What is the Feedback Dashboard?
When hackers see an invitation to your program, they can choose whether to accept it and participate, or reject it. If they reject the invite, they can optionally provide feedback on why they were not interested in your program. Hackers can also provide this feedback when leaving a program they’ve previously accepted an invite to. Learn more about how hackers decline invites and leave programs here.
The Feedback Dashboard shows the total feedback your program has received from hackers, with the reasons they’ve declined to participate in your program. You can view this feedback for your program under Program Dashboard > Feedback.
Why don't I have any data yet?
If you don't see any data in your feedback dashboard, it’s possible that the program is public-facing and does not require invitations to participate, or no hackers have:
Declined invitations to your program
Left your program
Filled out the feedback form
What does the feedback mean? What can I do about it?
On the feedback questionnaire, hackers can select multiple reasons for choosing not to engage with your program. Some feedback is actionable for your program, while some is actionable for us at HackerOne to improve your program or our hacker-matching methods. We show you all the feedback received because we believe in transparency!
Here are the different feedback options hackers may choose and the corresponding improvements we recommend:
Feedback | Action for Programs |
Unresponsive: Program response metrics and targets aren't appealing to me. | The hacker feels you're not providing fast enough responses on reports in terms of first response, triage, bounty, and resolution times. Improving response times should help increase hacker engagement. Learn more about Response Targets. |
Aggressive Policy: Program contains terms and conditions that I'm uncomfortable agreeing to. | Policies that contain many stipulations can discourage hackers from participating. Review restrictions in your policy to determine if any can be loosened to increase hacker engagement. |
Onerous Setup: There's too much effort involved in testing (installation & setup, credential provisioning, VPN, etc). | If your attack surface requires special setup, try to identify anything you can do to make it easier for hackers to begin testing. This can include providing test accounts to hackers or providing additional details on your assets (API documentation, setup guides, etc.). |
Specialization: The scope of the program requires specialized skills that I don't have. | Not applicable. |
Hardened: I have assessed the attack surface to be sufficiently hardened beyond my capabilities. | This feedback indicates that it's difficult to find bugs in your assets (good job!). If your report volume is lower than you’d like, consider taking your program public to increase engagement with the wider hacker community. |
Small Scope: The scope of the program doesn't contain a large enough set of assets. | Consider adding additional assets to your scope, as well as providing additional information in the instructions field of each asset. If hackers don't understand the magnitude of functionality within your existing assets, they may choose this feedback option. |
Uninteresting: I don't find the scope to be technically or intellectually challenging. | Include more information about what each asset does, as well as what sorts of bugs or impact you’d like to see on each asset. |
Competitiveness: The bounty amounts are too low relative to the effort involved. | Increase your default bounty amounts. If you don't have a bounty table, implement one that indicates the minimum bounty you're willing to pay based on the severity of the bug (Low, Medium, High, Critical). |
Clarity: There's not enough information on bounty amounts or eligibility. | If you don't have a bounty table, implement one that indicates the minimum bounty you're willing to pay based on the severity of the bug (Low, Medium, High, Critical). You can also list a range of rewards within each severity, or create a table that cross-sections vulnerability types or severity vs. the type of asset. See https://hackerone.com/valve, https://hackerone.com/twitter, or https://hackerone.com/shopify as examples. |
Backlog: I'm already participating in too many programs. | Not applicable. |
Busy: I don't have time to hack right now. | Not applicable. |
Objection: I don't wish to participate in this program for personal reasons. | Not applicable. |
Questions
Have any questions or need assistance with more specific recommendations on how to act on hacker feedback? Please check in with your primary point of contact from our Program Operations team.
Don't have a point of contact? Contact us for more information on our managed services offerings, including a dedicated Program Manager to assist you with your program.