Overview
The Return on Mitigation dashboard helps you demonstrate the financial value of your HackerOne program by quantifying the estimated risk mitigated through remediation efforts and comparing it to the actual program investment. With easy-to-understand visuals and exportable summaries, you can show leadership teams how your offensive security investments deliver measurable impact.
To learn more about the features and functionality available on all dashboards, see the Dashboards documentation.
To find the Return on Mitigation dashboard, click Analytics in the left navigation, then click Return on Mitigation.
Summary
The Summary section at the top of the Return on Mitigation dashboard provides a high-level snapshot of your program’s performance. It highlights four key metrics to help you quickly understand your program's financial value.
Your RoM - A high-level multiplier indicating the value protected for every dollar spent, simplifying the demonstration of your HackerOne program’s ROI. A 3x RoM means $3 in mitigated losses for every $1 spent, a compelling message for execs and boards.
Estimated Mitigated Losses - The dollar value of risk your program has mitigated by addressing exploitable vulnerabilities, compared year-on-year. This quantifies your impact, justifying budgets, showing security ROI, and aligning with finance and leadership expectations.
Worst-Case Mitigated Losses - A conservative estimate of maximum losses mitigated if vulnerabilities were exploited in worst-case scenarios. Provides stakeholders a deeper view of potential impact and strengthens your narrative with a fuller risk range.
Amount Spent - Total investment in your program, including platform fees and rewards for the selected period. This provides context for your spending, allowing direct comparison to risk mitigated and enhancing budgeting and investment discussions.
Amount Invested vs. Estimated Mitigated Losses
Shows the amount invested vs. your estimated mitigated losses, benchmarked against all HackerOne customers (the median of all HackerOne customer RoM results). On this chart, you can:
Explore - This enables you to take a deep dive into your data to see what areas you need to focus on to improve your program.
Show the data in table format - switch between the graph and table views.
More - Export the data from the chart and view it in full-screen mode.
Top Weaknesses By Total Mitigated Losses
Shows the Top CWE weaknesses seen by total estimated mitigated losses across all relevant reports to your program during a selected time period. On this chart, you can:
Explore - This enables you to take a deep dive into your data to see what areas you need to focus on to improve your program.
Show the data in table format - switch between the graph and table views.
More - Export the data from the chart and view it in full-screen mode.
Highest Impact Reports
The Highest Impact Reports section shows an impact summary of the top three reports to your program, ranked by estimated mitigated losses. From here you can open the report or ask Hai for additional insights.
Breakdown of Estimated Mitigated Losses
The breakdown of estimated losses provides an overview of how the RoM calculation has identified your losses, either based on defaults or on your tailored inputs provided in the RoM setup across the CIA triad of:
Confidentiality - Assesses how vulnerable data is to unauthorised access due to existing weaknesses. When confidentiality is breached, sensitive information risks exposure to unauthorised individuals.
Integrity - Assesses the reliability and accuracy of data and evaluates the likelihood of data manipulation or modification by a malicious actor. A breach of integrity could result in important data being altered, added, or removed, which might lead to the storage or presentation of inaccurate information.
Availability - Assesses how a vulnerability affects the system's or its data's accessibility, particularly during events like system crashes or DDOS attacks. A loss of availability implies that users might not be able to access the system or its services when required.
Where:
Average SLE - The Average Single Loss Expectancy is the estimated monetary loss when a threat event occurs.
Average ARO - The Average Annual Occurrence Rate is the average number of times in a given year that an individual vulnerability is expected to be exploited.
Average mitigated losses avoided/vuln - The average US dollar value of mitigated losses avoided per vulnerability.
Total mitigated losses avoided - The total US dollar value of all mitigated losses avoided against all vulnerabilities within the timeframe.
Breakdown of Amount Invested
The breakdown of the amount invested displays your total HackerOne investment split into two parts: your HackerOne platform fee (subscription fees plus other applicable services such as Triage and Security Advisory Services (SAS), aggregated over the selected time frame) and Hacker rewards (including retests) paid out during this period. Remediation costs incurred outside the platform are not included.
How to Tailor Your Return On Mitigation Calculation
While the Return on Mitigation calculation uses your report and payment information together with default values, Org Admin Users can update the Industry (NAICS Industry), Revenue size, SLE (Single Loss Expectancy), and ARO (Annual Occurrence Rate) defaults via the Return on Mitigation setup. This can be completed at the:
Organizational level
Asset level
Grouped asset level - using our custom asset tags, to set up and view RoM results at a grouped asset level, for example, by business unit, asset type, etc.
Tailor Your RoM Calculation At the Organizational Level
To update the RoM calculation defaults, an Org Admin User can click the settings icon on the RoM dashboard. This takes you to the Return On Mitigation settings screen.
You can update your industry and revenue size using the dropdown menus, which will refresh the SLE (Single Loss Expectancy) baseline for each incident type, which is based on IBM’s Cost of a Breach report. The SLE represents the estimated monetary loss if a threat event happens.
You can further personalise the SLE values for each of the CIA Triad incident types, setting values for both high- and low-impact incidents using the value sliders; see the definitions of the CIA Triad above.
Additionally, you can personalise the ARO (Annual Occurrence Rate) values for each element of the CIA Triad using the dropdown options. See definitions for ARO.
Because an incident can impact more than one component (e.g., a High-Confidentiality and High-Integrity impact incident), when personalising ARO values, count a given incident toward all of the components where it has an impact.
If you wish to return to the default SLE and ARO values, select Reset defaults.
Once you have made all of the required changes, click Save. You can then navigate to the Return On Mitigation dashboard by clicking Go back to dashboard button at the top right of the page to view the updated dashboard.
Tailor Your RoM Calculation At Asset/Grouped Asset Level
To update the RoM calculation defaults, an Org Admin User can click on the settings icon on the RoM dashboard. This will take you to the Return On Mitigation settings screen. At the bottom of the setup screen, you can Add customization to set RoM setup values at the asset or grouped asset level:
Next, you can select the assets you wish to include in the customisation group from your Asset Inventory or CVE Discovery. You can use the search and filter functions to help identify assets that you wish to select to include in the customization group. The filter options allow you to filter by:
Engagement
Asset
Report Severity
Imported
Weakness
Custom Inbox
Once you have selected all desired assets for the customization group, click Next.
You can update your industry and revenue size using the dropdown menus, which will refresh the SLE (Single Loss Expectancy) baseline for each incident type, which is based on IBM’s Cost of a Breach report. The SLE represents the estimated monetary loss if a threat event happens.
You can further personalise the SLE values for each of the CIA Triad incident types, setting values for both high- and low-impact incidents using the value sliders; see the definitions of the CIA Triad above.
Additionally, you can personalise the ARO (Annual Occurrence Rate) values for each element of the CIA Triad using the dropdown options. See definitions for ARO.
If you wish to return to the default SLE and ARO values, select Reset defaults.
Add the name of your asset customization; this must be a unique name.
Once you have made all of the required changes, select Save. You can then navigate to the Return On Mitigation dashboard by clicking the Go to dashboard button at the top right of the page to view the updated dashboard.
At the bottom of the settings page, you can add more asset customization groups and edit or delete existing ones.
Using Hai for RoM
While the dashboard delivers the metrics, Hai can help bring them to life.
This guide explains how to calculate and apply RoM against specific reports or by severity, and how to schedule RoM reporting on the platform using Hai Plays, which automate security workflows and provide data-driven insights to demonstrate the value of mitigation efforts.
Hai can interpret RoM results in plain language, answer questions like “Which vulnerabilities drove the most avoided loss this quarter?”, and automate scheduled RoM summaries so executives and program leaders always have up-to-date, exportable insights, whether weekly, monthly, or quarterly.
Frequently Asked Questions
How is my RoM calculated?
At a high level, RoM is calculated using the following formula:
RoM = (Mitigated losses/year - Amount invested) / Amount invested
Where:
Estimated mitigated losses/year = SLE * ARO * vulnerabilities found
Amount invested = Platform fees + Cost of rewards
With the following calculation definitions:
Estimated mitigated losses/year = cost to the organization if vulnerabilities remain unremediated for the next year
Single loss expectancy (SLE) = The estimated monetary loss when a threat event occurs. The baseline comes from IBM’s Cost of a Breach report. You can modify this value by updating your industry and adjusting the percentage of the baseline SLE for each incident type. SLE values update yearly with the latest industry data. When they do, we'll automatically adjust your selections using the same position on the slider, so your choices stay consistent.
Annual rate of occurrence (ARO) = The rate at which you expect to experience a threat event. The baseline comes from the Verizon Data Breach Investigations Report (DBIR), and is scaled to the CVSS score or CVE score, where one has been provided, of the individual vulnerability report and to HackerOne industry benchmarks. You can override this value by updating your revenue size and changing the ARO for each incident type.
Platform fees = Includes HackerOne subscription fees and other applicable services like Triage, Security Advisory Services (SAS), etc. Each subscription fee is adjusted to reflect the portion of time covered by your selected date range and is allocated evenly across the date range.
Hacker rewards = Includes valid, paid, non-duplicate submissions. Based on actual payments made (not reports submitted) within the date range.
Confidentiality = Measures the risk of unauthorized access to sensitive data due to a vulnerability. If compromised, data may be exposed to unauthorized parties.
High impact = The attacker gains full access to the system, including highly sensitive data like encryption keys.
Low impact = The attacker has limited access to information and cannot control the information they can access.
Integrity = Measures the risk of data being tampered with, altered, or deleted by an attacker, potentially leading to inaccurate or untrustworthy information.
High impact = The attacker can modify all data on the system, resulting in a total loss of integrity.
Low impact = A limited amount of data may be altered, but the system experiences no significant impact.
Availability = Measures how a vulnerability affects access to systems or data, such as through crashes or DDoS attacks. A loss of availability means users may be unable to access services when needed.
High impact = The system or data becomes completely unavailable to authorized users.
Low impact = Access may be intermittently limited or system performance degraded.
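A worked example of the formula defined in this FAQ answer, which also produces the per-component figures described under Breakdown of Estimated Mitigated Losses and the fee/reward split described under Breakdown of Amount Invested. This is an added illustration, not HackerOne's own code: every SLE, ARO, report, payment and fee value is constructed, the fee proration and the exclusion of duplicate or out-of-range payments follow the Platform fees and Hacker rewards definitions above, and the CVSS-based scaling of ARO is not modelled. A report that affects more than one CIA component is counted toward each affected component, as the setup guidance above states.

```python
from dataclasses import dataclass
from datetime import date

# --- Constructed inputs (placeholders, not HackerOne defaults or IBM/DBIR figures) ---

# Single Loss Expectancy (USD) per CIA component, for high- and low-impact incidents.
SLE = {
    "confidentiality": {"high": 400_000.0, "low": 40_000.0},
    "integrity":       {"high": 250_000.0, "low": 25_000.0},
    "availability":    {"high": 150_000.0, "low": 15_000.0},
}
# Annual Rate of Occurrence per CIA component (expected exploitations per year).
ARO = {"confidentiality": 0.4, "integrity": 0.3, "availability": 0.5}

START, END = date(2025, 1, 1), date(2025, 6, 30)  # selected dashboard date range


@dataclass
class Report:
    report_id: str
    # impact per CIA component: "high", "low", or None when the component is unaffected
    impacts: dict


@dataclass
class Payment:
    report_id: str
    amount: float
    paid_on: date
    valid: bool
    duplicate: bool


REPORTS = [  # constructed sample reports
    Report("R1", {"confidentiality": "high", "integrity": "high", "availability": None}),
    Report("R2", {"confidentiality": "low", "integrity": None, "availability": None}),
    Report("R3", {"confidentiality": None, "integrity": None, "availability": "high"}),
]
PAYMENTS = [  # constructed sample payments
    Payment("R1", 5_000.0, date(2025, 3, 1), valid=True, duplicate=False),
    Payment("R2", 500.0, date(2025, 4, 10), valid=True, duplicate=False),
    Payment("R3", 2_000.0, date(2025, 2, 1), valid=True, duplicate=False),
    Payment("R1", 1_000.0, date(2025, 3, 5), valid=True, duplicate=True),    # duplicate: excluded
    Payment("R4", 3_000.0, date(2024, 12, 15), valid=True, duplicate=False),  # paid before range: excluded
]


def mitigated_loss(report, sle=SLE, aro=ARO):
    """Estimated mitigated loss/year for one report: SLE * ARO, summed over every
    CIA component the report affects (an incident counts toward all components it impacts)."""
    return sum(sle[c][impact] * aro[c] for c, impact in report.impacts.items() if impact)


def prorated_platform_fee(fee, start, end, sub_start, sub_end):
    """Portion of a subscription fee that falls inside the selected range, assuming
    the fee is spread evenly over the subscription period (day counts are inclusive)."""
    lo, hi = max(start, sub_start), min(end, sub_end)
    if hi < lo:
        return 0.0
    return fee * ((hi - lo).days + 1) / ((sub_end - sub_start).days + 1)


def hacker_rewards(payments, start, end):
    """Valid, non-duplicate payments made within the range (by payment date, not submission date)."""
    return sum(p.amount for p in payments
               if p.valid and not p.duplicate and start <= p.paid_on <= end)


def return_on_mitigation(reports, payments, platform_fees, start, end):
    """Apply the FAQ formula: RoM = (mitigated losses - amount invested) / amount invested."""
    losses = sum(mitigated_loss(r) for r in reports)
    invested = platform_fees + hacker_rewards(payments, start, end)
    if invested <= 0:
        raise ValueError("amount invested must be positive to compute a multiplier")
    # Per-component split, as shown on the Breakdown of Estimated Mitigated Losses chart
    breakdown = {c: sum(SLE[c][r.impacts[c]] * ARO[c] for r in reports if r.impacts[c])
                 for c in SLE}
    return {
        "estimated_mitigated_losses": losses,
        "avg_mitigated_loss_per_vuln": losses / len(reports),
        "breakdown": breakdown,
        "amount_invested": invested,
        "rom": (losses - invested) / invested,
    }


def summarize():
    """Run the constructed scenario: a $100k annual subscription viewed over H1 2025."""
    fee = prorated_platform_fee(100_000.0, START, END, date(2025, 1, 1), date(2025, 12, 31))
    return return_on_mitigation(REPORTS, PAYMENTS, fee, START, END)


if __name__ == "__main__":
    for key, value in summarize().items():
        print(f"{key}: {value}")
```

Running the block prints the summary for the constructed scenario: the three reports mitigate an estimated $326,000 per year (confidentiality $176,000, integrity $75,000, availability $75,000), the prorated fee plus $7,500 in rewards gives roughly $57,089 invested, and the resulting RoM is about 4.7. Changing an SLE slider value or an ARO in the dictionaries at the top shows how sensitive the multiplier is to those tailored inputs.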
Do I need to input data to get RoM?
If you are a direct customer of HackerOne, no, the dashboard works out of the box with default assumptions. However, we recommend tailoring the setup for more accurate results.
If you have purchased HackerOne’s services via one of our Partners, yes - an Org Admin User can click the settings icon on the RoM dashboard. This takes you to the Return On Mitigation settings screen, where you need to set at least the two Platform fees fields and click Save towards the bottom of the page before the Return on Mitigation dashboard will populate. We recommend tailoring the remaining setup values as well for more accurate results.
Can I use RoM for compliance reporting?
Yes — especially the exportable PDF reports and worst-case mitigation estimates.
The RoM Set Up settings icon is not active for me. Why is it not active?
Only Org Admin users can complete the RoM Set Up, and the settings icon will only be active for them.
What are ‘good’ RoM results?
There’s no single “good” RoM score that applies to every organization. Return on Mitigation (RoM) should be interpreted in the context of your specific environment, security maturity, and program goals.
High RoM often indicates that your HackerOne program is helping uncover impactful vulnerabilities that may not be caught by internal processes, especially in earlier stages of program maturity.
As your organization matures and strengthens internal processes (e.g. secure development practices, early-stage testing), the RoM multiplier may decrease. This can be a positive sign, showing that fewer issues are reaching production and that you're shifting risk mitigation earlier in the lifecycle.
For example, RoM could be interpreted against program maturity:
Early maturity programs may see a higher RoM, which suggests external researchers are identifying high-impact gaps not yet caught internally.
Mid-maturity programs may see a balanced RoM, which suggests internal teams and external testers are complementary.
Advanced maturity programs may see a higher internal RoM and lower BBP/VDP/Pentest RoM, which suggests vulnerabilities are increasingly identified earlier in the SDLC, before they reach production.
Tips for using RoM effectively:
Track RoM over time to understand how your program is evolving.
Explore RoM by asset, report, or weakness type to uncover where you’re seeing the most value or where improvements are needed.
Adjust inputs like ARO and SLE to better reflect your environment and risk model.
Collaborate internally with stakeholders like your CISO, finance team, or compliance leads to align on RoM inputs.
Our RoM results seem low. What should I take from this?
That’s an insight in itself. It might reflect limited scope or underused features. Use this as a starting point to explore how the program can deliver more value.
Our RoM results are negative. What should I do?
A negative RoM indicates that, based on current scope and program activity, the potential mitigated losses are lower than the investment made. While this may seem unfavorable, it’s a valuable insight:
It may point to limited scope, underutilized asset coverage, or low hacker engagement
It creates an opportunity to optimize: expanding program reach, adjusting severity focus, or improving signal-to-noise ratio
It also highlights the importance of tailoring assumptions (SLE, ARO, and asset criticality) for a more realistic model
Instead of defending the number, use it as a starting point for a strategic discussion: "What would RoM look like with broader coverage? Are we focusing efforts in the right places to maximize risk reduction?"
Our RoM results don’t reflect our full security picture?
That’s correct; RoM only reflects risk avoided through HackerOne programs. It complements, not replaces, broader security KPIs. But it’s often the clearest bridge between technical output and financial value.