Welcome to HackerOne Triage! To ensure a smooth and efficient collaboration between hackers and our team, we have established Service Level Agreements (SLAs) that outline the expected response and resolution times for reported vulnerabilities. A timer is built into the platform to help customers see reports that are approaching or have missed the first response SLA so that we can partner effectively.
SLA Targets
We are committed to meeting the Time to First Response Service Level Agreement as part of our Master Services Agreement. The additional measures are performance targets for various stages of the bug bounty process:
| Platform-Wide Guidance | Target | Maximum |
| --- | --- | --- |
| Time to First Response | 1 day | 5 days |
| Time to Triage | 2 days | 14 days |
| Time to Bounty | 2 days | 14 days |
| Time to Resolution | 30 days | Depends on report severity |
Time to Triage Collaboration
Time to Triage involves collaboration between the Triage Team and the customer. This may include back-and-forth communication with the hacker or the customer to make the final determination on a report. A report state of NMI (Needs More Info) pauses the timer when waiting for a response from the hacker.
Bounty Award Recommendation
We strongly recommend that customers with Bug Bounty Programs (BBPs) award bounties as soon as they have triaged a report. This not only signals the completion of the hacker's work, but also contributes to making the program more attractive to hackers.
Time to Remediation
Time to Remediation is the duration it takes for the customer to fix a submitted vulnerability. Internal targets for remediation, categorized by severity, can be set by the customer in their Program Settings.
Missed Targets Inbox
To monitor and address any reports that have missed their targets, there is a "Missed Targets" inbox view. This provides visibility into reports that have not met the specified SLA timelines.
By adhering to these SLA guidelines, we aim to create a collaborative and efficient Triage experience that benefits both our customers and the research community. If you have any questions or need further clarification, feel free to reach out to our support team.