HackerOne Customer Terms and Conditions

Effective Date: May 11, 2026

These Customer Terms and Conditions apply to all Order Forms entered into on or after May 11, 2026, and to all free or trial versions of HackerOne's Services, and to any other use of the HackerOne Platform or Services by a Customer unless such use has been superseded by a mutually agreed written instrument between HackerOne and such Customer.

A. Services

Please read these Customer Terms and Conditions carefully because they govern each Customer's access to and use of the HackerOne Platform, products, and services (together, the "Services").

1. Agreement to Terms

1.1) By using the Services, a Customer agrees to be bound by these Customer Terms and Conditions, the Customer AI Terms and Conditions, and the General Terms and Conditions, which are incorporated herein by reference (the "Terms"). If you do not understand any terms in the Terms, please contact us before using the Services.

1.2) You may not access or use any Services unless you agree to abide by all of the Terms.

2. Definitions

2.1) Certain capitalized terms used in these Customer Terms and Conditions are defined in the General Terms and Conditions.

3. Services

3.1) HackerOne Platform. The Customer may access and use the HackerOne Platform and Services solely for its and its Affiliates' own business purposes. Among other things, the Customer may create Programs, and where applicable, offer Rewards to Community Members for their Community Member Submissions to such Programs. Community Members can access the HackerOne Platform to browse the Programs. If Community Members participate in such Programs, they can contact a Customer through the HackerOne Platform and can submit Community Member Submissions for the Programs under the terms described in Community Member Terms and Conditions and/or the Program Policy. HackerOne may change all or any part of the HackerOne Platform or HackerOne Site at any time, provided that such change is compliant with the Terms and does not diminish the Services provided to Customers.

3.2) HackerOne Services. HackerOne shall provide Customer access to Services following the mutual execution of one or more Order Forms by HackerOne and the Customer.

3.3) Use Restrictions and Requirements. The Customer shall not (and shall not permit any third party to), directly or indirectly: (i) reverse engineer, decompile, disassemble, or otherwise attempt to discover the source code, object code, or underlying structure, ideas, models, or algorithms of the Services (except to the extent Applicable Laws specifically prohibit such restriction); (ii) modify, translate, or create derivative works based on the Services; (iii) copy, rent, lease, distribute, pledge, assign, or otherwise transfer or encumber rights to the Services; (iv) use the Services for the benefit of a third party; (v) remove or otherwise alter any proprietary notices or labels from the Services or any portion thereof; (vi) use the Services to build an application or product that is competitive with any HackerOne products or services; (vii) interfere or attempt to interfere with the proper working of the Services or any activities conducted on the Services; (viii) bypass any measures HackerOne may use to prevent or restrict access to the Services (or other accounts, computer systems, or networks connected to the Services); or (ix) use the Services in a manner that violates any third-party intellectual property, contractual, or other proprietary rights ("Use Restrictions").

The Customer shall (a) use the Services in compliance with any applicable governance policies and technical documentation made generally available to the Customer by HackerOne, as reasonably updated from time to time, (b) use the Services in compliance with all applicable local, state, national, and foreign laws, treaties, and regulations in connection with the Customer's use of the Services (including those related to data privacy, international communications, export laws, and the transmission of technical or personal data), and (c) ensure that, in the event a Customer requests HackerOne or a Community Member to undertake research, vulnerability analysis, penetration testing, or similar activities on or in relation to any third party software, service, or infrastructure, the Customer has all necessary rights and authorizations to undertake, and to authorize HackerOne and/or the relevant Community Member to undertake on its behalf, such activities. Except as expressly stated otherwise in technical documentation applicable to the Services, the Customer is responsible for all of the Customer's activity in connection with the Services, including obtaining all required consents to use the Services, reviewing all technical documentation and governance policies relevant to the Services, disabling any tools or features capable of disablement, and uploading Customer Data onto the Platform.

3.4) Third Party Services. If set forth on a fully executed Order Form, the Services may include Third Party Services, which will be provided by a third party to the Customer. HackerOne is not responsible for the Third Party Services, and HackerOne makes no warranty or representation with respect to the Third Party Services. If purchased by a Customer, the Customer agrees to be bound by any terms and conditions presented to the Customer by the Third Party Services provider that govern the use of such provider's services, and unless otherwise agreed, the Customer will remit payment for the Third Party Services directly to HackerOne within thirty (30) calendar days of invoice, and HackerOne will pay the Third Party Services provider.

3.5) Use of the HackerOne Platform as a Community Member. If a Customer, or an employee of a Customer, wishes to access and use the Services as a Community Member with the consent of Customer, then the Community Member Terms and Conditions will govern the Customer's or the Customer's employee's use of the Services as a Community Member. The Community Member Terms and Conditions are independent of, and in addition to, these Customer Terms and Conditions. In such case, the Customer or the Customer's employee is solely responsible for performing the Community Member's obligations under the Community Member Terms and Conditions.

4. Community Member Submissions and Community Members

4.1) HackerOne does not endorse any Community Member. HackerOne is not responsible for any damage or harm resulting from a Customer's communications or interactions with Community Members or other customers, either through the Platform, the Services or otherwise. Any reputation ranking or description of any Community Member as part of the Services is not intended by HackerOne as an endorsement of any type. Any selection or use of any Community Member is solely at the Customer's own risk.

4.2) Any use of or reliance on Community Member Submissions that Customer receives is at Customer's own risk. HackerOne does not endorse, represent, or guarantee the completeness, truthfulness, accuracy, or reliability of any Community Member Submission. HackerOne will not be liable for any errors or omissions in any Community Member Submission, or any loss or damage of any kind, incurred as a result of the use of any Community Member Submission.

4.3) Community Members are not employees, contractors, or agents of HackerOne, but are independent third parties who want to participate in Programs and connect with Customers through the Services. Unless otherwise expressly agreed to in writing by HackerOne, the Customer agrees that any legal remedy that the Customer seeks to obtain for actions or omissions of a Community Member regarding the Customer's Program or Community Member Submissions will be limited to a claim against the applicable Community Member. Any contract or other interaction between a Customer and a Community Member, including with respect to any Customer Program Policy, will be between the Customer and the Community Member. HackerOne is not a party to such contracts and disclaims all liability arising from or related to such contracts.

4.4) Community Member Reviews. The Platform may collect and display reviews of Community Members by HackerOne customers. These reviews are provided as is and are not endorsements of any Community Member by HackerOne. To the extent the Customer relies on such reviews, the Customer does so at its sole discretion and risk.

5. Rewards and HackerOne Fees

5.1) Rewards. If applicable to the Customer's Program and in accordance with the Program Policy, a Customer may award Rewards to those Community Members who participate in the Customer's Programs and/or submit Community Member Submissions that meet the Customer's requirements. Unless otherwise agreed in writing, Customer agrees that it must provide advance payment in full for any requisite Reward funds prior to the transfer of funds to a Community Member by HackerOne. HackerOne shall not be responsible for any delays in the transfer of the Reward where there has been a delay in (a) receipt of the requisite Reward funds from the Customer or (b) the Customer validating a Submission.

5.2) Transfer of Funds Related to the Services. If applicable to the Program and in accordance with the Program Policy, the Customer may award Rewards to those Community Members who participate in the Customer's Programs or submit Community Member Submissions that meet the Customer's requirements. As a part of the Services, subject to any regulatory or legal requirements, HackerOne will transfer payments through the engagement of third-party payment providers to the Community Members pursuant to the Program Policy and HackerOne company policy, subject to: (i) HackerOne's advance receipt of Reward funds in full from the Customer; (ii) completion by the Customer of any applicable KYC/AML requirements; (iii) completion of tax documentation by the Community Member; and (iv) a successful screen of Community Member to ensure regulatory compliance including but not limited to against the U.S. Office of Foreign Assets Control (OFAC) sanctions list. HackerOne is not responsible for delays in payment outside of HackerOne's reasonable control or for processing or providing any Reward that is not a monetary payment unless otherwise set forth in an Order Form or otherwise agreed to in writing by HackerOne.

5.3) The Customer understands and agrees that Community Members have appointed HackerOne as their agent to accept monetary Rewards on their behalf. When the Customer transfers monetary Rewards to HackerOne for services provided by Community Members, the Customer acknowledges that the Customer is or will be the recipient of a service provided by Community Members and agrees that the Customer intends for the Customer's payment to HackerOne to be delivered to those Community Members to discharge the Customer's obligation, if any, to any such Reward for the Customer's benefit.

5.4) HackerOne Fees. The Customer agrees to pay HackerOne all fees for the Services as set out in the Order Form ("HackerOne Fees") within thirty (30) calendar days of the date of HackerOne's invoice unless otherwise stated on the Order Form. Except for any amounts disputed in good faith, HackerOne reserves the right to charge interest on all undisputed past due amounts at a rate of 1.5% per month or the maximum rate permitted by law, whichever is less. The Customer shall be responsible for reimbursing HackerOne for all reasonable costs and expenses incurred (including reasonable attorneys' fees) in collecting any undisputed overdue amounts. The HackerOne Fees and Reward payments to Community Members are non-refundable, except as otherwise specifically provided herein or in the applicable Order Form.

5.5) Excessive or Atypical Use. HackerOne reserves the right to address the Customer's use of the Services and/or HackerOne's performance obligations to Customer for such Services to the extent (i) the Customer's use of the Services materially exceeds the intended use of the Services or (ii) Customer-controlled Program configurations or integrations result in materially increased costs to HackerOne ("Excessive Use"). Notwithstanding the foregoing, HackerOne will not assess additional Fees to the Customer under this Section 5.5 without first providing the Customer with reasonable written notice regarding the Excessive Use and providing the Customer a reasonable opportunity to adjust the Customer's use of the Services.

5.6) Taxes. The Customer is responsible for any duties, customs, fees, or taxes due on account of its use of the Services, including any withholding taxes based on the classification of the Services being rendered, excluding any taxes imposed by the United States on HackerOne's income. If a Customer is required by Applicable Law to withhold any amount from the HackerOne Fees specified in the Order Form, then the Customer will pay HackerOne such HackerOne Fees as if no withholding were required and shall separately remit the withholding amount to the appropriate governmental authorities and provide evidence of such payment to HackerOne.

5.7) Termination and Rewards. In the event of termination, discontinuation, or cancellation of the Services or an Order Form, subject to applicable Program Policy and/or Disclosure Guidelines, Customer authorizes HackerOne to transfer outstanding Rewards to the relevant Community Member(s). Where a Community Member Submission has not been validated by the Customer within thirty (30) calendar days of a valid termination, HackerOne shall be authorized to transfer the Reward funds for the purposes of providing a Reward, based on normal industry validation practices.

6. Programs and Program Materials

6.1) HackerOne makes available through the HackerOne Platform both managed Programs, under which HackerOne is responsible for the management and the administration of a Customer's Programs with input and approval from the Customer as mutually agreed throughout the Program, and Programs that are self-managed by Customers. If an Order Form does not specifically identify HackerOne as being responsible for the management and administration of a Customer's Programs, then the Customer is solely responsible for the management and administration of Customer's Programs through the Services. Where relevant to the Services, HackerOne's Vulnerability Disclosure Guidelines, which describe the default disclosure policy governing vulnerability reporting through the Services, will be applicable to the Services except to the extent a Customer adopts its own Program Policy with respect to its Program. In the event of any conflict between a Customer's Program Policy and HackerOne's Vulnerability Disclosure Guidelines, the Customer's Program Policy shall prevail.

6.2) HackerOne reserves the right to reject a Program if, in its sole reasonable discretion, HackerOne reasonably objects to the Program and/or its Program Policy. HackerOne will notify the Customer of its intention to reject a Program, will identify its objections to the Program, and will work with the Customer to address those objections. In addition, where any Program is inactive or unattended by a Customer, HackerOne shall have the right to remove or disable access to the relevant Program Material and/or pause Community Member Submissions if the Customer has not responded to HackerOne's written notice (by email) requiring attention within ten (10) business days of such written notice.

6.3) While HackerOne may assist the Customer in preparing the Customer's Program Material, the Customer is solely responsible for the Customer's Program Material, including, for example, defining the scope of digital assets permitted to be tested by Community Members, determining Reward amounts, and determining or restricting which resources and tools such Community Members may use or engage with while participating in the Customer's Program. Customer understands and accepts that they are responsible for a Program and that Programs may not be successful if the Program's incentives and/or terms do not meet industry standard expectations for Programs of similar size and scope.

7. Intellectual Property Ownership and Licenses

7.1) HackerOne does not claim any ownership rights in any Program Material or Community Member Submissions, and nothing in these Customer Terms and Conditions or otherwise will be deemed to restrict any rights that a Customer may have to use and exploit its Program Material and Community Member Submissions. HackerOne and its licensors exclusively own all right, title, and interest in and to the HackerOne Property.

7.2) By making any Customer Data available through the Services, the Customer hereby grants to HackerOne a non-exclusive, non-transferable, non-sublicensable, worldwide, royalty-free license to use, copy, reproduce, display, modify, adapt, transmit, and distribute copies of such Customer Data for the purpose of providing and improving the Services. HackerOne has no obligation to maintain or provide any Customer Data after the Term.

7.3) HackerOne hereby grants to the Customer a non-exclusive, non-transferable, non-sublicensable, worldwide, royalty-free license to access and view the content and other HackerOne Property that HackerOne makes available on the Services solely in connection with the Customer's permitted use of the HackerOne Platform and Services.

7.4) HackerOne hereby grants to the Customer a non-exclusive, non-transferable, non-sublicensable, worldwide, royalty-free license to access and view the Community Member Submissions that are made available through the HackerOne Platform and the Services solely in connection with the Customer's permitted use of the HackerOne Platform and Services.

7.5) Subject to HackerOne's ownership of any HackerOne Property contained therein, the Customer will own all right, title, and interest to each Customer Report. HackerOne hereby grants the Customer a non-exclusive, non-transferable, perpetual, worldwide license to access, use, and reproduce any HackerOne Property included in each Customer Report.

8. Confidentiality

8.1) The General Terms and Conditions set forth the Customer's and HackerOne's obligations to protect Confidential Information of the other party.

9. Warranty

9.1) HackerOne represents and warrants that the HackerOne Platform and the Services provided to a Customer will be provided as described in an applicable Order Form or as otherwise mutually agreed by HackerOne and the Customer, by qualified personnel in a professional manner, and will comply in all material respects with the Documentation and content made available by HackerOne with respect thereto.

9.2) No Community Member Submissions shall be deemed a representation, warranty, commitment, or promise by HackerOne, and HackerOne assumes no duty to update, monitor, correct, or validate any content generated by the Services. In order to state a claim for breach of the foregoing warranty, a Customer must provide notice of such non-compliance within the thirty (30) day period following such non-compliance specifying the details of such non-compliance. If a Customer timely provides HackerOne with the required notice, as the Customer's sole and exclusive remedy, HackerOne shall re-perform such portion of the Services or otherwise use commercially reasonable efforts to correct any such non-compliance, at its expense, within thirty (30) calendar days of its receipt of such notice.

9.3) Procurement Regulations of the U.S. Government. The Service is a "commercial" offering, as that term is used in FAR Section 2.101 (defining "commercial items") and DFAR Section 227.704(a)(1) (defining "commercial computer software").

9.4) Disclaimer of Warranties. EXCEPT AS EXPRESSLY SET FORTH HEREIN, THE SERVICES ARE PROVIDED "AS IS" AND "AS AVAILABLE" AND WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF TITLE, NON-INFRINGEMENT, MERCHANTABILITY, AND FITNESS FOR A PARTICULAR PURPOSE, AND ANY WARRANTIES IMPLIED BY ANY COURSE OF PERFORMANCE, USAGE OF TRADE, OR COURSE OF DEALING, ALL OF WHICH ARE EXPRESSLY DISCLAIMED.

9.5) HackerOne makes no warranties that the Services will meet a Customer's specific requirements or be available on an uninterrupted, secure, or error-free basis.

9.6) Trade Controls. The Customer will not use the Service in violation of export control laws or regulations and/or economic sanctions laws or regulations that are imposed, administered, or enforced by the U.S., the U.K., the EU, or any other relevant jurisdiction.

9.7) If, at any time, HackerOne has a material reason to believe that the activity of the Customer and/or its Affiliates is restricted under the laws and regulations outlined at Section 9.6, HackerOne reserves the right to terminate access to the HackerOne Platform and Services, at its sole discretion and with immediate effect.

10. Artificial Intelligence

10.1) HackerOne uses Artificial Intelligence, which is embedded in the Platform and the Services. The terms governing how we use Artificial Intelligence in the Platform and Services are set out at www.hackerone.com/terms/AI.

11. Indemnification

11.1) The Customer will indemnify, defend, and hold harmless HackerOne and its officers, directors, employees, and agents, from and against any claims, disputes, demands, liabilities, damages, losses, and costs and expenses, including, without limitation, reasonable legal and accounting fees arising out of a third party claim (i) that Customer Data infringe upon a patent, copyright, trademark, or trade secret of a third party, (ii) arising from the Customer's use of a Community Member Submission in violation of its Program Policy, or (iii) arising from actions taken by HackerOne or Community Members on the request or instruction of Customer.

11.2) HackerOne will indemnify, defend, and hold harmless the Customer and its officers, directors, employees, and agents, from and against any claims, disputes, demands, liabilities, damages, losses, and costs and expenses, including, without limitation, reasonable legal and accounting fees arising out of a third party claim that the HackerOne Platform infringes upon a patent, copyright, trademark, or trade secret of a third party, provided that HackerOne shall not be responsible for any such claim to the extent arising out of or relating to a Community Member Submission, the Customer Data, or any Community Member Submissions used or generated by Customer through the Services.

11.3) The indemnified party shall give prompt written notice of all claims for which indemnity is sought and shall cooperate in defending against such claims, at the expense of the indemnifying party. The indemnifying party shall conduct and have sole control of the defense and settlement of any claim for which it has agreed to provide indemnification; provided that the indemnified party shall have the right to provide for its separate defense at its own expense. The rights and remedies set forth in this Section 11 state a party's exclusive liability and the other party's exclusive rights and remedies regarding claims made by a third party for intellectual property infringement or violation of a third party's intellectual property rights.

B. Early Access Features

This Section B (Early Access Features) applies to Customer's use of all free, trial, preview, non-production, or beta versions of HackerOne's products and services unless otherwise superseded by a mutually agreed written agreement between HackerOne and Customer.

HackerOne may from time to time make available to Customer through the Platform additional non-production or preview products, services, or functionality, including, without limitation, trial or beta products, features, or services, or other non-production offerings (collectively, "Early Access Features"). The following terms apply to Customer's use of Early Access Features, in addition to any other terms applicable to such use, including the terms of Section A (Services). In the event of a conflict between this Section B (Early Access Features) and any other terms applicable to Customer's use of the Services or Early Access Features, this Section B shall prevail solely to the extent of such conflict and solely with respect to Customer's use of the applicable Early Access Features. All content generated by an Early Access Feature is referred to as "EA Output".

1. Acceptable Use of Early Access Features

1.1) Customer may use Early Access Features solely for legitimate internal business purposes in connection with its use of the HackerOne Platform and Services.

1.2) For the avoidance of doubt, Customer shall not (and shall not permit any third party to) use Early Access Features to:

a) process or input Personal Data, sensitive data, or regulated data, unless expressly approved in advance in writing by HackerOne;

b) generate, store, or transmit content in violation of Applicable Law;

c) make automated decisions with legal or material business impact without appropriate human review; or

d) develop or create a product or service that is competitive with any HackerOne product or service.

2. Intellectual Property

2.1) Except as expressly set forth in this Section B, the ownership and licensing provisions set forth in the Customer Terms and Conditions shall continue to apply to Customer's use of Early Access Features.

2.2) Experimental Features. From time to time, HackerOne may designate certain Early Access Features as beta, experimental, or non-production products or services ("Experimental Features"). As between the parties, and subject to any Customer Data or third-party rights, HackerOne shall own all right, title, and interest in and to any EA Output generated through Customer's use of such Experimental Features. HackerOne hereby grants Customer a non-exclusive, non-transferable, non-sublicensable, worldwide, royalty-free, irrevocable license to use, reproduce, display, and distribute such EA Output solely for Customer's internal business purposes.

3. No Reliance or Warranty

3.1) Early Access Features are provided strictly on an "as is" and "as available" basis. HackerOne does not guarantee, represent, or warrant that any Early Access Feature or any EA Output is accurate, complete, lawful, secure, or suitable for any purpose. EA Output may be incorrect, misleading, biased, fabricated, or otherwise unsuitable for use without independent human verification. HackerOne shall have no obligation to monitor, correct, update, or validate any Early Access Feature or EA Output.

3.2) Customer is solely responsible for reviewing, validating, and ensuring, including by human oversight, the accuracy, legality, and appropriateness of any EA Output prior to any use or reliance thereon. Customer shall not rely on EA Output as a source of legal, security, compliance, financial, or operational advice, and any such reliance is at Customer's sole risk.

3.3) By using any Early Access Feature, Customer acknowledges and agrees that any EA Output (i) may be unsuitable for use without subject-matter review, (ii) must be independently evaluated for accuracy, legality, confidentiality, and security, and (iii) does not reflect HackerOne's official views, policies, or positions.

3.4) TO THE MAXIMUM EXTENT PERMITTED BY LAW: HACKERONE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, WARRANTIES OF ACCURACY, NON-INFRINGEMENT, MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND ERROR-FREE OPERATION.

4. Limitation of Liability

4.1) TO THE MAXIMUM EXTENT PERMITTED BY LAW: HACKERONE SHALL NOT BE LIABLE FOR ANY INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL, PUNITIVE, EXEMPLARY, OR ENHANCED DAMAGES OF ANY KIND, INCLUDING, WITHOUT LIMITATION, LOSS OF DATA, LOSS OF PROFITS, LOSS OF BUSINESS, BUSINESS INTERRUPTION, REPUTATION HARM, SECURITY INCIDENTS, OR COMPLIANCE FAILURES, ARISING OUT OF OR RELATING TO CUSTOMER'S USE OF, INABILITY TO USE, OR RELIANCE ON ANY EARLY ACCESS FEATURE OR EA OUTPUT, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. HACKERONE'S TOTAL AGGREGATE LIABILITY, WHETHER IN CONTRACT, TORT (INCLUDING NEGLIGENCE), STRICT LIABILITY, OR OTHERWISE, ARISING OUT OF OR RELATING TO CUSTOMER'S USE OF EARLY ACCESS FEATURES SHALL NOT EXCEED THE FEES PAID BY CUSTOMER FOR THE APPLICABLE EARLY ACCESS FEATURES; PROVIDED, HOWEVER, THAT WITH RESPECT TO EXPERIMENTAL FEATURES, SUCH LIABILITY SHALL IN NO EVENT EXCEED ONE HUNDRED U.S. DOLLARS (USD $100).

4.2) The foregoing limitation applies in the aggregate to all claims and is not increased by multiple claims or claimants.

4.3) These limitations apply regardless of the theory of liability, regardless of whether damages were foreseeable, and shall survive Customer's termination or loss of access to or use of the Early Access Features.

5. Indemnification

5.1) To the fullest extent permitted by law, Customer shall indemnify, defend, and hold harmless HackerOne, its affiliates, officers, directors, employees, and agents from and against any and all claims, damages, losses, liabilities, penalties, fines, costs, and expenses (including reasonable attorneys' fees) arising out of or relating to: (i) Customer's misuse of any Early Access Feature; (ii) Customer's failure to review, verify, or validate any EA Output; (iii) Customer's input of prohibited, confidential, sensitive, or regulated information into any Early Access Feature; (iv) Customer's reliance on EA Output for decisions with legal, operational, or security impact; (v) Customer's breach of this Section B or any other applicable terms governing Early Access Features; or (vi) any third-party claim alleging that Customer's use of any Early Access Feature or any content generated by Customer through such use violates Applicable Law, infringes intellectual property or other rights, or causes harm.

Please see our existing Customer Terms and Conditions effective prior to May 11, 2026.