Compliance & Trust

Compliance and trust

Our customers trust us to help them protect their most valuable assets by working with hundreds of thousands of vetted hackers. Those hackers also trust us to provide a fair, safe, and rewarding platform for them to report potential security vulnerabilities. HackerOne, and hacker-powered security itself, is built on trust. That trust must be earned through transparency, security, privacy, compliance, and more. We start with the belief that no organization is 100% secure. Then we do everything we can to make your organization and ours as secure as possible.

Our business is security.

It's built on trust. Here's how we earn it.

lock
Privacy
security
Security
check_circle
Compliance
search
Transparency

Privacy

Your data is your data.

We are committed to ensuring the privacy of your data. We’re further committed to preventing unauthorized access to that data. Our Privacy Policy details what data is collected from our customers and hackers, how we use it, and how it is stored.

General Data Protection Regulation - GDPR

General data protection regulation

We ensure our data collection and handling practices comply with the General Data Protection Regulation (GDPR) and its rules on data protection, privacy, and transfer. Our continued efforts include appointing a privacy officer, implementing policies and procedures, entering into a Data Processing Addendum with our customers and vendors, providing a list of data subprocessors, training all internal employees on privacy, and reviewing these practices annually with a third-party to ensure they remain effective and current.

HackerOne is GDPR compliant.

CCPA logo

California Consumer Privacy Act (CCPA)

We comply with the California Consumer Privacy Act (CCPA), which outlines privacy requirements related to data collection, storage, access, and more. We do not sell the personal information we collect to other parties.

DPA logo

Data Processing Addendum (DPA)

We use a Data Processing Addendum (DPA) to ensure adequate safeguards are put in place to protect customer personal data processed by HackerOne. The DPA obliges us to implement appropriate security measures, limit access to personal data, alert customers to incidents and data requests involving their data, and more.

ISO 27701

ISO 27701 which provides requirements for a privacy management system within the context of an organization. HackerOne has included this control set within our ISO 27001 cert which provides requirements for an information security management system within the context of an organization. Our certification can be viewed here.

Have any questions?

If you have any questions concerning our privacy practices, please don’t hesitate to contact us at privacy@hackerone.com or at +1 (855) 242-8699.

Security

Our customers trust us with critical data contained within vulnerability reports and related to their technologies and security efforts. We work hard to ensure every bit of data is safe and protected.

How We Improve Our Own Security

How we improve our own security

  • Building an engineering team experienced in security and penetration testing.
  • Using mandatory peer reviews and analysis tools to help identify potentially vulnerable code.
  • Encrypting all network communications with SSL/TLS, Perfect Forward Secrecy, and HTTP Strict Transport Security (HSTS).
  • Enforcing strong password creation, using two-factor authentication, and storing bcrypt hashes instead of storing user passwords.

We also run our own vulnerability disclosure and bug bounty programs. We believe in transparency, so reported vulnerabilities are publicly disclosed once confirmed and resolved. Additionally, our latest hacker-powered penetration test results are available for review.

an image of a man and a woman working together at a laptop

What our application security efforts include

  • All commits go through mandatory code and security review, along with examination by static analysis.
  • Our architecture implements safe-by-default principles to consolidate user input, authorization, and business logic.
  • All data access and mutation goes through a framework utilizing strong typing and parameterization to eliminate SQL Injection attacks, as well as enforcing the presence of an anti-CSRF token prior to any data mutation.
  • We utilize a strict Content Security Policy and a safe-by-default templating language to effectively neutralize Cross-Site Scripting (XSS).
  • We encrypt all network communications with SSL/TLS accompanied with Perfect Forward Secrecy and HTTP Strict Transport Security (HSTS), including being HSTS preloaded in most major browsers.
  • All requests pass through multiple rate-limiting methods to protect against brute-force attacks.
  • We don't store passwords; we store bcrypt(15, salt, strcat(password, sha512(app-token, env-token)))
Security Guardrails

Guardrails to help users stay aware of security responsibilities

  • Passwords must be a minimum of 12 characters and pass a zxcvbn strong entropy check.
  • User-submitted content (such as attachments and images) is stored in Amazon S3, encrypted at rest using AES-256, and served from a sandboxed domain, protecting from Same-origin Policy attacks.
  • Two-factor authentication, IP whitelisting, and SAML are available to further restrict access to accounts.
  • Role-based access control allows for granular permissions for team members.
Infrastructure and Operational Security

What we do for infrastructure and operational security

  • Network segregation is aggressively deployed between services and environments.
  • Databases, files, and backups are encrypted at rest using AES-256.
  • All infrastructure access requires two-factor, multi-stage authentication.
  • We use Cloudflare to supplement our infrastructure’s resilience.
  • Enforced usage of strong passwords, password managers, client encryption, mobile device management, and screen locking.
  • All employees undergo a criminal background check prior to hiring.

Security is a never-ending job and we are constantly seeking to improve.

If you have any questions about our security efforts or suggestions on how HackerOne could be improved, please let us know at feedback@hackerone.com.

As part of our commitments to our customers, we further commit to specific Data & Information Security Terms. These cover policy, security, management, incident response, and more to detail how we protect customer data.

Compliance

We provide our users with a service, and they look to us to ensure we have adequate internal controls over our systems and their data.

We’ve engaged respected third-party firms to audit our infrastructure and security practices, resulting in a System and Organization Controls (SOC) 2 Type II audit report, FedRAMP authorization, ISO 27001 certification, and UK Cyber Essentials certification.

The HackerOne Platform runs on Amazon Web Services (AWS). We recommend you also review their compliance information at aws.amazon.com/compliance.

aicpa
SOC 2

SOC 2 is a means for ensuring a service provider adequately secures customer data, and the SSAE 18 audit standard assures customers that a provider’s security apparatus is working smoothly. Our SOC 2 Type II report covering the security, availability, and confidentiality trust service criteria is available under NDA to current and prospective customers, but our SOC 3 report is available here for anyone to review.

FedRamp logo
FedRAMP

FedRAMP is a U.S. federal government program that provides a standardized approach to security assessment, authorization, and continuous monitoring of cloud products and services to ensure that the proper level of security is in place when government agencies seek to access them. The program offers a "do once, use many times" authorization model, speeding up the government's adoption of cloud services so that the agencies do not have to individually evaluate the same offerings. We are FedRAMP Authorized at the Tailored Low-Impact SaaS level. Our authorization package can be obtained by agencies from the FedRAMP PMO.

Cyber Essentials Plus
UK Cyber Essentials Plus

UK Cyber Essentials Plus is a government-defined scheme to help organizations protect against common cyber-security threats. We have attained Cyber Essentials Plus by passing a third party assessment to validate that we meet the requirements outlined in the Cyber Essentials Scheme. Our certificate can be viewed here.

UK Cyber Essentials Logo
UK Cyber Essentials

UK Cyber Essentials is a government-defined scheme to help organizations protect against common cyber-security threats. We have attained the Cyber Essentials badge and meet the requirements outlined in the Cyber Essentials Scheme. Our certificate can be viewed here.

ISO 27001
ISO 27001

ISO 27001 provides requirements for an information security management system within the context of an organization. Our certification can be viewed here.

ISO 29147
ISO 29147

ISO 29147 provides requirements on the disclosure of vulnerabilities in products and services. We are in compliance with these requirements and can help our customers comply as well.

ISO 30111
ISO 30111

ISO 30111 provides guidelines for how to process and resolve potential vulnerability information in a product or online service. We are in compliance with these requirements and can help our customers comply as well.

Vendor Security Alliance Logo
Vendor Security Alliance

The Vendor Security Alliance (VSA) is a coalition of companies committed to improving internet security. They provide a questionnaire to ensure vendors have appropriate security controls in place. Our VSA CORE questionnaire can be viewed here.

PCI Security Standards Council Logo
PCI

The PCI Security Standards Council helps develop and implement security standards for account data protection. We do not store, process, and/or transmit cardholder data, and instead use Stripe, a third-party processor certified as a PCI Level 1 service provider. See how Stripe protects credit card data. For our part in accepting credit cards, we have completed the PCI DSS Self-Assessment Questionnaire and the related Attestation of Compliance, both of which are available upon request.

Section 508 Logo
Section 508

Section 508 is a U.S. federal law mandating that all information and communications technology used by the government be accessible to people with disabilities. Our platform supports or partially supports this requirement, details of which can be found in our Voluntary Product Accessibility Template (VPAT).

HackerOne Sanctions FAQ

HackerOne is actively monitoring the evolving events surrounding the Russian invasion of Ukraine to ensure the best possible outcomes for the hacker community, our employees, and the customers we serve.

We sincerely sympathize with the frustration and uncertainty faced by hackers and customers affected by exports controls and sanctions in areas such as Russia, Belarus, and occupied areas of Ukraine. We also recognize delays have occurred with various payment mechanisms. We are making every effort to do the right thing for all involved while complying with the U.S. laws. We continue to prioritize identifying and resolving any issues encountered by Ukrainian hackers. 

We understand that there are many questions, and we appreciate your patience while we ensure we can provide accurate answers. If the FAQ does not answer your question, please email sanctions@hackerone.com

Provide your information and choose documents to receive.

Transparency

We believe all technology contains vulnerabilities and the public plays a crucial role in identifying these gaps.

How we approve security

How we improve our own security

Since we are a technology company, we encourage the public to seek and report potential security vulnerabilities in our technology, and we even use our own technology to facilitate this process. That includes working with them to resolve the issue and ensuring they are fairly compensated for their discovery.

We also believe in transparency when it comes to our security, and that public disclosure not only reassures our customers, it makes the internet safer for everyone. When valid vulnerabilities are discovered in our technology, they are publicly disclosed once confirmed and resolved. You can see those disclosures on our Hacktivity page, which shows information from our vulnerability disclosure and bug bounty programs. Additionally, our latest hacker-powered penetration test results can be freely reviewed.

Transparency also extends to our platform uptime, incidents, and service level agreements, details of which are available on our status page.