Skip to main content
Good Policies

Guidelines & starting points

Updated over a year ago

Your policy will be read by participating security hackers and should clearly state what you're looking for in your vulnerability disclosure program. In order to help you write a good policy, HackerOne provides a baseline policy on your Security Page to help you get started. We recommend including the following in your policy:

Section

Details

Disclosure Policy

Provide a basic disclosure agreement for your invited hackers. One easy way is to state that you'll abide by HackerOne's disclosure guidelines.

Bounty Program

Define the vulnerability types you care about most and provide information on your reward structure.

Exclusions

Create exclusions for the vulnerabilities hackers should ignore.

Scope

List the assets in scope for your program.

Some successful security pages you can refer to as examples are Twitter and Yahoo.

Other best practices to keep in mind are:

  • Keep your policy succinct. Longer policies may lose readership toward the end.

  • Set clear expectations with hackers. If your response time or fix time is much longer than recommended, state it in your policy. It's good practice to respond to researchers within 3-5 days and to have complete fixes within 45 days.

  • Give responses updating a hacker that you're still reviewing a report. Such actions let hackers know that their work hasn't gone into a black hole.

  • Re-evaluate your policy on a recurring basis. Your policy will and should change as your bug bounty program matures.

Did this answer your question?