// Trust & Security Report

    HackerOne logo

    HackerOne

    Crowdsourced Security / Continuous Threat Exposure Management

    Certifications held

    12

    Maturity

    Enterprise

    Trains on your data

    No

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2 Type 2
    HELD

    SOC 2 Type 2 listed under 'Compliance and trust' on HackerOne's trust center profile, with SOC 2 Type II Report available on request.

    Verify on trust.hacker.one
    ISO 27001
    HELD

    ISO-27001 listed under certifications on HackerOne's trust center. ISO27001/27701 Certificate and Statement of Applicability are downloadable from the trust center.

    Verify on trust.hacker.one
    ISO 27701
    HELD

    ISO-27701 listed explicitly alongside ISO-27001 in the trust center certification list.

    Verify on trust.hacker.one
    PCI DSS
    HELD

    PCI DSS listed as a certification on the trust center. PCI DSS SAQ available on request.

    Verify on trust.hacker.one
    FedRAMP (Tailored LI-SaaS)
    HELD

    Achieving FedRAMP Tailored LI-SaaS authorization is a testament to HackerOne's long-standing commitment to ensuring a secure environment for our U.S. government clients. — Lynn Chia, Director of Federal at HackerOne (May 2020)

    Verify on hackerone.com
    UK Cyber Essentials Plus
    HELD

    UK Cyber Essentials Plus listed as a certification; Cyber Essentials Plus Certificate is directly downloadable (PDF) from the trust center.

    Verify on trust.hacker.one
    ISO 29147 (Vulnerability Disclosure)
    HELD

    ISO 29147 listed under trust center certifications.

    Verify on trust.hacker.one
    ISO 30111 (Vulnerability Handling)
    HELD

    ISO 30111 listed under trust center certifications.

    Verify on trust.hacker.one
    EU-US Data Privacy Framework (DPF)
    HELD

    EU - US DPF listed as a certification on the trust center profile.

    Verify on trust.hacker.one
    Vendor Security Alliance (VSA)
    HELD

    Vendor Security Alliance listed under trust center certifications.

    Verify on trust.hacker.one
    GDPR
    HELD

    GDPR listed as a trust center certification. Privacy policy explicitly designates HackerOne as a controller under GDPR with full data subject rights; DPA pre-signed and publicly available.

    Verify on trust.hacker.one
    CCPA / CPRA
    HELD

    CCPA listed in trust center certifications. Privacy policy confirms: 'WE DO NOT SELL OR SHARE YOUR PERSONAL DATA FOR CROSS-CONTEXT BEHAVIORAL ADVERTISING.'

    Verify on hackerone.com
    > Show 1 unconfirmed / not-held certifications
    HIPAA
    NOT CONFIRMED

    Not listed in trust center certifications. No mention found on hackerone.com or trust.hacker.one.

    source: trust.hacker.one

    // Privacy & AI training

    Trains on customer data

    No

    Data processing agreement

    Offered

    Data region

    United States (primary). EU-US DPF and Standard Contractual Clauses protect EU data transfers. No multi-region residency option documented for standard tiers.

    Generative AI (Hai): 'HackerOne will not use Customer Input or AI Output to train or improve any shared or general-purpose artificial intelligence models.' (source: hackerone.com/terms/AI). Hai AI documentation confirms: 'Hai does not train, fine-tune, or otherwise improve GenAI or large language models on customer or researcher data.' LLMs are stateless with zero data retention. Non-generative ML features may use Customer Input for service improvement, but 'AI Usage Data will not include Customer Confidential Information and will not be used in a manner that identifies Customer.' Admins can disable customer-facing Hai capabilities.

    // Security controls

    Bug Bounty (self-hosted on own platform)

    HackerOne runs its own public bug bounty program on the HackerOne platform. Disclosures published on their Hacktivity page.

    trust.hacker.one

    Penetration Testing

    Annual Pen Test Report, Code Review Pen Test Report, and Pen Test Report with Findings Remediated all available on request from trust center.

    trust.hacker.one

    Access Control

    Trust center lists Access Control, Data Access, Logging, and Password Security as documented controls.

    trust.hacker.one

    Business Continuity

    BCP, DRP, and Incident Response Plan documents available on request via trust center.

    trust.hacker.one

    AI Governance

    Artificial Intelligence (AI) Governance Framework Policy and Acceptable Use of AI Policy both available on request via trust center.

    trust.hacker.one

    Data Processing Agreement

    Pre-signed DPA incorporating Standard Contractual Clauses publicly available.

    hackerone.com

    Vulnerability Disclosure Transparency

    Valid vulnerabilities in HackerOne's own systems are publicly disclosed once confirmed and resolved, visible on the Hacktivity page.

    trust.hacker.one

    // Products & data scope

    H1 BountyBug Bounty Platform

    data: Customer vulnerability reports, scoped assets, researcher communications, payment data. Vulnerability data remains Customer Data. No GenAI training on this data.

    Supports public and private programs. 2M+ researcher community. Customers can disable Hai AI features.

    H1 Pentest / H1 Agentic PentestPentest as a Service (PTaaS)

    data: Customer application data, scope definitions, pentest findings. Compliance-ready reports for SOC 2, ISO 27001, FedRAMP.

    AWS-specific pentesting available. AI-driven agentic pentest scales attack surface coverage.

    H1 Continuous TestingContinuous Security Testing

    data: Live application assets, vulnerability findings. Data governed by same SOC 2 / ISO 27001 controls.

    Pentest-grade signal continuously rather than point-in-time.

    H1 AI Red TeamingAI Security Testing

    data: Customer AI systems and models under test. Mapped to OWASP LLM Top 10, MITRE ATLAS, NIST AI RMF.

    Specialist product for organizations deploying AI systems. Different data scope from platform products.

    H1 CodeAI-Assisted Code Security

    data: Source code when authorized via SCM integrations. Access governed by JIT principles with full audit logging.

    Hai accesses source code only when authorized. Fix-ready findings delivered into existing workflows.

    H1 Response (VDP)Vulnerability Disclosure Program

    data: External researcher reports, internal triage data. GDPR-compliant disclosure channel.

    Often used to meet regulatory disclosure mandates. Free/low-cost entry tier available for public programs.

    Hai (Agentic AI Orchestrator)AI Security Agent

    data: Accesses vulnerability reports, metadata, app behavior, source code (when authorized), documentation, issue tracker data. Stateless LLMs; zero data retention post-request.

    Admins can disable customer-facing Hai features. HackerOne continues using Hai internally for Triage even when disabled.

    // What to watch

    • FedRAMP authorization is Tailored LI-SaaS (Low Impact), not Moderate or High. Government agencies requiring higher impact levels should verify separately.
    • Non-generative ML features may use Customer Input for service improvement (not GenAI). Admins should review AI terms at hackerone.com/terms/AI if sensitive.
    • Hai AI continues operating internally for Triage even when admins disable customer-facing Hai features. Customers should be aware of this distinction.
    • HackerOne itself is a security vendor, so it operates its own bug bounty program on its own platform, providing exceptional transparency into its own vulnerability posture.

    // At a glance

    Pricing model

    Enterprise / sales-led. No public pricing. Bug bounty programs pay per confirmed result (pay-for-results model). Pentest and continuous testing on subscription/contract basis.

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on HackerOne's own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    trust.hacker.one

    > Browse all vendor trust reports