Your policy will be read by participating security hackers and should clearly state what you're looking for in your vulnerability disclosure program. In order to help you write a good policy, HackerOne provides a baseline policy on your Security Page to help you get started. We recommend including the following in your policy:
Section | Details |
Disclosure Policy | Provide a basic disclosure agreement for your invited hackers. One easy way is to state that you'll abide by HackerOne's disclosure guidelines. |
Bounty Program | Define the vulnerability types you care about most and provide information on your reward structure. |
Exclusions | Create exclusions for the vulnerabilities hackers should ignore. |
Scope | List the assets in scope for your program. |
Other best practices to keep in mind are:
Keep your policy succinct. Longer policies may lose readership toward the end.
Set clear expectations with hackers. If your response time or fix time is much longer than recommended, state it in your policy. It's good practice to respond to researchers within 3-5 days and to have complete fixes within 45 days.
Give responses updating a hacker that you're still reviewing a report. Such actions let hackers know that their work hasn't gone into a black hole.
Re-evaluate your policy on a recurring basis. Your policy will and should change as your bug bounty program matures.