Bug Bounty Program Basics for Companies

Bug bounty program rules, called a Security Page, including do's, don'ts, and award amounts

How do I tell hackers what I want?

Create your own security program page with instructions for hackers: what targets are in scope, what types of findings are eligible, what types are not, what rewards you will be paying, what behaviors are acceptable, and what the ideal vulnerability report should look like. Start with HackerOne's template, ask for help if you want it, modify as needed.

How do I decide how much to offer hackers?

Set bug bounty awards by technical classification of the bug and severity of its possible impact. We recommend a minimum of $100. The average is around $500 and the current record is $30,000. To get attention from the world's best hackers, pay more than the platform average.

Image: chart of bug bounty program awards ($100 recommended, $500 average on HackerOne, $30,000 record on HackerOne).

Who are the hackers?

Your hackers (also called security researchers or finders) are selected from the top tier of HackerOne. You can invite your own hackers, or HackerOne can customize your invitations for your specific needs. Your program starts private but can be made public.

How soon do I get vulnerability reports?

In the first day, expect 4 serious, non-duplicate vulnerability reports. The average customer should see around 10 vulnerability reports in the first 2 weeks. We can triage new reports for you with HackerOne Fully Managed.

Image: graph of the first 14 days of a bug bounty program, with 4 reports received on day one and 10 by day 14, alongside a sample security vulnerability report.

What happens when a report comes in?

Review the report for validity, using the report's proof of concept and the hacker's Reputation on HackerOne. If valid, fix the vulnerability on your own schedule.

How does the hacker get paid for valid reports?

For valid bugs, HackerOne handles the paperwork and payment to a hacker.


How do we know the bug bounty program is successful?

When you receive valid submissions, you know that your program is working. The sooner your engineering team can fix the bugs found, the more secure your system will be. When you deploy new software, you may want to offer new bounties to encourage repeat hackers to spend their time on you again.

Why HackerOne?

HackerOne becomes your partner who executes all aspects of your bug bounty program, including triage, bounty pricing, and hacker relations, allowing you to fully focus on fixing vulnerabilities.

Built by Experts

We built HackerOne based on our experience leading vulnerability management and bug bounty programs at Facebook, Microsoft and Google.

Improve Efficiency

We help you bring order and leverage into the chaotic process of coordinating multiple researchers, reports and internal stakeholders.

Find Issues Faster

Benefit from an army of friendly hackers that quickly and continuously find security holes so you can better protect your users and your brand.

Hacker Trust

Every hacker action on the HackerOne platform builds reputation based on report validity, severity and more. The best researchers rise to the top.

Dynamic Platform Intelligence

HackerOne applies intelligent pattern matching to find common issues across companies and identify duplicate reports.

Confidential Reports

You decide who has access to your confidential reports. Control is always in your hands, and your hands only.

Some Of Our Customers

adobe
yahoo
newrelic
uber
github
twitter
slack
square
dropbox
gm

bug bounty program /ˈbəg ˈbau̇n-tē ˈprō-ˌgram/ - A program where ethical hackers are invited to report security vulnerabilities to organizations, in exchange for monetary rewards for useful submissions. Bug bounties are commonly seen as the most effective and inexpensive way to identify vulnerabilities in live systems and products.