Skip to main content
Response Target Metrics

Organizations: Define targets for four response efficiency metrics

Updated over 10 months ago

HackerOne tracks and enables you to define targets for these four response efficiency metrics:

Response Efficiency Metric

Details

Time to first response

The elapsed time from when the report is submitted, to the first public activity on a report. The first public activity includes adding a public comment, changing the report state, or changing the report severity.

Time to triage

The elapsed time from when a report is submitted to when a report is changed to a triaged state. A report can skip the triaged state and move directly to a closed state (e.g. resolved).

Time to bounty

(Bounty programs only) The elapsed time from when a report is triaged to when a bounty is paid. Only reports eligible for a bounty will be tracked as part of this metric. The time to bounty timer will run until the report is either marked as ineligible or closed in a state where it’s not normal to award a bounty (e.g. spam).

Awarding swag in lieu of a bounty won't stop the timer. If you only award a report with swag, you must mark the report as ineligible for bounty to stop the timer.

Time to close

The elapsed time from when a report is submitted to when a report is closed. These five closed report states will stop the timer: resolved, informative, not applicable, duplicate, and spam.

All response target times are tracked and reported in business days. Business days are defined to be:

  • Monday - Friday

  • 24 hours

  • Including holidays (hackers never sleep!)

Response Standards and Targets

Some response target definitions to keep in mind when configuring your program's response targets are:

Term

Detail

Response Standard

The maximum acceptable response times as defined by HackerOne. These standards only apply to time to first response and time to triage. HackerOne may temporarily pause new report submissions for programs with reports that don't meet the response standards. When these programs address the reports violating the response standards, report submissions will automatically resume.

Target

Goal response times set by an individual program. Performance against targets is displayed internally in the Inbox and Program Health dashboard. Program targets can't be set to exceed the response standards.

Recommended

The default setting for all new programs and HackerOne's suggested setting for best practice.

Healthy Response Target Times

HackerOne recommends your program to follow the following response target times to ensure a healthy program:

Response Efficiency Metric

Recommended

Response Standard

Target

Time to first response

1 day

5 days

Customized

Time to triage

2 days

10 days

Customized

Time to bounty

1 day (after triage)

N/A

Customized

Time to close

30 days

N/A

Customized
Targets can be broken up and set by severity

Note: All times above are in business days

Pausing Timers

HackerOne will automatically pause these timers when you're waiting on a response from a hacker so that your team isn’t disadvantaged during the wait period. When you change the report state to Needs more info, the timer will pause while waiting for a hacker's response. The timer will start again when a hacker replies and comments on the report.

FAQs

Question

Answer

Which actions trigger a first response?

First response is triggered by any public action on a report, such as, adding a comment (publicly), changing the report state, or changing the severity. Automated actions from Hackbot or an automated trigger are not recognized, except for automated responses using API tokens. Only actions or comments from a member of the team will count as a first response.

How are the report timers affected if a report is closed and then reopened?

The timers are not affected as we don’t account for reopened reports. Once a report is closed, its response efficiency metrics won’t change.

Did this answer your question?