5 Ways to Attract Top Hackers To Your Bug Bounty Program

May 2nd, 2016

Talented hackers are the key ingredient for any successful bug bounty program. They find the most interesting and severe bugs, have strong technical abilities, intense curiosity, and an eye for anomalies.

Bug bounty programs are competitive, with new challenging programs launching daily. Whether you are new to managing a bug bounty program or have years of experience, your bug bounty program needs to stand out to attract the top hackers.

Here are 5 tips for attracting the best hackers:

1. Go Beyond The Bounty

Reward your best-performing hackers. This sounds simple and logical in concept, but it is harder to achieve in reality. Your top hackers are dedicating countless hours to examining your software for vulnerabilities. Let them know they are appreciated. Here are a few examples of creative ways the most competitive teams reward their best hackers beyond paying bounties:

  • Send limited edition swag to top hackers
  • Co-author a blog post with a hacker who submitted a severe vulnerability
  • Create a Twitter handle for your security team to praise hackers and highlight well written reports
  • Fly in your top hacker to come and speak to your development teams

2. Pay Bounties At The Time Of Triage

Top hackers submit more reports to responsive programs. I’ve never spoken to a hacker who didn’t greatly appreciate fast turnaround and bounty payment. Paying bounties at time of triage is one way to increase hacker loyalty and repeat participation in your program. When you award a bounty at the time of triage, it signals to the hacker that you are prioritizing his/her reports. There are plenty of programs that wait until fix time to award bounties; if you want to get ahead of this curve, pay at time of triage.

3. Increase Your Rewards Over Time

The most competitive teams reevaluate their bounty prices regularly. We recommend you review your bounty prices every 6 months. Over time your bounty minimum may increase or decrease, but ‘medium’ and ‘severe’ bounty payments should be consistently increasing to reflect your improved security. As your program matures, it will take hackers more effort and time to find severe vulnerabilities, and there are always shiny new programs launching that attract the attention of hackers with something fresh and interesting. The most competitive programs consistently increase bounties over time.

4. Set Clear Expectations Up Front

This may seem like a no-brainer, but I see many companies that don’t take the extra step to clearly articulate expectations in their policy. The most competitive programs use the scope to guide hackers to where they need their help the most. Being honest and transparent, and sharing as much as possible up front with hackers, sets the tone for your program. We also recommend sharing very clear expectations for average first response time, average resolution time, average time to bounty, and expected bounties by vulnerability type or severity. This information is already accessible in your HackerOne Dashboard. If your team isn’t comfortable sharing exact numbers for response times and bounties, use a range.

5. Ask Your Hackers For Feedback

This may sound like a cumbersome task, but it is easier than you think. There are many ways to survey your hackers, whether informally at the closure of a report, or by working with HackerOne to send out a survey to your participating hackers. This is a great way to capture invaluable feedback to improve your program. By proactively taking steps to show hackers you care about and value their feedback, you’re doing more than some of your peers.

Bonus

For public programs, a sure way to stand out is to be forthright with public disclosures. Not only are you contributing to the security community, you will pleasantly surprise many hackers by initiating the public disclosure. HackerOne offers both limited and full public disclosures, along with Summaries, so your team has control over what content will be shared publicly, including the ability to redact any sensitive information.

Please contact customersuccess@hackerone.com if you want guidance in implementing ideas to make your program more competitive. We are here to serve as a resource and advisor to help you build a successful and robust bug bounty program.

Mary Xu, Customer Success
