You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: docs/hackers/hacker-mediation.md
+29-9Lines changed: 29 additions & 9 deletions
Original file line number
Diff line number
Diff line change
@@ -11,27 +11,47 @@ Hacker mediation requests commonly occur when a program's behavior is clearly ou
11
11
* A program claims a domain is in scope on their Security Page, then makes a last minute change to pull it out of scope based on your report.
12
12
* A program clearly outlines a vulnerability in a particular domain as being worth a minimum bounty, but then awards less than that amount or no bounty at all without providing an explanation.
13
13
14
-
><i>Note: Please don't share any report details with HackerOne in the initial request without explicit mutual agreement from the program. If more information is required to address the problem, HackerOne will arrange it with the program's security team.</i>
14
+
While HackerOne can't guarantee a resolution or override a security team's assessment, hacker mediation is used to successfully bring issues to the security team's attention, which results in a more favorable outcome for everyone involved. Please keep in mind that if a program is not managed or triaged by HackerOne, then the time to fully resolve the mediation might take longer than usual.
15
15
16
16
### Requesting Hacker Mediation
17
17
In order to request mediation:
18
18
1. Open the report you'd like to request HackerOne mediation support for.
When providing information about the mediation, please be as descriptive as possible about the nature of the disagreement. By default, the mediation team doesn’t have access to the original report as this is to protect the privacy of the information and parties involved in handling of reports. If no information is provided in the mediation request, this will increase the mediation response time, as the mediation team will have to take time to make sure they understand the context in order to provide the proper assistance.
33
+
34
+
> Note: Please don't share any report details with HackerOne in the initial request without explicit mutual agreement from the program. If more information is required to address the problem, HackerOne will arrange it with the program's security team.
35
+
36
+
As a reminder, hacker mediation is a privilege that is reserved for hackers with signal ≥ 1. In most cases, HackerOne will not be able to mediate for reports that have been closed for over 3 months. Please respect the guidelines above and only request mediation if it's deemed absolutely necessary. Abuse of the hacker mediation process will result in this privilege being revoked from your account.
26
37
27
38
### Hacker Mediation Triggers
28
39
Requesting hacker mediation triggers the following actions:
29
-
1) An email is sent to the program's security team, requesting that they make their best effort to resolve the issue with the hacker within 3 business days.
40
+
1. An email is sent to the program's security team, requesting that they make their best effort to resolve the issue with the hacker within 3 business days.
30
41
31
-
2) If the security team doesn't respond to the hacker or if the situation isn't resolved, HackerOne will evaluate all available information about the vulnerability report, the hacker who requested mediation, and the organization to determine the appropriate level of escalation.
42
+
2. If the security team doesn't respond to the hacker or if the situation isn't resolved, HackerOne will evaluate all available information about the vulnerability report, the hacker who requested mediation, and the organization to determine the appropriate level of escalation.
32
43
33
-
3) If, in HackerOne's judgment, the hacker's case warrants bringing to the company's attention out of band, HackerOne's Customer Success team will do so.
44
+
3. If, in HackerOne's judgment, the hacker's case warrants bringing to the company's attention out of band, HackerOne's Customer Success team will do so.
34
45
35
-
While HackerOne can't guarantee resolution or override a security team's assessment, hacker mediation has been used to successfully bring items to the security teams' attention, resulting in a more favorable outcome for everyone involved.
46
+
4. If the security team is unable to respond to the hacker or if the situation is not promptly resolved, The Mediation team will contact all involved parties and work together with the hacker and program teams to gain an appropriate and timely outcome.
36
47
37
-
As a reminder, hacker mediation is a privilege that is reserved for hackers with signal ≥ 1. In most cases, HackerOne will not be able to mediate for reports that have been closed for over 3 months. Please respect the guidelines above and only request mediation if it's deemed absolutely necessary. Abuse of the hacker mediation process will result in this privilege being revoked from your account.
48
+
### Mediation requests vs Support Requests
49
+
Mediation requests are different from Support requests. When requesting for mediation, it’s important that you request for help for the right reasons, as some issues are best taken to HackerOne support instead. Here’s a table to help you see the difference between the type of requests:
50
+
51
+
Mediation Request | Support Request
52
+
----------------- | ---------------
53
+
Bounty disagreement (e.g: The bounty table specifies a different amount that the one awarded for this criticality) | Request help with a payment that didn’t go through
54
+
Resolution disagreement (e.g: The bug was marked as duplicate and the “original” report has an older report number) | Request credentials for a program
55
+
Unresponsiveness (e.g.: The triage team or the program provided no updates for a week) | Two-factor authentication resets
0 commit comments