Vulnerability Disclosure Guidelines

All technology contains bugs. If you've found a security vulnerability, we'd like to help out. By submitting a vulnerability to a program on HackerOne, or signing up as a Security Team, you acknowledge that you have read and agreed to these guidelines.

Vulnerability Disclosure Philosophy

Finders should...

  • Respect the rules. Operate within the rules set forth by the Security Team, or speak up if in strong disagreement with the rules.
  • Respect privacy. Make a good faith effort not to access or destroy another user's data.
  • Be patient. Make a good faith effort to clarify and support their reports upon request.
  • Do no harm. Act for the common good through the prompt reporting of all found vulnerabilities. Never willfully exploit others without their permission.

Security Teams should...

  • Prioritize security. Make a good faith effort to resolve reported security issues in a prompt and transparent manner.
  • Respect Finders. Give finders public recognition for their contributions.
  • Reward research. Financially incentivize security research when appropriate.
  • Do no harm. Not take unreasonable punitive actions against finders, like making legal threats or referring matters to law enforcement.

HackerOne is always open to feedback, questions, and suggestions. If you would like to talk to us, please feel free to email us at [email protected] or follow us on Twitter @hacker0x01.

Changes to These Guidelines

We may revise these guidelines from time to time. The current version is 1.2, updated on July 29, 2019 will always be at . If we make changes that we believe will substantially alter your rights, we will email you and prominently display a notice on our site 7 days before we make those changes.