Bug Bounty Program Basics for Companies

What is a Bug Bounty & How it Works

[Figure: bug bounty program rules, called a Security Page, including do's, don'ts, and award amounts]

How do I tell hackers what I want?

Create your own hacker-powered security program page with instructions for hackers: what targets are in scope, what types of findings are eligible, what types are not, what rewards you will be paying, what behaviors are acceptable, and what the ideal vulnerability report should look like. Start with HackerOne's template, ask for help if you want it, modify as needed.

How do I decide how much to offer hackers?

Set bug bounty awards by technical classification of the bug and severity of its possible impact. For companies starting bug bounty programs (referred to as “Level 1”), we recommend a minimum of $150 for low severity vulnerabilities. The average for Level 1 companies across all vulnerability types is around $800. The current record bounty payment on HackerOne is $100,000. To get attention from the world's best hackers, we recommend you pay more than the platform average.

[Figure: chart of bug bounty program awards, comparing the recommended minimum, the HackerOne average, and the HackerOne record payout]

“Personally I hack because I really love to build stuff and I also love to break stuff…the best way to know how to build stuff is to know how you can break it.”

Who are the hackers?

The HackerOne Platform allows you to privately invite a select group of hackers in a safe and controlled manner. Your private invitations are facilitated through HackerOne, and you’re able to leverage HackerOne’s existing relationships with more than 200,000 hackers across the globe. You identify and select hackers based on their activity on other bounty programs, as well as their Signal, Impact, and Reputation scores.

What happens when a report comes in?

Your bug bounty team at HackerOne tests incoming bug reports for validity and works with the submitting hacker to collect any needed additional information. One of the most important parts of bug report management is smoothly handling communications with hackers. Transparency and candid feedback are paramount.

It is also vital to prioritize reports so that the most critical ones are acted upon first. HackerOne provides several ways to sort and filter bug reports to make this easy.

The bug bounty team then packages valid reports in a standardized way to simplify vulnerability management and remediation. Reports should include a summary, steps to reproduce, and an impact statement.

[Figure: graph of reports received over the first days of a bug bounty program]
[Figure: sample security vulnerability report]

How does the hacker get paid for valid reports?

For valid bugs, HackerOne’s integrated, end-to-end payment platform handles hacker verification, payment, tax compliance, and reporting for you. With HackerOne, there’s no need to collect 1099s or other documentation - we take care of it all. Using our platform, customers have made over 40,000 payments to hackers in 90 countries. We apply the highest level of security to our payment system, and we keep it safe with a public bug bounty program.

What does a successful bug bounty program look like?

The most successful programs have a number of things in common. For starters, successful programs reward hackers with competitive bounties to maintain engagement.

Great programs evolve over time, as your business grows and as the threat landscape changes. A program with a static attack surface will see it naturally harden over time. Increasing scope and maintaining competitive bounties will keep the community engaged and enhance long term value.

Mixing things up with live hacking and other special competitions will rally the community and boost security.


Where and how bug bounties fit into the SDLC

Whether formalized or not, every technology organization has a software development life cycle, or SDLC. An SDLC covers training, requirements, design, development, deployment, testing and response. While central to the testing and response phases, bug bounty programs provide important insights across all parts of the SDLC. For example, your bounty program may reveal an opportunity for best practices training to prevent gaps and vulnerabilities from occurring later. A bug bounty program can also alert you to ways to improve design practices.

Other best practices include establishing a weekly on-duty rotation to share the load across the bug bounty team. This keeps the program running smoothly while members of the team keep up with their other duties.

Implementing these best practices with HackerOne will surface high-quality, impactful vulnerability reports that a scanner would never find.

Why HackerOne?

HackerOne becomes your partner who executes all aspects of your bug bounty program, including triage, bounty pricing, and hacker relations, allowing you to fully focus on fixing vulnerabilities.

Built by Experts

We built HackerOne based on our experience leading vulnerability management and bug bounty programs at Facebook, Microsoft and Google.

Improve Efficiency

We help you bring order and leverage into the chaotic process of coordinating multiple researchers, reports and internal stakeholders.

Find Issues Faster

Benefit from an army of friendly hackers that quickly and continuously find security holes so you can better protect your users and your brand.

Hacker Trust

Every hacker action on the HackerOne platform builds reputation based on report validity, severity and more. The best researchers rise to the top.

Dynamic Platform Intelligence

HackerOne applies intelligent pattern matching to find common issues across companies and identify duplicate reports.

Confidential Reports

You decide who has access to your confidential reports. Control is always in your hands, and your hands only.

Some Of Our Customers

Adobe, Yahoo, Google Play, Alibaba, DoD, GitHub, Twitter, Slack, Oath, New Relic, Dropbox, Uber, GM

bug bounty program /ˈbəg ˈbau̇n-tē ˈprō-ˌgram/ - A program where ethical hackers are invited to report security vulnerabilities to organizations, in exchange for monetary rewards for useful submissions. Bug bounties are commonly seen as the most effective and inexpensive way to identify vulnerabilities in live systems and products.