What is a Bug Bounty & How it Works
Create your own hacker-powered security program page with instructions for hackers: what targets are in scope, what types of findings are eligible, what types are not, what rewards you will be paying, what behaviors are acceptable, and what the ideal vulnerability report should look like. Start with HackerOne's template, ask for help if you want it, and modify it as needed.
Set bug bounty awards by technical classification of the bug and severity of its possible impact. For companies starting bug bounty programs (referred to as “Level 1”), we recommend a minimum of $150 for low severity vulnerabilities. The average for Level 1 companies across all vulnerability types is around $800. The current record bounty payment on HackerOne is $100,000. To get attention from the world's best hackers, we recommend you pay more than the platform average.
“Personally I hack because I really love to build stuff and I also love to break stuff…the best way to know how to build stuff is to know how you can break it.”
The HackerOne Platform allows you to privately invite a select group of hackers in a safe and controlled manner. Your private invitations are facilitated through HackerOne, and you’re able to leverage HackerOne’s existing relationships with more than 200,000 hackers across the globe. You identify and select hackers based on their activity on other bounty programs, as well as their Signal, Impact, and Reputation scores.
Your bug bounty team at HackerOne tests incoming bug reports for validity and works with the submitting hacker to collect any needed additional information. One of the most important parts of bug report management is smoothly handling communications with hackers. Transparency and candid feedback are paramount.
It is also vital to prioritize reports so that the most critical ones are acted upon first. HackerOne provides several ways to sort and filter bug reports to make this easy.
The bug bounty team then packages valid reports in a standardized way to simplify vulnerability management and remediation. Reports should include a summary, steps to reproduce, and an impact statement.
For valid bugs, HackerOne’s integrated, end-to-end payment platform handles hacker verification, payment, tax compliance, and reporting for you. With HackerOne, there’s no need to collect 1099s or other documentation; we take care of it all. Using our platform, customers have made over 40,000 payments to hackers in 90 countries. We apply the highest level of security to our payment system, and we keep it safe with a public bug bounty program.
The most successful programs have a number of things in common. For starters, successful programs reward hackers with competitive bounties to maintain engagement.
Great programs evolve over time, as your business grows and as the threat landscape changes. A program whose attack surface stays static will see that surface harden naturally over time. Increasing scope and maintaining competitive bounties will keep the community engaged and enhance long-term value.
Mixing things up with live hacking and other special competitions will rally the community and boost security.
Whether formalized or not, every technology organization has a software development life cycle, or SDLC. An SDLC covers training, requirements, design, development, deployment, testing and response. While central to the testing and response phases, bug bounty programs provide important insights across all parts of the SDLC. For example, your bounty program may reveal an opportunity for best practices training to prevent gaps and vulnerabilities from occurring later. A bug bounty program can also alert you to ways to improve design practices.
Other best practices include establishing a weekly on-duty rotation to share the load across the bug bounty team. This keeps the program running smoothly while team members keep up with their other duties.
Implementing these best practices with HackerOne will produce high-quality, impactful vulnerability reports that a scanner would never find.
HackerOne becomes the partner that executes all aspects of your bug bounty program, including triage, bounty pricing, and hacker relations, allowing you to focus fully on fixing vulnerabilities.
We built HackerOne based on our experience leading vulnerability management and bug bounty programs at Facebook, Microsoft and Google.
We help you bring order and leverage into the chaotic process of coordinating multiple researchers, reports and internal stakeholders.
Benefit from an army of friendly hackers that quickly and continuously find security holes so you can better protect your users and your brand.
Every hacker action on the HackerOne platform builds reputation based on report validity, severity and more. The best researchers rise to the top.
HackerOne applies intelligent pattern matching to find common issues across companies and identify duplicate reports.
You decide who has access to your confidential reports. Control is always in your hands, and your hands only.