Security Page

All audiences: A program's security page contains key information about the program.

Updated over a week ago

Important Notice: Upcoming Release on July 15

On July 15, 2024, we will introduce significant updates to the Security Page. These changes will standardize and simplify page configuration, introduce a new layout, and add features to enhance the experience for hackers and customers. These updates contain no breaking changes to workflow functionality, integrations, or API behavior.

For detailed information about these updates, please review the documentation below.

The security page provides hackers with comprehensive information needed to engage with a program. It covers policies, scope, testing requirements, rewards, and report handling procedures, helping hackers make informed decisions about their participation and align expectations on potential outcomes.

Customers can manage the page in Program settings under Policy and overview.


Introduction

The introduction section lets a program personalize how it connects with the hacker community. This is the first thing a hacker sees, so it's a great spot to showcase the program's team culture, values, and more.


Program Highlights

This section shows important program features at a glance. Some of the highlights are defined by the program managers, while others appear dynamically when certain criteria, such as Top Response Efficiency, are met.


Scope

Scope states the program's strategy for handling submissions. It is always visible under Program Highlights.

  • Closed Scope: The program only accepts submissions on assets listed in its scope. This is the default value for all programs.

  • Open Scope: The program accepts and rewards submissions for assets it owns, even if they are not listed in its scope.

    • Top-tier programs that are further along in their security journey enable this option to elevate their security posture. It shows they have a “Pay-for-value” approach, rewarding any report that prompts action, whether the asset is in scope or not. For out-of-scope assets, the reward will match the impact-based rewards defined for similar in-scope impacts.

    • Special considerations:

      • Hackers, please exercise care. A program cannot authorize testing on an asset that it does not host itself.

      • In the event of a disagreement, HackerOne Mediation will determine a fair outcome.

      • HackerOne may require you to disable this declaration if it is not being upheld.

Fast Payment

  • The program is committed to paying within one month of submission.

  • Enable this option to show hackers that you’re committed to paying rewards within a month of the report. To do this, you’ll need efficient processes to quickly assess and triage the report's impact. You don’t need to resolve the report before awarding.

    • Special considerations:

      • If a report is delayed due to waiting for a hacker's response, the timeline extends accordingly.

      • If you’re going to miss the one-month deadline, proactively update the report with the reason and a new estimated payment time.

      • HackerOne may require you to disable this option if you don’t meet the commitment.

Gold Standard

  • The program follows Gold Standard Safe Harbor rules. You can learn more about Gold Standard Safe Harbor (GSSH) here.

Platform Standards

  • The program complies with all of HackerOne’s detailed platform standards with no deviations. Learn more below.

Top Response Efficiency

  • Programs with a response efficiency of over 90% are awarded a badge to highlight their achievement.

  • This achievement-based badge only appears when a program meets the criteria.

Rewards

A bounty table shows how much a program is willing to pay for the various bugs it receives. It breaks down the average bounty paid by severity for specific assets, giving hackers an idea of what bounty they can earn.


Deviations (if applicable)

  • Detailed Program Standards

    • The platform standards serve as direction for customers to help provide consistency, fairness, and, above all, the best results possible for all participants on the platform.

    • No deviations: A badge will appear in the Program Highlights section. This is the default setting.

    • With deviations: The program indicates which items do not apply to it. A block appears listing the specific deviations.

    • Learn more about Detailed Program Standards here.


  • Exemplary Standards

    • These are additional optional standards that programs can opt into. If a program chooses to adopt the exemplary standards, a dedicated block listing them will appear on the page.


Scope Exclusions

This text field allows customers to freely define scope exclusions, including specific vulnerabilities, assets, or other items they wish to exclude, in addition to HackerOne's Core Ineligible Findings. Reports on these exclusions will not be rewarded.


Program Overview

This is a long-form description of the program so hackers can learn more about it. One of the best ways to utilize this is by putting a “Must read” section with bulleted information, followed by “Hints & Tips” (see example below).

[Screenshot: overview section example]

Top Hackers

The security page can list the top 12 hackers (ranked by reputation) who have disclosed vulnerabilities to the program. Learn more about top hackers here.


Sidebar

The sidebar on the security page also holds important information. The top box shows your program logo, name, and some program details, along with a button to submit reports. Below that are the response efficiency and program statistics. Use the kebab menu in the top right corner to edit the page, add to your favorites list, or subscribe to the program. Hackers will also see an option to submit feedback.
