// Trust & Security Report
HackerOne
Crowdsourced Security / Continuous Threat Exposure Management
Certifications held
12
Maturity
Enterprise
Trains on your data
No
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on trust.hacker.one“SOC 2 Type 2 listed under 'Compliance and trust' on HackerOne's trust center profile, with SOC 2 Type II Report available on request.”
Verify on trust.hacker.one“ISO-27001 listed under certifications on HackerOne's trust center. ISO27001/27701 Certificate and Statement of Applicability are downloadable from the trust center.”
Verify on trust.hacker.one“ISO-27701 listed explicitly alongside ISO-27001 in the trust center certification list.”
Verify on trust.hacker.one“PCI DSS listed as a certification on the trust center. PCI DSS SAQ available on request.”
Verify on hackerone.com“Achieving FedRAMP Tailored LI-SaaS authorization is a testament to HackerOne's long-standing commitment to ensuring a secure environment for our U.S. government clients. — Lynn Chia, Director of Federal at HackerOne (May 2020)”
Verify on trust.hacker.one“UK Cyber Essentials Plus listed as a certification; Cyber Essentials Plus Certificate is directly downloadable (PDF) from the trust center.”
Verify on trust.hacker.one“ISO 29147 listed under trust center certifications.”
Verify on trust.hacker.one“ISO 30111 listed under trust center certifications.”
Verify on trust.hacker.one“EU - US DPF listed as a certification on the trust center profile.”
Verify on trust.hacker.one“Vendor Security Alliance listed under trust center certifications.”
Verify on trust.hacker.one“GDPR listed as a trust center certification. Privacy policy explicitly designates HackerOne as a controller under GDPR with full data subject rights; DPA pre-signed and publicly available.”
Verify on hackerone.com“CCPA listed in trust center certifications. Privacy policy confirms: 'WE DO NOT SELL OR SHARE YOUR PERSONAL DATA FOR CROSS-CONTEXT BEHAVIORAL ADVERTISING.'”
> Show 1 unconfirmed / not-held certifications
source: trust.hacker.oneNot listed in trust center certifications. No mention found on hackerone.com or trust.hacker.one.
// Privacy & AI training
Trains on customer data
No
Data processing agreement
Offered
Data region
United States (primary). EU-US DPF and Standard Contractual Clauses protect EU data transfers. No multi-region residency option documented for standard tiers.
Generative AI (Hai): 'HackerOne will not use Customer Input or AI Output to train or improve any shared or general-purpose artificial intelligence models.' (source: hackerone.com/terms/AI). Hai AI documentation confirms: 'Hai does not train, fine-tune, or otherwise improve GenAI or large language models on customer or researcher data.' LLMs are stateless with zero data retention. Non-generative ML features may use Customer Input for service improvement, but 'AI Usage Data will not include Customer Confidential Information and will not be used in a manner that identifies Customer.' Admins can disable customer-facing Hai capabilities.
// Security controls
Bug Bounty (self-hosted on own platform)
HackerOne runs its own public bug bounty program on the HackerOne platform. Disclosures published on their Hacktivity page.
trust.hacker.onePenetration Testing
Annual Pen Test Report, Code Review Pen Test Report, and Pen Test Report with Findings Remediated all available on request from trust center.
trust.hacker.oneAccess Control
Trust center lists Access Control, Data Access, Logging, and Password Security as documented controls.
trust.hacker.oneBusiness Continuity
BCP, DRP, and Incident Response Plan documents available on request via trust center.
trust.hacker.oneAI Governance
Artificial Intelligence (AI) Governance Framework Policy and Acceptable Use of AI Policy both available on request via trust center.
trust.hacker.oneData Processing Agreement
Pre-signed DPA incorporating Standard Contractual Clauses publicly available.
hackerone.comVulnerability Disclosure Transparency
Valid vulnerabilities in HackerOne's own systems are publicly disclosed once confirmed and resolved, visible on the Hacktivity page.
trust.hacker.one// Products & data scope
data: Customer vulnerability reports, scoped assets, researcher communications, payment data. Vulnerability data remains Customer Data. No GenAI training on this data.
Supports public and private programs. 2M+ researcher community. Customers can disable Hai AI features.
data: Customer application data, scope definitions, pentest findings. Compliance-ready reports for SOC 2, ISO 27001, FedRAMP.
AWS-specific pentesting available. AI-driven agentic pentest scales attack surface coverage.
data: Live application assets, vulnerability findings. Data governed by same SOC 2 / ISO 27001 controls.
Pentest-grade signal continuously rather than point-in-time.
data: Customer AI systems and models under test. Mapped to OWASP LLM Top 10, MITRE ATLAS, NIST AI RMF.
Specialist product for organizations deploying AI systems. Different data scope from platform products.
data: Source code when authorized via SCM integrations. Access governed by JIT principles with full audit logging.
Hai accesses source code only when authorized. Fix-ready findings delivered into existing workflows.
data: External researcher reports, internal triage data. GDPR-compliant disclosure channel.
Often used to meet regulatory disclosure mandates. Free/low-cost entry tier available for public programs.
data: Accesses vulnerability reports, metadata, app behavior, source code (when authorized), documentation, issue tracker data. Stateless LLMs; zero data retention post-request.
Admins can disable customer-facing Hai features. HackerOne continues using Hai internally for Triage even when disabled.
// What to watch
- FedRAMP authorization is Tailored LI-SaaS (Low Impact), not Moderate or High. Government agencies requiring higher impact levels should verify separately.
- Non-generative ML features may use Customer Input for service improvement (not GenAI). Admins should review AI terms at hackerone.com/terms/AI if sensitive.
- Hai AI continues operating internally for Triage even when admins disable customer-facing Hai features. Customers should be aware of this distinction.
- HackerOne itself is a security vendor, so it operates its own bug bounty program on its own platform, providing exceptional transparency into its own vulnerability posture.
// At a glance
Pricing model
Enterprise / sales-led. No public pricing. Bug bounty programs pay per confirmed result (pay-for-results model). Pentest and continuous testing on subscription/contract basis.
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on HackerOne's own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
trust.hacker.one