Hackers, we hear you. Unresponsive programs are a drain on your time and your sanity. That’s why over the past few months we’ve been maniacally focused on improving responsiveness platform-wide.
In January we announced platform-wide response standards requiring that all reports have a response within 5 business days and are triaged within 10 business days. As of today, 84% of active programs now meet these standards and each program’s response metrics are displayed on their program page for you to see.
We're working closely with the remaining 16% of programs that aren't there yet to get them caught up. You can identify these temporary exceptions by looking at the response efficiency metrics:
Going forward, all programs are required to maintain our response standards.
Our commitment to you
No matter what HackerOne program you choose to hack on, you deserve to know how responsive that program is and what its payouts look like before you start. You should expect responsive communication and timely bounty payouts from all programs (those managed by HackerOne and those that are not).
The current average time to bounty on the platform is 27 business days after a report has been triaged, and we'll be working on improving this metric next.
Cleaning up stale reports
These efforts do not, however, address a separate but important issue for hackers: inactive programs with unresolved reports. Some of these stale reports have been triaged and are just awaiting a fix while others are new and are yet to receive a response.
As of today, we have disabled these inactive programs and closed their open reports as Informative. Hackers will not be penalized in any way by these report closures; no loss of signal, reputation, or impact.
While we can’t pay bounties on old reports, each hacker with an open report in an inactive program will receive a token of appreciation for your work and dedication to our community. Keep an eye on your email inbox for more information soon.
Reputation awarded on triage
In addition, we know that hackers submitting valid reports often wait months to see the fruits of their hacking efforts (in terms of gained reputation and improved signal). Historically, reputation had been awarded on resolution, leaving hackers dependent on development timelines of individual programs. All that ended last week. Going forward, reputation (+7) will be awarded on triage so your efforts are more immediately recognized. Additional reputation for bounty and impact will still be awarded on on resolution to make sure your work is rewarded accordingly.
Together, we are making the internet safer. Without you, the amazing hacker community, HackerOne wouldn’t exist, plain and simple. We’d love to hear from you so please reach out! #TogetherWeHitHarder
HackerOne is the #1 hacker-powered security platform, helping organizations find and fix critical vulnerabilities before they can be criminally exploited. As the contemporary alternative to traditional penetration testing, our bug bounty program solutions encompass vulnerability assessment, crowdsourced testing and responsible disclosure management. Discover more about our security testing solutions or Contact Us today.