Security Page

All audiences: A program's security page contains key information about the program

Updated this week

The security page provides hackers with comprehensive information needed to engage with a program. It covers guidelines, scope, testing requirements, rewards, and report handling procedures, helping hackers make informed decisions about their participation and align expectations on potential outcomes.

Manage this page by going to your engagement's security page and opening Customizations. From there, choose the section you would like to manage.

Introduction

The introduction section lets you personalize how your program connects with the hacker community. This is the first thing a hacker sees, so it's a great spot to showcase the program's team culture, values, and more.

introduction section

Program Highlights

This section shows important program features at a glance. The program managers define some of the highlights, while others appear dynamically when certain criteria, such as Top Response Efficiency, are met.

Scope

This is the program's strategy for handling submissions, and it is always visible under Program Highlights.

  • Closed Scope: The program only accepts submissions on assets listed in its scope. This is the default value for all programs.

  • Open Scope: The program accepts and rewards submissions for assets it owns even if they are not listed in its scope.

    • Top-tier programs that are further along in their security journey enable this option to elevate their security posture. It shows they have a “Pay-for-value” approach, rewarding any report that prompts action, whether the asset is in scope or not. For out-of-scope assets, the reward will match the impact-based rewards defined for similar in-scope impacts.

    • Special considerations:

      • Hackers, please exercise care. A program cannot authorize testing on an asset that it does not host itself.

      • In the event of a disagreement, HackerOne Mediation will determine a fair outcome and bounty.

      • HackerOne may require you to disable this declaration if it is not being upheld.

Fast Payment

  • The program is committed to paying within one month of submission.

  • Enable this option to show hackers that you’re committed to paying rewards within a month of the report. To do this, you’ll need efficient processes to quickly assess and triage the report's impact. You don’t need to resolve the report before awarding.

    • Special considerations:

      • If a report is delayed due to waiting for a hacker's response, the timeline extends accordingly.

      • If you’re going to miss the 1-month deadline, proactively update the report with the reason and a new estimated payment time.

      • HackerOne may require you to disable this option if you don’t meet the commitment.

Gold Standard

  • The program follows Gold Standard Safe Harbor rules. You can learn more about Gold Standard Safe Harbor (GSSH) here.

Platform Standards

  • The program complies with all of HackerOne’s detailed platform standards with no deviations. Learn more below.

Coordinated Vulnerability Disclosure

This shows the level of Coordinated Vulnerability Disclosure compliance your program meets: standard, limited, or undeclared. As security transparency becomes more expected in the industry, companies with the most mature security postures follow Coordinated Vulnerability Disclosure. Also, to meet NIST standards, your program must allow for the disclosure of security issues.

Top Response Efficiency

  • Programs with a response efficiency of over 90% are awarded a badge to highlight their achievement.

  • This achievement-based badge only appears when a program meets the criteria.

Average Response Efficiency Metrics

HackerOne displays a program's average response efficiency metrics on the security page so hackers can see how responsive your program is in:

  • giving a first response

  • paying out a bounty

  • resolving a vulnerability

The average times are calculated on a rolling 3-month basis, and you can configure which metrics to display in Program Settings > Customizations > Metrics Display.

Rewards

A bounty table shows how much a program is willing to pay for the various bugs it receives. It breaks down the average bounty paid by severity for specific assets to give hackers an idea of what bounty they can earn.

Rewards/bounty table

Deviations (if applicable)

  • Detailed Program Standards

    • The platform standards serve as direction for customers to help provide consistency, fairness, and, above all, the best results possible for all participants on the platform.

    • No deviations: A badge will appear in the Program Highlights section. This is the default setting.

    • With deviations: The program indicates which standards do not apply to it. A block appears listing the specific deviations.

    • Learn more about Detailed Program Standards here.

Platform Standards deviations

  • Exemplary Standards

    • These are additional optional standards that programs can opt into. If a program chooses to adopt the exemplary standards, a dedicated block listing them will appear on the page.

Exemplary standards

Scope Exclusions

This text field allows customers to freely define scope exclusions, including specific vulnerabilities, assets, or other items they wish to exclude, in addition to HackerOne's Core Ineligible Findings. Reports on these exclusions will not be rewarded.

Scope exclusions

Program Overview

This is a long-form description of the program so hackers can learn more about it. One of the best ways to utilize this is by putting a “Must read” section with bulleted information, followed by “Hints & Tips” (see example below).

overview section example

Top Hackers

The security page can list the top 12 hackers (ranked by reputation) who disclosed vulnerabilities to the program. Learn more about top hackers here.

Top hackers

Sidebar

The sidebar on the security page also holds important information. The top box shows your program logo, name, and some program details, along with a button to submit reports. Below that are the response efficiency and program statistics. Use the kebab menu in the top right corner to edit the page, add to your favorites list, or subscribe to the program. Hackers will also see an option to submit feedback.