Privacy Policy — HackAdvisor Browser Extension

Last updated: 20.05.2026

This is the privacy policy for the HackAdvisor — Program Reviews browser extension.

The short version

The extension sends one thing to HackAdvisor: the URL of the bug bounty program page you are currently viewing, so it can look up that program's review count. Nothing else leaves your browser.

What the extension does

When you visit a bug bounty program page on a supported platform (HackerOne, Bugcrowd, YesWeHack, Intigriti, Standoff 365, BI.ZONE and Immunefi), the extension asks the HackAdvisor API how many community reviews that program has, and shows the result in a small widget.

What is sent

To https://hackadvisor.io/api/v1/extension/lookup, over HTTPS: the program-page URL you are currently viewing (for example, https://hackerone.com/example). That is the complete list. The request carries no cookies, no credentials, and no custom identifying headers.

What is NOT collected

• No name, email address, or any account identity — the extension has no login.
• No browsing history — only the single program page you are actively viewing is looked up, and only while you are on it.
• No host-page content — the extension detects program pages from the URL alone and never reads, scrapes, or transmits the content of any web page.
• No cookies or local credentials.
• No analytics, telemetry, advertising, or fingerprinting SDKs of any kind.

What is stored on your device

Two small values, in your browser's local extension storage, never transmitted:

1. Enabled — whether the widget is turned on (controlled by the popup).
2. Dismissed programs — programs whose widget you have dismissed, so it stays hidden.

You can clear both at any time by removing the extension.

Data sharing and selling

HackAdvisor does not sell your data and does not share it with third parties. The program-URL lookup is served only by HackAdvisor's own API.

Server-side handling

The lookup endpoint is rate-limited by IP and returns a cacheable, read-only result. Standard web-server access logs (IP address, timestamp) apply, as for any HTTPS request. See the HackAdvisor site terms for the broader picture.

Permissions

The extension requests only storage and access to hackadvisor.io for the lookup API, plus the ability to run on supported bug bounty platforms to display the widget. It requests no broad host access and contains no remote code.

Changes

Material changes to this policy will be reflected by the "Last updated" date above and, where appropriate, in the extension's update notes.

Contact

Questions about this policy: privacy@hackadvisor.io

HackAdvisor — The Bug Bounty Community