What Are Campaigns?
Campaigns are time-bound promotions where the submitters would get a higher bounty than usual for a valid report.
How Do I Access Campaigns?
It is also possible to navigate directly to:
https://hackerone.com/organizations/<organization_handle>/campaigns
When navigating to Campaigns, the user will land in the Campaigns Manager.
What Is In the Campaigns Manager?
If you have not created one before, you will be invited to create your first campaign:
If campaigns have already been created, you will be presented with an overview of all past (inactive), running (active), and scheduled campaigns for the program. The overview gives the most important details of each campaign and has an edit button. You can only edit scheduled campaigns, so active and inactive campaigns have a grayed-out button.
How Can I Create a Campaign?
Important: You must be a program manager with admin permissions to create a campaign. While creating a campaign, you can only pick the programs for which you are a program manager.
If you have created a campaign before, use the Create campaign button to get started. If not, use the Create your first campaign button.
On the next page, select the program to run the campaign on and a category for the campaign objective. A description per category is provided on-screen.
After selecting a category, you can pick a specific objective from the list. We currently offer the following objectives:
Welcome new hackers: Use this objective to reward hackers submitting their first valid report to your program.
Re-engage researchers: Target hackers who were active in your program but haven't submitted reports in the last six months.
Recognize your top 20 hackers: Retain hackers that consistently submit high-impact reports.
Engagement boost: Run experiments to find the best bounty offer for your audience using this objective. Often used when the cause of engagement is unknown.
Test your updated assets: Quickly identify new security risks after pushing updates to your assets.
Most of the details for the campaign can be configured on the next screen:
Select the asset(s) you want to run the campaign on. Selecting All Scopes will run a campaign on all assets eligible for bounty. You can also filter assets by type to make the selection easier.
If the program uses bounty tables, select a bounty table row you'd like to use as the base for bounties. These values will be used as the base amounts to show the increased bounty amounts to the hackers. If the program doesn't have a bounty table, this section will show no options.
Select the bounty multipliers. The resulting bounty amounts will be presented on the right of the multiplier selection. * We also show a recommendation informing you whether the current offer is competitive or if you should consider raising the bounties. This score is calculated based on critical and high values.
A score of 90% or higher is considered competitive. The hackers selected as the audience, the programs these hackers submitted reports to, and how high the bounties were that these hackers received for valid reports are all considered to determine the competitiveness score.
Select the start- and end date of the campaign. We allow you to schedule a campaign three days in advance.
Verify all details for the campaign in the summary on the right.
On the next screen, preview the campaign and fill in any information that might be relevant to the hackers you are targeting. On the right, we provide some tips on how to write good instructions. Once filled and reviewed, click the Finish and schedule campaign button to finish creating the campaign. You will be forwarded to the overview page. The scheduled campaign should be visible there.
Consider the following recommendations for writing a good description for your campaign:
Focus the description on your why. Are you testing a new asset? Interested in certain CWEs? Have a new feature?
Keep your description to no more than 2-3 sentences.
Are you running a campaign in relation to a holiday or milestone? Share that here to help raise hacker enthusiasm.
No need to include info about date range, multiplier, or list your assets as these will be displayed in the campaign section that the hackers will see on the policy page.
How Do I Edit a Campaign?
To edit a campaign, click on the pencil icon for the campaign you want to edit in the overview.
It is not possible to edit any live or past campaigns. Editing the details of a scheduled campaign uses the same steps as creating a new campaign. Note: the objective of the campaign can not be changed.
What Happens After Scheduling a Campaign?
Nothing happens right after you schedule a campaign. The campaign will simply remain scheduled until we reach the start date. Campaigns are launched at 01:00 UTC on the start date.
What Happens When the Campaign Launches?
We update the status in the Campaign Manager
When we reach the start date, the state will be updated from Scheduled to Active. The same will be reflected in the overview in the Campaign Manager:
We send emails
All the program managers will get an email saying a new campaign has been launched for the program.
If the campaign targets a specific audience (e.g. hackers with a certain reputation), all hackers within that audience will receive an email stating a campaign has been launched.
If no specific audience is targeted and the program is private, all the hackers that are part of the program (whitelisted hackers) will be notified via email.
We make it visible to hackers
Hackers will see the campaign on the policy page. If the campaign is running on only a few assets, we'll show those asset identifiers here under the Assets Eligible section:
Hackers will see the campaign on the Opportunity Discovery page:
If a program doesn't have a bounty table, we'll only show the multipliers on the opportunity discovery page:
We allow hackers to filter programs that have an active campaign via the Opportunities Search page:
We follow up with hackers
We send another email to whitelisted hackers when there are five days left in the campaign.
Are There Any Changes When Submitting Reports?
Yes! We show the campaign information on the report submission page.
We highlight the reports that are eligible for a campaign in the inbox. This is visible to the submitter, triage, and team members:
We show the campaign information when the bounty is being awarded:
Anything Else?
We don't have budgeting controls. If you want to stop a campaign once the bounties reach a certain amount, this must be done manually. To take down the campaign banner, reach out to your customer success manager.
If you have budgeting constraints, some reports might not receive the increased bounty amounts. Please be transparent about this with hackers up front if you are expecting a large number of reports. You can use the Researchers Information field for such communication.