Create your own security program page with instructions for hackers: what targets are in scope, what types of findings are eligible, what types are not, what rewards you will be paying, what behaviors are acceptable, and what the ideal vulnerability report should look like. Start with HackerOne's template, ask for help if you want it, modify as needed.
Set bug bounty awards by technical classification of the bug and severity of its possible impact. We recommend a minimum of $100. The average is around $500 and the current record is $30,000. To get attention from the world's best hackers, pay more than the platform average.
Your hackers (also called security researchers or finders) are selected from the top tier of HackerOne. You can invite your own hackers, or HackerOne can customize your invitations for your specific needs. Your program starts private but can be made public.
In the first day, expect 4 serious, non-duplicate vulnerability reports. The average customer sees about 10 vulnerability reports in the first 2 weeks. We can help you triage new reports with HackerOne Fully Managed.
Review the report for validity, using the report's proof of concept and the hacker's Reputation on HackerOne. If valid, fix the vulnerability on your own schedule.
For valid bugs, HackerOne handles the paperwork and payment to a hacker.
When you receive valid submissions, you know that your program is working. The sooner your engineering team can fix the bugs found, the more secure your system will be. When you deploy new software, you may want to offer new bounties to encourage repeat hackers to spend their time on you again.
HackerOne becomes your partner who executes all aspects of your bug bounty program, including triage, bounty pricing, and hacker relations, allowing you to fully focus on fixing vulnerabilities.
We built HackerOne based on our experience leading vulnerability management and bug bounty programs at Facebook, Microsoft and Google.
We help you bring order and leverage into the chaotic process of coordinating multiple researchers, reports and internal stakeholders.
Benefit from an army of friendly hackers that quickly and continuously find security holes so you can better protect your users and your brand.
Every hacker action on the HackerOne platform builds reputation based on report validity, severity and more. The best researchers rise to the top.
HackerOne applies intelligent pattern matching to find common issues across companies and identify duplicate reports.
You decide who has access to your confidential reports. Control is always in your hands, and your hands only.