As you submit vulnerability reports through the HackerOne platform, your reputation measures how likely your finding is to be immediately relevant and actionable. Reputation is measured in points gained or lost based on report validity. It's weighted based on the size of the bounty and the criticality of the reported vulnerability. Reputation is based exclusively on your track record as a hacker.
There are a number of privileges that are gained by maintaining a high reputation, such as becoming eligible to receive invitations to private bug bounty programs. On the flip side, should your reputation decrease, the system will gradually reduce the number of report submissions allowed in a given time period.
It's critical to this community that security teams be afforded a high-signal environment so that they can focus on providing a quality response to hackers who submit the best reports.
Effects of Report State on Reputation
A Hacker profile starts with a reputation of 100. Reports gain or lose reputation based on the state in which they are closed. Reputation can't decrease below 0.
Triaged or Resolved
Duplicate of a resolved report submitted prior to the report being made public
The original report was resolved before the duplicate was filed
Self-closed N/A report
Duplicate of a self-closed N/A report
Duplicate of a resolved report submitted after the report is made public
Duplicate of a N/A report
You'll always have access to a detailed log of your reputation history, and reputation will never be necessary to access core functionality on the platform.
Duplicates of your own reports don't influence your reputation. This enables programs to close multiple reports that have the same root cause as duplicates without affecting a hacker's reputation.
Effects of Bounties on Reputation
The bounty amount you receive also impacts your reputation. Different bounty amounts grant you reputation based on the standard deviation from the program's mean bounty amount. Here's the breakdown of how much reputation you can gain depending on your bounty:
Known as BOUNTY_SEVERE.
Known as BOUNTY_HIGH.
Known as BOUNTY_MEDIUM.
Known as BOUNTY_LOW.
Keep in mind that the first 10 bounties of a program will each be awarded the BOUNTY_LOW reputation. After 10 bounties have been paid out, a hacker's reputation will be recalculated based on the standard deviation of the program's mean bounty.
Effects of Collaboration on Reputation
Collaborators will receive full reputation for report state changes (e.g. validity of the report). See Effects of Report State on Reputation above.
For bounties, collaborators will receive reputation in proportion to their share of the bounty. See Effects of Bounties on Reputation above.
Effects of Retesting on Reputation
If you participate in retesting a report, you'll receive +2 to your reputation.