All Collections
Triage Services
Validation Goals & Service Level Agreements
Validation Goals & Service Level Agreements

Organizations: learn about H1 Triage Validation Goals & Service Level Agreements

Updated over a week ago

Welcome to HackerOne Triage! To ensure a smooth and efficient collaboration between hackers and our team, we have established Service Level Agreements (SLAs) that outline the expected response and resolution times for reported vulnerabilities. A timer is built into the platform to help customers see reports that are approaching or have missed the first response SLA so that we can partner effectively.

SLA Targets

We are committed to meeting the Time to First Response Service Level Agreement as part of our Master Services Agreement. The additional measures are performance targets for various stages of the bug bounty process:

Platform-Wide Guidance



Time to First Response

1 day

5 days

Time to Triage

2 days

14 days

Time to Bounty

2 days

14 days

Time to Resolution

30 days

Depends on report severity

Time to Triage Collaboration

  • Time to Triage involves collaboration between the Triage Team and the customer. This may include back-and-forth communication with the hacker or the customer to make the final determination on a report. A report state of NMI (Needs More Info) pauses the timer when waiting for a response from the hacker.

Bounty Award Recommendation

  • We strongly recommend that customers with Bug Bounty Programs (BBPs) award bounties as soon as they have triaged a report. This not only signals the completion of the hacker's work, but also contributes to making the program more attractive to hackers.

Time to Remediation

  • Time to Remediation is the duration it takes for the customer to fix a submitted vulnerability. Internal targets for remediation, categorized by severity, can be set by the customer in their Program Settings.

Missed Targets Inbox

To monitor and address any reports that have missed their targets, there is a "Missed Targets" inbox view. This provides visibility into reports that have not met the specified SLA timelines.

By adhering to these SLA guidelines, we aim to create a collaborative and efficient Triage experience that benefits both our customers and the research community. If you have any questions or need further clarification, feel free to reach out to our support team.

Did this answer your question?