origin Policy](https://en.wikipedia.org/wiki/Same-origin_policy) attacks.\n* Two-factor authentication and IP whitelisting are available to further restrict access to accounts.\n* Role-based access control allows for granular permissions for team members.\n* No credit card information is stored on our servers. 
We use [Stripe](https://stripe.com/docs/security), a PCI Level 1 service provider.\n\nInfrastructure \u0026 Operational Security\n===============\n\n* All our infrastructure is hosted on Amazon Web Services in [SOC 1, 2, and 3](https://aws.amazon.com/compliance/soc-faqs/) and [ISO 27001](https://aws.amazon.com/compliance/iso-27001-faqs/) certified datacenters.\n* Network segregation is aggressively deployed between services and environments.\n* Databases, files, and backups are encrypted at rest using AES-256.\n* All infrastructure access requires two-factor, multi-stage authentication.\n* We leverage [Cloudflare](https://www.cloudflare.com) to supplement our infrastructure's resilience.\n* Enforced usage of strong passwords, password managers, client encryption, mobile device management, and screen locking.\n* All employees undergo a criminal background check upon hiring.\n\n… and more. We're constantly seeking to improve. If you have any questions on our security or suggestions on how HackerOne could be improved, please let us know at support@hackerone.com.\n\nScope Exclusions\n===============\nThe following categories of reports are considered out of scope for our program and will not be rewarded:\n\n - Reports which target a lack of host header validation or that exploit [multiple forward slashes](https://hackerone.com/reports/52035) at the root of the path segment of a URL. Both of these issues are known to both us and Cloudflare, and their resolution is outside our control.\n - Spamming other users with automated HackerOne emails or notifications (e.g. abusing the forgot password form).\n - Reports which [enumerate already claimed user and program handles](https://hackerone.com/reports/29185). 
This reveals no sensitive information, regardless of whether the associated profiles are public or private.\n - Reports which involve constructing a markdown link in such a way that it may appear confusing in the external link warning interstitial page, despite being properly decoded and fully enclosed in the demarcated \"External link\" box.\n - Reports relating to the execution of CSV content by a third-party client application due to special treatment of certain characters in the exported CSV.\n - Reports relating to invitation expiration dates.\n - Reports relating to self-DoS issues (as in, only the person doing the action is denied service).\n - Reports relating to missing rate limiting of [our API](https://api.hackerone.com/). We intentionally made this design decision to learn how people use our API. We plan to implement a rate limit in the future.\n - The ability to game the badges functionality by closing submissions reported by yourself or a team member in a verified program.\n - The ability to influence reputation/signal/impact via socially engineering a program's team members.\n - Reports which disclose the existence of private programs that are using SAML.\n - Open redirect vulnerabilities that do not demonstrate a clear impact, such as sending secret tokens to an arbitrary domain.\n\n# Consequences of Complying with This Policy\nWe will not pursue civil action or initiate a complaint to law enforcement for accidental, good faith violations of this policy. We consider activities conducted consistent with this policy to constitute “authorized” conduct under the Computer Fraud and Abuse Act (CFAA). 
We will not bring a DMCA claim against you for circumventing the technological measures we have used to protect the applications in scope.\n\nIf legal action is initiated by a third party against you in connection with your participation in our program and you have complied with HackerOne’s bug bounty policy, HackerOne will take steps to make it known that your actions were conducted in compliance with this policy.\n\nPlease submit a HackerOne report to us before engaging in conduct that may be inconsistent with or unaddressed by this policy.\n\n{F285265}\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2018-05-06T00:30:37.079Z"},{"id":3575378,"new_policy":"We've built HackerOne from the ground up with security as our top priority. Even so, we believe that all technology contains bugs and that the public plays a crucial role in identifying these bugs. 
If you believe you've found a security bug in our service, we'll gladly work with you to resolve that issue and ensure you are fairly compensated for your discovery.\n\n**💬Important for reporting functional bugs**: if you are looking to report a non-security-related bug in HackerOne, please [submit here](https://support.hackerone.com/hc/en-us/requests/new) instead.\n\nFinancial rewards\n=============\n\n|                                        | Critical (9.0+) | High (7.0+) | Medium (4.0+) | Low (1.0+) |\n|----------------------------------------|-----------------|-------------|---------------|------------|\n| hackerone.com                          | $15,000         | $7,500      | $2,500        | $500       |\n| api.hackerone.com                      | $15,000         | $7,500      | $2,500        | $500       |\n| hackerone-attachments.s3.amazonaws.com | $15,000         | $7,500      | $2,500        | $500       |\n| www.hackerone.com                      | N/A             | $7,500      | $2,500        | $500       |\n| errors.hackerone.net                   | N/A             | $7,500      | $2,500        | $500       |\n| *.hackerone-user-content.com           | N/A             | N/A         | N/A           | $500       |\n| *.hackerone-ext-content.com            | N/A             | N/A         | $2,500        | $500       |\n\nSeverities that cannot be reported due to the asset's CVSSv3 environmental score are marked as Not Applicable (N/A) in the table above.\n\nThe severity is determined based on CVSSv3. We only issue monetary rewards for reports that have impact. All amounts are in US dollars and are minimums for each severity category. We welcome reports outside of the abovementioned scope that impact HackerOne in any way. 
This could be a third-party leaking information that we consider to be confidential, that would impact the availability of our services, or that would pose any other threat for HackerOne.\n\n🔥 **New and important** 🔥: HackerOne is interested in your research on our systems, regardless of whether you found a security vulnerability. If you have found yourself looking at a particular feature on one of our assets but didn't find anything, please submit a report that describes all the different things you tried and failed. We may reward you for substantial research performed on assets under our bug bounty policy. This rule may be removed from our policy at any point in time.\n\nLanguages\n=========\n\nYou do not have to submit reports in English. Feel free to report anything in the following languages if you are more familiar with them:\n\n- 🇫🇷 French\n- 🇩🇪 German\n- 🇳🇱 Dutch\n- 🇮🇹 Italian\n- 🇷🇺 Russian\n- 🇫🇮 Finnish\n- 🇸🇪 Swedish\n- 🇮🇳 Hindi\n- 🇮🇳 Marathi\n- 🇪🇸 Spanish\n- 🇵🇹 Portuguese\n- 🇳🇵 Nepali\n- 🇦🇪 Arabic\n- 😂 Frisian\n\nWe are working on expanding our language base as we progress.\n\nPublic disclosure\n==============\nWe believe in transparency about our security, so any valid vulnerabilities discovered are always publicly disclosed once confirmed and resolved.\nApplication Security\n===============\n\n* Several of our engineers live double lives as security engineers and penetration testers. 
All commits go through mandatory code and security review, along with examination by static analysis tools.\n* All data access and mutation goes through a stringent Command Query Responsibility Segregation (CQRS) framework for centralized auditing, authentication, and authorization.\n* This framework utilizes strong typing and parameterization to eliminate SQL Injection attacks, as well as enforcing the presence of an anti-CSRF token prior to any data mutation.\n* We utilize a strict [Content Security Policy](https://en.wikipedia.org/wiki/Content_Security_Policy) and a safe-by-default templating language to effectively neutralize Cross-Site Scripting (XSS).\n* We encrypt all network communications with SSL/TLS accompanied with [Perfect Forward Secrecy](https://en.wikipedia.org/wiki/Forward_secrecy#Perfect_Forward_Secrecy) and [HTTP Strict Transport Security (HSTS)](https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security), including being [HSTS preloaded](https://hstspreload.appspot.com/) in most major browsers.\n* All requests pass through multiple rate limiting implementations to protect against brute-force attacks.\n* We don't store passwords: we store `bcrypt(15, salt, strcat(password, sha512(app-token, env-token)))`.\n* Passwords must be a minimum of 8 characters and pass a [zxcvbn](https://blogs.dropbox.com/tech/2012/04/zxcvbn-realistic-password-strength-estimation/) strong entropy check.\n* User-submitted content (such as attachments and images) is stored in AWS S3, encrypted at rest, and served from a sandboxed domain, protecting from [Same-origin Policy](https://en.wikipedia.org/wiki/Same-origin_policy) attacks.\n* Two-factor authentication and IP whitelisting are available to further restrict access to accounts.\n* Role-based access control allows for granular permissions for team members.\n* No credit card information is stored on our servers. 
We use [Stripe](https://stripe.com/docs/security), a PCI Level 1 service provider.\n\nInfrastructure \u0026 Operational Security\n===============\n\n* All our infrastructure is hosted on Amazon Web Services in [SOC 1, 2, and 3](https://aws.amazon.com/compliance/soc-faqs/) and [ISO 27001](https://aws.amazon.com/compliance/iso-27001-faqs/) certified datacenters.\n* Network segregation is aggressively deployed between services and environments.\n* Databases, files, and backups are encrypted at rest using AES-256.\n* All infrastructure access requires two-factor, multi-stage authentication.\n* We leverage [Cloudflare](https://www.cloudflare.com) to supplement our infrastructure's resilience.\n* Enforced usage of strong passwords, password managers, client encryption, mobile device management, and screen locking.\n* All employees undergo a criminal background check upon hiring.\n\n… and more. We're constantly seeking to improve. If you have any questions on our security or suggestions on how HackerOne could be improved, please let us know at support@hackerone.com.\n\nScope Exclusions\n===============\nThe following categories of reports are considered out of scope for our program and will not be rewarded:\n\n - Reports which target a lack of host header validation or that exploit [multiple forward slashes](https://hackerone.com/reports/52035) at the root of the path segment of a URL. Both of these issues are known to both us and Cloudflare, and their resolution is outside our control.\n - Spamming other users with automated HackerOne emails or notifications (e.g. abusing the forgot password form).\n - Reports which [enumerate already claimed user and program handles](https://hackerone.com/reports/29185). 
This reveals no sensitive information, regardless of whether the associated profiles are public or private.\n - Reports which involve constructing a markdown link in such a way that it may appear confusing in the external link warning interstitial page, despite being properly decoded and fully enclosed in the demarcated \"External link\" box.\n - Reports relating to the execution of CSV content by a third-party client application due to special treatment of certain characters in the exported CSV.\n - Reports relating to invitation expiration dates.\n - Reports relating to self-DoS issues (as in, only the person doing the action is denied service).\n - Reports relating to missing rate limiting of [our API](https://api.hackerone.com/). We intentionally made this design decision to learn how people use our API. We plan to implement a rate limit in the future.\n - The ability to game the badges functionality by closing submissions reported by yourself or a team member in a verified program.\n - The ability to influence reputation/signal/impact via socially engineering a program's team members.\n - Reports which disclose the existence of private programs that are using SAML.\n - Open redirect vulnerabilities that do not demonstrate a clear impact, such as sending secret tokens to an arbitrary domain.\n\n# Consequences of Complying with This Policy\nWe will not pursue civil action or initiate a complaint to law enforcement for accidental, good faith violations of this policy. We consider activities conducted consistent with this policy to constitute “authorized” conduct under the Computer Fraud and Abuse Act (CFAA). 
We will not bring a DMCA claim against you for circumventing the technological measures we have used to protect the applications in scope.\n\nIf legal action is initiated by a third party against you in connection with your participation in our program and you have complied with HackerOne’s bug bounty policy, HackerOne will take steps to make it known that your actions were conducted in compliance with this policy.\n\nPlease submit a HackerOne report to us before engaging in conduct that may be inconsistent with or unaddressed by this policy.\n\n{F285265}\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2018-05-02T21:52:02.092Z"},{"id":3573666,"new_policy":"We've built HackerOne from the ground up with security as our top priority. Even so, we believe that all technology contains bugs and that the public plays a crucial role in identifying these bugs. 
If you believe you've found a security bug in our service, we'll gladly work with you to resolve that issue and ensure you are fairly compensated for your discovery.\n\n**💬Important for reporting functional bugs**: if you are looking to report a non-security-related bug in HackerOne, please [submit here](https://support.hackerone.com/hc/en-us/requests/new) instead.\n\nFinancial rewards\n=============\n\n|                                        | Critical (9.0+) | High (7.0+) | Medium (4.0+) | Low (1.0+) |\n|----------------------------------------|-----------------|-------------|---------------|------------|\n| hackerone.com                          | $15,000         | $7,500      | $2,500        | $500       |\n| api.hackerone.com                      | $15,000         | $7,500      | $2,500        | $500       |\n| hackerone-attachments.s3.amazonaws.com | $15,000         | $7,500      | $2,500        | $500       |\n| www.hackerone.com                      | N/A             | $7,500      | $2,500        | $500       |\n| errors.hackerone.net                   | N/A             | $7,500      | $2,500        | $500       |\n| *.hackerone-user-content.com           | N/A             | N/A         | N/A           | $500       |\n| *.hackerone-ext-content.com            | N/A             | N/A         | $2,500        | $500       |\n\nSeverities that cannot be reported due to the asset's CVSSv3 environmental score are marked as Not Applicable (N/A) in the table above.\n\nThe severity is determined based on CVSSv3. We only issue monetary rewards for reports that have impact. All amounts are in US dollars and are minimums for each severity category. We welcome reports outside of the above-mentioned scope that impact HackerOne in any way. 
This could be a third-party leaking information that we consider to be confidential, that would impact the availability of our services, or that would pose any other threat for HackerOne.\n\n🔥 **New and important** 🔥: HackerOne is interested in your research on our systems, regardless of whether you found a security vulnerability. If you have found yourself looking at a particular feature on one of our assets but didn't find anything, please submit a report that describes all the different things you tried and failed. We may reward you for substantial research performed on assets under our bug bounty policy. This rule may be removed from our policy at any point in time.\n\nLanguages\n=========\n\nYou do not have to submit reports in English. Feel free to report anything in the following languages if you are more familiar with them:\n\n- 🇫🇷 French\n- 🇩🇪 German\n- 🇳🇱 Dutch\n- 🇮🇹 Italian\n- 🇷🇺 Russian\n- 🇫🇮 Finnish\n- 🇸🇪 Swedish\n- 🇮🇳 Hindi\n- 🇮🇳 Marathi\n\nWe are working on expanding our language base as we progress.\n\nPublic disclosure\n==============\nWe believe in transparency about our security, so any valid vulnerabilities discovered are always publicly disclosed once confirmed and resolved.\nApplication Security\n===============\n\n* Several of our engineers live double lives as security engineers and penetration testers. 
All commits go through mandatory code and security review, along with examination by static analysis tools.\n* All data access and mutation goes through a stringent Command Query Responsibility Segregation (CQRS) framework for centralized auditing, authentication, and authorization.\n* This framework utilizes strong typing and parameterization to eliminate SQL Injection attacks, as well as enforcing the presence of an anti-CSRF token prior to any data mutation.\n* We utilize a strict [Content Security Policy](https://en.wikipedia.org/wiki/Content_Security_Policy) and a safe-by-default templating language to effectively neutralize Cross-Site Scripting (XSS).\n* We encrypt all network communications with SSL/TLS accompanied with [Perfect Forward Secrecy](https://en.wikipedia.org/wiki/Forward_secrecy#Perfect_Forward_Secrecy) and [HTTP Strict Transport Security (HSTS)](https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security), including being [HSTS preloaded](https://hstspreload.appspot.com/) in most major browsers.\n* All requests pass through multiple rate limiting implementations to protect against brute-force attacks.\n* We don't store passwords: we store `bcrypt(15, salt, strcat(password, sha512(app-token, env-token)))`.\n* Passwords must be a minimum of 8 characters and pass a [zxcvbn](https://blogs.dropbox.com/tech/2012/04/zxcvbn-realistic-password-strength-estimation/) strong entropy check.\n* User-submitted content (such as attachments and images) is stored in AWS S3, encrypted at rest, and served from a sandboxed domain, protecting from [Same-origin Policy](https://en.wikipedia.org/wiki/Same-origin_policy) attacks.\n* Two-factor authentication and IP whitelisting are available to further restrict access to accounts.\n* Role-based access control allows for granular permissions for team members.\n* No credit card information is stored on our servers. 
We use [Stripe](https://stripe.com/docs/security), a PCI Level 1 service provider.\n\nInfrastructure \u0026 Operational Security\n===============\n\n* All our infrastructure is hosted on Amazon Web Services in [SOC 1, 2, and 3](https://aws.amazon.com/compliance/soc-faqs/) and [ISO 27001](https://aws.amazon.com/compliance/iso-27001-faqs/) certified datacenters.\n* Network segregation is aggressively deployed between services and environments.\n* Databases, files, and backups are encrypted at rest using AES-256.\n* All infrastructure access requires two-factor, multi-stage authentication.\n* We leverage [Cloudflare](https://www.cloudflare.com) to supplement our infrastructure's resilience.\n* Enforced usage of strong passwords, password managers, client encryption, mobile device management, and screen locking.\n* All employees undergo a criminal background check upon hiring.\n\n… and more. We're constantly seeking to improve. If you have any questions on our security or suggestions on how HackerOne could be improved, please let us know at support@hackerone.com.\n\nScope Exclusions\n===============\nThe following categories of reports are considered out of scope for our program and will not be rewarded:\n\n - Reports which target a lack of host header validation or that exploit [multiple forward slashes](https://hackerone.com/reports/52035) at the root of the path segment of a URL. Both of these issues are known to both us and Cloudflare, and their resolution is outside our control.\n - Spamming other users with automated HackerOne emails or notifications (e.g. abusing the forgot password form).\n - Reports which [enumerate already claimed user and program handles](https://hackerone.com/reports/29185). 
This reveals no sensitive information, regardless of whether the associated profiles are public or private.\n - Reports which involve constructing a markdown link in such a way that it may appear confusing in the external link warning interstitial page, despite being properly decoded and fully enclosed in the demarcated \"External link\" box.\n - Reports relating to the execution of CSV content by a third-party client application due to special treatment of certain characters in the exported CSV.\n - Reports relating to invitation expiration dates.\n - Reports relating to self-DoS issues (as in, only the person doing the action is denied service).\n - Reports relating to missing rate limiting of [our API](https://api.hackerone.com/). We intentionally made this design decision to learn how people use our API. We plan to implement a rate limit in the future.\n - The ability to game the badges functionality by closing submissions reported by yourself or a team member in a verified program.\n - The ability to influence reputation/signal/impact via socially engineering a program's team members.\n - Reports which disclose the existence of private programs that are using SAML.\n - Open redirect vulnerabilities that do not demonstrate a clear impact, such as sending secret tokens to an arbitrary domain.\n\n# Consequences of Complying with This Policy\nWe will not pursue civil action or initiate a complaint to law enforcement for accidental, good faith violations of this policy. We consider activities conducted consistent with this policy to constitute “authorized” conduct under the Computer Fraud and Abuse Act (CFAA). 
We will not bring a DMCA claim against you for circumventing the technological measures we have used to protect the applications in scope.\n\nIf legal action is initiated by a third party against you in connection with your participation in our program and you have complied with HackerOne’s bug bounty policy, HackerOne will take steps to make it known that your actions were conducted in compliance with this policy.\n\nPlease submit a HackerOne report to us before engaging in conduct that may be inconsistent with or unaddressed by this policy.\n\n{F285265}\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2018-04-13T03:46:14.046Z"},{"id":3564953,"new_policy":"We've built HackerOne from the ground up with security as our top priority. Even so, we believe that all technology contains bugs and that the public plays a crucial role in identifying these bugs. If you believe you've found a security bug in our service, we'll gladly work with you to resolve that issue and ensure you are fairly compensated for your discovery.\n\n### If you are looking to report a non-security-related bug in HackerOne, please [submit here](https://support.hackerone.com/hc/en-us/requests/new) instead. \n\nWe categorize security bugs in our service into two categories:\n\n* **Severe**: Any bug that might grant unauthorized access to confidential bug descriptions. Severe bugs have a minimum bounty of **$10,000**.\n* **Interesting**: Any bug that might otherwise potentially impact the security of our service. 
Interesting bugs have a minimum bounty of **$500**.\n\nWe believe in transparency about our security, so any valid vulnerabilities discovered are always publicly disclosed once confirmed and resolved.\n\nBelow we'll describe some of the measures we take to keep our service safe and secure.\n\nApplication Security\n===============\n\n* Several of our engineers live double lives as security engineers and penetration testers. All commits go through mandatory code and security review, along with examination by static analysis tools.\n* All data access and mutation goes through a stringent Command Query Responsibility Segregation (CQRS) framework for centralized auditing, authentication, and authorization.\n* This framework utilizes strong typing and parameterization to eliminate SQL Injection attacks, as well as enforcing the presence of an anti-CSRF token prior to any data mutation.\n* We utilize a strict [Content Security Policy](https://en.wikipedia.org/wiki/Content_Security_Policy) and a safe-by-default templating language to effectively neutralize Cross-Site Scripting (XSS).\n* We encrypt all network communications with SSL/TLS accompanied with [Perfect Forward Secrecy](https://en.wikipedia.org/wiki/Forward_secrecy#Perfect_Forward_Secrecy) and [HTTP Strict Transport Security (HSTS)](https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security), including being [HSTS preloaded](https://hstspreload.appspot.com/) in most major browsers.\n* All requests pass through multiple rate limiting implementations to protect against brute-force attacks.\n* We don't store passwords: we store `bcrypt(15, salt, strcat(password, sha512(app-token, env-token)))`.\n* Passwords must be a minimum of 8 characters and pass a [zxcvbn](https://blogs.dropbox.com/tech/2012/04/zxcvbn-realistic-password-strength-estimation/) strong entropy check.\n* User-submitted content (such as attachments and images) is stored in AWS S3, encrypted at rest, and served from a sandboxed domain, protecting from 
[Same-origin Policy](https://en.wikipedia.org/wiki/Same-origin_policy) attacks.\n* Two-factor authentication and IP whitelisting are available to further restrict access to accounts.\n* Role-based access control allows for granular permissions for team members.\n* No credit card information is stored on our servers. We use [Stripe](https://stripe.com/docs/security), a PCI Level 1 service provider.\n\nInfrastructure \u0026 Operational Security\n===============\n\n* All our infrastructure is hosted on Amazon Web Services in [SOC 1, 2, and 3](https://aws.amazon.com/compliance/soc-faqs/) and [ISO 27001](https://aws.amazon.com/compliance/iso-27001-faqs/) certified datacenters.\n* Network segregation is aggressively deployed between services and environments.\n* Databases, files, and backups are encrypted at rest using AES-256.\n* All infrastructure access requires two-factor, multi-stage authentication.\n* We leverage [Cloudflare](https://www.cloudflare.com) to supplement our infrastructure's resilience.\n* Enforced usage of strong passwords, password managers, client encryption, mobile device management, and screen locking.\n* All employees undergo a criminal background check upon hiring.\n\n… and more. We're constantly seeking to improve. If you have any questions on our security or suggestions on how HackerOne could be improved, please let us know at support@hackerone.com.\n\nScope Exclusions\n===============\nThe following categories of reports are considered out of scope for our program and will not be rewarded:\n\n - Reports which target a lack of host header validation or that exploit [multiple forward slashes](https://hackerone.com/reports/52035) at the root of the path segment of a URL. Both of these issues are known to both us and Cloudflare, and their resolution is outside our control.\n - Spamming other users with automated HackerOne emails or notifications (e.g. 
abusing the forgot password form).\n - Reports which [enumerate already claimed user and program handles](https://hackerone.com/reports/29185). This reveals no sensitive information, regardless of whether the associated profiles are public or private.\n - Reports which involve constructing a markdown link in such a way that it may appear confusing in the external link warning interstitial page, despite being properly decoded and fully enclosed in the demarcated \"External link\" box.\n - Reports relating to the execution of CSV content by a third-party client application due to special treatment of certain characters in the exported CSV.\n - Reports relating to invitation expiration dates.\n - Reports relating to self-DoS issues (as in, only the person doing the action is denied service).\n - Reports relating to missing rate limiting of [our API](https://api.hackerone.com/). We intentionally made this design decision to learn how people use our API. We plan to implement a rate limit in the future.\n - The ability to game the badges functionality by closing submissions reported by yourself or a team member in a verified program.\n - The ability to influence reputation/signal/impact via socially engineering a program's team members.\n - Reports which disclose the existence of private programs that are using SAML\n\n{F240487}\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2017-12-11T05:28:13.805Z"},{"id":3563584,"new_policy":"We've built HackerOne from the ground up with security as our top priority. Even so, we believe that all technology contains bugs and that the public plays a crucial role in identifying these bugs. 
If you believe you've found a security bug in our service, we'll gladly work with you to resolve that issue and ensure you are fairly compensated for your discovery.\n\n### If you are looking to report a non-security-related bug in HackerOne, please [submit here](https://support.hackerone.com/hc/en-us/requests/new) instead. \n\nWe categorize security bugs in our service into two categories:\n\n* **Severe**: Any bug that might grant unauthorized access to confidential bug descriptions. Severe bugs have a minimum bounty of **$10,000**.\n* **Interesting**: Any bug that might otherwise potentially impact the security of our service. Interesting bugs have a minimum bounty of **$500**.\n\nWe believe in transparency about our security, so any valid vulnerabilities discovered are always publicly disclosed once confirmed and resolved.\n\nBelow we'll describe some of the measures we take to keep our service safe and secure.\n\nApplication Security\n===============\n\n* Several of our engineers live double lives as security engineers and penetration testers. 
All commits go through mandatory code and security review, along with examination by static analysis tools.\n* All data access and mutation goes through a stringent Command Query Responsibility Segregation (CQRS) framework for centralized auditing, authentication, and authorization.\n* This framework utilizes strong typing and parameterization to eliminate SQL Injection attacks, as well as enforcing the presence of an anti-CSRF token prior to any data mutation.\n* We utilize a strict [Content Security Policy](https://en.wikipedia.org/wiki/Content_Security_Policy) and a safe-by-default templating language to effectively neutralize Cross-Site Scripting (XSS).\n* We encrypt all network communications with SSL/TLS accompanied with [Perfect Forward Secrecy](https://en.wikipedia.org/wiki/Forward_secrecy#Perfect_Forward_Secrecy) and [HTTP Strict Transport Security (HSTS)](https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security), including being [HSTS preloaded](https://hstspreload.appspot.com/) in most major browsers.\n* All requests pass through multiple rate limiting implementations to protect against brute-force attacks.\n* We don't store passwords: we store `bcrypt(13, salt, strcat(password, sha512(app-token, env-token)))`.\n* Passwords must be a minimum of 8 characters and pass a [zxcvbn](https://blogs.dropbox.com/tech/2012/04/zxcvbn-realistic-password-strength-estimation/) strong entropy check.\n* User-submitted content (such as attachments and images) is stored in AWS S3, encrypted at rest, and served from a sandboxed domain, protecting from [Same-origin Policy](https://en.wikipedia.org/wiki/Same-origin_policy) attacks.\n* Two-factor authentication and IP whitelisting are available to further restrict access to accounts.\n* Role-based access control allows for granular permissions for team members.\n* No credit card information is stored on our servers. 
We use [Stripe](https://stripe.com/docs/security), a PCI Level 1 service provider.\n\nInfrastructure \u0026 Operational Security\n===============\n\n* All our infrastructure is hosted on Amazon Web Services in [SOC 1, 2, and 3](https://aws.amazon.com/compliance/soc-faqs/) and [ISO 27001](https://aws.amazon.com/compliance/iso-27001-faqs/) certified datacenters.\n* Network segregation is aggressively deployed between services and environments.\n* Databases, files, and backups are encrypted at rest using AES-256.\n* All infrastructure access requires two-factor, multi-stage authentication.\n* We leverage [Cloudflare](https://www.cloudflare.com) to supplement our infrastructure's resilience.\n* Enforced usage of strong passwords, password managers, client encryption, mobile device management, and screen locking.\n* All employees undergo a criminal background check upon hiring.\n\n… and more. We're constantly seeking to improve. If you have any questions on our security or suggestions on how HackerOne could be improved, please let us know at support@hackerone.com.\n\nScope Exclusions\n===============\nThe following categories of reports are considered out of scope for our program and will not be rewarded:\n\n - Reports which target a lack of host header validation or that exploit [multiple forward slashes](https://hackerone.com/reports/52035) at the root of the path segment of a URL. Both of these issues are known to both us and Cloudflare, and their resolution is outside our control.\n - Spamming other users with automated HackerOne emails or notifications (e.g. abusing the forgot password form).\n - Reports which [enumerate already claimed user and program handles](https://hackerone.com/reports/29185). 
This reveals no sensitive information, regardless of whether the associated profiles are public or private.\n - Reports which involve constructing a markdown link in such a way that it may appear confusing in the external link warning interstitial page, despite being properly decoded and fully enclosed in the demarcated \"External link\" box.\n - Reports relating to the execution of CSV content by a third-party client application due to special treatment of certain characters in the exported CSV.\n - Reports relating to invitation expiration dates.\n - Reports relating to self-DoS issues (as in, only the person doing the action is denied service).\n - Reports relating to missing rate limiting of [our API](https://api.hackerone.com/). We intentionally made this design decision to learn how people use our API. We plan to implement a rate limit in the future.\n - The ability to game the badges functionality by closing submissions reported by yourself or a team member in a verified program.\n - The ability to influence reputation/signal/impact via socially engineering a program's team members.\n - Reports which disclose the existence of private programs that are using SAML\n\n{F240487}\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2017-11-17T22:05:02.928Z"},{"id":3559261,"new_policy":"We've built HackerOne from the ground up with security as our top priority. Even so, we believe that all technology contains bugs and that the public plays a crucial role in identifying these bugs. 
If you believe you've found a security bug in our service, we'll gladly work with you to resolve that issue and ensure you are fairly compensated for your discovery.\n\n### If you are looking to report a non-security-related bug in HackerOne, please [submit here](https://support.hackerone.com/hc/en-us/requests/new) instead. \n\nWe categorize security bugs in our service into two categories:\n\n* **Severe**: Any bug that might grant unauthorized access to confidential bug descriptions. Severe bugs have a minimum bounty of **$10,000**.\n* **Interesting**: Any bug that might otherwise potentially impact the security of our service. Interesting bugs have a minimum bounty of **$500**.\n\nWe believe in transparency about our security, so any valid vulnerabilities discovered are always publicly disclosed once confirmed and resolved.\n\nBelow we'll describe some of the measures we take to keep our service safe and secure.\n\nApplication Security\n===============\n\n* Several of our engineers live double lives as security engineers and penetration testers. 
All commits go through mandatory code and security review, along with examination by static analysis tools.\n* All data access and mutation goes through a stringent Command Query Responsibility Segregation (CQRS) framework for centralized auditing, authentication, and authorization.\n* This framework utilizes strong typing and parameterization to eliminate SQL Injection attacks, as well as enforcing the presence of an anti-CSRF token prior to any data mutation.\n* We utilize a strict [Content Security Policy](https://en.wikipedia.org/wiki/Content_Security_Policy) and a safe-by-default templating language to effectively neutralize Cross-Site Scripting (XSS).\n* We encrypt all network communications with SSL/TLS accompanied with [Perfect Forward Secrecy](https://en.wikipedia.org/wiki/Forward_secrecy#Perfect_Forward_Secrecy) and [HTTP Strict Transport Security (HSTS)](https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security), including being [HSTS preloaded](https://hstspreload.appspot.com/) in most major browsers.\n* All requests pass through multiple rate limiting implementations to protect against brute-force attacks.\n* We don't store passwords: we store `bcrypt(13, salt, strcat(password, sha512(app-token, env-token)))`.\n* Passwords must be a minimum of 8 characters and pass a [zxcvbn](https://blogs.dropbox.com/tech/2012/04/zxcvbn-realistic-password-strength-estimation/) strong entropy check.\n* User-submitted content (such as attachments and images) is stored in AWS S3, encrypted at rest, and served from a sandboxed domain, protecting from [Same-origin Policy](https://en.wikipedia.org/wiki/Same-origin_policy) attacks.\n* Two-factor authentication and IP whitelisting are available to further restrict access to accounts.\n* Role-based access control allows for granular permissions for team members.\n* No credit card information is stored on our servers. 
We use [Stripe](https://stripe.com/docs/security), a PCI Level 1 service provider.\n\nInfrastructure \u0026 Operational Security\n===============\n\n* All our infrastructure is hosted on Amazon Web Services in [SOC 1, 2, and 3](https://aws.amazon.com/compliance/soc-faqs/) and [ISO 27001](https://aws.amazon.com/compliance/iso-27001-faqs/) certified datacenters.\n* Network segregation is aggressively deployed between services and environments.\n* Databases, files, and backups are encrypted at rest using AES-256.\n* All infrastructure access requires two-factor, multi-stage authentication.\n* We leverage [Cloudflare](https://www.cloudflare.com) to supplement our infrastructure's resilience.\n* Enforced usage of strong passwords, password managers, client encryption, mobile device management, and screen locking.\n* All employees undergo a criminal background check upon hiring.\n\n… and more. We're constantly seeking to improve. If you have any questions on our security or suggestions on how HackerOne could be improved, please let us know at support@hackerone.com.\n\nScope Exclusions\n===============\nThe following categories of reports are considered out of scope for our program and will not be rewarded:\n\n - Reports which target a lack of host header validation or that exploit [multiple forward slashes](https://hackerone.com/reports/52035) at the root of the path segment of a URL. Both of these issues are known to both us and Cloudflare, and their resolution is outside our control.\n - Spamming other users with automated HackerOne emails or notifications (e.g. abusing the forgot password form).\n - Reports which [enumerate already claimed user and program handles](https://hackerone.com/reports/29185). 
This reveals no sensitive information, regardless of whether the associated profiles are public or private.\n - Reports which involve constructing a markdown link in such a way that it may appear confusing in the external link warning interstitial page, despite being properly decoded and fully enclosed in the demarcated \"External link\" box.\n - Reports relating to the execution of CSV content by a third-party client application due to special treatment of certain characters in the exported CSV.\n - Reports relating to invitation expiration dates.\n - Reports relating to self-DoS issues (as in, only the person doing the action is denied service).\n - Reports relating to missing rate limiting of [our API](https://api.hackerone.com/). We intentionally made this design decision to learn how people use our API. We plan to implement a rate limit in the future.\n - The ability to game the badges functionality by closing submissions reported by yourself or a team member in a verified program.\n - The ability to influence reputation/signal/impact via socially engineering a program's team members.\n - Reports which disclose the existence of private programs that are using SAML\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2017-08-17T20:15:49.998Z"},{"id":3555708,"new_policy":"We've built HackerOne from the ground up with security as our top priority. Even so, we believe that all technology contains bugs and that the public plays a crucial role in identifying these bugs. 
If you believe you've found a security bug in our service, we'll gladly work with you to resolve that issue and ensure you are fairly compensated for your discovery.\n\n### If you are looking to report a non-security-related bug in HackerOne, please [submit here](https://support.hackerone.com/hc/en-us/requests/new) instead. \n\nWe categorize security bugs in our service into two categories:\n\n* **Severe**: Any bug that might grant unauthorized access to confidential bug descriptions. Severe bugs have a minimum bounty of **$10,000**.\n* **Interesting**: Any bug that might otherwise potentially impact the security of our service. Interesting bugs have a minimum bounty of **$500**.\n\nWe believe in transparency about our security, so any valid vulnerabilities discovered are always publicly disclosed once confirmed and resolved.\n\nBelow we'll describe some of the measures we take to keep our service safe and secure.\n\nApplication Security\n===============\n\n* Several of our engineers live double lives as security engineers and penetration testers. 
All commits go through mandatory code and security review, along with examination by static analysis tools.\n* All data access and mutation goes through a stringent Command Query Responsibility Segregation (CQRS) framework for centralized auditing, authentication, and authorization.\n* This framework utilizes strong typing and parameterization to eliminate SQL Injection attacks, as well as enforcing the presence of an anti-CSRF token prior to any data mutation.\n* We utilize a strict [Content Security Policy](https://en.wikipedia.org/wiki/Content_Security_Policy) and a safe-by-default templating language to effectively neutralize Cross-Site Scripting (XSS).\n* We encrypt all network communications with SSL/TLS accompanied with [Perfect Forward Secrecy](https://en.wikipedia.org/wiki/Forward_secrecy#Perfect_Forward_Secrecy) and [HTTP Strict Transport Security (HSTS)](https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security), including being [HSTS preloaded](https://hstspreload.appspot.com/) in most major browsers.\n* All requests pass through multiple rate limiting implementations to protect against brute-force attacks.\n* We don't store passwords: we store `bcrypt(13, salt, strcat(password, sha512(app-token, env-token)))`.\n* Passwords must be a minimum of 8 characters and pass a [zxcvbn](https://blogs.dropbox.com/tech/2012/04/zxcvbn-realistic-password-strength-estimation/) strong entropy check.\n* User-submitted content (such as attachments and images) is stored in AWS S3, encrypted at rest, and served from a sandboxed domain, protecting from [Same-origin Policy](https://en.wikipedia.org/wiki/Same-origin_policy) attacks.\n* Two-factor authentication and IP whitelisting are available to further restrict access to accounts.\n* Role-based access control allows for granular permissions for team members.\n* No credit card information is stored on our servers. 
We use [Stripe](https://stripe.com/docs/security), a PCI Level 1 service provider.\n\nInfrastructure \u0026 Operational Security\n===============\n\n* All our infrastructure is hosted on Amazon Web Services in [SOC 1, 2, and 3](https://aws.amazon.com/compliance/soc-faqs/) and [ISO 27001](https://aws.amazon.com/compliance/iso-27001-faqs/) certified datacenters.\n* Network segregation is aggressively deployed between services and environments.\n* Databases, files, and backups are encrypted at rest using AES-256.\n* All infrastructure access requires two-factor, multi-stage authentication.\n* We leverage [CloudFlare](https://www.cloudflare.com) to supplement our infrastructure's resilience.\n* Enforced usage of strong passwords, password managers, client encryption, mobile device management, and screen locking.\n* All employees undergo a criminal background check upon hiring.\n\n… and more. We're constantly seeking to improve. If you have any questions on our security or suggestions on how HackerOne could be improved, please let us know at support@hackerone.com.\n\nScope Exclusions\n===============\nThe following categories of reports are considered out of scope for our program and will not be rewarded:\n\n - Reports which target a lack of host header validation or that exploit [multiple forward slashes](https://hackerone.com/reports/52035) at the root of the path segment of a URL. Both of these issues are known to both us and CloudFlare, and their resolution is outside our control.\n - Spamming other users with automated HackerOne emails or notifications (e.g. abusing the forgot password form).\n - Reports which [enumerate already claimed user and program handles](https://hackerone.com/reports/29185). 
This reveals no sensitive information, regardless of whether the associated profiles are public or private.\n - Reports which involve constructing a markdown link in such a way that it may appear confusing in the external link warning interstitial page, despite being properly decoded and fully enclosed in the demarcated \"External link\" box.\n - Reports relating to the execution of CSV content by a third-party client application due to special treatment of certain characters in the exported CSV.\n - Reports relating to invitation expiration dates.\n - Reports relating to self-DoS issues (as in, only the person doing the action is denied service).\n - Reports relating to missing rate limiting of [our API](https://api.hackerone.com/). We intentionally made this design decision to learn how people use our API. We plan to implement a rate limit in the future.\n - The ability to game the badges functionality by closing submissions reported by yourself or a team member in a verified program.\n - The ability to influence reputation/signal/impact via socially engineering a program's team members.\n - Reports which disclose the existence of private programs that are using SAML\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2017-06-14T18:46:20.725Z"},{"id":3545150,"new_policy":"We've built HackerOne from the ground up with security as our top priority. Even so, we believe that all technology contains bugs and that the public plays a crucial role in identifying these bugs. 
If you believe you've found a security bug in our service, we'll gladly work with you to resolve that issue and ensure you are fairly compensated for your discovery.\n\n### If you are looking to report a non-security-related bug in HackerOne, please [submit here](https://support.hackerone.com/hc/en-us/requests/new) instead. \n\nWe categorize security bugs in our service into two categories:\n\n* **Severe**: Any bug that might grant unauthorized access to confidential bug descriptions. Severe bugs have a minimum bounty of **$10,000**.\n* **Interesting**: Any bug that might otherwise potentially impact the security of our service. Interesting bugs have a minimum bounty of **$500**.\n\nWe believe in transparency about our security, so any valid vulnerabilities discovered are always publicly disclosed once confirmed and resolved.\n\nBelow we'll describe some of the measures we take to keep our service safe and secure.\n\nApplication Security\n===============\n\n* Several of our engineers live double lives as security engineers and penetration testers. 
All commits go through mandatory code and security review, along with examination by static analysis tools.\n* All data access and mutation goes through a stringent Command Query Responsibility Segregation (CQRS) framework for centralized auditing, authentication, and authorization.\n* This framework utilizes strong typing and parameterization to eliminate SQL Injection attacks, as well as enforcing the presence of an anti-CSRF token prior to any data mutation.\n* We utilize a strict [Content Security Policy](https://en.wikipedia.org/wiki/Content_Security_Policy) and a safe-by-default templating language to effectively neutralize Cross-Site Scripting (XSS).\n* We encrypt all network communications with SSL/TLS accompanied with [Perfect Forward Secrecy](https://en.wikipedia.org/wiki/Forward_secrecy#Perfect_Forward_Secrecy) and [HTTP Strict Transport Security (HSTS)](https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security), including being [HSTS preloaded](https://hstspreload.appspot.com/) in most major browsers.\n* All requests pass through multiple rate limiting implementations to protect against brute-force attacks.\n* We don't store passwords: we store `bcrypt(13, salt, strcat(password, sha512(app-token, env-token)))`.\n* Passwords must be a minimum of 8 characters and pass a [zxcvbn](https://blogs.dropbox.com/tech/2012/04/zxcvbn-realistic-password-strength-estimation/) strong entropy check.\n* User-submitted content (such as attachments and images) is stored in AWS S3, encrypted at rest, and served from a sandboxed domain, protecting from [Same-origin Policy](https://en.wikipedia.org/wiki/Same-origin_policy) attacks.\n* Two-factor authentication and IP whitelisting are available to further restrict access to accounts.\n* Role-based access control allows for granular permissions for team members.\n* No credit card information is stored on our servers. 
We use [Stripe](https://stripe.com/docs/security), a PCI Level 1 service provider.\n\nInfrastructure \u0026 Operational Security\n===============\n\n* All our infrastructure is hosted on Amazon Web Services in [SOC 1, 2, and 3](https://aws.amazon.com/compliance/soc-faqs/) and [ISO 27001](https://aws.amazon.com/compliance/iso-27001-faqs/) certified datacenters.\n* Network segregation is aggressively deployed between services and environments.\n* Databases, files, and backups are encrypted at rest using AES-256.\n* All infrastructure access requires two-factor, multi-stage authentication.\n* We leverage [CloudFlare](https://www.cloudflare.com) to supplement our infrastructure's resilience.\n* Enforced usage of strong passwords, password managers, client encryption, mobile device management, and screen locking.\n* All employees undergo a criminal background check upon hiring.\n\n… and more. We're constantly seeking to improve. If you have any questions on our security or suggestions on how HackerOne could be improved, please let us know at support@hackerone.com.\n\nScope Exclusions\n===============\nThe following categories of reports are considered out of scope for our program and will not be rewarded:\n\n - Reports which target a lack of host header validation or that exploit [multiple forward slashes](https://hackerone.com/reports/52035) at the root of the path segment of a URL. Both of these issues are known to both us and CloudFlare, and their resolution is outside our control.\n - Spamming other users with automated HackerOne emails or notifications (e.g. abusing the forgot password form).\n - For reports addressing `support.hackerone.com` unless they are critical or severe issues they will be marked as not applicable. `support.hackerone.com` is hosted by Zendesk, and as such general reports should be submitted to their program instead via @zendesk. \n - Reports which [enumerate already claimed user and program handles](https://hackerone.com/reports/29185). 
This reveals no sensitive information, regardless of whether the associated profiles are public or private.\n - Reports which involve constructing a markdown link in such a way that it may appear confusing in the external link warning interstitial page, despite being properly decoded and fully enclosed in the demarcated \"External link\" box.\n - Reports relating to the execution of CSV content by a third-party client application due to special treatment of certain characters in the exported CSV.\n - Reports relating to invitation expiration dates.\n - Reports relating to self-DoS issues (as in, only the person doing the action is denied service).\n - Reports relating to missing rate limiting of [our API](https://api.hackerone.com/). We intentionally made this design decision to learn how people use our API. We plan to implement a rate limit in the future.\n - The ability to game the badges functionality by closing submissions reported by yourself or a team member in a verified program.\n - The ability to influence reputation/signal/impact via socially engineering a program's team members.\n - Reports which disclose the existence of private programs that are using SAML\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2017-01-17T23:05:34.276Z"},{"id":3539862,"new_policy":"We've built HackerOne from the ground up with security as our top priority. Even so, we believe that all technology contains bugs and that the public plays a crucial role in identifying these bugs. 
If you believe you've found a security bug in our service, we'll gladly work with you to resolve that issue and ensure you are fairly compensated for your discovery.\n\n### If you are looking to report a non-security-related bug in HackerOne, please [submit here](https://support.hackerone.com/hc/en-us/requests/new) instead. \n\nWe categorize security bugs in our service into two categories:\n\n* **Severe**: Any bug that might grant unauthorized access to confidential bug descriptions. Severe bugs have a minimum bounty of **$10,000**.\n* **Interesting**: Any bug that might otherwise potentially impact the security of our service. Interesting bugs have a minimum bounty of **$500**.\n\nWe believe in transparency about our security, so any valid vulnerabilities discovered are always publicly disclosed once confirmed and resolved.\n\nBelow we'll describe some of the measures we take to keep our service safe and secure.\n\nApplication Security\n===============\n\n* Several of our engineers live double lives as security engineers and penetration testers. 
All commits go through mandatory code and security review, along with examination by static analysis tools.\n* All data access and mutation goes through a stringent Command Query Responsibility Segregation (CQRS) framework for centralized auditing, authentication, and authorization.\n* This framework utilizes strong typing and parameterization to eliminate SQL Injection attacks, as well as enforcing the presence of an anti-CSRF token prior to any data mutation.\n* We utilize a strict [Content Security Policy](https://en.wikipedia.org/wiki/Content_Security_Policy) and a safe-by-default templating language to effectively neutralize Cross-Site Scripting (XSS).\n* We encrypt all network communications with SSL/TLS accompanied with [Perfect Forward Secrecy](https://en.wikipedia.org/wiki/Forward_secrecy#Perfect_Forward_Secrecy) and [HTTP Strict Transport Security (HSTS)](https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security), including being [HSTS preloaded](https://hstspreload.appspot.com/) in most major browsers.\n* All requests pass through multiple rate limiting implementations to protect against brute-force attacks.\n* We don't store passwords: we store `bcrypt(13, salt, strcat(password, sha512(app-token, env-token)))`.\n* Passwords must be a minimum of 8 characters and pass a [zxcvbn](https://blogs.dropbox.com/tech/2012/04/zxcvbn-realistic-password-strength-estimation/) strong entropy check.\n* User-submitted content (such as attachments and images) is stored in AWS S3, encrypted at rest, and served from a sandboxed domain, protecting from [Same-origin Policy](https://en.wikipedia.org/wiki/Same-origin_policy) attacks.\n* Two-factor authentication and IP whitelisting are available to further restrict access to accounts.\n* Role-based access control allows for granular permissions for team members.\n* No credit card information is stored on our servers. 
We use [Stripe](https://stripe.com/docs/security), a PCI Level 1 service provider.\n\nInfrastructure \u0026 Operational Security\n===============\n\n* All our infrastructure is hosted on Amazon Web Services in [SOC 1, 2, \u0026 3](https://aws.amazon.com/compliance/soc-faqs/) and [ISO 27001](https://aws.amazon.com/compliance/iso-27001-faqs/) certified datacenters.\n* Network segregation is aggressively deployed between services and environments.\n* Databases, files, and backups are encrypted at rest using AES-256.\n* All infrastructure access requires two-factor, multi-stage authentication.\n* We leverage [CloudFlare](https://www.cloudflare.com) to supplement our infrastructure's resilience.\n* Enforced usage of strong passwords, password managers, client encryption, mobile device management, and screen locking.\n* All employees undergo a criminal background check upon hiring.\n\n… and more. We're constantly seeking to improve. If you have any questions on our security or suggestions on how HackerOne could be improved, please let us know at support@hackerone.com.\n\nScope Exclusions\n===============\nThe following categories of reports are considered out of scope for our program and will not be rewarded:\n\n - Reports which target a lack of host header validation or that exploit [multiple forward slashes](https://hackerone.com/reports/52035) at the root of the path segment of a URL. Both of these issues are known to both us and CloudFlare, and their resolution is outside our control.\n - Spamming other users with automated HackerOne emails or notifications (e.g. abusing the forgot password form).\n - For reports addressing `support.hackerone.com` unless they are critical or severe issues they will be marked as not applicable. `support.hackerone.com` is hosted by Zendesk, and as such general reports should be submitted to their program instead via @zendesk. \n - Reports which [enumerate already claimed user and program handles](https://hackerone.com/reports/29185). 
This reveals no sensitive information, regardless of whether the associated profiles are public or private.\n - Reports which involve constructing a markdown link in such a way that it may appear confusing in the external link warning interstitial page, despite being properly decoded and fully enclosed in the demarcated \"External link\" box.\n - Reports relating to the execution of CSV content by a third-party client application due to special treatment of certain characters in the exported CSV.\n - Reports relating to invitation expiration dates.\n - Reports relating to self-DoS issues (as in, only the person doing the action is denied service).\n - Reports relating to missing rate limiting of [our API](https://api.hackerone.com/). We intentionally made this design decision to learn how people use our API. We plan to implement a rate limit in the future.\n - The ability to game the badges functionality by closing submissions reported by yourself or a team member in a verified program.\n - The ability to influence reputation/signal/impact via socially engineering a program's team members.\n - Reports which disclose the existence of private programs that are using SAML\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2016-10-03T21:25:07.597Z"},{"id":3539861,"new_policy":"We've built HackerOne from the ground up with security as our top priority. Even so, we believe that all technology contains bugs and that the public plays a crucial role in identifying these bugs. 
If you believe you've found a security bug in our service, we'll gladly work with you to resolve that issue and ensure you are fairly compensated for your discovery.\n\n### If you are looking to report a non-security-related bug in HackerOne, please [submit here](https://support.hackerone.com/hc/en-us/requests/new) instead. \n\nWe categorize security bugs in our service into two categories:\n\n* **Severe**: Any bug that might grant unauthorized access to confidential bug descriptions. Severe bugs have a minimum bounty of **$10,000**.\n* **Interesting**: Any bug that might otherwise potentially impact the security of our service. Interesting bugs have a minimum bounty of **$500**.\n\nWe believe in transparency about our security, so any valid vulnerabilities discovered are always publicly disclosed once confirmed and resolved.\n\nBelow we'll describe some of the measures we take to keep our service safe and secure.\n\nApplication Security\n===============\n\n* Several of our engineers live double lives as security engineers and penetration testers. 
All commits go through mandatory code and security review, along with examination by static analysis tools.\n* All data access and mutation goes through a stringent Command Query Responsibility Segregation (CQRS) framework for centralized auditing, authentication, and authorization.\n* This framework utilizes strong typing and parameterization to eliminate SQL Injection attacks, as well as enforcing the presence of an anti-CSRF token prior to any data mutation.\n* We utilize a strict [Content Security Policy](https://en.wikipedia.org/wiki/Content_Security_Policy) and a safe-by-default templating language to effectively neutralize Cross-Site Scripting (XSS).\n* We encrypt all network communications with SSL/TLS accompanied with [Perfect Forward Secrecy](https://en.wikipedia.org/wiki/Forward_secrecy#Perfect_Forward_Secrecy) and [HTTP Strict Transport Security (HSTS)](https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security), including being [HSTS preloaded](https://hstspreload.appspot.com/) in most major browsers.\n* All requests pass through multiple rate limiting implementations to protect against brute-force attacks.\n* We don't store passwords: we store `bcrypt(13, salt, strcat(password, sha512(app-token, env-token)))`.\n* Passwords must be a minimum of 8 characters and pass a [zxcvbn](https://blogs.dropbox.com/tech/2012/04/zxcvbn-realistic-password-strength-estimation/) strong entropy check.\n* User-submitted content (such as attachments and images) is stored in AWS S3, encrypted at rest, and served from a sandboxed domain, protecting from [Same-origin Policy](https://en.wikipedia.org/wiki/Same-origin_policy) attacks.\n* Two-factor authentication and IP whitelisting are available to further restrict access to accounts.\n* Role-based access control allows for granular permissions for team members.\n* No credit card information is stored on our servers. 
We use [Stripe](https://stripe.com/docs/security), a PCI Level 1 service provider.\n\nInfrastructure \u0026 Operational Security\n===============\n\n* All our infrastructure is hosted on Amazon Web Services in [SOC 1, 2, \u0026 3](https://aws.amazon.com/compliance/soc-faqs/) and [ISO 27001](https://aws.amazon.com/compliance/iso-27001-faqs/) certified datacenters.\n* Network segregation is aggressively deployed between services and environments.\n* Our databases, files, and backups are encrypted at rest using AES-256.\n* All infrastructure access requires two-factor, multi-stage authentication.\n* We leverage [CloudFlare](https://www.cloudflare.com) to supplement our infrastructure's resilience.\n* Enforced usage of strong passwords, password managers, client encryption, mobile device management, and screen locking.\n* All employees undergo a criminal background check upon hiring.\n\n… and more. We're constantly seeking to improve. If you have any questions on our security or suggestions on how HackerOne could be improved, please let us know at support@hackerone.com.\n\nScope Exclusions\n===============\nThe following categories of reports are considered out of scope for our program and will not be rewarded:\n\n - Reports which target a lack of host header validation or that exploit [multiple forward slashes](https://hackerone.com/reports/52035) at the root of the path segment of a URL. Both of these issues are known to both us and CloudFlare, and their resolution is outside our control.\n - Spamming other users with automated HackerOne emails or notifications (e.g. abusing the forgot password form).\n - For reports addressing `support.hackerone.com` unless they are critical or severe issues they will be marked as not applicable. `support.hackerone.com` is hosted by Zendesk, and as such general reports should be submitted to their program instead via @zendesk. 
\n - Reports which [enumerate already claimed user and program handles](https://hackerone.com/reports/29185). This reveals no sensitive information, regardless of whether the associated profiles are public or private.\n - Reports which involve constructing a markdown link in such a way that it may appear confusing in the external link warning interstitial page, despite being properly decoded and fully enclosed in the demarcated \"External link\" box.\n - Reports relating to the execution of CSV content by a third-party client application due to special treatment of certain characters in the exported CSV.\n - Reports relating to invitation expiration dates.\n - Reports relating to self-DoS issues (as in, only the person doing the action is denied service).\n - Reports relating to missing rate limiting of [our API](https://api.hackerone.com/). We intentionally made this design decision to learn how people use our API. We plan to implement a rate limit in the future.\n - The ability to game the badges functionality by closing submissions reported by yourself or a team member in a verified program.\n - The ability to influence reputation/signal/impact via socially engineering a program's team members.\n - Reports which disclose the existence of private programs that are using SAML\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2016-10-03T21:24:39.975Z"},{"id":3539263,"new_policy":"We've built HackerOne from the ground up with security as our top priority. Even so, we believe that all technology contains bugs and that the public plays a crucial role in identifying these bugs. 
If you believe you've found a security bug in our service, we'll gladly work with you to resolve that issue and ensure you are fairly compensated for your discovery.\n\n### If you are looking to report a non-security-related bug in HackerOne, please [submit here](https://support.hackerone.com/hc/en-us/requests/new) instead. \n\nWe categorize security bugs in our service into two categories:\n\n* **Severe**: Any bug that might grant unauthorized access to confidential bug descriptions. Severe bugs have a minimum bounty of **$10,000**.\n* **Interesting**: Any bug that might otherwise potentially impact the security of our service. Interesting bugs have a minimum bounty of **$500**.\n\nWe believe in transparency about our security, so any valid vulnerabilities discovered are always publicly disclosed once confirmed and resolved.\n\nBelow we'll describe some of the measures we take to keep our service safe and secure.\n\nApplication Security\n===============\n\n* Several of our engineers live double lives as security engineers and penetration testers. 
All commits go through mandatory code and security review, along with examination by static analysis tools.\n* All data access and mutation goes through a stringent Command Query Responsibility Segregation (CQRS) framework for centralized auditing, authentication, and authorization.\n* This framework utilizes strong typing and parameterization to eliminate SQL Injection attacks, as well as enforcing the presence of an anti-CSRF token prior to any data mutation.\n* We utilize a strict [Content Security Policy](https://en.wikipedia.org/wiki/Content_Security_Policy) and a safe-by-default templating language to effectively neutralize Cross-Site Scripting (XSS).\n* We encrypt all network communications with SSL/TLS accompanied with [Perfect Forward Secrecy](https://en.wikipedia.org/wiki/Forward_secrecy#Perfect_Forward_Secrecy) and [HTTP Strict Transport Security (HSTS)](https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security), including being [HSTS preloaded](https://hstspreload.appspot.com/) in most major browsers.\n* All requests pass through multiple rate limiting implementations to protect against brute-force attacks.\n* We don't store passwords: we store `bcrypt(13, salt, strcat(password, sha512(app-token, env-token)))`.\n* Passwords must be a minimum of 8 characters and pass a [zxcvbn](https://blogs.dropbox.com/tech/2012/04/zxcvbn-realistic-password-strength-estimation/) strong entropy check.\n* User-submitted content (such as attachments and images) is stored in AWS S3, encrypted at rest, and served from a sandboxed domain, protecting from [Same-origin Policy](https://en.wikipedia.org/wiki/Same-origin_policy) attacks.\n* Two-factor authentication and IP whitelisting are available to further restrict access to accounts.\n* Role-based access control allows for granular permissions for team members.\n* No credit card information is stored on our servers. 
We use [Stripe](https://stripe.com/docs/security), a PCI Level 1 service provider.\n\nInfrastructure \u0026 Operational Security\n===============\n\n* All our infrastructure is hosted on dedicated, unmanaged hardware in an ISAE 3402 type I and ISO 27001 certified datacenter.\n* Network segregation is aggressively deployed between services and environments.\n* Backups are encrypted at rest using AES-256.\n* All infrastructure access requires two-factor, multi-stage authentication.\n* We leverage [CloudFlare](https://www.cloudflare.com) to supplement our infrastructure's resilience.\n* Enforced usage of strong passwords, password managers, client encryption, mobile device management, and screen locking.\n* All employees undergo a criminal background check upon hiring.\n\n… and more. We're constantly seeking to improve. If you have any questions on our security or suggestions on how HackerOne could be improved, please let us know at support@hackerone.com.\n\nScope Exclusions\n===============\nThe following categories of reports are considered out of scope for our program and will not be rewarded:\n\n - Reports which target a lack of host header validation or that exploit [multiple forward slashes](https://hackerone.com/reports/52035) at the root of the path segment of a URL. Both of these issues are known to both us and CloudFlare, and their resolution is outside our control.\n - Spamming other users with automated HackerOne emails or notifications (e.g. abusing the forgot password form).\n - For reports addressing `support.hackerone.com` unless they are critical or severe issues they will be marked as not applicable. `support.hackerone.com` is hosted by Zendesk, and as such general reports should be submitted to their program instead via @zendesk. \n - Reports which [enumerate already claimed user and program handles](https://hackerone.com/reports/29185). 
This reveals no sensitive information, regardless of whether the associated profiles are public or private.\n - Reports which involve constructing a markdown link in such a way that it may appear confusing in the external link warning interstitial page, despite being properly decoded and fully enclosed in the demarcated \"External link\" box.\n - Reports relating to the execution of CSV content by a third-party client application due to special treatment of certain characters in the exported CSV.\n - Reports relating to invitation expiration dates.\n - Reports relating to self-DoS issues (as in, only the person doing the action is denied service).\n - Reports relating to missing rate limiting of [our API](https://api.hackerone.com/). We intentionally made this design decision to learn how people use our API. We plan to implement a rate limit in the future.\n - The ability to game the badges functionality by closing submissions reported by yourself or a team member in a verified program.\n - The ability to influence reputation/signal/impact via socially engineering a program's team members.\n - Reports which disclose the existence of private programs that are using SAML\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2016-09-21T19:22:27.107Z"},{"id":3539066,"new_policy":"We've built HackerOne from the ground up with security as our top priority. Even so, we believe that all technology contains bugs and that the public plays a crucial role in identifying these bugs. 
If you believe you've found a security bug in our service, we'll gladly work with you to resolve that issue and ensure you are fairly compensated for your discovery.\n\n### If you are looking to report a non-security-related bug in HackerOne, please [submit here](https://support.hackerone.com/hc/en-us/requests/new) instead. \n\nWe categorize security bugs in our service into two categories:\n\n* **Severe**: Any bug that might grant unauthorized access to confidential bug descriptions. Severe bugs have a minimum bounty of **$10,000**.\n* **Interesting**: Any bug that might otherwise potentially impact the security of our service. Interesting bugs have a minimum bounty of **$500**.\n\nWe believe in transparency about our security, so any valid vulnerabilities discovered are always publicly disclosed once confirmed and resolved.\n\nBelow we'll describe some of the measures we take to keep our service safe and secure.\n\nApplication Security\n===============\n\n* Several of our engineers live double lives as security engineers and penetration testers. 
All commits go through mandatory code and security review, along with examination by static analysis tools.\n* All data access and mutation goes through a stringent Command Query Responsibility Segregation (CQRS) framework for centralized auditing, authentication, and authorization.\n* This framework utilizes strong typing and parameterization to eliminate SQL Injection attacks, as well as enforcing the presence of an anti-CSRF token prior to any data mutation.\n* We utilize a strict [Content Security Policy](https://en.wikipedia.org/wiki/Content_Security_Policy) and a safe-by-default templating language to effectively neutralize Cross-Site Scripting (XSS).\n* We encrypt all network communications with SSL/TLS accompanied with [Perfect Forward Secrecy](https://en.wikipedia.org/wiki/Forward_secrecy#Perfect_Forward_Secrecy) and [HTTP Strict Transport Security (HSTS)](https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security), including being [HSTS preloaded](https://hstspreload.appspot.com/) in most major browsers.\n* All requests pass through multiple rate limiting implementations to protect against brute-force attacks.\n* We don't store passwords: we store `bcrypt(13, salt, strcat(password, sha512(app-token, env-token)))`.\n* Passwords must be a minimum of 8 characters and pass a [zxcvbn](https://blogs.dropbox.com/tech/2012/04/zxcvbn-realistic-password-strength-estimation/) strong entropy check.\n* User-submitted content (such as attachments and images) is stored in AWS S3, encrypted at rest, and served from a sandboxed domain, protecting from [Same-origin Policy](https://en.wikipedia.org/wiki/Same-origin_policy) attacks.\n* Two-factor authentication and IP whitelisting are available to further restrict access to accounts.\n* Role-based access control allows for granular permissions for team members.\n* No credit card information is stored on our servers. 
We use [Stripe](https://stripe.com/docs/security), a PCI Level 1 service provider.\n\nInfrastructure \u0026 Operational Security\n===============\n\n* All our infrastructure is hosted on dedicated, unmanaged hardware in an ISAE 3402 type I and ISO 27001 certified datacenter.\n* Network segregation is aggressively deployed between services and environments.\n* Backups are encrypted at rest using AES-256.\n* All infrastructure access requires two-factor, multi-stage authentication.\n* We leverage [CloudFlare](https://www.cloudflare.com) to supplement our infrastructure's resilience.\n* Enforced usage of strong passwords, password managers, client encryption, mobile device management, and screen locking.\n* All employees undergo a criminal background check upon hiring.\n\n… and more. We're constantly seeking to improve. If you have any questions on our security or suggestions on how HackerOne could be improved, please let us know at support@hackerone.com.\n\nScope Exclusions\n===============\nThe following categories of reports are considered out of scope for our program and will not be rewarded:\n\n - Reports which target a lack of host header validation or that exploit [multiple forward slashes](https://hackerone.com/reports/52035) at the root of the path segment of a URL. Both of these issues are known to both us and CloudFlare, and their resolution is outside our control.\n - Spamming other users with automated HackerOne emails or notifications (e.g. abusing the forgot password form).\n - For reports addressing `support.hackerone.com` unless they are critical or severe issues they will be marked as not applicable. `support.hackerone.com` is hosted by Zendesk, and as such general reports should be submitted to their program instead via @zendesk. \n - Reports which [enumerate already claimed user and program handles](https://hackerone.com/reports/29185). 
This reveals no sensitive information, regardless of whether the associated profiles are public or private.\n - Reports which involve constructing a markdown link in such a way that it may appear confusing in the external link warning interstitial page, despite being properly decoded and fully enclosed in the demarcated \"External link\" box.\n - Reports relating to the execution of CSV content by a third-party client application due to special treatment of certain characters in the exported CSV.\n - Reports relating to invitation expiration dates.\n - Reports relating to self-DoS issues (as in, only the person doing the action is denied service).\n - Reports relating to missing rate limiting of [our API](https://api.hackerone.com/). We intentionally made this design decision to learn how people use our API. We plan to implement a rate limit in the future.\n - The ability to game the badges functionality by closing submissions reported by yourself or a team member in a verified program.\n - The ability to influence reputation/signal/impact via socially engineering a program's team members.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2016-09-19T10:34:57.153Z"},{"id":3499219,"new_policy":"We've built HackerOne from the ground up with security as our top priority. Even so, we believe that all technology contains bugs and that the public plays a crucial role in identifying these bugs. If you believe you've found a security bug in our service, we'll gladly work with you to resolve that issue and ensure you are fairly compensated for your discovery.\n\n### If you are looking to report a non-security-related bug in HackerOne, please [submit here](https://support.hackerone.com/hc/en-us/requests/new) instead. 
\n\nWe categorize security bugs in our service into two categories:\n\n* **Severe**: Any bug that might grant unauthorized access to confidential bug descriptions. Severe bugs have a minimum bounty of **$10,000**.\n* **Interesting**: Any bug that might otherwise potentially impact the security of our service. Interesting bugs have a minimum bounty of **$500**.\n\nWe believe in transparency about our security, so any valid vulnerabilities discovered are always publicly disclosed once confirmed and resolved.\n\nBelow we'll describe some of the measures we take to keep our service safe and secure.\n\nApplication Security\n===============\n\n* Several of our engineers live double lives as security engineers and penetration testers. All commits go through mandatory code and security review, along with examination by static analysis tools.\n* All data access and mutation goes through a stringent Command Query Responsibility Segregation (CQRS) framework for centralized auditing, authentication, and authorization.\n* This framework utilizes strong typing and parameterization to eliminate SQL Injection attacks, as well as enforcing the presence of an anti-CSRF token prior to any data mutation.\n* We utilize a strict [Content Security Policy](https://en.wikipedia.org/wiki/Content_Security_Policy) and a safe-by-default templating language to effectively neutralize Cross-Site Scripting (XSS).\n* We encrypt all network communications with SSL/TLS accompanied with [Perfect Forward Secrecy](https://en.wikipedia.org/wiki/Forward_secrecy#Perfect_Forward_Secrecy) and [HTTP Strict Transport Security (HSTS)](https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security), including being [HSTS preloaded](https://hstspreload.appspot.com/) in most major browsers.\n* All requests pass through multiple rate limiting implementations to protect against brute-force attacks.\n* We don't store passwords: we store `bcrypt(13, salt, strcat(password, sha512(app-token, env-token)))`.\n* Passwords 
must be a minimum of 8 characters and pass a [zxcvbn](https://blogs.dropbox.com/tech/2012/04/zxcvbn-realistic-password-strength-estimation/) strong entropy check.\n* User-submitted content (such as attachments and images) is stored in AWS S3, encrypted at rest, and served from a sandboxed domain, protecting from [Same-origin Policy](https://en.wikipedia.org/wiki/Same-origin_policy) attacks.\n* Two-factor authentication and IP whitelisting are available to further restrict access to accounts.\n* Role-based access control allows for granular permissions for team members.\n* No credit card information is stored on our servers. We use [Stripe](https://stripe.com/docs/security), a PCI Level 1 service provider.\n\nInfrastructure \u0026 Operational Security\n===============\n\n* All our infrastructure is hosted on dedicated, unmanaged hardware in an ISAE 3402 type I and ISO 27001 certified datacenter.\n* Network segregation is aggressively deployed between services and environments.\n* Backups are encrypted at rest using AES-256.\n* All infrastructure access requires two-factor, multi-stage authentication.\n* We leverage [CloudFlare](https://www.cloudflare.com) to supplement our infrastructure's resilience.\n* Enforced usage of strong passwords, password managers, client encryption, mobile device management, and screen locking.\n* All employees undergo a criminal background check upon hiring.\n\n… and more. We're constantly seeking to improve. If you have any questions on our security or suggestions on how HackerOne could be improved, please let us know at support@hackerone.com.\n\nScope Exclusions\n===============\nThe following categories of reports are considered out of scope for our program and will not be rewarded:\n\n - Reports which target a lack of host header validation or that exploit [multiple forward slashes](https://hackerone.com/reports/52035) at the root of the path segment of a URL. 
Both of these issues are known to both us and CloudFlare, and their resolution is outside our control.\n - Spamming other users with automated HackerOne emails or notifications (e.g. abusing the forgot password form).\n - For reports addressing `support.hackerone.com` unless they are critical or severe issues they will be marked as not applicable. `support.hackerone.com` is hosted by Zendesk, and as such general reports should be submitted to their program instead via @zendesk. \n - Reports which [enumerate already claimed user and program handles](https://hackerone.com/reports/29185). This reveals no sensitive information, regardless of whether the associated profiles are public or private.\n - Reports which involve constructing a markdown link in such a way that it may appear confusing in the external link warning interstitial page, despite being properly decoded and fully enclosed in the demarcated \"External link\" box.\n - Reports relating to the execution of CSV content by a third-party client application due to special treatment of certain characters in the exported CSV.\n - Reports relating to invitation expiration dates.\n - Reports relating to self-DoS issues (as in, only the person doing the action is denied service).\n - Reports relating to missing rate limiting of [our API](https://api.hackerone.com/). We intentionally made this design decision to learn how people use our API. 
We plan to implement a rate limit in the future.\n - The ability to game the badges functionality by closing submissions reported by yourself or a team member in a verified program.\n- The ability to influence reputation/signal/impact via socially engineering a program's team members.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2016-08-26T03:07:15.472Z"},{"id":2991186,"new_policy":"We've built HackerOne from the ground up with security as our top priority. Even so, we believe that all technology contains bugs and that the public plays a crucial role in identifying these bugs. If you believe you've found a security bug in our service, we'll gladly work with you to resolve that issue and ensure you are fairly compensated for your discovery.\n\n### If you are looking to report a non-security-related bug in HackerOne, please [submit here](https://support.hackerone.com/hc/en-us/requests/new) instead. \n\nWe categorize security bugs in our service into two categories:\n\n* **Severe**: Any bug that might grant unauthorized access to confidential bug descriptions. Severe bugs have a minimum bounty of **$10,000**.\n* **Interesting**: Any bug that might otherwise potentially impact the security of our service. Interesting bugs have a minimum bounty of **$500**.\n\nWe believe in transparency about our security, so any valid vulnerabilities discovered are always publicly disclosed once confirmed and resolved.\n\nBelow we'll describe some of the measures we take to keep our service safe and secure.\n\nApplication Security\n===============\n\n* Several of our engineers live double lives as security engineers and penetration testers. 
All commits go through mandatory code and security review, along with examination by static analysis tools.\n* All data access and mutation goes through a stringent Command Query Responsibility Segregation (CQRS) framework for centralized auditing, authentication, and authorization.\n* This framework utilizes strong typing and parameterization to eliminate SQL Injection attacks, as well as enforcing the presence of an anti-CSRF token prior to any data mutation.\n* We utilize a strict [Content Security Policy](https://en.wikipedia.org/wiki/Content_Security_Policy) and a safe-by-default templating language to effectively neutralize Cross-Site Scripting (XSS).\n* We encrypt all network communications with SSL/TLS accompanied with [Perfect Forward Secrecy](https://en.wikipedia.org/wiki/Forward_secrecy#Perfect_Forward_Secrecy) and [HTTP Strict Transport Security (HSTS)](https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security), including being [HSTS preloaded](https://hstspreload.appspot.com/) in most major browsers.\n* All requests pass through multiple rate limiting implementations to protect against brute-force attacks.\n* We don't store passwords: we store `bcrypt(13, salt, strcat(password, sha512(app-token, env-token)))`.\n* Passwords must be a minimum of 8 characters and pass a [zxcvbn](https://blogs.dropbox.com/tech/2012/04/zxcvbn-realistic-password-strength-estimation/) strong entropy check.\n* User-submitted content (such as attachments and images) is stored in AWS S3, encrypted at rest, and served from a sandboxed domain, protecting from [Same-origin Policy](https://en.wikipedia.org/wiki/Same-origin_policy) attacks.\n* Two-factor authentication and IP whitelisting are available to further restrict access to accounts.\n* Role-based access control allows for granular permissions for team members.\n* No credit card information is stored on our servers. 
We use [Stripe](https://stripe.com/docs/security), a PCI Level 1 service provider.\n\nInfrastructure \u0026 Operational Security\n===============\n\n* All our infrastructure is hosted on dedicated, unmanaged hardware in an ISAE 3402 type I and ISO 27001 certified datacenter.\n* Network segregation is aggressively deployed between services and environments.\n* Backups are encrypted at rest using AES-256.\n* All infrastructure access requires two-factor, multi-stage authentication.\n* We leverage [CloudFlare](https://www.cloudflare.com) to supplement our infrastructure's resilience.\n* Enforced usage of strong passwords, password managers, client encryption, mobile device management, and screen locking.\n* All employees undergo a criminal background check upon hiring.\n\n… and more. We're constantly seeking to improve. If you have any questions on our security or suggestions on how HackerOne could be improved, please let us know at support@hackerone.com.\n\nScope Exclusions\n===============\nThe following categories of reports are considered out of scope for our program and will not be rewarded:\n\n - Reports which target a lack of host header validation or that exploit [multiple forward slashes](https://hackerone.com/reports/52035) at the root of the path segment of a URL. Both of these issues are known to both us and CloudFlare, and their resolution is outside our control.\n - Spamming other users with automated HackerOne emails or notifications (e.g. abusing the forgot password form).\n - For reports addressing `support.hackerone.com` unless they are critical or severe issues they will be marked as not applicable. `support.hackerone.com` is hosted by Zendesk, and as such general reports should be submitted to their program instead via @zendesk. \n - Reports which [enumerate already claimed user and program handles](https://hackerone.com/reports/29185). 
This reveals no sensitive information, regardless of whether the associated profiles are public or private.\n - Reports which involve constructing a markdown link in such a way that it may appear confusing in the external link warning interstitial page, despite being properly decoded and fully enclosed in the demarcated \"External link\" box.\n - Reports relating to the execution of CSV content by a third-party client application due to special treatment of certain characters in the exported CSV.\n - Reports relating to invitation expiration dates.\n - Reports relating to self-DoS issues (as in, only the person doing the action is denied service).\n - Reports relating to missing rate limiting of [our API](https://api.hackerone.com/). We intentionally made this design decision to learn how people use our API. We plan to implement a rate limit in the future.\n - The ability to game the badges functionality by closing submissions reported by yourself or a team member in a verified program.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2016-06-30T15:08:44.627Z"},{"id":2876040,"new_policy":"We've built HackerOne from the ground up with security as our top priority. Even so, we believe that all technology contains bugs and that the public plays a crucial role in identifying these bugs. If you believe you've found a security bug in our service, we'll gladly work with you to resolve that issue and ensure you are fairly compensated for your discovery.\n\n### If you are looking to report a non-security-related bug in HackerOne, please [submit here](https://support.hackerone.com/hc/en-us/requests/new) instead. 
\n\nWe categorize security bugs in our service into two categories:\n\n* **Severe**: Any bug that might grant unauthorized access to confidential bug descriptions. Severe bugs have a minimum bounty of **$10,000**.\n* **Interesting**: Any bug that might otherwise potentially impact the security of our service. Interesting bugs have a minimum bounty of **$500**.\n\nWe believe in transparency about our security, so any valid vulnerabilities discovered are always publicly disclosed once confirmed and resolved.\n\nBelow we'll describe some of the measures we take to keep our service safe and secure.\n\nApplication Security\n===============\n\n* Several of our engineers live double lives as security engineers and penetration testers. All commits go through mandatory code and security review, along with examination by static analysis tools.\n* All data access and mutation goes through a stringent Command Query Responsibility Segregation (CQRS) framework for centralized auditing, authentication, and authorization.\n* This framework utilizes strong typing and parameterization to eliminate SQL Injection attacks, as well as enforcing the presence of an anti-CSRF token prior to any data mutation.\n* We utilize a strict [Content Security Policy](https://en.wikipedia.org/wiki/Content_Security_Policy) and a safe-by-default templating language to effectively neutralize Cross-Site Scripting (XSS).\n* We encrypt all network communications with SSL/TLS accompanied with [Perfect Forward Secrecy](https://en.wikipedia.org/wiki/Forward_secrecy#Perfect_Forward_Secrecy) and [HTTP Strict Transport Security (HSTS)](https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security), including being [HSTS preloaded](https://hstspreload.appspot.com/) in most major browsers.\n* All requests pass through multiple rate limiting implementations to protect against brute-force attacks.\n* We don't store passwords: we store `bcrypt(13, salt, strcat(password, sha512(app-token, env-token)))`.\n* Passwords 
must be a minimum of 8 characters and pass a [zxcvbn](https://blogs.dropbox.com/tech/2012/04/zxcvbn-realistic-password-strength-estimation/) strong entropy check.\n* User-submitted content (such as attachments and images) is stored in AWS S3, encrypted at rest, and served from a sandboxed domain, protecting from [Same-origin Policy](https://en.wikipedia.org/wiki/Same-origin_policy) attacks.\n* Two-factor authentication and IP whitelisting are available to further restrict access to accounts.\n* Role-based access control allows for granular permissions for team members.\n* No credit card information is stored on our servers. We use [Stripe](https://stripe.com/docs/security), a PCI Level 1 service provider.\n\nInfrastructure \u0026 Operational Security\n===============\n\n* No HackerOne employees are authorized to access customer vulnerability information.\n* All our infrastructure is hosted on dedicated, unmanaged hardware in an ISAE 3402 type I and ISO 27001 certified datacenter.\n* Network segregation is aggressively deployed between services and environments.\n* All infrastructure access requires two-factor, multi-stage authentication.\n* We leverage [CloudFlare](https://www.cloudflare.com) to supplement our infrastructure's resilience.\n* Enforced usage of strong passwords, password managers, client encryption, mobile device management, and screen locking.\n* All employees undergo a criminal background check upon hiring.\n\n… and more. We're constantly seeking to improve. If you have any questions on our security or suggestions on how HackerOne could be improved, please let us know at support@hackerone.com.\n\nScope Exclusions\n===============\nThe following categories of reports are considered out of scope for our program and will not be rewarded:\n\n - Reports which target a lack of host header validation or that exploit [multiple forward slashes](https://hackerone.com/reports/52035) at the root of the path segment of a URL. 
Both of these issues are known to both us and CloudFlare, and their resolution is outside our control.\n - Spamming other users with automated HackerOne emails or notifications (e.g. abusing the forgot password form).\n - For reports addressing `support.hackerone.com` unless they are critical or severe issues they will be marked as not applicable. `support.hackerone.com` is hosted by Zendesk, and as such general reports should be submitted to their program instead via @zendesk. \n - Reports which [enumerate already claimed user and program handles](https://hackerone.com/reports/29185). This reveals no sensitive information, regardless of whether the associated profiles are public or private.\n - Reports which involve constructing a markdown link in such a way that it may appear confusing in the external link warning interstitial page, despite being properly decoded and fully enclosed in the demarcated \"External link\" box.\n - Reports relating to the execution of CSV content by a third-party client application due to special treatment of certain characters in the exported CSV.\n - Reports relating to invitation expiration dates.\n - Reports relating to self-DoS issues (as in, only the person doing the action is denied service).\n - Reports relating to missing rate limiting of [our API](https://api.hackerone.com/). We intentionally made this design decision to learn how people use our API. 
We plan to implement a rate limit in the future.\n - The ability to game the badges functionality by closing submissions reported by yourself or a team member in a verified program.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2016-06-07T20:28:28.778Z"},{"id":2858720,"new_policy":"We've built HackerOne from the ground up with security as our top priority. Even so, we believe that all technology contains bugs and that the public plays a crucial role in identifying these bugs. If you believe you've found a security bug in our service, we'll gladly work with you to resolve that issue and ensure you are fairly compensated for your discovery.\n\n### If you are looking to report a non-security-related bug in HackerOne, please [submit here](https://support.hackerone.com/hc/en-us/requests/new) instead. \n\nWe categorize security bugs in our service into two categories:\n\n* **Severe**: Any bug that might grant unauthorized access to confidential bug descriptions. Severe bugs have a minimum bounty of **$10,000**.\n* **Interesting**: Any bug that might otherwise potentially impact the security of our service. Interesting bugs have a minimum bounty of **$500**.\n\nWe believe in transparency about our security, so any valid vulnerabilities discovered are always publicly disclosed once confirmed and resolved.\n\nBelow we'll describe some of the measures we take to keep our service safe and secure.\n\nApplication Security\n===============\n\n* Several of our engineers live double lives as security engineers and penetration testers. 
All commits go through mandatory code and security review, along with examination by static analysis tools.\n* All data access and mutation goes through a stringent Command Query Responsibility Segregation (CQRS) framework for centralized auditing, authentication, and authorization.\n* This framework utilizes strong typing and parameterization to eliminate SQL Injection attacks, as well as enforcing the presence of an anti-CSRF token prior to any data mutation.\n* We utilize a strict [Content Security Policy](https://en.wikipedia.org/wiki/Content_Security_Policy) and a safe-by-default templating language to effectively neutralize Cross-Site Scripting (XSS).\n* We encrypt all network communications with SSL/TLS accompanied with [Perfect Forward Secrecy](https://en.wikipedia.org/wiki/Forward_secrecy#Perfect_Forward_Secrecy) and [HTTP Strict Transport Security (HSTS)](https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security), including being [HSTS preloaded](https://hstspreload.appspot.com/) in most major browsers.\n* All requests pass through multiple rate limiting implementations to protect against brute-force attacks.\n* We don't store passwords: we store `bcrypt(13, salt, strcat(password, sha512(app-token, env-token)))`.\n* Passwords must be a minimum of 8 characters and pass a [zxcvbn](https://blogs.dropbox.com/tech/2012/04/zxcvbn-realistic-password-strength-estimation/) strong entropy check.\n* User-submitted content (such as attachments and images) is stored in AWS S3, encrypted at rest, and served from a sandboxed domain, protecting from [Same-origin Policy](https://en.wikipedia.org/wiki/Same-origin_policy) attacks.\n* Two-factor authentication and IP whitelisting are available to further restrict access to accounts.\n* Role-based access control allows for granular permissions for team members.\n* No credit card information is stored on our servers. 
We use [Stripe](https://stripe.com/docs/security), a PCI Level 1 service provider.\n\nInfrastructure \u0026 Operational Security\n===============\n\n* No HackerOne employees are authorized to access customer vulnerability information.\n* All our infrastructure is hosted on dedicated, unmanaged hardware in an ISAE 3402 type I and ISO 27001 certified datacenter.\n* Network segregation is aggressively deployed between services and environments.\n* All infrastructure access requires two-factor, multi-stage authentication.\n* We leverage [CloudFlare](https://www.cloudflare.com) to supplement our infrastructure's resilience.\n* Enforced usage of strong passwords, password managers, client encryption, mobile device management, and screen locking.\n* All employees undergo a criminal background check upon hiring.\n\n… and more. We're constantly seeking to improve. If you have any questions on our security or suggestions on how HackerOne could be improved, please let us know at support@hackerone.com.\n\nScope Exclusions\n===============\nThe following categories of reports are considered out of scope for our program and will not be rewarded:\n\n - Reports which target a lack of host header validation or that exploit [multiple forward slashes](https://hackerone.com/reports/52035) at the root of the path segment of a URL. Both of these issues are known to both us and CloudFlare, and their resolution is outside our control.\n - Spamming other users with automated HackerOne emails or notifications (e.g. abusing the forgot password form).\n - For reports addressing `support.hackerone.com` unless they are critical or severe issues they will be marked as not applicable. `support.hackerone.com` is hosted by Zendesk, and as such general reports should be submitted to their program instead via @zendesk. \n - Reports which [enumerate already claimed user and program handles](https://hackerone.com/reports/29185). 
This reveals no sensitive information, regardless of whether the associated profiles are public or private.\n - Reports which involve constructing a markdown link in such a way that it may appear confusing in the external link warning interstitial page, despite being properly decoded and fully enclosed in the demarcated \"External link\" box.\n - Reports relating to the execution of CSV content by a third-party client application due to special treatment of certain characters in the exported CSV.\n - Reports relating to invitation expiration dates.\n - Reports relating to self-DoS issues (as in, only the person doing the action is denied service).\n - Reports relating to missing rate limiting of [our API](https://api.hackerone.com/). We intentionally made this design decision to learn how people use our API. We plan to implement a rate limit in the future.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2016-06-02T16:28:39.347Z"},{"id":2836812,"new_policy":"We've built HackerOne from the ground up with security as our top priority. Even so, we believe that all technology contains bugs and that the public plays a crucial role in identifying these bugs. If you believe you've found a security bug in our service, we'll gladly work with you to resolve that issue and ensure you are fairly compensated for your discovery.\n\n### If you are looking to report a non-security-related bug in HackerOne, please [submit here](https://support.hackerone.com/hc/en-us/requests/new) instead. \n\nWe categorize security bugs in our service into two categories:\n\n* **Severe**: Any bug that might grant unauthorized access to confidential bug descriptions. 
Severe bugs have a minimum bounty of **$10,000**.\n* **Interesting**: Any bug that might otherwise potentially impact the security of our service. Interesting bugs have a minimum bounty of **$500**.\n\nWe believe in transparency about our security, so any valid vulnerabilities discovered are always publicly disclosed once confirmed and resolved.\n\nBelow we'll describe some of the measures we take to keep our service safe and secure.\n\nApplication Security\n===============\n\n* Several of our engineers live double lives as security engineers and penetration testers. All commits go through mandatory code and security review, along with examination by static analysis tools.\n* All data access and mutation goes through a stringent Command Query Responsibility Segregation (CQRS) framework for centralized auditing, authentication, and authorization.\n* This framework utilizes strong typing and parameterization to eliminate SQL Injection attacks, as well as enforcing the presence of an anti-CSRF token prior to any data mutation.\n* We utilize a strict [Content Security Policy](https://en.wikipedia.org/wiki/Content_Security_Policy) and a safe-by-default templating language to effectively neutralize Cross-Site Scripting (XSS).\n* We encrypt all network communications with SSL/TLS accompanied with [Perfect Forward Secrecy](https://en.wikipedia.org/wiki/Forward_secrecy#Perfect_Forward_Secrecy) and [HTTP Strict Transport Security (HSTS)](https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security), including being [HSTS preloaded](https://hstspreload.appspot.com/) in most major browsers.\n* All requests pass through multiple rate limiting implementations to protect against brute-force attacks.\n* We don't store passwords: we store `bcrypt(13, salt, strcat(password, sha512(app-token, env-token)))`.\n* Passwords must be a minimum of 8 characters and pass a [zxcvbn](https://blogs.dropbox.com/tech/2012/04/zxcvbn-realistic-password-strength-estimation/) strong entropy check.\n* 
User-submitted content (such as attachments and images) is stored in AWS S3, encrypted at rest, and served from a sandboxed domain, protecting from [Same-origin Policy](https://en.wikipedia.org/wiki/Same-origin_policy) attacks.\n* Two-factor authentication and IP whitelisting are available to further restrict access to accounts.\n* Role-based access control allows for granular permissions for team members.\n* No credit card information is stored on our servers. We use [Stripe](https://stripe.com/docs/security), a PCI Level 1 service provider.\n\nInfrastructure \u0026 Operational Security\n===============\n\n* No HackerOne employees are authorized to access customer vulnerability information.\n* All our infrastructure is hosted on dedicated, unmanaged hardware in an ISAE 3402 type I and ISO 27001 certified datacenter.\n* Network segregation is aggressively deployed between services and environments.\n* All infrastructure access requires two-factor, multi-stage authentication.\n* We leverage [CloudFlare](https://www.cloudflare.com) to supplement our infrastructure's resilience.\n* Enforced usage of strong passwords, password managers, client encryption, mobile device management, and screen locking.\n* All employees undergo a criminal background check upon hiring.\n\n… and more. We're constantly seeking to improve. If you have any questions on our security or suggestions on how HackerOne could be improved, please let us know at support@hackerone.com.\n\nScope Exclusions\n===============\nThe following categories of reports are considered out of scope for our program and will not be rewarded:\n\n - Reports which target a lack of host header validation or that exploit [multiple forward slashes](https://hackerone.com/reports/52035) at the root of the path segment of a URL. Both of these issues are known to both us and CloudFlare, and their resolution is outside our control.\n - Spamming other users with automated HackerOne emails or notifications (e.g. 
abusing the forgot password form).\n - For reports addressing `support.hackerone.com` unless they are critical or severe issues they will be marked as not applicable. `support.hackerone.com` is hosted by Zendesk, and as such general reports should be submitted to their program instead via @zendesk. \n - Reports which [enumerate already claimed user and program handles](https://hackerone.com/reports/29185). This reveals no sensitive information, regardless of whether the associated profiles are public or private.\n - Reports which involve constructing a markdown link in such a way that it may appear confusing in the external link warning interstitial page, despite being properly decoded and fully enclosed in the demarcated \"External link\" box.\n - Reports relating to the execution of CSV content by a third-party client application due to special treatment of certain characters in the exported CSV.\n - Reports relating to invitation expiration dates.\n - Reports relating to self-DoS issues (as in, only the person doing the action is denied service).\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2016-05-28T03:22:47.532Z"},{"id":2459107,"new_policy":"We've built HackerOne from the ground up with security as our top priority. Even so, we believe that all technology contains bugs and that the public plays a crucial role in identifying these bugs. If you believe you've found a security bug in our service, we'll gladly work with you to resolve that issue and ensure you are fairly compensated for your discovery.\n\n### If you are looking to report a non-security-related bug in HackerOne, please [submit here](https://support.hackerone.com/hc/en-us/requests/new) instead. 
\n\nWe categorize security bugs in our service into two categories:\n\n* **Severe**: Any bug that might grant unauthorized access to confidential bug descriptions. Severe bugs have a minimum bounty of **$10,000**.\n* **Interesting**: Any bug that might otherwise potentially impact the security of our service. Interesting bugs have a minimum bounty of **$500**.\n\nWe believe in transparency about our security, so any valid vulnerabilities discovered are always publicly disclosed once confirmed and resolved.\n\nBelow we'll describe some of the measures we take to keep our service safe and secure.\n\nApplication Security\n===============\n\n* Several of our engineers live double lives as security engineers and penetration testers. All commits go through mandatory code and security review, along with examination by static analysis tools.\n* All data access and mutation goes through a stringent Command Query Responsibility Segregation (CQRS) framework for centralized auditing, authentication, and authorization.\n* This framework utilizes strong typing and parameterization to eliminate SQL Injection attacks, as well as enforcing the presence of an anti-CSRF token prior to any data mutation.\n* We utilize a strict [Content Security Policy](https://en.wikipedia.org/wiki/Content_Security_Policy) and a safe-by-default templating language to effectively neutralize Cross-Site Scripting (XSS).\n* We encrypt all network communications with SSL/TLS accompanied with [Perfect Forward Secrecy](https://en.wikipedia.org/wiki/Forward_secrecy#Perfect_Forward_Secrecy) and [HTTP Strict Transport Security (HSTS)](https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security), including being [HSTS preloaded](https://hstspreload.appspot.com/) in most major browsers.\n* All requests pass through multiple rate limiting implementations to protect against brute-force attacks.\n* We don't store passwords: we store `bcrypt(13, salt, strcat(password, sha512(app-token, env-token)))`.\n* Passwords 
must be a minimum of 8 characters and pass a [zxcvbn](https://blogs.dropbox.com/tech/2012/04/zxcvbn-realistic-password-strength-estimation/) strong entropy check.\n* User-submitted content (such as attachments and images) is stored in AWS S3, encrypted at rest, and served from a sandboxed domain, protecting from [Same-origin Policy](https://en.wikipedia.org/wiki/Same-origin_policy) attacks.\n* Two-factor authentication and IP whitelisting are available to further restrict access to accounts.\n* Role-based access control allows for granular permissions for team members.\n\nInfrastructure \u0026 Operational Security\n===============\n\n* No HackerOne employees are authorized to access customer vulnerability information.\n* All our infrastructure is hosted on dedicated, unmanaged hardware in an ISAE 3402 type I and ISO 27001 certified datacenter.\n* Network segregation is aggressively deployed between services and environments.\n* All infrastructure access requires two-factor, multi-stage authentication.\n* We leverage [CloudFlare](https://www.cloudflare.com) to supplement our infrastructure's resilience.\n* Enforced usage of strong passwords, password managers, client encryption, mobile device management, and screen locking.\n* All employees undergo a criminal background check upon hiring.\n\n… and more. We're constantly seeking to improve. If you have any questions on our security or suggestions on how HackerOne could be improved, please let us know at support@hackerone.com.\n\nScope Exclusions\n===============\nThe following categories of reports are considered out of scope for our program and will not be rewarded:\n\n - Reports which target a lack of host header validation or that exploit [multiple forward slashes](https://hackerone.com/reports/52035) at the root of the path segment of a URL. 
Both of these issues are known to both us and CloudFlare, and their resolution is outside our control.\n - Spamming other users with automated HackerOne emails or notifications (e.g. abusing the forgot password form).\n - For reports addressing `support.hackerone.com` unless they are critical or severe issues they will be marked as not applicable. `support.hackerone.com` is hosted by Zendesk, and as such general reports should be submitted to their program instead via @zendesk. \n - Reports which [enumerate already claimed user and program handles](https://hackerone.com/reports/29185). This reveals no sensitive information, regardless of whether the associated profiles are public or private.\n - Reports which involve constructing a markdown link in such a way that it may appear confusing in the external link warning interstitial page, despite being properly decoded and fully enclosed in the demarcated \"External link\" box.\n - Reports relating to the execution of CSV content by a third-party client application due to special treatment of certain characters in the exported CSV.\n - Reports relating to invitation expiration dates.\n - Reports relating to self-DoS issues (as in, only the person doing the action is denied service).\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2016-04-06T03:50:05.019Z"},{"id":2424299,"new_policy":"We've built HackerOne from the ground up with security as our top priority. Even so, we believe that all technology contains bugs and that the public plays a crucial role in identifying these bugs. 
If you believe you've found a security bug in our service, we'll gladly work with you to resolve that issue and ensure you are fairly compensated for your discovery.\n\n### If you are looking to report a non-security-related bug in HackerOne, please [submit here](https://support.hackerone.com/hc/en-us/requests/new) instead. You can also use the `Feedback` link in the bottom right corner of any page to let us know about a site bug.\n\nWe categorize security bugs in our service into two categories:\n\n* **Severe**: Any bug that might grant unauthorized access to confidential bug descriptions. Severe bugs have a minimum bounty of **$10,000**.\n* **Interesting**: Any bug that might otherwise potentially impact the security of our service. Interesting bugs have a minimum bounty of **$500**.\n\nWe believe in transparency about our security, so any valid vulnerabilities discovered are always publicly disclosed once confirmed and resolved.\n\nBelow we'll describe some of the measures we take to keep our service safe and secure.\n\nApplication Security\n===============\n\n* Several of our engineers live double lives as security engineers and penetration testers. 
All commits go through mandatory code and security review, along with examination by static analysis tools.\n* All data access and mutation goes through a stringent Command Query Responsibility Segregation (CQRS) framework for centralized auditing, authentication, and authorization.\n* This framework utilizes strong typing and parameterization to eliminate SQL Injection attacks, as well as enforcing the presence of an anti-CSRF token prior to any data mutation.\n* We utilize a strict [Content Security Policy](https://en.wikipedia.org/wiki/Content_Security_Policy) and a safe-by-default templating language to effectively neutralize Cross-Site Scripting (XSS).\n* We encrypt all network communications with SSL/TLS accompanied with [Perfect Forward Secrecy](https://en.wikipedia.org/wiki/Forward_secrecy#Perfect_Forward_Secrecy) and [HTTP Strict Transport Security (HSTS)](https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security), including being [HSTS preloaded](https://hstspreload.appspot.com/) in most major browsers.\n* All requests pass through multiple rate limiting implementations to protect against brute-force attacks.\n* We don't store passwords: we store `bcrypt(13, salt, strcat(password, sha512(app-token, env-token)))`.\n* Passwords must be a minimum of 8 characters and pass a [zxcvbn](https://blogs.dropbox.com/tech/2012/04/zxcvbn-realistic-password-strength-estimation/) strong entropy check.\n* User-submitted content (such as attachments and images) is stored in AWS S3, encrypted at rest, and served from a sandboxed domain, protecting from [Same-origin Policy](https://en.wikipedia.org/wiki/Same-origin_policy) attacks.\n* Two-factor authentication and IP whitelisting are available to further restrict access to accounts.\n* Role-based access control allows for granular permissions for team members.\n\nInfrastructure \u0026 Operational Security\n===============\n\n* No HackerOne employees are authorized to access customer vulnerability information.\n* All our 
infrastructure is hosted on dedicated, unmanaged hardware in an ISAE 3402 type I and ISO 27001 certified datacenter.\n* Network segregation is aggressively deployed between services and environments.\n* All infrastructure access requires two-factor, multi-stage authentication.\n* We leverage [CloudFlare](https://www.cloudflare.com) to supplement our infrastructure's resilience.\n* Enforced usage of strong passwords, password managers, client encryption, mobile device management, and screen locking.\n* All employees undergo a criminal background check upon hiring.\n\n… and more. We're constantly seeking to improve. If you have any questions on our security or suggestions on how HackerOne could be improved, please let us know at support@hackerone.com.\n\nScope Exclusions\n===============\nThe following categories of reports are considered out of scope for our program and will not be rewarded:\n\n - Reports which target a lack of host header validation or that exploit [multiple forward slashes](https://hackerone.com/reports/52035) at the root of the path segment of a URL. Both of these issues are known to both us and CloudFlare, and their resolution is outside our control.\n - Spamming other users with automated HackerOne emails or notifications (e.g. abusing the forgot password form).\n - For reports addressing `support.hackerone.com` unless they are critical or severe issues they will be marked as not applicable. `support.hackerone.com` is hosted by Zendesk, and as such general reports should be submitted to their program instead via @zendesk. \n - Reports which [enumerate already claimed user and program handles](https://hackerone.com/reports/29185). 
This reveals no sensitive information, regardless of whether the associated profiles are public or private.\n - Reports which involve constructing a markdown link in such a way that it may appear confusing in the external link warning interstitial page, despite being properly decoded and fully enclosed in the demarcated \"External link\" box.\n - Reports relating to the execution of CSV content by a third-party client application due to special treatment of certain characters in the exported CSV.\n - Reports relating to invitation expiration dates.\n - Reports relating to self-DoS issues (as in, only the person doing the action is denied service).\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2016-03-30T02:44:58.416Z"},{"id":2418883,"new_policy":"We've built HackerOne from the ground up with security as our top priority. Even so, we believe that all technology contains bugs and that the public plays a crucial role in identifying these bugs. If you believe you've found a security bug in our service, we'll gladly work with you to resolve that issue and ensure you are fairly compensated for your discovery.\n\n### If you are looking to report a non-security-related bug in HackerOne, please [submit here](https://support.hackerone.com/hc/en-us/requests/new) instead. You can also use the `Feedback` link in the bottom right corner of any page to let us know about a site bug.\n\nWe categorize security bugs in our service into two categories:\n\n* **Severe**: Any bug that might grant unauthorized access to confidential bug descriptions. Severe bugs have a minimum bounty of **$10,000**.\n* **Interesting**: Any bug that might otherwise potentially impact the security of our service. 
Interesting bugs have a minimum bounty of **$500**.\n\nWe believe in transparency about our security, so any valid vulnerabilities discovered are always publicly disclosed once confirmed and resolved.\n\nBelow we'll describe some of the measures we take to keep our service safe and secure.\n\nApplication Security\n===============\n\n* Several of our engineers live double lives as security engineers and penetration testers. All commits go through mandatory code and security review, along with examination by static analysis tools.\n* All data access and mutation goes through a stringent Command Query Responsibility Segregation (CQRS) framework for centralized auditing, authentication, and authorization.\n* This framework utilizes strong typing and parameterization to eliminate SQL Injection attacks, as well as enforcing the presence of an anti-CSRF token prior to any data mutation.\n* We utilize a strict [Content Security Policy](https://en.wikipedia.org/wiki/Content_Security_Policy) and a safe-by-default templating language to effectively neutralize Cross-Site Scripting (XSS).\n* We encrypt all network communications with SSL/TLS accompanied with [Perfect Forward Secrecy](https://en.wikipedia.org/wiki/Forward_secrecy#Perfect_Forward_Secrecy) and [HTTP Strict Transport Security (HSTS)](https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security), including being [HSTS preloaded](https://hstspreload.appspot.com/) in most major browsers.\n* All requests pass through multiple rate limiting implementations to protect against brute-force attacks.\n* We don't store passwords: we store `bcrypt(13, salt, strcat(password, sha512(app-token, env-token)))`.\n* Passwords must be a minimum of 8 characters and pass a [zxcvbn](https://blogs.dropbox.com/tech/2012/04/zxcvbn-realistic-password-strength-estimation/) strong entropy check.\n* User-submitted content (such as attachments and images) is stored in AWS S3, encrypted at rest, and served from a sandboxed domain, protecting from 
[Same-origin Policy](https://en.wikipedia.org/wiki/Same-origin_policy) attacks.\n* Two-factor authentication and IP whitelisting are available to further restrict access to accounts.\n* Role-based access control allows for granular permissions for team members.\n\nInfrastructure \u0026 Operational Security\n===============\n\n* No HackerOne employees are authorized to access customer vulnerability information.\n* All our infrastructure is hosted on dedicated, unmanaged hardware in an ISAE 3402 type I and ISO 27001 certified datacenter.\n* Network segregation is aggressively deployed between services and environments.\n* All infrastructure access requires two-factor, multi-stage authentication.\n* We leverage [CloudFlare](https://www.cloudflare.com) to supplement our infrastructure's resilience.\n* Enforced usage of strong passwords, password managers, client encryption, mobile device management, and screen locking.\n* All employees undergo a criminal background check upon hiring.\n\n… and more. We're constantly seeking to improve. If you have any questions on our security or suggestions on how HackerOne could be improved, please let us know at support@hackerone.com.\n\nScope Exclusions\n===============\nThe following categories of reports are considered out of scope for our program and will not be rewarded:\n\n - Reports which target a lack of host header validation or that exploit [multiple forward slashes](https://hackerone.com/reports/52035) at the root of the path segment of a URL. Both of these issues are known to both us and CloudFlare, and their resolution is outside our control.\n - Spamming other users with automated HackerOne emails or notifications (e.g. abusing the forgot password form).\n - For reports addressing `support.hackerone.com` unless they are critical or severe issues they will be marked as not applicable. `support.hackerone.com` is hosted by Zendesk, and as such general reports should be submitted to their program instead via @zendesk. 
\n - Reports which [enumerate already claimed user and program handles](https://hackerone.com/reports/29185). This reveals no sensitive information, regardless of whether the associated profiles are public or private.\n - Reports which involve constructing a markdown link in such a way that it may appear confusing in the external link warning interstitial page, despite being properly decoded and fully enclosed in the demarcated \"External link\" box.\n - Reports relating to the execution of CSV content by a third-party client application due to special treatment of certain characters in the exported CSV.\n - Reports relating to invitation expiration dates.\n - Reports relating to invitations not being tied to specific user accounts.\n - Reports relating to self-DoS issues (as in, only the person doing the action is denied service).\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2016-03-28T18:27:01.526Z"},{"id":2388618,"new_policy":"We've built HackerOne from the ground up with security as our top priority. Even so, we believe that all technology contains bugs and that the public plays a crucial role in identifying these bugs. If you believe you've found a security bug in our service, we'll gladly work with you to resolve that issue and ensure you are fairly compensated for your discovery.\n\n### If you are looking to report a non-security-related bug in HackerOne, please [submit here](https://support.hackerone.com/hc/en-us/requests/new) instead. You can also use the `Feedback` link in the bottom right corner of any page to let us know about a site bug.\n\nWe categorize security bugs in our service into two categories:\n\n* **Severe**: Any bug that might grant unauthorized access to confidential bug descriptions. 
Severe bugs have a minimum bounty of **$10,000**.\n* **Interesting**: Any bug that might otherwise potentially impact the security of our service. Interesting bugs have a minimum bounty of **$500**.\n\nWe believe in transparency about our security, so any valid vulnerabilities discovered are always publicly disclosed once confirmed and resolved.\n\nBelow we'll describe some of the measures we take to keep our service safe and secure.\n\nApplication Security\n===============\n\n* Several of our engineers live double lives as security engineers and penetration testers. All commits go through mandatory code and security review, along with examination by static analysis tools.\n* All data access and mutation goes through a stringent Command Query Responsibility Segregation (CQRS) framework for centralized auditing, authentication, and authorization.\n* This framework utilizes strong typing and parameterization to eliminate SQL Injection attacks, as well as enforcing the presence of an anti-CSRF token prior to any data mutation.\n* We utilize a strict [Content Security Policy](https://en.wikipedia.org/wiki/Content_Security_Policy) and a safe-by-default templating language to effectively neutralize Cross-Site Scripting (XSS).\n* We encrypt all network communications with SSL/TLS accompanied with [Perfect Forward Secrecy](https://en.wikipedia.org/wiki/Forward_secrecy#Perfect_Forward_Secrecy) and [HTTP Strict Transport Security (HSTS)](https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security), including being [HSTS preloaded](https://hstspreload.appspot.com/) in most major browsers.\n* All requests pass through multiple rate limiting implementations to protect against brute-force attacks.\n* We don't store passwords: we store `bcrypt(13, salt, strcat(password, sha512(app-token, env-token)))`.\n* Passwords must be a minimum of 8 characters and pass a [zxcvbn](https://blogs.dropbox.com/tech/2012/04/zxcvbn-realistic-password-strength-estimation/) strong entropy check.\n* 
User-submitted content (such as attachments and images) is stored in AWS S3, encrypted at rest, and served from a sandboxed domain, protecting from [Same-origin Policy](https://en.wikipedia.org/wiki/Same-origin_policy) attacks.\n* Two-factor authentication and IP whitelisting are available to further restrict access to accounts.\n* Role-based access control allows for granular permissions for team members.\n\nInfrastructure \u0026 Operational Security\n===============\n\n* No HackerOne employees are authorized to access customer vulnerability information.\n* All our infrastructure is hosted on dedicated, unmanaged hardware in an ISAE 3402 type I and ISO 27001 certified datacenter.\n* Network segregation is aggressively deployed between services and environments.\n* All infrastructure access requires two-factor, multi-stage authentication.\n* We leverage [CloudFlare](https://www.cloudflare.com) to supplement our infrastructure's resilience.\n* Enforced usage of strong passwords, password managers, client encryption, mobile device management, and screen locking.\n* All employees undergo a criminal background check upon hiring.\n\n… and more. We're constantly seeking to improve. If you have any questions on our security or suggestions on how HackerOne could be improved, please let us know at support@hackerone.com.\n\nScope Exclusions\n===============\nThe following categories of reports are considered out of scope for our program and will not be rewarded:\n\n - Reports which target a lack of host header validation or that exploit [multiple forward slashes](https://hackerone.com/reports/52035) at the root of the path segment of a URL. Both of these issues are known to both us and CloudFlare, and their resolution is outside our control.\n - Spamming other users with automated HackerOne emails or notifications (e.g. 
abusing the forgot password form).\n - For reports addressing `support.hackerone.com` unless they are critical or severe issues they will be marked as not applicable. `support.hackerone.com` is hosted by Zendesk, and as such general reports should be submitted to their program instead via @zendesk. \n - Reports which [enumerate already claimed user and program handles](https://hackerone.com/reports/29185). This reveals no sensitive information, regardless of whether the associated profiles are public or private.\n - Reports relating to the execution of CSV content by a third-party client application due to special treatment of certain characters in the exported CSV.\n - Reports relating to invitation expiration dates.\n - Reports relating to invitations not being tied to specific user accounts.\n - Reports relating to self-DoS issues (as in, only the person doing the action is denied service).\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2016-03-22T08:34:12.561Z"},{"id":2384378,"new_policy":"We've built HackerOne from the ground up with security as our top priority. Even so, we believe that all technology contains bugs and that the public plays a crucial role in identifying these bugs. If you believe you've found a security bug in our service, we'll gladly work with you to resolve that issue and ensure you are fairly compensated for your discovery.\n\n### If you are looking to report a non-security-related bug in HackerOne, please [submit here](https://support.hackerone.com/hc/en-us/requests/new) instead. 
You can also use the `Feedback` link in the bottom right corner of any page to let us know about a site bug.\n\nWe categorize security bugs in our service into two categories:\n\n* **Severe**: Any bug that might grant unauthorized access to confidential bug descriptions. Severe bugs have a minimum bounty of **$10,000**.\n* **Interesting**: Any bug that might otherwise potentially impact the security of our service. Interesting bugs have a minimum bounty of **$500**.\n\nWe believe in transparency about our security, so any valid vulnerabilities discovered are always publicly disclosed once confirmed and resolved.\n\nBelow we'll describe some of the measures we take to keep our service safe and secure.\n\nApplication Security\n===============\n\n* Several of our engineers live double lives as security engineers and penetration testers. All commits go through mandatory code and security review, along with examination by static analysis tools.\n* All data access and mutation goes through a stringent Command Query Responsibility Segregation (CQRS) framework for centralized auditing, authentication, and authorization.\n* This framework utilizes strong typing and parameterization to eliminate SQL Injection attacks, as well as enforcing the presence of an anti-CSRF token prior to any data mutation.\n* We utilize a strict [Content Security Policy](https://en.wikipedia.org/wiki/Content_Security_Policy) and a safe-by-default templating language to effectively neutralize Cross-Site Scripting (XSS).\n* We encrypt all network communications with SSL/TLS accompanied with [Perfect Forward Secrecy](https://en.wikipedia.org/wiki/Forward_secrecy#Perfect_Forward_Secrecy) and [HTTP Strict Transport Security (HSTS)](https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security), including being [HSTS preloaded](https://hstspreload.appspot.com/) in most major browsers.\n* All requests pass through multiple rate limiting implementations to protect against brute-force attacks.\n* We don't 
store passwords: we store `bcrypt(13, salt, strcat(password, sha512(app-token, env-token)))`.\n* Passwords must be a minimum of 8 characters and pass a [zxcvbn](https://blogs.dropbox.com/tech/2012/04/zxcvbn-realistic-password-strength-estimation/) strong entropy check.\n* User-submitted content (such as attachments and images) is stored in AWS S3, encrypted at rest, and served from a sandboxed domain, protecting from [Same-origin Policy](https://en.wikipedia.org/wiki/Same-origin_policy) attacks.\n* Two-factor authentication and IP whitelisting are available to further restrict access to accounts.\n* Role-based access control allows for granular permissions for team members.\n\nInfrastructure \u0026 Operational Security\n===============\n\n* No HackerOne employees are authorized to access customer vulnerability information.\n* All our infrastructure is hosted on dedicated, unmanaged hardware in an ISAE 3402 type I and ISO 27001 certified datacenter.\n* Network segregation is aggressively deployed between services and environments.\n* All infrastructure access requires two-factor, multi-stage authentication.\n* We leverage [CloudFlare](https://www.cloudflare.com) to supplement our infrastructure's resilience.\n* Enforced usage of strong passwords, password managers, client encryption, mobile device management, and screen locking.\n* All employees undergo a criminal background check upon hiring.\n\n… and more. We're constantly seeking to improve. If you have any questions on our security or suggestions on how HackerOne could be improved, please let us know at support@hackerone.com.\n\nScope Exclusions\n===============\nThe following categories of reports are considered out of scope for our program and will not be rewarded:\n\n - Reports which target a lack of host header validation or that exploit [multiple forward slashes](https://hackerone.com/reports/52035) at the root of the path segment of a URL. 
Both of these issues are known to both us and CloudFlare, and their resolution is outside our control.\n - Spamming other users with automated HackerOne emails or notifications (e.g. abusing the forgot password form).\n - For reports addressing `support.hackerone.com` unless they are critical or severe issues they will be marked as not applicable. `support.hackerone.com` is hosted by Zendesk, and as such general reports should be submitted to their program instead via @zendesk. \n - Reports which [enumerate already claimed user and program handles](https://hackerone.com/reports/29185). This reveals no sensitive information, regardless of whether the associated profiles are public or private.\n - Reports relating to invitation expiration dates.\n - Reports relating to invitations not being tied to specific user accounts.\n - Reports relating to self-DoS issues (as in, only the person doing the action is denied service).\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2016-03-20T21:24:54.256Z"},{"id":2384377,"new_policy":"We've built HackerOne from the ground up with security as our top priority. Even so, we believe that all technology contains bugs and that the public plays a crucial role in identifying these bugs. If you believe you've found a security bug in our service, we'll gladly work with you to resolve that issue and ensure you are fairly compensated for your discovery.\n\n**If you are looking to report a non-security-related bug in HackerOne, please e-mail support@hackerone.com instead. You can also use the `Feedback` link in the bottom right corner of any page to let us know about a site bug. 
**\n\nWe categorize security bugs in our service into two categories:\n\n* **Severe**: Any bug that might grant unauthorized access to confidential bug descriptions. Severe bugs have a minimum bounty of **$10,000**.\n* **Interesting**: Any bug that might otherwise potentially impact the security of our service. Interesting bugs have a minimum bounty of **$500**.\n\nWe believe in transparency about our security, so any valid vulnerabilities discovered are always publicly disclosed once confirmed and resolved.\n\nBelow we'll describe some of the measures we take to keep our service safe and secure.\n\nApplication Security\n===============\n\n* Several of our engineers live double lives as security engineers and penetration testers. All commits go through mandatory code and security review, along with examination by static analysis tools.\n* All data access and mutation goes through a stringent Command Query Responsibility Segregation (CQRS) framework for centralized auditing, authentication, and authorization.\n* This framework utilizes strong typing and parameterization to eliminate SQL Injection attacks, as well as enforcing the presence of an anti-CSRF token prior to any data mutation.\n* We utilize a strict [Content Security Policy](https://en.wikipedia.org/wiki/Content_Security_Policy) and a safe-by-default templating language to effectively neutralize Cross-Site Scripting (XSS).\n* We encrypt all network communications with SSL/TLS accompanied with [Perfect Forward Secrecy](https://en.wikipedia.org/wiki/Forward_secrecy#Perfect_Forward_Secrecy) and [HTTP Strict Transport Security (HSTS)](https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security), including being [HSTS preloaded](https://hstspreload.appspot.com/) in most major browsers.\n* All requests pass through multiple rate limiting implementations to protect against brute-force attacks.\n* We don't store passwords: we store `bcrypt(13, salt, strcat(password, sha512(app-token, env-token)))`.\n* Passwords 
must be a minimum of 8 characters and pass a [zxcvbn](https://blogs.dropbox.com/tech/2012/04/zxcvbn-realistic-password-strength-estimation/) strong entropy check.\n* User-submitted content (such as attachments and images) is stored in AWS S3, encrypted at rest, and served from a sandboxed domain, protecting from [Same-origin Policy](https://en.wikipedia.org/wiki/Same-origin_policy) attacks.\n* Two-factor authentication and IP whitelisting are available to further restrict access to accounts.\n* Role-based access control allows for granular permissions for team members.\n\nInfrastructure \u0026 Operational Security\n===============\n\n* No HackerOne employees are authorized to access customer vulnerability information.\n* All our infrastructure is hosted on dedicated, unmanaged hardware in an ISAE 3402 type I and ISO 27001 certified datacenter.\n* Network segregation is aggressively deployed between services and environments.\n* All infrastructure access requires two-factor, multi-stage authentication.\n* We leverage [CloudFlare](https://www.cloudflare.com) to supplement our infrastructure's resilience.\n* Enforced usage of strong passwords, password managers, client encryption, mobile device management, and screen locking.\n* All employees undergo a criminal background check upon hiring.\n\n… and more. We're constantly seeking to improve. If you have any questions on our security or suggestions on how HackerOne could be improved, please let us know at support@hackerone.com.\n\nScope Exclusions\n===============\nThe following categories of reports are considered out of scope for our program and will not be rewarded:\n\n - Reports which target a lack of host header validation or that exploit [multiple forward slashes](https://hackerone.com/reports/52035) at the root of the path segment of a URL. 
Both of these issues are known to both us and CloudFlare, and their resolution is outside our control.\n - Spamming other users with automated HackerOne emails or notifications (e.g. abusing the forgot password form).\n - For reports addressing `support.hackerone.com` unless they are critical or severe issues they will be marked as not applicable. `support.hackerone.com` is hosted by Zendesk, and as such general reports should be submitted to their program instead via @zendesk. \n - Reports which [enumerate already claimed user and program handles](https://hackerone.com/reports/29185). This reveals no sensitive information, regardless of whether the associated profiles are public or private.\n - Reports relating to invitation expiration dates.\n - Reports relating to invitations not being tied to specific user accounts.\n - Reports relating to self-DoS issues (as in, only the person doing the action is denied service).\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2016-03-20T21:22:46.078Z"},{"id":2284809,"new_policy":"We've built HackerOne from the ground up with security as our top priority. Even so, we believe that all technology contains bugs and that the public plays a crucial role in identifying these bugs. If you believe you've found a security bug in our service, we'll gladly work with you to resolve that issue and ensure you are fairly compensated for your discovery.\n\n**If you are looking to report a non-security-related bug in HackerOne, please e-mail support@hackerone.com instead.**\n\nWe categorize security bugs in our service into two categories:\n\n* **Severe**: Any bug that might grant unauthorized access to confidential bug descriptions. 
Severe bugs have a minimum bounty of **$10,000**.\n* **Interesting**: Any bug that might otherwise potentially impact the security of our service. Interesting bugs have a minimum bounty of **$500**.\n\nWe believe in transparency about our security, so any valid vulnerabilities discovered are always publicly disclosed once confirmed and resolved.\n\nBelow we'll describe some of the measures we take to keep our service safe and secure.\n\nApplication Security\n===============\n\n* Several of our engineers live double lives as security engineers and penetration testers. All commits go through mandatory code and security review, along with examination by static analysis tools.\n* All data access and mutation goes through a stringent Command Query Responsibility Segregation (CQRS) framework for centralized auditing, authentication, and authorization.\n* This framework utilizes strong typing and parameterization to eliminate SQL Injection attacks, as well as enforcing the presence of an anti-CSRF token prior to any data mutation.\n* We utilize a strict [Content Security Policy](https://en.wikipedia.org/wiki/Content_Security_Policy) and a safe-by-default templating language to effectively neutralize Cross-Site Scripting (XSS).\n* We encrypt all network communications with SSL/TLS accompanied with [Perfect Forward Secrecy](https://en.wikipedia.org/wiki/Forward_secrecy#Perfect_Forward_Secrecy) and [HTTP Strict Transport Security (HSTS)](https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security), including being [HSTS preloaded](https://hstspreload.appspot.com/) in most major browsers.\n* All requests pass through multiple rate limiting implementations to protect against brute-force attacks.\n* We don't store passwords: we store `bcrypt(13, salt, strcat(password, sha512(app-token, env-token)))`.\n* Passwords must be a minimum of 8 characters and pass a [zxcvbn](https://blogs.dropbox.com/tech/2012/04/zxcvbn-realistic-password-strength-estimation/) strong entropy check.\n* 
User-submitted content (such as attachments and images) is stored in AWS S3, encrypted at rest, and served from a sandboxed domain, protecting from [Same-origin Policy](https://en.wikipedia.org/wiki/Same-origin_policy) attacks.\n* Two-factor authentication and IP whitelisting are available to further restrict access to accounts.\n* Role-based access control allows for granular permissions for team members.\n\nInfrastructure \u0026 Operational Security\n===============\n\n* No HackerOne employees are authorized to access customer vulnerability information.\n* All our infrastructure is hosted on dedicated, unmanaged hardware in an ISAE 3402 type I and ISO 27001 certified datacenter.\n* Network segregation is aggressively deployed between services and environments.\n* All infrastructure access requires two-factor, multi-stage authentication.\n* We leverage [CloudFlare](https://www.cloudflare.com) to supplement our infrastructure's resilience.\n* Enforced usage of strong passwords, password managers, client encryption, mobile device management, and screen locking.\n* All employees undergo a criminal background check upon hiring.\n\n… and more. We're constantly seeking to improve. If you have any questions on our security or suggestions on how HackerOne could be improved, please let us know at support@hackerone.com.\n\nScope Exclusions\n===============\nThe following categories of reports are considered out of scope for our program and will not be rewarded:\n\n - Reports which target a lack of host header validation or that exploit [multiple forward slashes](https://hackerone.com/reports/52035) at the root of the path segment of a URL. Both of these issues are known to both us and CloudFlare, and their resolution is outside our control.\n - Spamming other users with automated HackerOne emails or notifications (e.g. 
abusing the forgot password form).\n - For reports addressing `support.hackerone.com` unless they are critical or severe issues they will be marked as not applicable. `support.hackerone.com` is hosted by Zendesk, and as such general reports should be submitted to their program instead via @zendesk. \n - Reports which [enumerate already claimed user and program handles](https://hackerone.com/reports/29185). This reveals no sensitive information, regardless of whether the associated profiles are public or private.\n - Reports relating to invitation expiration dates.\n - Reports relating to invitations not being tied to specific user accounts.\n - Reports relating to self-DoS issues (as in, only the person doing the action is denied service).\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2016-02-25T02:22:53.343Z"},{"id":2259151,"new_policy":"We've built HackerOne from the ground up with security as our top priority. Even so, we believe that all technology contains bugs and that the public plays a crucial role in identifying these bugs. If you believe you've found a security bug in our service, we'll gladly work with you to resolve that issue and ensure you are fairly compensated for your discovery.\n\n**If you are looking to report a non-security-related bug in HackerOne, please e-mail support@hackerone.com instead.**\n\nWe categorize security bugs in our service into two categories:\n\n* **Severe**: Any bug that might grant unauthorized access to confidential bug descriptions. Severe bugs have a minimum bounty of **$10,000**.\n* **Interesting**: Any bug that might otherwise potentially impact the security of our service. 
Interesting bugs have a minimum bounty of **$500**.\n\nWe believe in transparency about our security, so any valid vulnerabilities discovered are always publicly disclosed once confirmed and resolved.\n\nBelow we'll describe some of the measures we take to keep our service safe and secure.\n\nApplication Security\n===============\n\n* Several of our engineers live double lives as security engineers and penetration testers. All commits go through mandatory code and security review, along with examination by static analysis tools.\n* All data access and mutation goes through a stringent Command Query Responsibility Segregation (CQRS) framework for centralized auditing, authentication, and authorization.\n* This framework utilizes strong typing and parameterization to eliminate SQL Injection attacks, as well as enforcing the presence of an anti-CSRF token prior to any data mutation.\n* We utilize a strict [Content Security Policy](https://en.wikipedia.org/wiki/Content_Security_Policy) and a safe-by-default templating language to effectively neutralize Cross-Site Scripting (XSS).\n* We encrypt all network communications with SSL/TLS accompanied with [Perfect Forward Secrecy](https://en.wikipedia.org/wiki/Forward_secrecy#Perfect_Forward_Secrecy) and [HTTP Strict Transport Security (HSTS)](https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security), including being [HSTS preloaded](https://hstspreload.appspot.com/) in most major browsers.\n* All requests pass through multiple rate limiting implementations to protect against brute-force attacks.\n* We don't store passwords: we store `bcrypt(13, salt, strcat(password, sha512(app-token, env-token)))`.\n* Passwords must be a minimum of 8 characters and pass a [zxcvbn](https://blogs.dropbox.com/tech/2012/04/zxcvbn-realistic-password-strength-estimation/) strong entropy check.\n* User-submitted content (such as attachments and images) is stored in AWS S3, encrypted at rest, and served from a sandboxed domain, protecting from 
[Same-origin Policy](https://en.wikipedia.org/wiki/Same-origin_policy) attacks.\n* Two-factor authentication and IP whitelisting are available to further restrict access to accounts.\n* Role-based access control allows for granular permissions for team members.\n\nInfrastructure \u0026 Operational Security\n===============\n\n* No HackerOne employees are authorized to access customer vulnerability information.\n* All our infrastructure is hosted on dedicated, unmanaged hardware in an ISAE 3402 type I and ISO 27001 certified datacenter.\n* Network segregation is aggressively deployed between services and environments.\n* All infrastructure access requires two-factor, multi-stage authentication.\n* We leverage [CloudFlare](https://www.cloudflare.com) to supplement our infrastructure's resilience.\n* Enforced usage of strong passwords, password managers, client encryption, mobile device management, and screen locking.\n* All employees undergo a criminal background check upon hiring.\n\n… and more. We're constantly seeking to improve. If you have any questions on our security or suggestions on how HackerOne could be improved, please let us know at support@hackerone.com.\n\nScope Exclusions\n===============\nThe following categories of reports are considered out of scope for our program and will not be rewarded:\n\n - Reports which target a lack of host header validation or that exploit [multiple forward slashes](https://hackerone.com/reports/52035) at the root of the path segment of a URL. Both of these issues are known to both us and CloudFlare, and their resolution is outside our control.\n - Spamming other users with automated HackerOne emails or notifications (e.g. abusing the forgot password form).\n - For reports addressing `support.hackerone.com` unless they are critical or severe issues they will be marked as not applicable. `support.hackerone.com` is hosted by Zendesk, and as such general reports should be submitted to their program instead via @zendesk. 
\n - Reports which [enumerate already claimed user and program handles](https://hackerone.com/reports/29185). This reveals no sensitive information, regardless of whether the associated profiles are public or private.\n - Reports relating to invitation expiration dates.\n - Reports relating to self-DoS issues (as in, only the person doing the action is denied service).\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2016-02-16T20:21:42.217Z"},{"id":2164499,"new_policy":"We've built HackerOne from the ground up with security as our top priority. Even so, we believe that all technology contains bugs and that the public plays a crucial role in identifying these bugs. If you believe you've found a security bug in our service, we'll gladly work with you to resolve that issue and ensure you are fairly compensated for your discovery.\n\n**If you are looking to report a non-security-related bug in HackerOne, please e-mail support@hackerone.com instead.**\n\nWe categorize security bugs in our service into two categories:\n\n* **Severe**: Any bug that might grant unauthorized access to confidential bug descriptions. Severe bugs have a minimum bounty of **$10,000**.\n* **Interesting**: Any bug that might otherwise potentially impact the security of our service. Interesting bugs have a minimum bounty of **$500**.\n\nWe believe in transparency about our security, so any valid vulnerabilities discovered are always publicly disclosed once confirmed and resolved.\n\nBelow we'll describe some of the measures we take to keep our service safe and secure.\n\nApplication Security\n===============\n\n* Several of our engineers live double lives as security engineers and penetration testers. 
All commits go through mandatory code and security review, along with examination by static analysis tools.\n* All data access and mutation goes through a stringent Command Query Responsibility Segregation (CQRS) framework for centralized auditing, authentication, and authorization.\n* This framework utilizes strong typing and parameterization to eliminate SQL Injection attacks, as well as enforcing the presence of an anti-CSRF token prior to any data mutation.\n* We utilize a strict [Content Security Policy](https://en.wikipedia.org/wiki/Content_Security_Policy) and a safe-by-default templating language to effectively neutralize Cross-Site Scripting (XSS).\n* We encrypt all network communications with SSL/TLS accompanied with [Perfect Forward Secrecy](https://en.wikipedia.org/wiki/Forward_secrecy#Perfect_Forward_Secrecy) and [HTTP Strict Transport Security (HSTS)](https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security), including being [HSTS preloaded](https://hstspreload.appspot.com/) in most major browsers.\n* All requests pass through multiple rate limiting implementations to protect against brute-force attacks.\n* We don't store passwords: we store `bcrypt(13, salt, strcat(password, sha512(app-token, env-token)))`.\n* Passwords must be a minimum of 8 characters and pass a [zxcvbn](https://blogs.dropbox.com/tech/2012/04/zxcvbn-realistic-password-strength-estimation/) strong entropy check.\n* User-submitted content (such as attachments and images) is stored in AWS S3, encrypted at rest, and served from a sandboxed domain, protecting from [Same-origin Policy](https://en.wikipedia.org/wiki/Same-origin_policy) attacks.\n* Two-factor authentication and IP whitelisting are available to further restrict access to accounts.\n* Role-based access control allows for granular permissions for team members.\n\nInfrastructure \u0026 Operational Security\n===============\n\n* No HackerOne employees are authorized to access customer vulnerability information.\n* All our 
infrastructure is hosted on dedicated, unmanaged hardware in an ISAE 3402 type I and ISO 27001 certified datacenter.\n* Network segregation is aggressively deployed between services and environments.\n* All infrastructure access requires two-factor, multi-stage authentication.\n* We leverage [CloudFlare](https://www.cloudflare.com) to supplement our infrastructure's resilience.\n* Enforced usage of strong passwords, password managers, client encryption, mobile device management, and screen locking.\n* All employees undergo a criminal background check upon hiring.\n\n… and more. We're constantly seeking to improve. If you have any questions on our security or suggestions on how HackerOne could be improved, please let us know at support@hackerone.com.\n\nScope Exclusions\n===============\nThe following categories of reports are considered out of scope for our program and will not be rewarded:\n\n - Reports which target a lack of host header validation or that exploit [multiple forward slashes](https://hackerone.com/reports/52035) at the root of the path segment of a URL. Both of these issues are known to both us and CloudFlare, and their resolution is outside our control.\n - Spamming other users with automated HackerOne emails or notifications (e.g. abusing the forgot password form).\n - For reports addressing `support.hackerone.com`, `info.hacker.one`, and `go.hacker.one` unless they are critical or severe issues they will be marked as not applicable. `support.hackerone.com` is hosted by Zendesk, and as such general reports should be submitted to their program instead via @zendesk. \n - Reports which [enumerate already claimed user and program handles](https://hackerone.com/reports/29185). 
This reveals no sensitive information, regardless of whether the associated profiles are public or private.\n - Reports relating to invitation expiration dates.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2016-01-13T15:00:01.429Z"},{"id":2087143,"new_policy":"We've built HackerOne from the ground up with security as our top priority. Even so, we believe that all technology contains bugs and that the public plays a crucial role in identifying these bugs. If you believe you've found a security bug in our service, we'll gladly work with you to resolve that issue and ensure you are fairly compensated for your discovery.\n\n**If you are looking to report a non-security-related bug in HackerOne, please e-mail support@hackerone.com instead.**\n\nWe categorize security bugs in our service into two categories:\n\n* **Severe**: Any bug that might grant unauthorized access to confidential bug descriptions. Severe bugs have a minimum bounty of **$5,000**.\n* **Interesting**: Any bug that might otherwise potentially impact the security of our service. Interesting bugs have a minimum bounty of **$500**.\n\nWe believe in transparency about our security, so any valid vulnerabilities discovered are always publicly disclosed once confirmed and resolved.\n\nBelow we'll describe some of the measures we take to keep our service safe and secure.\n\nApplication Security\n===============\n\n* Several of our engineers live double lives as security engineers and penetration testers. 
All commits go through mandatory code and security review, along with examination by static analysis tools.\n* All data access and mutation goes through a stringent Command Query Responsibility Segregation (CQRS) framework for centralized auditing, authentication, and authorization.\n* This framework utilizes strong typing and parameterization to eliminate SQL Injection attacks, as well as enforcing the presence of an anti-CSRF token prior to any data mutation.\n* We utilize a strict [Content Security Policy](https://en.wikipedia.org/wiki/Content_Security_Policy) and a safe-by-default templating language to effectively neutralize Cross-Site Scripting (XSS).\n* We encrypt all network communications with SSL/TLS accompanied with [Perfect Forward Secrecy](https://en.wikipedia.org/wiki/Forward_secrecy#Perfect_Forward_Secrecy) and [HTTP Strict Transport Security (HSTS)](https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security), including being [HSTS preloaded](https://hstspreload.appspot.com/) in most major browsers.\n* All requests pass through multiple rate limiting implementations to protect against brute-force attacks.\n* We don't store passwords: we store `bcrypt(13, salt, strcat(password, sha512(app-token, env-token)))`.\n* Passwords must be a minimum of 8 characters and pass a [zxcvbn](https://blogs.dropbox.com/tech/2012/04/zxcvbn-realistic-password-strength-estimation/) strong entropy check.\n* User-submitted content (such as attachments and images) is stored in AWS S3, encrypted at rest, and served from a sandboxed domain, protecting from [Same-origin Policy](https://en.wikipedia.org/wiki/Same-origin_policy) attacks.\n* Two-factor authentication and IP whitelisting are available to further restrict access to accounts.\n* Role-based access control allows for granular permissions for team members.\n\nInfrastructure \u0026 Operational Security\n===============\n\n* No HackerOne employees are authorized to access customer vulnerability information.\n* All our 
infrastructure is hosted on dedicated, unmanaged hardware in an ISAE 3402 type I and ISO 27001 certified datacenter.\n* Network segregation is aggressively deployed between services and environments.\n* All infrastructure access requires two-factor, multi-stage authentication.\n* We leverage [CloudFlare](https://www.cloudflare.com) to supplement our infrastructure's resilience.\n* Enforced usage of strong passwords, password managers, client encryption, mobile device management, and screen locking.\n* All employees undergo a criminal background check upon hiring.\n\n… and more. We're constantly seeking to improve. If you have any questions on our security or suggestions on how HackerOne could be improved, please let us know at support@hackerone.com.\n\nScope Exclusions\n===============\nThe following categories of reports are considered out of scope for our program and will not be rewarded:\n\n - Reports which target a lack of host header validation or that exploit [multiple forward slashes](https://hackerone.com/reports/52035) at the root of the path segment of a URL. Both of these issues are known to both us and CloudFlare, and their resolution is outside our control.\n - Spamming other users with automated HackerOne emails or notifications (e.g. abusing the forgot password form).\n - For reports addressing `support.hackerone.com`, `info.hacker.one`, and `go.hacker.one` unless they are critical or severe issues they will be marked as not applicable. `support.hackerone.com` is hosted by Zendesk, and as such general reports should be submitted to their program instead via @zendesk. \n - Reports which [enumerate already claimed user and program handles](https://hackerone.com/reports/29185). 
This reveals no sensitive information, regardless of whether the associated profiles are public or private.\n - Reports relating to invitation expiration dates.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2015-12-14T06:48:38.342Z"},{"id":2060036,"new_policy":"We've built HackerOne from the ground up with security as our top priority. Even so, we believe that all technology contains bugs and that the public plays a crucial role in identifying these bugs. If you believe you've found a security bug in our service, we'll gladly work with you to resolve that issue and ensure you are fairly compensated for your discovery.\n\n**If you are looking to report a non-security-related bug in HackerOne, please e-mail support@hackerone.com instead.**\n\nWe categorize security bugs in our service into two categories:\n\n* **Severe**: Any bug that might grant unauthorized access to confidential bug descriptions. Severe bugs have a minimum bounty of **$5,000**.\n* **Interesting**: Any bug that might otherwise potentially impact the security of our service. Interesting bugs have a minimum bounty of **$500**.\n\nWe believe in transparency about our security, so any valid vulnerabilities discovered are always publicly disclosed once confirmed and resolved.\n\nBelow we'll describe some of the measures we take to keep our service safe and secure.\n\nApplication Security\n===============\n\n* Several of our engineers live double lives as security engineers and penetration testers. 
All commits go through mandatory code and security review, along with examination by static analysis tools.\n* All data access and mutation goes through a stringent Command Query Responsibility Segregation (CQRS) framework for centralized auditing, authentication, and authorization.\n* This framework utilizes strong typing and parameterization to eliminate SQL Injection attacks, as well as enforcing the presence of an anti-CSRF token prior to any data mutation.\n* We utilize a strict [Content Security Policy](https://en.wikipedia.org/wiki/Content_Security_Policy) and a safe-by-default templating language to effectively neutralize Cross-Site Scripting (XSS).\n* We encrypt all network communications with SSL/TLS accompanied with [Perfect Forward Secrecy](https://en.wikipedia.org/wiki/Forward_secrecy#Perfect_Forward_Secrecy) and [HTTP Strict Transport Security (HSTS)](https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security), including being [HSTS preloaded](https://hstspreload.appspot.com/) in most major browsers.\n* All requests pass through multiple rate limiting implementations to protect against brute-force attacks.\n* We don't store passwords: we store `bcrypt(13, salt, strcat(password, sha512(app-token, env-token)))`.\n* Passwords must be a minimum of 8 characters and pass a [zxcvbn](https://blogs.dropbox.com/tech/2012/04/zxcvbn-realistic-password-strength-estimation/) strong entropy check.\n* User-submitted content (such as attachments and images) is stored in AWS S3, encrypted at rest, and served from a sandboxed domain, protecting from [Same-origin Policy](https://en.wikipedia.org/wiki/Same-origin_policy) attacks.\n* Two-factor authentication and IP whitelisting are available to further restrict access to accounts.\n* Role-based access control allows for granular permissions for team members.\n\nInfrastructure \u0026 Operational Security\n===============\n\n* No HackerOne employees are authorized to access customer vulnerability information.\n* All our 
infrastructure is hosted on dedicated, unmanaged hardware in an ISAE 3402 type I and ISO 27001 certified datacenter.\n* Network segregation is aggressively deployed between services and environments.\n* All infrastructure access requires two-factor, multi-stage authentication.\n* We leverage [CloudFlare](https://www.cloudflare.com) to supplement our infrastructure's resilience.\n* Enforced usage of strong passwords, password managers, client encryption, mobile device management, and screen locking.\n* All employees undergo a criminal background check upon hiring.\n\n… and more. We're constantly seeking to improve. If you have any questions on our security or suggestions on how HackerOne could be improved, please let us know at support@hackerone.com.\n\nScope Exclusions\n===============\nThe following categories of reports are considered out of scope for our program and will not be rewarded:\n\n - Reports which target a lack of host header validation or that exploit [multiple forward slashes](https://hackerone.com/reports/52035) at the root of the path segment of a URL. Both of these issues are known to both us and CloudFlare, and their resolution is outside our control.\n - Spamming other users with automated HackerOne emails or notifications (e.g. abusing the forgot password form).\n - For reports addressing `support.hackerone.com`, `info.hacker.one`, and `go.hacker.one` unless they are critical or severe issues they will be marked as not applicable. `support.hackerone.com` is hosted by Zendesk, and as such general reports should be submitted to their program instead.\n - Reports which [enumerate already claimed user and program handles](https://hackerone.com/reports/29185). 
This reveals no sensitive information, regardless of whether the associated profiles are public or private.\n - Reports relating to invitation expiration dates.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2015-12-02T05:02:30.797Z"},{"id":2031515,"new_policy":"We've built HackerOne from the ground up with security as our top priority. Even so, we believe that all technology contains bugs and that the public plays a crucial role in identifying these bugs. If you believe you've found a security bug in our service, we'll gladly work with you to resolve that issue and ensure you are fairly compensated for your discovery.\n\n**If you are looking to report a non-security-related bug in HackerOne, please e-mail support@hackerone.com instead.**\n\nWe categorize security bugs in our service into two categories:\n\n* **Severe**: Any bug that might grant unauthorized access to confidential bug descriptions. Severe bugs have a minimum bounty of **$5,000**.\n* **Interesting**: Any bug that might otherwise potentially impact the security of our service. Interesting bugs have a minimum bounty of **$500**.\n\nWe believe in transparency about our security, so any valid vulnerabilities discovered are always publicly disclosed once confirmed and resolved.\n\nBelow we'll describe some of the measures we take to keep our service safe and secure.\n\nApplication Security\n===============\n\n* Several of our engineers live double lives as security engineers and penetration testers. 
All commits go through mandatory code and security review, along with examination by static analysis tools.\n* All data access and mutation goes through a stringent Command Query Responsibility Segregation (CQRS) framework for centralized auditing, authentication, and authorization.\n* This framework utilizes strong typing and parameterization to eliminate SQL Injection attacks, as well as enforcing the presence of an anti-CSRF token prior to any data mutation.\n* We utilize a strict [Content Security Policy](https://en.wikipedia.org/wiki/Content_Security_Policy) and a safe-by-default templating language to effectively neutralize Cross-Site Scripting (XSS).\n* We encrypt all network communications with SSL/TLS accompanied with [Perfect Forward Secrecy](https://en.wikipedia.org/wiki/Forward_secrecy#Perfect_Forward_Secrecy) and [HTTP Strict Transport Security (HSTS)](https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security), including being [HSTS preloaded](https://hstspreload.appspot.com/) in most major browsers.\n* All requests pass through multiple rate limiting implementations to protect against brute-force attacks.\n* We don't store passwords: we store `bcrypt(13, salt, strcat(password, sha512(app-token, env-token)))`.\n* Passwords must be a minimum of 8 characters and pass a [zxcvbn](https://blogs.dropbox.com/tech/2012/04/zxcvbn-realistic-password-strength-estimation/) strong entropy check.\n* User-submitted content (such as attachments and images) is stored in AWS S3 and served from a sandboxed domain, protecting from [Same-origin Policy](https://en.wikipedia.org/wiki/Same-origin_policy) attacks.\n* Two-factor authentication and IP whitelisting are available to further restrict access to accounts.\n* Role-based access control allows for granular permissions for team members.\n\nInfrastructure \u0026 Operational Security\n===============\n\n* No HackerOne employees are authorized to access customer vulnerability information.\n* All our infrastructure is 
hosted on dedicated, unmanaged hardware in an ISAE 3402 type I and ISO 27001 certified datacenter.\n* Network segregation is aggressively deployed between services and environments.\n* All infrastructure access requires two-factor, multi-stage authentication.\n* We leverage [CloudFlare](https://www.cloudflare.com) to supplement our infrastructure's resilience.\n* Enforced usage of strong passwords, password managers, client encryption, mobile device management, and screen locking.\n* All employees undergo a criminal background check upon hiring.\n\n… and more. We're constantly seeking to improve. If you have any questions on our security or suggestions on how HackerOne could be improved, please let us know at support@hackerone.com.\n\nScope Exclusions\n===============\nThe following categories of reports are considered out of scope for our program and will not be rewarded:\n\n - Reports which target a lack of host header validation or that exploit [multiple forward slashes](https://hackerone.com/reports/52035) at the root of the path segment of a URL. Both of these issues are known to both us and CloudFlare, and their resolution is outside our control.\n - Spamming other users with automated HackerOne emails or notifications (e.g. abusing the forgot password form).\n - For reports addressing `support.hackerone.com` and `info.hackerone.com`, unless they are critical or severe issues they will be marked as not applicable. `support.hackerone.com` is hosted by Zendesk, and as such general reports should be submitted to their program instead.\n - Reports which [enumerate already claimed user and program handles](https://hackerone.com/reports/29185). 
This reveals no sensitive information, regardless of whether the associated profiles are public or private.\n - Reports relating to invitation expiration dates.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2015-11-19T17:04:36.696Z"},{"id":1983862,"new_policy":"We've built HackerOne from the ground up with security as our top priority. Even so, we believe that all technology contains bugs and that the public plays a crucial role in identifying these bugs. If you believe you've found a security bug in our service, we'll gladly work with you to resolve that issue and ensure you are fairly compensated for your discovery.\n\n**If you are looking to report a non-security-related bug in HackerOne, please e-mail support@hackerone.com instead.**\n\nWe categorize security bugs in our service into two categories:\n\n* **Severe**: Any bug that might grant unauthorized access to confidential bug descriptions. Severe bugs have a minimum bounty of **$5,000**.\n* **Interesting**: Any bug that might otherwise potentially impact the security of our service. Interesting bugs have a minimum bounty of **$500**.\n\nWe believe in transparency about our security, so any valid vulnerabilities discovered are always publicly disclosed once confirmed and resolved.\n\nBelow we'll describe some of the measures we take to keep our service safe and secure.\n\nApplication Security\n===============\n\n* Several of our engineers live double lives as security engineers and penetration testers. 
All commits go through mandatory code and security review, along with examination by static analysis tools.\n* All data access and mutation goes through a stringent Command Query Responsibility Segregation (CQRS) framework for centralized auditing, authentication, and authorization.\n* This framework utilizes strong typing and parameterization to eliminate SQL Injection attacks, as well as enforcing the presence of an anti-CSRF token prior to any data mutation.\n* We utilize a strict [Content Security Policy](https://en.wikipedia.org/wiki/Content_Security_Policy) and a safe-by-default templating language to effectively neutralize Cross-Site Scripting (XSS).\n* We encrypt all network communications with SSL/TLS accompanied with [Perfect Forward Secrecy](https://en.wikipedia.org/wiki/Forward_secrecy#Perfect_Forward_Secrecy) and [HTTP Strict Transport Security (HSTS)](https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security), including being [HSTS preloaded](https://hstspreload.appspot.com/) in most major browsers.\n* All requests pass through multiple rate limiting implementations to protect against brute-force attacks.\n* We don't store passwords: we store `bcrypt(13, salt, strcat(password, sha512(app-token, env-token)))`.\n* Passwords must be a minimum of 8 characters and pass a [zxcvbn](https://blogs.dropbox.com/tech/2012/04/zxcvbn-realistic-password-strength-estimation/) strong entropy check.\n* User-submitted content (such as attachments and images) is stored in AWS S3 and served from a sandboxed domain, protecting from [Same-origin Policy](https://en.wikipedia.org/wiki/Same-origin_policy) attacks.\n* Two-factor authentication and IP whitelisting are available to further restrict access to accounts.\n* Role-based access control allows for granular permissions for team members.\n\nInfrastructure \u0026 Operational Security\n===============\n\n* No HackerOne employees are authorized to access customer vulnerability information.\n* All our infrastructure is 
hosted on dedicated, unmanaged hardware in an ISAE 3402 type I certified datacenter.\n* Network segregation is aggressively deployed between services and environments.\n* All infrastructure access requires two-factor, multi-stage authentication.\n* We leverage [CloudFlare](https://www.cloudflare.com) to supplement our infrastructure's resilience.\n* Enforced usage of strong passwords, password managers, client encryption, mobile device management, and screen locking.\n* All employees undergo a criminal background check upon hiring.\n\n… and more. We're constantly seeking to improve. If you have any questions on our security or suggestions on how HackerOne could be improved, please let us know at support@hackerone.com.\n\nScope Exclusions\n===============\nThe following categories of reports are considered out of scope for our program and will not be rewarded:\n\n - Reports which target a lack of host header validation or that exploit [multiple forward slashes](https://hackerone.com/reports/52035) at the root of the path segment of a URL. Both of these issues are known to both us and CloudFlare, and their resolution is outside our control.\n - Spamming other users with automated HackerOne emails or notifications (e.g. abusing the forgot password form).\n - For reports addressing `support.hackerone.com` and `info.hackerone.com`, unless they are critical or severe issues they will be marked as not applicable. `support.hackerone.com` is hosted by Zendesk, and as such general reports should be submitted to their program instead.\n - Reports which [enumerate already claimed user and program handles](https://hackerone.com/reports/29185). 
This reveals no sensitive information, regardless of whether the associated profiles are public or private.\n - Reports relating to invitation expiration dates.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2015-11-11T21:52:53.466Z"},{"id":1898711,"new_policy":"We've built HackerOne from the ground up with security as our top priority. Even so, we believe that all technology contains bugs and that the public plays a crucial role in identifying these bugs. If you believe you've found a security bug in our service, we'll gladly work with you to resolve that issue and ensure you are fairly compensated for your discovery.\n\n**If you are looking to report a non-security-related bug in HackerOne, please e-mail support@hackerone.com instead.**\n\nWe categorize security bugs in our service into two categories:\n\n* **Severe**: Any bug that might grant unauthorized access to confidential bug descriptions. Severe bugs have a minimum bounty of **$5,000**.\n* **Interesting**: Any bug that might otherwise potentially impact the security of our service. Interesting bugs have a minimum bounty of **$500**.\n\nWe believe in transparency about our security, so any valid vulnerabilities discovered are always publicly disclosed once confirmed and resolved.\n\nBelow we'll describe some of the measures we take to keep our service safe and secure.\n\nApplication Security\n===============\n\n* Several of our engineers live double lives as security engineers and penetration testers. 
All commits go through mandatory code and security review, along with examination by static analysis tools.\n* All data access and mutation goes through a stringent Command Query Responsibility Segregation (CQRS) framework for centralized auditing, authentication, and authorization.\n* This framework utilizes strong typing and parameterization to eliminate SQL Injection attacks, as well as enforcing the presence of an anti-CSRF token prior to any data mutation.\n* We utilize a strict [Content Security Policy](https://en.wikipedia.org/wiki/Content_Security_Policy) and a safe-by-default templating language to effectively neutralize Cross-Site Scripting (XSS).\n* We encrypt all network communications with SSL/TLS accompanied with [Perfect Forward Secrecy](https://en.wikipedia.org/wiki/Forward_secrecy#Perfect_Forward_Secrecy) and [HTTP Strict Transport Security (HSTS)](https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security), including being [HSTS preloaded](https://hstspreload.appspot.com/) in most major browsers.\n* All requests pass through multiple rate limiting implementations to protect against brute-force attacks.\n* We don't store passwords: we store `bcrypt(13, salt, strcat(password, sha512(app-token, env-token)))`.\n* Passwords must be a minimum of 8 characters and pass a [zxcvbn](https://blogs.dropbox.com/tech/2012/04/zxcvbn-realistic-password-strength-estimation/) strong entropy check.\n* User-submitted content (such as attachments and images) is stored in AWS S3 and served from a sandboxed domain, protecting from [Same-origin Policy](https://en.wikipedia.org/wiki/Same-origin_policy) attacks.\n* Two-factor authentication and IP whitelisting are available to further restrict access to accounts.\n* Role-based access control allows for granular permissions for team members.\n\nInfrastructure \u0026 Operational Security\n===============\n\n* All our infrastructure is hosted on dedicated, unmanaged hardware in an ISAE 3402 type I certified datacenter.\n* 
Network segregation is aggressively deployed between services and environments.\n* All infrastructure access requires two-factor, multi-stage authentication.\n* We leverage [CloudFlare](https://www.cloudflare.com) to supplement our infrastructure's resilience.\n* Enforced usage of strong passwords, password managers, client encryption, mobile device management, and screen locking.\n* All employees undergo a criminal background check upon hiring.\n\n… and more. We're constantly seeking to improve. If you have any questions on our security or suggestions on how HackerOne could be improved, please let us know at support@hackerone.com.\n\nScope Exclusions\n===============\nThe following categories of reports are considered out of scope for our program and will not be rewarded:\n\n - Reports which target a lack of host header validation or that exploit [multiple forward slashes](https://hackerone.com/reports/52035) at the root of the path segment of a URL. Both of these issues are known to both us and CloudFlare, and their resolution is outside our control.\n - Spamming other users with automated HackerOne emails or notifications (e.g. abusing the forgot password form).\n - For reports addressing `support.hackerone.com` and `info.hackerone.com`, unless they are critical or severe issues they will be marked as not applicable. `support.hackerone.com` is hosted by Zendesk, and as such general reports should be submitted to their program instead.\n - Reports which [enumerate already claimed user and program handles](https://hackerone.com/reports/29185). 
This reveals no sensitive information, regardless of whether the associated profiles are public or private.\n - Reports relating to invitation expiration dates.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2015-10-09T06:39:52.646Z"},{"id":1757531,"new_policy":"We've built HackerOne from the ground up with security as our top priority. Even so, we believe that all technology contains bugs and that the public plays a crucial role in identifying these bugs. If you believe you've found a security bug in our service, we'll gladly work with you to resolve that issue and ensure you are fairly compensated for your discovery.\n\n**If you are looking to report a non-security-related bug in HackerOne, please e-mail support@hackerone.com instead.**\n\nWe categorize security bugs in our service into two categories:\n\n* **Severe**: Any bug that might grant unauthorized access to confidential bug descriptions. Severe bugs have a minimum bounty of **$5,000**.\n* **Interesting**: Any bug that might otherwise potentially impact the security of our service. Interesting bugs have a minimum bounty of **$500**.\n\nWe believe in transparency about our security, so any valid vulnerabilities discovered are always publicly disclosed once confirmed and resolved.\n\nBelow we'll describe some of the measures we take to keep our service safe and secure.\n\nApplication Security\n===============\n\n* Several of our engineers live double lives as security engineers and penetration testers. 
All commits go through mandatory code and security review, along with examination by static analysis tools.\n* All data access and mutation goes through a stringent Command Query Responsibility Segregation (CQRS) framework for centralized auditing, authentication, and authorization.\n* This framework utilizes strong typing and parameterization to eliminate SQL Injection attacks, as well as enforcing the presence of an anti-CSRF token prior to any data mutation.\n* We utilize a strict [Content Security Policy](https://en.wikipedia.org/wiki/Content_Security_Policy) and a safe-by-default templating language to effectively neutralize Cross-Site Scripting (XSS).\n* We encrypt all network communications with SSL/TLS accompanied with [Perfect Forward Secrecy](https://en.wikipedia.org/wiki/Forward_secrecy#Perfect_Forward_Secrecy) and [HTTP Strict Transport Security (HSTS)](https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security), including being [HSTS preloaded](https://hstspreload.appspot.com/) in most major browsers.\n* All requests pass through multiple rate limiting implementations to protect against brute-force attacks.\n* We don't store passwords: we store `bcrypt(13, salt, strcat(password, sha512(app-token, env-token)))`.\n* Passwords must be a minimum of 8 characters and pass a [zxcvbn](https://blogs.dropbox.com/tech/2012/04/zxcvbn-realistic-password-strength-estimation/) strong entropy check.\n* User-submitted content (such as attachments and images) is stored in AWS S3 and served from a sandboxed domain, protecting from [Same-origin Policy](https://en.wikipedia.org/wiki/Same-origin_policy) attacks.\n* Two-factor authentication and IP whitelisting are available to further restrict access to accounts.\n* Role-based access control allows for granular permissions for team members.\n\nInfrastructure \u0026 Operational Security\n===============\n\n* All our infrastructure is hosted on dedicated, unmanaged hardware in an ISAE 3402 type I certified datacenter.\n* 
Network segregation is aggressively deployed between services and environments.\n* All infrastructure access requires two-factor, multi-stage authentication.\n* We leverage [CloudFlare](https://www.cloudflare.com) to supplement our infrastructure's resilience.\n* Enforced usage of strong passwords, password managers, client encryption, mobile device management, and screen locking.\n* All employees undergo a criminal background check upon hiring.\n\n… and more. We're constantly seeking to improve. If you have any questions on our security or suggestions on how HackerOne could be improved, please let us know at support@hackerone.com.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2015-08-18T18:56:40.586Z"},{"id":1562459,"new_policy":"We've built HackerOne from the ground up with security as our top priority. Even so, we believe that all technology contains bugs and that the public plays a crucial role in identifying these bugs. If you believe you've found a security bug in our service, we'll gladly work with you to resolve that issue and ensure you are fairly compensated for your discovery.\n\n**If you are looking to report a non-security-related bug in HackerOne, please e-mail support@hackerone.com instead.**\n\nWe categorize security bugs in our service into two categories:\n\n* **Severe**: Any bug that might grant unauthorized access to confidential bug descriptions. Severe bugs have a minimum bounty of **$5,000**.\n* **Interesting**: Any bug that might otherwise potentially impact the security of our service. 
Interesting bugs have a minimum bounty of **$500**.\n\nWe believe in transparency about our security, so any valid vulnerabilities discovered are always publicly disclosed once confirmed and resolved.\n\nBelow we'll describe some of the measures we take to keep our service safe and secure.\n\nApplication Security\n===============\n\n* Several of our engineers live double lives as security engineers and penetration testers. All commits go through mandatory code and security review, along with examination by static analysis tools.\n* All data access and mutation goes through a stringent Command Query Responsibility Segregation (CQRS) framework for centralized auditing, authentication, and authorization.\n* This framework utilizes strong typing and parameterization to eliminate SQL Injection attacks, as well as enforcing the presence of an anti-CSRF token prior to any data mutation.\n* We utilize a strict [Content Security Policy](https://en.wikipedia.org/wiki/Content_Security_Policy) and a safe-by-default templating language to effectively neutralize Cross-Site Scripting (XSS).\n* We encrypt all network communications with SSL/TLS accompanied with [Perfect Forward Secrecy](https://en.wikipedia.org/wiki/Forward_secrecy#Perfect_Forward_Secrecy) and [HTTP Strict Transport Security (HSTS)](https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security), including being [HSTS preloaded](https://hstspreload.appspot.com/) in most major browsers.\n* All requests pass through multiple rate limiting implementations to protect against brute-force attacks.\n* We don't store passwords: we store `bcrypt(13, salt, strcat(password, sha512(app-token, env-token)))`.\n* Passwords must be a minimum of 8 characters and pass a [zxcvbn](https://blogs.dropbox.com/tech/2012/04/zxcvbn-realistic-password-strength-estimation/) strong entropy check.\n* User-submitted content (such as attachments and images) is stored in AWS S3 and served from a sandboxed domain, protecting from [Same-origin 
Policy](https://en.wikipedia.org/wiki/Same-origin_policy) attacks.\n* Two-factor authentication is available to further restrict access to accounts.\n\nInfrastructure \u0026 Operational Security\n===============\n\n* All our infrastructure is hosted on dedicated, unmanaged hardware in an ISAE 3402 type I certified datacenter.\n* Network segregation is aggressively deployed between services and environments.\n* All infrastructure access requires two-factor, multi-stage authentication.\n* We leverage [CloudFlare](https://www.cloudflare.com) to supplement our infrastructure's resilience.\n* Enforced usage of strong passwords, password managers, client encryption, mobile device management, and screen locking.\n* All employees undergo a criminal background check upon hiring.\n\n… and more. We're constantly seeking to improve. If you have any questions on our security or suggestions on how HackerOne could be improved, please let us know at support@hackerone.com.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2015-06-16T18:35:11.873Z"},{"id":1510192,"new_policy":"We've built HackerOne from the ground up with security as our top priority. Even so, we believe that all technology contains bugs and that the public plays a crucial role in identifying these bugs. If you believe you've found a security bug in our service, we'll gladly work with you to resolve that issue and ensure you are fairly compensated for your discovery.\n\n**If you are looking to report a non-security-related bug in HackerOne, please e-mail support@hackerone.com instead.**\n\nWe categorize security bugs in our service into two categories:\n\n* **Severe**: Any bug that might grant unauthorized access to confidential bug descriptions. 
Severe bugs have a minimum bounty of **$5,000**.\n* **Interesting**: Any bug that might otherwise potentially impact the security of our service. Interesting bugs have a minimum bounty of **$500**.\n\nWe believe in transparency about our security, so any valid vulnerabilities discovered are always publicly disclosed once confirmed and resolved.\n\nBelow we'll describe some of the measures we take to keep our service safe and secure.\n\nApplication Security\n===============\n\n* Several of our engineers live double lives as security engineers and penetration testers. All commits go through mandatory code and security review, along with examination by static analysis tools.\n* All data access and mutation goes through a stringent Command Query Responsibility Segregation (CQRS) framework for centralized auditing, authentication, and authorization.\n* This framework utilizes strong typing and parameterization to eliminate SQL Injection attacks, as well as enforcing the presence of an anti-CSRF token prior to any data mutation.\n* We utilize a strict [Content Security Policy](https://en.wikipedia.org/wiki/Content_Security_Policy) and a safe-by-default templating language to effectively neutralize Cross-Site Scripting (XSS).\n* We encrypt all network communications with SSL/TLS accompanied with [Perfect Forward Secrecy](https://en.wikipedia.org/wiki/Forward_secrecy#Perfect_Forward_Secrecy) and [HTTP Strict Transport Security (HSTS)](https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security), including being [HSTS preloaded](https://hstspreload.appspot.com/) in most major browsers.\n* All requests pass through multiple rate limiting implementations to protect against brute-force attacks.\n* We don't store passwords: we store `bcrypt(10, salt, strcat(password, sha512(app-token, env-token)))`.\n* Passwords must be a minimum of 8 characters and pass a [zxcvbn](https://blogs.dropbox.com/tech/2012/04/zxcvbn-realistic-password-strength-estimation/) strong entropy check.\n* 
User-submitted content (such as attachments and images) is stored in AWS S3 and served from a sandboxed domain, protecting from [Same-origin Policy](https://en.wikipedia.org/wiki/Same-origin_policy) attacks.\n* Two-factor authentication is available to further restrict access to accounts.\n\nInfrastructure \u0026 Operational Security\n===============\n\n* All our infrastructure is hosted on dedicated, unmanaged hardware in an ISAE 3402 type I certified datacenter.\n* Network segregation is aggressively deployed between services and environments.\n* All infrastructure access requires two-factor, multi-stage authentication.\n* We leverage [CloudFlare](https://www.cloudflare.com) to supplement our infrastructure's resilience.\n* Enforced usage of strong passwords, password managers, client encryption, mobile device management, and screen locking.\n* All employees undergo a criminal background check upon hiring.\n\n… and more. We're constantly seeking to improve. If you have any questions on our security or suggestions on how HackerOne could be improved, please let us know at support@hackerone.com.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2015-06-05T19:39:08.757Z"},{"id":1510187,"new_policy":"We've built HackerOne from the ground up with security as our top priority. Even so, we believe that all technology contains bugs and that the public plays a crucial role in identifying these bugs. 
If you believe you've found a security bug in our service, we'll gladly work with you to resolve that issue and ensure you are fairly compensated for your discovery.\n\n**If you are looking to report a non-security-related bug in HackerOne, please e-mail support@hackerone.com instead.**\n\nWe categorize security bugs in our service into two categories:\n\n* **Severe**: Any bug that might grant unauthorized access to confidential bug descriptions. Severe bugs have a minimum bounty of **$5,000**.\n* **Interesting**: Any bug that might otherwise potentially impact the security of our service. Interesting bugs have a minimum bounty of **$500**.\n\nWe believe in transparency about our security, so any valid vulnerabilities discovered are always publicly disclosed once confirmed and resolved.\n\nBelow we'll describe some of the measures we take to keep our service safe and secure.\n\nApplication Security\n===============\n\n* Several of our engineers live double lives as security engineers and penetration testers. 
All commits go through mandatory code and security review, along with examination by static analysis tools.\n* All data access and mutation goes through a stringent Command Query Responsibility Segregation (CQRS) framework for centralized auditing, authentication, and authorization.\n* This framework utilizes strong typing and parameterization to eliminate SQL Injection attacks, as well as enforcing the presence of an anti-CSRF token prior to any data mutation.\n* We utilize a strict [Content Security Policy](https://en.wikipedia.org/wiki/Content_Security_Policy) and a safe-by-default templating language to effectively neutralize Cross-Site Scripting (XSS).\n* We encrypt all network communications with SSL/TLS accompanied with [Perfect Forward Secrecy](https://en.wikipedia.org/wiki/Forward_secrecy#Perfect_Forward_Secrecy) and [HTTP Strict Transport Security (HSTS)](https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security), including being [HSTS preloaded](https://hstspreload.appspot.com/) in most major browsers.\n* All requests pass through multiple rate limiting implementations to protect against brute-force attacks.\n* We don't store passwords: we store `bcrypt(10, salt, strcat(password, sha512(app-token, env-token)))`.\n* Passwords must be a minimum of 8 characters and pass a [zxcvbn](https://blogs.dropbox.com/tech/2012/04/zxcvbn-realistic-password-strength-estimation/) strong entropy check.\n* User-submitted content (such as attachments and images) is stored in AWS S3 and served from a sandboxed domain, protecting from [Same-origin Policy](https://en.wikipedia.org/wiki/Same-origin_policy) attacks.\n* Two-factor authentication is available to further restrict access to accounts.\n\nInfrastructure \u0026 Operational Security\n===============\n\n* All our infrastructure is hosted on dedicated, unmanaged hardware in an ISAE 3402 type I certified datacenter.\n* Network segregation is aggressively deployed between services and environments.\n* All infrastructure 
access requires two-factor, multi-stage authentication.\n* We leverage [CloudFlare](https://www.cloudflare.com) to supplement our infrastructure's resilience.\n* Enforced usage of strong passwords, password managers, client encryption, mobile device management, and screen locking.\n* All employees undergo a criminal background check upon hiring.\n\n… and more. We're constantly seeking to improve. If you have any questions on our security or suggestions on how HackerOne could be improved, please let us know at support@hackerone.com.\n\nHackerOne HackerOne HackerOne HackerOne HackerOne HackerOne HackerOne HackerOne HackerOne\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2015-06-05T19:38:32.714Z"},{"id":1510185,"new_policy":"We've built HackerOne from the ground up with security as our top priority. Even so, we believe that all technology contains bugs and that the public plays a crucial role in identifying these bugs. If you believe you've found a security bug in our service, we'll gladly work with you to resolve that issue and ensure you are fairly compensated for your discovery.\n\n**If you are looking to report a non-security-related bug in HackerOne, please e-mail support@hackerone.com instead.**\n\nWe categorize security bugs in our service into two categories:\n\n* **Severe**: Any bug that might grant unauthorized access to confidential bug descriptions. Severe bugs have a minimum bounty of **$5,000**.\n* **Interesting**: Any bug that might otherwise potentially impact the security of our service. 
Interesting bugs have a minimum bounty of **$500**.\n\nWe believe in transparency about our security, so any valid vulnerabilities discovered are always publicly disclosed once confirmed and resolved.\n\nBelow we'll describe some of the measures we take to keep our service safe and secure.\n\nApplication Security\n===============\n\n* Several of our engineers live double lives as security engineers and penetration testers. All commits go through mandatory code and security review, along with examination by static analysis tools.\n* All data access and mutation goes through a stringent Command Query Responsibility Segregation (CQRS) framework for centralized auditing, authentication, and authorization.\n* This framework utilizes strong typing and parameterization to eliminate SQL Injection attacks, as well as enforcing the presence of an anti-CSRF token prior to any data mutation.\n* We utilize a strict [Content Security Policy](https://en.wikipedia.org/wiki/Content_Security_Policy) and a safe-by-default templating language to effectively neutralize Cross-Site Scripting (XSS).\n* We encrypt all network communications with SSL/TLS accompanied with [Perfect Forward Secrecy](https://en.wikipedia.org/wiki/Forward_secrecy#Perfect_Forward_Secrecy) and [HTTP Strict Transport Security (HSTS)](https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security), including being [HSTS preloaded](https://hstspreload.appspot.com/) in most major browsers.\n* All requests pass through multiple rate limiting implementations to protect against brute-force attacks.\n* We don't store passwords: we store `bcrypt(10, salt, strcat(password, sha512(app-token, env-token)))`.\n* Passwords must be a minimum of 8 characters and pass a [zxcvbn](https://blogs.dropbox.com/tech/2012/04/zxcvbn-realistic-password-strength-estimation/) strong entropy check.\n* User-submitted content (such as attachments and images) is stored in AWS S3 and served from a sandboxed domain, protecting from [Same-origin 
Policy](https://en.wikipedia.org/wiki/Same-origin_policy) attacks.\n* Two-factor authentication is available to further restrict access to accounts.\n\nInfrastructure \u0026 Operational Security\n===============\n\n* All our infrastructure is hosted on dedicated, unmanaged hardware in an ISAE 3402 type I certified datacenter.\n* Network segregation is aggressively deployed between services and environments.\n* All infrastructure access requires two-factor, multi-stage authentication.\n* We leverage [CloudFlare](https://www.cloudflare.com) to supplement our infrastructure's resilience.\n* Enforced usage of strong passwords, password managers, client encryption, mobile device management, and screen locking.\n* All employees undergo a criminal background check upon hiring.\n\n… and more. We're constantly seeking to improve. If you have any questions on our security or suggestions on how HackerOne could be improved, please let us know at support@hackerone.com.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2015-06-05T19:38:03.531Z"},{"id":1510184,"new_policy":"We've built HackerOne from the ground up with security as our top priority. Even so, we believe that all technology contains bugs and that the public plays a crucial role in identifying these bugs. If you believe you've found a security bug in our service, we'll gladly work with you to resolve that issue and ensure you are fairly compensated for your discovery.\n\n**If you are looking to report a non-security-related bug, please e-mail support@hackerone.com instead.**\n\nWe categorize security bugs in our service into two categories:\n\n* **Severe**: Any bug that might grant unauthorized access to confidential bug descriptions. 
Severe bugs have a minimum bounty of **$5,000**.\n* **Interesting**: Any bug that might otherwise potentially impact the security of our service. Interesting bugs have a minimum bounty of **$500**.\n\nWe believe in transparency about our security, so any valid vulnerabilities discovered are always publicly disclosed once confirmed and resolved.\n\nBelow we'll describe some of the measures we take to keep our service safe and secure.\n\nApplication Security\n===============\n\n* Several of our engineers live double lives as security engineers and penetration testers. All commits go through mandatory code and security review, along with examination by static analysis tools.\n* All data access and mutation goes through a stringent Command Query Responsibility Segregation (CQRS) framework for centralized auditing, authentication, and authorization.\n* This framework utilizes strong typing and parameterization to eliminate SQL Injection attacks, as well as enforcing the presence of an anti-CSRF token prior to any data mutation.\n* We utilize a strict [Content Security Policy](https://en.wikipedia.org/wiki/Content_Security_Policy) and a safe-by-default templating language to effectively neutralize Cross-Site Scripting (XSS).\n* We encrypt all network communications with SSL/TLS accompanied with [Perfect Forward Secrecy](https://en.wikipedia.org/wiki/Forward_secrecy#Perfect_Forward_Secrecy) and [HTTP Strict Transport Security (HSTS)](https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security), including being [HSTS preloaded](https://hstspreload.appspot.com/) in most major browsers.\n* All requests pass through multiple rate limiting implementations to protect against brute-force attacks.\n* We don't store passwords: we store `bcrypt(10, salt, strcat(password, sha512(app-token, env-token)))`.\n* Passwords must be a minimum of 8 characters and pass a [zxcvbn](https://blogs.dropbox.com/tech/2012/04/zxcvbn-realistic-password-strength-estimation/) strong entropy check.\n* 
User-submitted content (such as attachments and images) is stored in AWS S3 and served from a sandboxed domain, protecting from [Same-origin Policy](https://en.wikipedia.org/wiki/Same-origin_policy) attacks.\n* Two-factor authentication is available to further restrict access to accounts.\n\nInfrastructure \u0026 Operational Security\n===============\n\n* All our infrastructure is hosted on dedicated, unmanaged hardware in an ISAE 3402 type I certified datacenter.\n* Network segregation is aggressively deployed between services and environments.\n* All infrastructure access requires two-factor, multi-stage authentication.\n* We leverage [CloudFlare](https://www.cloudflare.com) to supplement our infrastructure's resilience.\n* Enforced usage of strong passwords, password managers, client encryption, mobile device management, and screen locking.\n* All employees undergo a criminal background check upon hiring.\n\n… and more. We're constantly seeking to improve. If you have any questions on our security or suggestions on how HackerOne could be improved, please let us know at support@hackerone.com.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2015-06-05T19:37:32.093Z"},{"id":1452128,"new_policy":"We've built HackerOne from the ground up with security as our top priority. Even so, we believe that all technology contains bugs and that the public plays a crucial role in identifying these bugs. 
If you believe you've found a security bug in our service, we'll gladly work with you to resolve that issue and ensure you are fairly compensated for your discovery.\n\n**If you are looking to report a non-security-related bug, please e-mail support@hackerone.com instead.**\n\nWe categorize security bugs in our service into two categories:\n\n* **Severe**: Any bug that might grant unauthorized access to confidential bug descriptions. Severe bugs have a minimum bounty of **$5,000**.\n* **Interesting**: Any bug that might otherwise potentially impact the security of our service. Interesting bugs have a minimum bounty of **$500**.\n\nWe believe in transparency about our security, so any valid vulnerabilities discovered are always publicly disclosed once confirmed and resolved.\n\nBelow we'll describe some of the measures we take to keep our service safe and secure.\n\nApplication Security\n===============\n\n* Several of our engineers live double lives as security engineers and penetration testers. 
All commits go through mandatory code and security review, along with examination by static analysis tools.\n* All data access and mutation goes through a stringent Command Query Responsibility Segregation (CQRS) framework for centralized auditing, authentication, and authorization.\n* This framework utilizes strong typing and parameterization to eliminate SQL Injection attacks, as well as enforcing the presence of an anti-CSRF token prior to any data mutation.\n* We utilize a strict [Content Security Policy](https://en.wikipedia.org/wiki/Content_Security_Policy) and a safe-by-default templating language to effectively neutralize Cross-Site Scripting (XSS).\n* We encrypt all network communications with SSL/TLS accompanied with [Perfect Forward Secrecy](https://en.wikipedia.org/wiki/Forward_secrecy#Perfect_Forward_Secrecy) and [HTTP Strict Transport Security (HSTS)](https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security), including being [HSTS preloaded](https://hstspreload.appspot.com/) in most major browsers.\n* All requests pass through multiple rate limiting implementations to protect against brute-force attacks.\n* We don't store passwords: we store `bcrypt(10, salt, strcat(password, sha512(app-token, env-token)))`.\n* Passwords must be a minimum of 8 characters and pass a [zxcvbn](https://blogs.dropbox.com/tech/2012/04/zxcvbn-realistic-password-strength-estimation/) strong entropy check.\n* User-submitted content (such as attachments and images) is stored in AWS S3 and served from a sandboxed domain, protecting from [Same-origin Policy](https://en.wikipedia.org/wiki/Same-origin_policy) attacks.\n* Two-factor authentication is available to further restrict access to accounts.\n\nInfrastructure \u0026 Operational Security\n===============\n\n* All our infrastructure is hosted on dedicated, unmanaged hardware in an ISAE 3402 type I certified datacenter.\n* Network segregation is aggressively deployed between services and environments.\n* All infrastructure 
access requires two-factor, multi-stage authentication.\n* We leverage [CloudFlare](https://www.cloudflare.com) to supplement our infrastructure's resilience.\n* Enforced usage of strong passwords, password managers, client encryption, mobile device management, and screen locking.\n* All employees undergo a criminal background check upon hiring.\n\n… and more. We're constantly seeking to improve. If you have any questions on our security or suggestions on how we could improve, please let us know at support@hackerone.com.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2015-05-14T00:37:16.551Z"}]