Your guidelines will be read by the hackers participating in your program and should state clearly what you are looking for. To help you write good guidelines, HackerOne provides a baseline on your Security page to get you started. We recommend including the following sections in your guidelines:
| Section | Details |
| --- | --- |
| Disclosure Policy | Provide a basic disclosure agreement for your invited hackers. One easy way is to state that you'll abide by HackerOne's disclosure guidelines. |
| Bounty Program | Define the vulnerability types you care about most and provide information on your reward structure. |
| Exclusions | Create exclusions for the vulnerabilities hackers should ignore. |
| Scope | List the assets in scope for your program. |
Check out X's Security page for an example of a successful page.
Other best practices to keep in mind are:
- Keep your guidelines succinct. Longer guidelines lose readership toward the end.
- Set clear expectations with hackers. If your response time or fix time is much longer than recommended, state it in your guidelines. It's good practice to respond to researchers within 3-5 days and to have complete fixes within 45 days.
- Send status updates while a report is still under review. This lets hackers know that their work hasn't gone into a black hole.
- Re-evaluate your guidelines on a recurring basis. Your guidelines will and should change as your bug bounty program matures.