HackerOne has launched the Hacker Milestone Rewards Program, a new achievement-based system that recognizes researchers for validated vulnerabilities. The program replaces the old reputation-only model, introducing a more inclusive, results-driven approach. In partnership with PortSwigger and PentesterLab, HackerOne now rewards researchers with milestone points, licenses, and exclusive swag.

Researchers earn milestone points based on the severity of valid reports. The first five duplicate reports for a vulnerability are also eligible for points.

HackerOne has partnered with leading security and training organizations to offer practical, skill-building rewards.

This new reward structure acknowledges the breadth of contributions from the hacker community - not just the first to find issues, but all valid submissions. It highlights a shift toward rewarding consistent, quality research and encourages skill growth across all experience levels.

Points Are Not Awarded for VDP Submissions

Points toward the Milestone Rewards Program are earned through bounty programs only including LHEs and Challenges. Submissions made to Vulnerability Disclosure Programs (VDPs) do not count toward your milestone points total.

Filling Out the Weakness ID

Always fill out the weakness_id field on your reports. Points are only allocated when this field is completed. If a report is missing a weakness_id, it will not be counted toward your Milestones points, even if it meets all other requirements. This is one of the most common reasons for point discrepancies, so make sure every submission includes this field before it goes to triage.

Whitelist Milestone Reward Emails

Milestone reward notification emails are sent from HackerOne's Milestone program (milestone@hackerone.com). To ensure you receive these emails, we recommend adding the sender to your allowlist/whitelist. Milestone emails may otherwise be filtered into your spam or junk folder, or automatically deleted depending on your email provider's settings.

A Note on Reward Availability
​
Rewards offered at each Milestones level are subject to change based on availability, inventory, and program updates. HackerOne reserves the right to substitute or adjust rewards at any level as needed. Hackers who have already qualified for a level will not lose their milestone status if a reward changes, but the specific item offered may differ from what was previously offered.

Customs Fees & Import Taxes for Physical Swag

All items are shipped from the United States. Depending on your location, customs fees, duties, or import taxes may apply upon delivery. These charges are the recipient's responsibility and are not reimbursed by HackerOne. Please estimate any potential customs charges before placing your order.

Issues With Shipping or Physical Swag Delivery

If you experience any issues with your shipment - such as delays, missing packages, or damaged items - please reach out directly to the shipping courier using the tracking information provided in your confirmation email. For issues related to the swag item itself, contact SwagPro directly for assistance.

HackerOne offers virtual reward options - including digital gift cards and charitable donations - for Levels 6–10 as an alternative to physical swag. Gift cards are fulfilled via Tango and typically delivered within approximately 24 hours, though virtual rewards like licenses and voucher codes are processed manually and may take longer.
​
A few important things to keep in mind:

To participate, start submitting valid vulnerabilities through your HackerOne profile. Track your progress toward milestones and watch for reward notifications as you climb the levels. For more details, visit HackerOne’s blog announcement.