You can award bonuses to recognize hackers for positive actions beyond finding valid vulnerabilities. Bonuses give hackers more ways to earn rewards on HackerOne and let security teams offer more flexible incentives without increasing the market rate for bounties.
Difference Between a Bounty and a Bonus
Bounty amounts are used to determine how important a report is. The hacker will be given an adjusted amount of reputation based on the bounty amount.
Bonuses are used purely for cases where you're awarding for something not related to bug severity.
Use Cases of Awarding a Bonus
Did you receive an exceptionally useful report from a hacker? In addition to the bounty, award a bonus to show the hacker that they went above and beyond the call of duty. Programs can publicly disclose these reports to show other hackers the kind of report that can earn a bonus.
Did a hacker help you verify that an issue was resolved appropriately? Did the hacker format the report according to your instructions? Awarding a bonus is a great way to positively reinforce the kind of behavior you find most helpful from hackers.
The bonus feature makes it easy for programs to run a promotion during a specific time frame or to add extra incentives for issues found within a desired product or feature. Use bonuses to offer additional incentives to focus hackers on the scope you care most about.