One of the most important lessons we have learned is that organizations with the most successful bug bounty and Vulnerability Disclosure Programs are good partners with the hacker community. When hackers enjoy engaging with a program, there’s really no limit to their capabilities and creativity in finding critical security risks to an organization.
Implementing best practices for a top-notch vulnerability disclosure and bug bounty program can be a challenge; you want to do right by hackers and improve your security, but sometimes you’re just not sure what the best step is to move your program forward or how to signal to hackers that you run a top program.
Today, we’re pleased to announce a new tool to align your program with the state-of-the-art and signal your program maturity: Program Levels, a structured framework that lets programs level up by publicly committing to certain best practices.
Introducing Program Levels
We’ve studied and distilled what works for our top-performing programs. We already share many of these best practices during onboarding, regular program reviews, and documentation.
HackerOne Program Levels maximize the benefits of these best practices. Adopting them is an important step in an organization’s journey toward program maturity and provides a public, transparent signal to hackers of what to expect from programs at each level. Any program can volunteer to opt in and start its journey to Program Level 1 by contacting its assigned CSM.
Programs that meet all requirements earn a Program Level badge displayed on their program card and policy page. The HackerOne Opportunities page has a new filter to allow hackers to see only qualified programs when searching for new hacking opportunities.
Improving the Hacker and Program Experience
Program Levels will improve the experience for both hackers and programs on the HackerOne platform. First, levels promote one of our most important values: transparency. Hackers have more information up-front to make participation decisions and manage their expectations, while programs can signal in advance how they will handle certain reports and situations without adding more language to their program policy. Additionally, as these practices become widely adopted, both hackers and programs will benefit from increased consistency. This standardization lowers hackers’ barriers to entry to all new programs.
Program Levels are a public commitment to running a program according to these best practices, which will help increase hacker trust, especially when engaging with programs for the first time, and help us keep each other accountable. Additionally, these commitments will streamline the Mediation and Triage processes, because Program Levels clearly define how to handle these edge cases. This eliminates the back-and-forth that would otherwise be necessary to resolve these rare issues.
Finally, Program Levels create friendly competition among programs on the HackerOne platform. Many organizations are already engaged with the hacker community; through Program Levels, we’re providing a pathway with milestones and rewards toward even greater engagement and, ultimately, security maturity. Over time, Program Levels will be viewed as a mark of an organization’s security sophistication not only by hackers but also by security scorecards, cyber insurance providers, regulatory standards bodies, and the public at large. We firmly believe we all benefit from a race to the top in security.
This is a win-win for organizations and hackers. Organizations will get more reports and therefore be more secure, while hackers will have greater reward opportunities. When programs work better and more consistently, hacker outcomes improve; the reverse is also true, since improvement for one group automatically drives improvement for the other.
Getting Started With Program Level 1
Program Level 1 is currently available for all programs to earn. Program Level 2 will soon be trialed with early adopters.
Program Levels are progressive, meaning a program must achieve the previous level AND fulfill the requirements of the next level to earn the corresponding Program Level badge. HackerOne confirms and monitors the program’s commitment to its Program Level based on various factors, including hacker feedback (e.g., if the program regularly makes reward or other decisions that upset hackers).
- Program Level 1: requires adopting HackerOne’s updated Gold Standard Safe Harbor statement (GSSH), which becomes part of the program policy. HackerOne collaborated with the hacker community and industry partners to create a short, broad, easily understood safe harbor statement that supports the protection of organizations and hackers engaged in good-faith security research, aligned with the latest legal and regulatory developments.
  Achieving Program Level 1 adds a Level 1 badge to the program’s card and policy page, and also displays the new stand-alone Safe Harbor section on the program policy page.
- Program Level 2: Level 2 is aimed at rewards in bug bounty programs, and there are currently several required best practices (described in detail on the Program Levels page):
  - Reward on Triage
  - Full Reward Bypasses
  - See Something, Say Something
  - Reward for Value
  - Minimum Bounty Table
Once a level is awarded, programs are expected to continue to follow the best practices defined for that level, and programs will be held to their commitment if a Mediation involving a best practice arises. HackerOne will work with any program struggling to maintain the level’s best practices to help keep things on track, but ultimately, a program can be downgraded if it consistently fails to meet the level standards.
A Flexible Framework for Continuous Improvement
These best practices all share an overarching objective: to correctly identify and fairly reward security-enhancing reports from hackers, thereby encouraging more engagement and creating a virtuous security cycle.
We are excited about the potential for this new Program Levels framework to further enable program maturation, provide more transparency for hackers, and evolve through additional levels and perks (stay tuned!).
If your program wants to begin this process, contact your CSM.