Effective Date: Oct 1, 2022
Code of Conduct
By engaging with the HackerOne platform, customers, fellow members, and HackerOne core team members, all Reviewers agree to help empower our community by following the Code of Conduct (CoC). The CoC is in addition to the relevant items in our Terms of Use, Privacy Policy, and the executed agreements completed prior to activating your Reviewer status for eligibility to work on the platform.
Behave professionally
Platform interactions should be at all times respectful and communicated in a professional manner and tone with a view to being beneficial to the review validation process. Creating unnecessary noise, leaving rude/terse comments, or spamming comments are some examples which can be considered unprofessional behavior. These actions are unhelpful for organizations seeking professional help and impact the reputations of the code review platform, you as a Reviewer on the platform, and fellow Reviewer members of the community.
Slack Communication
Reviewer Slack communication should follow the same guidelines as the general CoC. Creating unnecessary noise, leaving rude or lewd comments or images, or spamming posts for an update are considered unprofessional behavior. If it is confirmed that a Reviewer account is tied to actions which amount to a breach (or breaches) of our CoC, enforcement action may be taken. Reviewers are permitted to use the Slack channels for the purpose set out in the channel name and description. Reviewers are permitted to post content such as job opportunities with third-party organizations in the #general channel. Reviewers should post support issues or suggestions for improvements in the #support or #suggestions channel, respectively. Reviewers will be added to the language-specific private channels on an as-needed basis.
We encourage a friendly community with discussions both related and unrelated to code review, but be respectful and remember that there’s a human on the other side of the screen.
Some examples of inappropriate behavior:
Judging the question or the person asking the question (“this is a dumb question”).
Soliciting personal information (such as marital status, sexual orientation, phone number, address, etc).
Continued one-on-one communication after requests to cease.
Acknowledgment of communication styles & interpretations
We understand and acknowledge that providing professional feedback on individuals' work in peer code review workflows has many nuances, and that the line between constructive and non-constructive criticism can depend on the circumstances. We also understand and acknowledge that individuals tend to receive professional feedback differently. Any feedback provided to customers that is both reasonably related in subject matter and reasonably phrased, but received negatively (e.g., a code author takes offense), is NOT considered unprofessional behavior. These situations will be evaluated on a case-by-case basis by core members of the HackerOne team.
Examples of unprofessional behavior in the form of code review feedback:
🚫 "The way you structured this component is dumb."
🚫 "Are you seriously going to just print the user's SSN to the console?"
🚫 "Wow this is bad. You need to just throw this away and try again."
Examples of code review feedback which likely would not be considered unprofessional behavior:
✅ "I have some concerns with the overall design of this component. As is, it doesn't follow conventional standards and best practices."
✅ "Printing PII like the user's SSN to the console is a critical security issue. My assumption is it's left over from debugging."
✅ "Unfortunately, the implementation of this feature is convoluted and error-prone. My opinion is that it would be more time-efficient to start from scratch. Here's the approach I would take..."
Do not disclose private repository details
Disclosing private repository code review details, including the organization name, repository name, scope, proprietary functionality, team composition, account information, or any other information considered confidential, may result in enforcement actions.
When collaborating with other Reviewer members or core HackerOne team members, be sure to use communication channels which are not accessible to any non-community members. This includes Slack and email.
Only communicate with customers through approved channels
Only use approved communication channels unless the program has intentionally provided a contact method to the Reviewer and communication is facilitated via the code review platform or a medium approved and administered by a core HackerOne team member. Contacting customers “out-of-band” is a violation of this CoC. The code review platform (reviewer.pullrequest.com) is considered an approved communication channel; any others will either be explicitly specified in the code review platform or by a core HackerOne team member.
What if a customer contacts me outside of the code review platform?
If a customer contacts you outside of the code review platform, and in a way which is not approved or facilitated by a core HackerOne team member, please report it to any staff member in the PullRequest Reviewers Slack Workspace and/or to [email protected].
No unauthorized use of intellectual property
Customers entrust our community to keep their code safe; any duplication or unauthorized extraction of intellectual property, including repository assets, is prohibited.
This includes (but is not limited to):
Attempting to clone private repositories.
Extracting large blocks of logic to run on a local machine.
Gaining access to and using accounts or production credentials not approved per the organization.
No abusive language
Any discrimination based on age, ethnicity, level of experience, nationality, personal appearance, race, religion, sexual or gender identity and orientation, physical appearance, political beliefs, or other protected classes is not tolerated.
Hate speech, profanity, or any aggressive threats in comments or other communication methods are strictly prohibited. This guideline also covers posts on social media and other platforms. If it is confirmed that a Reviewer member account is tied to actions which amount to a breach (or breaches) of our CoC, enforcement action may be taken.
No misuse or theft of intellectual property
Any unauthorized use of intellectual property will not be tolerated. This includes assuming the work of other Reviewer community members as your own.
Do not disclose organization information, confidential information or personal data without express written authorization
Disclosing organization information without previous authorization is not permitted. This encompasses social media, blog posts and any other disclosure methods.
This category also includes threats of disclosure. Enforcement actions will be escalated based on the severity, means, and sensitivity of the disclosure.
No extortion or blackmail
Any attempt to obtain material gain by coercion is not permitted and may amount to a criminal offense.
No unauthorized impersonation / social engineering
Any unauthorized attempts to socially engineer another party through impersonation of a core HackerOne employee, another member of the Reviewer community, an organization member or a falsified identity will not be tolerated.
Code of Conduct definitions
“Confidential Information” means any information made available through the HackerOne platform or programs, including but not limited to vulnerability information, confidential information and know-how (including but not limited to ideas, formulae, compositions, processes, procedures and techniques, research and development information, computer program code, performance specifications, support documentation, drawings, specifications, designs, business and marketing plans, and customer and supplier lists and related information).
“Reviewer” means an individual using the HackerOne code review platform to provide code review services.
“Code Review Submission” means comments, documents and related materials evidencing a Reviewer's activities related to a merge request, including, but not limited to: source code, collaborator comments, and comments from other members of the Reviewer community.
“The Mediation Team” means a cross-functional group of stakeholders led by senior HackerOne support staff.
“Personal Data” means information that relates to an identified or identifiable individual. If it is possible to identify an individual directly from the information you are processing, then that information may be Personal Data.
Examples of Personal Data (not exhaustive)
A person’s name;
IP address;
Cookie Identifier;
Email addresses;
Telephone numbers;
Physical addresses;
Date of birth;
Health history;
Ethnicity;
Sexual Orientation; and/or
Financial information: e.g. Banking information – credit card numbers, account numbers, sort codes
Enforcement Actions
The Reviewer Code of Conduct is enforced in accordance with the action guidelines below.
Please note that HackerOne reserves the right to escalate the severity of enforcement and sanctions in accordance with the nature of the offense and irrespective of previous offenses. Depending upon the severity of the offense, sanctions may include, without limitation, longer temporary bans, immediate removal from the Code Review Platform and/or a permanent ban.
| Incident | First Offense | Second Offense | Third Offense | Fourth Offense |
|---|---|---|---|---|
| Unprofessional behavior | Warning | 2nd Warning | Final Warning | Temporary Ban |
| Unauthorized duplication of private repository assets | Final Warning | Temporary Ban (2-3 weeks) | Temporary Ban (3 months) | Account Removal |
| Discussing confidential information without approval | Final Warning | Temporary Ban (2-3 weeks) | Temporary Ban (3 months) | Account Removal |
| Contacting customer team members out-of-band | Final Warning | Temporary Ban (2-3 weeks) | Temporary Ban (3 months) | Account Removal |
| Abusive language or harassment | Final Warning | Temporary Ban (2-3 weeks) | Temporary Ban (3 months) | Account Removal |
| Extortion and Blackmail | Account Removal | n/a | n/a | n/a |
| Unauthorized impersonation / Social Engineering | Account Removal | n/a | n/a | n/a |
Statutory timeline of warnings: When a Warning is issued in accordance with this Code of Conduct, HackerOne considers that warning to be applicable for 12 months. Warnings which are over 12 months old expire and are not typically assessed when reviewing the severity of new warnings.
See something, say something: If you see another Reviewer violating these rules, please reach out to our team.