Welcome to HackerOne Triage! To ensure a smooth and efficient collaboration between hackers and our team, we have established Service Level Agreements (SLAs) that outline the expected response and resolution times for reported vulnerabilities. A timer is built into the platform to help customers see reports that are approaching or have missed the first response SLA so that we can partner effectively.
SLA Targets
We are committed to meeting the Time to First Response Service Level Agreement as part of our Master Services Agreement.
Here are our target response times per offering:
Standard: 48 business hours
Enterprise: 24 business hours
Triage+: 12 hours + weekend support
Time to Triage Collaboration
Time to Triage involves collaboration between the Triage Team and the customer. This may include back-and-forth communication with the hacker or the customer to make the final determination on a report. A report in the NMI (Needs More Info) state pauses the timer while a response from the hacker is pending.
Bounty Award Recommendation
We strongly recommend that customers with bug bounty programs (BBPs) award bounties as soon as they have triaged a report. This not only signals the completion of the hacker's work, but also contributes to making the program more attractive to hackers.
Time to Remediation
Time to Remediation is the time it takes the customer to fix a submitted vulnerability. The customer can set internal targets for remediation, categorized by severity, in their engagement settings.
Missed Targets Inbox
A "Missed Targets" inbox view is available for monitoring and addressing any reports that have missed their targets. This provides visibility into reports that have not met the specified SLA timelines.
By adhering to these SLA guidelines, we aim to create a collaborative and efficient Triage experience that benefits both our customers and the research community. If you have any questions or need further clarification, feel free to reach out to our support team.