Must Read
Header Requirements
Set a custom HTTP header in all your testing traffic. Once again, report to us what header you set so we can identify it easily for deconfliction purposes.
| Identifier Type | Format | Example |
|---|---|---|
| Your Username | X-Bug-Bounty:HackerOne-<username> | X-Bug-Bounty:HackerOne-username |
| Tool Identifier | X-Bug-Bounty:<toolname> | X-Bug-Bounty:BurpSuitePro |
- Scope Inclusions: Third-party assets outside of our control. We cannot authorize you to test assets that we do not host. Any such reports will be closed as Informative, but on occasion, we may reward a bonus if value to HackerOne's security posture is demonstrated. Note that issues within our control always fall within the scope of our program. This includes correct asset configuration and vulnerabilities/patching relating to self-hosted assets.
Hints & Tips
- Sandboxes: HackerOne offers a sandbox for hackers to help them test program functionality for security vulnerabilities. To create a program, go here. You can select any product edition, giving you access to almost all features HackerOne offers. Hackers can create up to 30 programs in the sandbox.
- Existence of Invite-Only Programs: HackerOne has six different program states that are important to understand: sandbox, invite-only, public, external program, external program + sandbox, and external program + invite-only. It is only a valid vulnerability when you can observe a difference between the sandbox and invite-only programs. It is not a vulnerability when you can't distinguish a sandboxed program from an invite-only program. You can use the following example program handles for your tests.
| Program state | Program handle | ID | Node ID |
|---|---|---|---|
| Sandbox | @security-test-sandbox | 49806 | Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDY= |
| Invite-only | @security-test-invite-only | 49807 | Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDc= |
| Public | @security | 13 | Z2lkOi8vaGFja2Vyb25lL1RlYW0vMTM= |
| External program | @security-test-ep | 49803 | Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDM= |
| External program + sandbox | @security-test-ep-sandbox | 49804 | Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDQ= |
| External program + invite-only | @security-test-ep-invite-only | 49805 | Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDU= |
- Other Object Identifiers for Proof of Concept: You may use the following object identifiers to test against on hackerone.com. Feel free to use these for a proof of concept when submitting a report to us.
| GraphQL ID | Class | ID | Note |
|---|---|---|---|
| Z2lkOi8vaGFja2Vyb25lL1N0cnVjdHVyZWRTY29wZS81ODU3OQ== | StructuredScope | 58579 | An asset belonging to @security-test-sandbox |
| Z2lkOi8vaGFja2Vyb25lL1N0cnVjdHVyZWRTY29wZS8xMDA1Nzg= | StructuredScope | 100578 | An asset belonging to @security-test-invite-only |
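The Node IDs and GraphQL IDs in the two tables above are base64-encoded global identifiers of the form gid://hackerone/<Class>/<numeric id>, which is why each row lists both a numeric ID and an opaque-looking ID. The following Python is an added example, not part of HackerOne's policy or code base: it decodes such an ID into its class and numeric ID, re-encodes it, and cross-checks the table rows. The decoded values can be verified from the strings on the page; the function and class names are this example's own.

```python
import base64
import binascii
from dataclasses import dataclass
from urllib.parse import urlparse


@dataclass(frozen=True)
class GlobalId:
    """Parsed form of a gid://<app>/<model>/<id> identifier (example's own type)."""
    app: str
    model: str
    object_id: int


def decode_global_id(node_id: str) -> GlobalId:
    """Base64-decode a node ID and split it into app, model class and numeric ID.

    Raises ValueError for anything that is not a well-formed gid URI, so a
    caller never silently accepts garbage as an identifier.
    """
    try:
        raw = base64.b64decode(node_id, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError) as exc:
        raise ValueError(f"not valid base64: {node_id!r}") from exc
    parts = urlparse(raw)
    if parts.scheme != "gid" or not parts.netloc:
        raise ValueError(f"not a gid URI: {raw!r}")
    segments = parts.path.strip("/").split("/")
    if len(segments) != 2 or not segments[1].isdigit():
        raise ValueError(f"unexpected gid path: {parts.path!r}")
    return GlobalId(app=parts.netloc, model=segments[0], object_id=int(segments[1]))


def encode_global_id(gid: GlobalId) -> str:
    """Inverse of decode_global_id: rebuild the base64 node ID."""
    uri = f"gid://{gid.app}/{gid.model}/{gid.object_id}"
    return base64.b64encode(uri.encode("utf-8")).decode("ascii")


def check_rows(rows):
    """Cross-check (node_id, expected_model, expected_id) rows; return mismatches."""
    mismatches = []
    for node_id, expected_model, expected_id in rows:
        try:
            gid = decode_global_id(node_id)
        except ValueError as exc:
            mismatches.append((node_id, str(exc)))
            continue
        if (gid.model, gid.object_id) != (expected_model, expected_id):
            mismatches.append((node_id, f"decoded to {gid.model}/{gid.object_id}"))
    return mismatches


# Rows copied from the tables above (values as printed on the page).
PAGE_ROWS = [
    ("Z2lkOi8vaGFja2Vyb25lL1RlYW0vNDk4MDY=", "Team", 49806),
    ("Z2lkOi8vaGFja2Vyb25lL1RlYW0vMTM=", "Team", 13),
    ("Z2lkOi8vaGFja2Vyb25lL1N0cnVjdHVyZWRTY29wZS81ODU3OQ==", "StructuredScope", 58579),
    ("Z2lkOi8vaGFja2Vyb25lL1N0cnVjdHVyZWRTY29wZS8xMDA1Nzg=", "StructuredScope", 100578),
]

if __name__ == "__main__":
    for node_id, _, _ in PAGE_ROWS:
        print(node_id, "->", decode_global_id(node_id))
    print("mismatches:", check_rows(PAGE_ROWS))
```

The point for anyone building or reviewing a GraphQL API: a node ID of this kind is a reversible encoding of class and primary key, not a secret. Its opacity contributes nothing to authorization, so every resolver that accepts one must still enforce the caller's access to the underlying object on the server side.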
DoS Testing Policy
🚀 Rules Overview
- Single request, single user, single IP only
- No automated tools or high-volume attacks
- Test Mon–Thu, off-peak hours only (9pm UTC – 6am UTC)
- Stop immediately if service degrades to avoid risk to bounty eligibility
- Mention your IP and timezone when the attack was conducted (for internal audit)
- Cache poisoning DoS will be evaluated on a case-by-case basis based on impact
💰 Reward
- DoS (Medium Severity): $2,500 USD
==Reports that include prohibited actions will not be eligible for a reward.==
⚠️ Eligibility
To qualify for a DoS reward, findings must demonstrate measurable degradation of HackerOne's servers or infrastructure (e.g. increased response times, service unavailability, or resource exhaustion on our systems).
Testing Guidelines
✅ Allowed
- Single-user realistic actions only
- Gradual testing (start with 1–2 requests)
- Cross-IP validation required (send requests from a single IP, cross-check service/delay from another IP)
- Immediate stop when impact is detected
❌ Prohibited
- DDoS or multiple IPs
- Automated tools (scripts, bots, etc.)
- Resource exhaustion attacks
- Data corruption or manipulation