Calculating Return on Mitigation (RoM) with Hai

Organizations: Easily Calculate RoM to Align Security with Business Value

Updated this week

Measuring the financial impact of security efforts can be challenging. Traditional metrics often fail to translate into clear business value, making budget justification and investment prioritization difficult.

Return on Mitigation (RoM) provides a solution by calculating the cost savings from fixing vulnerabilities before they can be exploited. This guide explains how to calculate and apply RoM within the platform using Hai Plays, which automates security workflows and provides data-driven insights to demonstrate the value of mitigation efforts.

Report-Level RoM Calculation

Once a report receives a bounty, a RoM banner will appear at the top of the report. Clicking the banner launches Hai to generate an immediate RoM calculation, giving you a clear, data-backed view of the financial impact of fixing the vulnerability. This helps quantify cost savings, justify budgets, and demonstrate the value of mitigation efforts in real time.

  1. Navigate to Findings.

  2. Find a report with a bounty awarded.

  3. Click Calculate Return on Mitigation.

    [Image: report with the Calculate Return on Mitigation banner]

Severity-Based Automation

Quickly measure cost savings on high-impact vulnerabilities with the Return on Mitigation (RoM) Calculator automation template. This template calculates RoM for high and critical severity reports and records the result either as an internal comment or in a custom field, so the financial impact is easy to track for reporting and decision-making. The automation runs when a report is resolved and posts the calculation as an internal comment on that report.

Go to Organization settings > Automations > Template library. Select the Return on Mitigation (RoM) Calculator Template.

[Image: Automation template library]

[Image: Return on Mitigation (RoM) Calculator template]

Scheduled RoM Reporting

Stay informed on your program’s value with the scheduled Return on Mitigation (RoM) reporting automation template. This feature automatically calculates RoM based on a specified time period (7 or 30 days) and delivers the results via email (recipients should be members of the HackerOne organization), ensuring you always have up-to-date insights to track cost savings and demonstrate impact.

Go to Organization settings > Automations > Template library. Use the Return on Mitigation (RoM) Recap template for a summary of all reports awarded a bounty in a given period of time.

[Image: RoM Recap template]

Customize the recap schedule and loop in key stakeholders so RoM insights stay top of mind, helping you track the financial impact of security investments and make data-driven decisions.
