Code of Conduct

The Bugcrowd Code of Conduct outlines the behaviors required of all Bugcrowd community members participating in crowdsourced security engagements, Bugcrowd online community offerings such as the #bugcrowd IRC channel, the Bugcrowd Researcher Slack channel, Discord, virtual and live hacking events, as well as any other programs and events that may be offered by Bugcrowd.

This Code of Conduct applies to all interactions you have with Bugcrowd team members, customers, and researchers. The Bugcrowd community is intended for everyone, from all walks of life, and following this Code of Conduct will help ensure that we maintain a safe and welcoming place for all. Please take a moment to learn more about Who We Are and our standard requirements to understand the platform culture of all Bugcrowd participants.

Who we are and what we require

Our top core values are simple:

  • Be kind.
  • Be respectful and professional in your communications and behavior, and in compliance with the Platform Behavior Standards.
  • Be ethical. Don’t intentionally mislead customers or Bugcrowd. It is your job to try to break technology and to find business logic flaws, but when you find a weakness it is also your job to report it so it can be fixed, not to exploit it.
  • Help us improve. We do this through honest and insightful discussions with our peers and partners.

Vulnerability reporting standards

Be prompt in reporting vulnerabilities you have identified.

  • Disclosure Guidelines: Don’t share confidential vulnerability or customer information. Private program customers are private, and no submitted vulnerability (including duplicates, Out of Scope, Not Applicable, etc.) may be disclosed without explicit customer permission. Please read each Bounty Brief for specific program disclosure policies, which supersede (overrule) this bullet point. Always use the proper channels to disclose or communicate about vulnerability submissions. Contact Bugcrowd Support if you have any questions about disclosure.
  • If a vulnerability provides unintended access to data: Limit the amount of data you access to the minimum required for effectively demonstrating the impact of the vulnerability, and cease testing and submit a report immediately if you encounter any user data during testing, such as Personally Identifiable Information (PII), Personal Healthcare Information (PHI), credit card data, or proprietary information. In the event you access PII or other sensitive data, please note that you are required to follow all laws and regulations applicable to the access and processing of such personally identifiable information and/or data, such as the European Union’s General Data Protection Regulation (Regulation (EU) 2016/679), including the European Commission’s Standard Contractual Clauses regarding the transfer of personal data to processors and the California Consumer Privacy Act of 2018, and the California Privacy Rights Act of 2020.
  • It is not acceptable to create placeholder submissions that are used to “squat” on findings (e.g., reports that are rapidly submitted with a vague title and no detailed replication steps in the initial report, etc.); all valid findings must be submitted with a full description, proof of concept, and complete replication steps in the original report. In cases where the initial report is lacking a description, proof of concept, and replication steps, those reports will be closed and must be resubmitted with the required information to be considered for the program. Please always submit complete, fully populated, and articulate reports.
  • Read and abide by Bugcrowd’s Standard Disclosure Terms and each program’s Bounty Brief. We expect you to follow all guidelines and rules that a particular crowdsourced security program or company has outlined regarding scope of testing and disclosure. For more information about disclosure policies at Bugcrowd, see our documentation.

Responsible use of GenAI tools

Do not use GenAI tools (applications and services that rely on generative artificial intelligence models to create new and original content, such as text, images, audio, and code [example: ChatGPT]) except in a manner that avoids disclosure of confidential information, ensuring that:

  • You comply with all platform and program policies
  • You maintain the confidentiality and security of all confidential information that is made available to you or that you find in the program owner’s data and assets
  • You maintain the confidentiality of all identified findings between you, Bugcrowd, and the program owner
  • You do not use 3rd-party GenAI tools to create vulnerability submissions unless explicitly authorized by the program owner to do so
  • You manually review and validate any vulnerability report you’ve created with the help of authorized GenAI tools before submitting it. (Reports determined to have been submitted without human review are subject to rejection.)

Updated Oct 6, 2025
