Reviewer Code of Conduct

Platform interactions should be at all times respectful and communicated in a professional manner and tone with a view to being beneficial to the review validation process. Creating unnecessary noise, leaving rude/terse comments, or spamming comments are some examples which can be considered unprofessional behavior. These actions are unhelpful for organizations seeking professional help and impact the reputations of the code review platform, you as a Reviewer on the platform, and fellow Reviewer members of the community.

Slack Communication

Reviewer Slack communication should follow the same guidelines as general CoC. Creating unnecessary noise, leaving rude or lewd comments or images, or spamming posts for an update are considered unprofessional behavior. If it is confirmed that a Reviewer account is tied to actions which amount to a breach(es) of our CoC, enforcement action may be taken. Reviewers are permitted to use the Slack channels based on the intention set in the channel name and description. Reviewers are permitted to post content such as job opportunities with 3rd party organizations in the #general channel. Reviewers should post support issues or suggestions for improvements in the #support or #suggestions channel respectively. Reviewers will be added to the language specific private channels on an as-needed basis.

We encourage a friendly community with discussions both related and unrelated to code review, but be respectful and remember that there’s a human on the other side of the screen.

Some examples of inappropriate behavior:

• Judging the question or the person asking the question (“this is a dumb question”).

• Soliciting personal information (such as marital status, sexual orientation, phone number, address, etc).

• Continued one-on-one communication after requests to cease.

Acknowledgment of communication styles & interpretations

We understand and acknowledge that the context of providing professional feedback for individuals' work in peer code review workflows has many nuances, and that the lines of constructive criticism vs. non-constructive criticism can be circumstantial. We also understand and acknowledge that individuals tend to receive professional feedback differently. Any feedback provided to customers that is both reasonably related in subject matter and reasonably phrased, but received negatively (e.g., a code author takes offense) is NOT considered unprofessional behavior. These situations will be evaluated on a case-by-case basis by core members of the HackerOne team. Examples of unprofessional behavior in the form of code review feedback:

• 🚫 "The way you structured this component is dumb."

• 🚫 "Are you seriously going to just print the user's SSN to the console?"

• 🚫 "Wow this is bad. You need to just throw this away and try again."

Examples of code review feedback which likely would not be considered unprofessional behavior:

• ✅ "I have some concerns with the overall design of this component. As is, it doesn't follow conventional standards and best practices."

• ✅ "Printing PII like the user's SSN to the console is a critical security issue. My assumption is it's left over from debugging."

• ✅ "Unfortunately, the implementation of this feature is convoluted and error-prone. My opinion is that it would be more time-efficient to start from scratch. Here's the approach I would take..."

Private repository code review details including: organization name, repository name, scope, proprietary functionality, team composition, account information, or any other information considered confidential may result in enforcement actions.

When collaborating with other Reviewer members or core HackerOne team members, be sure to use communication channels which are not accessible to any non-community members. This includes Slack and email.

Only use approved communication channels unless the program has intentionally provided a contact method to the Reviewer and communication is facilitated via the code review platform or a medium approved and administered by a core HackerOne team member. Contacting customers “out-of-band” is a violation of this CoC. The code review platform (reviewer.pullrequest.com) is considered an approved communication channel; any others will either be explicitly specified in the code review platform or by a core HackerOne team member.

What if a customer contacts me outside of the code review platform? If a customer contacts you outside of the code review platform, and in a way which is not approved or facilitated by a core HackerOne team member, please report it to any staff member in the PullRequest Reviewers Slack Workspace and/or to [email protected].

Customers entrust our community to keep their code safe; any duplication or unauthorized extraction of intellectual property, including repository assets, is prohibited. This includes (but is not limited to):

• Attempting to clone private repositories.

• Extracting large blocks of logic to run on a local machine.

• Gaining access to and using accounts or production credentials not approved per the organization.

Any discrimination based on age, ethnicity, level of experience, nationality, personal appearance, race, religion, sexual or gender identity and orientation, physical appearance, political beliefs, or other protected classes is not tolerated.

Hate speech, profanity, or any aggressive threats in comments or other communication methods is strictly prohibited. Violating this guideline includes posts on social media and other platforms. If it is confirmed that a Reviewer member account is tied to actions which amount to a breach(es) of our CoC, enforcement action may be taken.

Any unauthorized use of intellectual property will not be tolerated. This includes assuming the work of other Reviewer community members as your own.

Disclosing organization information without previous authorization is not permitted. This encompasses social media, blog posts and any other disclosure methods.

This category also includes threats of disclosure. Enforcement actions will be escalated based on severity, means, and sensitivity of the disclosure

Any attempt to obtain material gain by coercion is not permitted and may amount to a criminal offense.

Any unauthorized attempts to socially engineer another party through impersonation of a core HackerOne employee, another member of the Reviewer community, an organization member or a falsified identity will not be tolerated.

“Confidential Information”: means any information made available through the HackerOne platform or programs, including but not limited to vulnerability information, confidential information and know-how (including but not limited to ideas, formulae, compositions, processes, procedures and techniques, research and development information, computer program code, performance specifications, support documentation, drawings, specifications, designs, business and marketing plans, and customer and supplier lists and related information.

“Reviewer” means an individual using the HackerOne code review platform to provide code review services.

“Code Review Submission” means comments and documents and related materials evidencing a Reviewers activities related to a merge request, including, but not limited to: source code, collaborator comments, and comments from other members of the Reviewer community.

“The Mediation Team”: is a cross-functional group of stakeholders led by senior HackerOne support staff.

“Personal Data”: is information that relates to an identified or identifiable individual. If it is possible to identify an individual directly from the information you are processing, then that information may be Personal Data.

Examples of Personal Data (not exhaustive)

• A person’s name;

• IP address;

• Cookie Identifier;

• Email addresses;

• Telephone numbers;

• Physical addresses;

• Date of birth;

• Health history;

• Ethnicity;

• Sexual Orientation; and/or

• Financial information: e.g. Banking information – credit card numbers, account numbers, sort codes