HackerOne Community Edition: Let's do it!

We are in the process of applying for HackerOne Community Edition for our bug bounty program to provide incentives for people to do penetration testing and security assessments. In order for this to happen, I need each member project to add a SECURITY.md to the root of each git repository (on gitlab!).

Here are the requirements (verbatim from the above link):

  1. Open Source – Projects in scope must only be Open Source projects that are covered by an OSI license.
  2. Be Active – Projects must be active and at least 3 months old (age is defined by shipped releases/code contributions).
  3. Create a policy – You add a SECURITY.md in your project root that provides details for how to submit vulnerabilities (example).
  4. Advertise your program – Advertise your program – Display a link to your HackerOne profile from either the primary or secondary navigation on your project’s website.
  5. Be active – You maintain an initial response to new reports of less than a week.

Once this is done, it’s a matter of sending a simple email to HackerOne presenting our case, which should be more or less straight-forward.


Can we not test this out before adopting it wholesale publicly? Seems a bit backward process wise – best if we can evaluate and discuss first. @r0bby can you check with them to see if that’s possible?

I think we still need to do the items listed…