Triage backlogs grow quickly. Prioritization tells your team where to look first. Each valid report is assigned a priority of Critical, High, Medium, or Low so higher-impact, more exploitable findings rise to the top of the queue.
Prioritization is part of Agentic Validation. After a report is confirmed as valid, the agent evaluates urgency based on vulnerability characteristics, exploitability, sensitive data risk, attack chains, and your organization’s custom rules. Reports closed during validation as duplicate, informative, not applicable, or spam are not assigned a priority, keeping your team focused on findings that matter.
Priority Levels
Priority | Meaning |
Critical | Demands immediate attention. Combines high exploitability with significant business or data impact, or matches a custom rule your organization has marked as critical. |
High | Should be reviewed promptly. Significant exploitability or impact, but does not meet the bar for Critical. |
Medium | Standard triage queue. Real risk, but lower urgency than Critical or High. |
Low | Minimal urgency. Valid issues with limited exploitability, narrow impact, or that fit normal cycles. |
What Prioritization Evaluates
The agent performs a comprehensive analysis across multiple dimensions to decide priority:
Dimension | What It Assesses |
Sensitive Data Exposure | Could this vulnerability expose personal, customer, or regulated data? |
Vulnerability Type | What kind of vulnerability is this? (RCE, SQL injection, IDOR, XSS, etc.) |
Exploitation Complexity | How easily could an attacker exploit this? |
Attack Chains | Could this combine with other open vulnerabilities to increase impact? |
Custom Business Rules | Does your organization have specific prioritization rules? |
Historical Context | Are there related reports on the same asset? |
The analysis distinguishes proven impact from theoretical risk. A researcher demonstrating unauthorized access to another user's data is treated as higher risk than a researcher testing only with their own account.
Priority vs. Severity
Severity (the CVSS rating on the report) is a useful input to prioritization, but it is not the answer on its own. Severity describes the technical impact if a vulnerability were exploited under standard assumptions. It doesn't account for how exploitable the issue actually is in your environment, what the affected asset is worth to your business, or your organization's specific risk tolerances.
Priority combines severity with those missing dimensions to produce an actionable verdict on urgency. As a result, severity and priority can differ on the same report without contradicting each other:
Example | Severity | Priority | Why |
Critical-severity SSRF on a staging system | Critical | Medium | Severe in theory, but the asset has limited business impact, and exploitation requires a non-trivial setup. |
Medium-severity IDOR on the production payments API | Medium | Critical | Modest CVSS, but the asset is a crown jewel, and the issue is trivially exploitable. |
In practice:
Severity: How bad is this kind of bug?
Priority: How urgently should we deal with this report?
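The two table rows above, worked as an added example (not HackerOne code or API output): a queue ordered by priority, with severity used only as a tie-breaker, plus a check that lists reports where the two ratings differ widely so a reviewer can read the agent log for them. The report records, IDs, and the two-level review threshold are constructed for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# One shared four-level scale for both fields, lowest to highest.
RANK = {"Low": 0, "Medium": 1, "High": 2, "Critical": 3}

@dataclass(frozen=True)
class Report:
    id: str                  # constructed identifier
    title: str
    severity: str            # CVSS rating on the report
    priority: Optional[str]  # None: closed during validation, never prioritized

# Constructed sample data; the first two rows mirror the table above.
REPORTS = [
    Report("R-1", "SSRF on a staging system", "Critical", "Medium"),
    Report("R-2", "IDOR on the production payments API", "Medium", "Critical"),
    Report("R-3", "Verbose error page", "Medium", "Medium"),
    Report("R-4", "Duplicate of R-2", "Medium", None),
]

def _key(r: Report) -> Tuple[int, int]:
    # Priority decides the order; severity only breaks ties.
    return (RANK[r.priority], RANK[r.severity])

def triage_queue(reports: List[Report]) -> List[Report]:
    """Return prioritized reports, most urgent first."""
    prioritized = [r for r in reports if r.priority is not None]
    return sorted(prioritized, key=_key, reverse=True)

def divergent(reports: List[Report], min_gap: int = 2) -> List[Tuple[str, int]]:
    """Return (id, gap) where gap = priority rank minus severity rank.

    Positive: priority raised above severity. Negative: lowered.
    min_gap=2 is an assumed review threshold, not a platform setting.
    """
    out = []
    for r in reports:
        if r.priority is None:
            continue
        gap = RANK[r.priority] - RANK[r.severity]
        if abs(gap) >= min_gap:
            out.append((r.id, gap))
    return out

if __name__ == "__main__":
    print([r.id for r in triage_queue(REPORTS)])
    print(divergent(REPORTS))
```

Sorting the same data by CVSS alone would put the staging SSRF first and the payments IDOR below it, which is the ordering priority is meant to correct.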
Where Priority Appears
Once a report is prioritized, the priority is visible in three places:
Report header — A priority badge appears next to the report title alongside Status, Asset, and CVSS, so it's the first thing your team sees.
Outcome panel — In the Outcome and next steps box on the report, the assigned priority is shown alongside the date it was set.
Expanded priority panel — Expand the priority row in the outcome panel to see:
The short reason the agent assigned this priority (e.g., "Reflected XSS in PDF preview parameter, requires user interaction, session-level impact.")
Update priority — change the priority manually if you disagree with the agent's assessment.
Manage context — open the custom-instructions configuration for your organization (see below).
For the complete agent reasoning, including every dimension considered and supporting evidence, click View agent log at the bottom of the outcome panel. The log is the source of truth for how priority was reached and is useful for sharing rationale with stakeholders.
Adjusting Priority
If the agent's assessment doesn't match your team's judgement, click Update priority in the expanded priority panel and select a new value. The change is recorded on the report timeline.
Configuring Custom Instructions
You can configure organization-specific rules that customize how the Prioritization Agent evaluates reports for your program.
To configure custom instructions:
Navigate to Organization Settings > Hai
Find the Prioritization Agent section
Enter your custom instructions in the text field
Save your changes
What you can customize:
Vulnerability type priorities (e.g., "RCE in production environments should always be high priority")
Asset-specific rules (e.g., "Reports affecting the payments API should be high priority")
Business context (e.g., "During compliance audits, be more cautious about flagging PII-related issues")
Business context (e.g., "hackerone.com is a crown jewel asset")
Exclusion rules (e.g., "Internal pentest reports should not be flagged as high priority")
Setting Up Escalation Notifications
In addition to seeing priority recommendations in the platform, you can configure automated notifications to alert your team through external channels when high-priority reports are identified.
These notifications are sent immediately when the agent flags a report as high priority—your team doesn't need to be in the platform to be alerted.
Prerequisites
To set up escalation notifications, your organization must have one of the following product editions:
Platform Enterprise
Enterprise
Pentest Premium hours
Creating an Automation
Navigate to Organization Settings > Automations
Click New automation
Search for the Early Warning template
Select your preferred integration and follow the configuration steps below
Slack
HackerOne supports two types of Slack webhooks: incoming webhooks and workflow trigger webhooks.
Incoming Webhooks (URL contains /services/):
Follow Slack's documentation to create an Incoming Webhook
Copy the webhook URL
Paste it into the HackerOne automation configuration
Save the automation
Workflow Trigger Webhooks (URL contains /triggers/):
Create a Slack Workflow with a webhook trigger
Copy the trigger URL
Paste it into the HackerOne automation configuration
Save the automation
Email
Enter the recipient email addresses, separated by commas
Save the automation
Microsoft Teams
In Power Automate, create an Instant or Automated cloud flow
Add the trigger When an HTTP request is received
Add an action: Post message in a chat or channel
Configure the Teams channel where you want notifications
Save the flow and copy the generated callback URL
Paste the URL into the HackerOne automation configuration
Save the automation
PagerDuty
In PagerDuty, create a new service or use an existing one
Add an integration with the type Events API V2
Copy the Integration Key
In HackerOne, navigate to Organization Settings > Automations > Secrets
Add a new secret variable named pagerduty_integration_key with your Integration Key
Return to the automation configuration and save
General Webhook
Enter your webhook URL
Save the automation
API Access
Prioritization Agent data is available through the HackerOne API for teams that want to integrate recommendations into their own workflows or tooling. See the API documentation for details on available fields and queries.

