Skip to main content
Invitations

Organizations: How to invite hackers to your program

Updated over 2 weeks ago

Hackers must receive invitations to hack on private programs. Hackers can receive invitations if they meet the following criteria:

  • Established reputation

  • Non-negative signal

  • Clear record with zero Code of Conduct violations

HackerOne manages your invitations by:

  • Daily checking to see if your program has met your report volume target in the last 30 days

  • Inviting hackers for your program if you’re not reaching your report volume target

How Invitations Work

The number of invitations HackerOne sends is based on your report volume on a rolling 30-day basis. These are the use cases as to how HackerOne sends invitations:

Case

Action

You're far from meeting your report volume.

HackerOne will continue sending invitations so you can meet your report volume.

You're receiving more reports while still being under your report volume.

HackerOne will send out fewer invitations.

Your report volume is met.

Invitations will pause until the volume drops below the target in the 30-day window.

Your report volume is set to 0.

No invitations will be sent.

Note: HackerOne will prevent you from being overwhelmed with reports.

Technically

Our invitation system relies on an internal hacker invitation algorithm that runs periodically. It will find the right hackers based on your needs at the right time.

It will take into account a few optional parameters to be configured with your assigned Customer Success Manager (CSM):

  • Success goals

  • Signal requirements

  • Identity verification and background-check requirements

  • Reputation requirements

  • Country restrictions

The algorithm sifts through millions of hackers, identifying those who meet your criteria and have proven their value with at least one valid report or more than 25 CTF points.

The algorithm calculates the likelihood of a hacker finding vulnerabilities in your program and optimizes invitations accordingly. Some attributes include:

  • Scope

  • Program launch date

  • Reward amounts

  • Hacker submission history

  • Hacker experience

  • Hacker preferences

Setting Invitations

To set your invitations:

  1. Go to Engagements > Settings > Program > Invitations.

    invitations page
  2. Enter the number of reports you’d like to receive every 30 days in the Report volume field. HackerOne recommends starting with a target of receiving five valid reports every 30 days.

    • The report volume is measured by the amount of valid reports submitted in the past 30 days. Valid reports include reports you have marked as Triaged or Resolved. Reports left in New or marked as any other state won't count toward this goal. Learn more about report states.

  3. Click Save.

Manually Inviting Hackers

Note: Manual invitations are only applicable for Bug Bounty Programs.

If you need to issue your own invitations to particular hackers as an exception:

  1. Go to Engagements > Settings > Program > Invitations.

  2. Select how you want to invite the hacker by clicking the button next to Manually invite a hacker by email or username.

  3. This will open a pop-up window where you can enter the email address or username of the hacker you want to invite. You will also be required to enter an invitation message as well as a context option explaining the invitation reason.

HackerOne doesn’t recommend inviting unknown hackers. If a hacker has reached out to request an invitation to your private program, contact HackerOne as this is a clear violation of Disclosure Guidelines.

Managing Invitations

You can keep track of your invitations and which hackers have been invited to your program.

  • The Invited Hackers section lists all of the hackers that have accepted invitations. To remove a hacker, go to a report the hacker has submitted and select the Ban reporter action to the right of the comment field.

  • In the Pending Invitations section, you can cancel pending invitations.

Invitation CSV download

Did this answer your question?