There are various programs on HackerOne that are associated with a larger organization. Such programs are referred to as parent/child programs, where the parent program is the primary account, and any subsequent child is a subordinate program that is linked to the parent.
Child programs are subsidiaries of their parent programs. They are able to function together by:
Sharing a bounty pool
Transferring reports between programs
Reporting to the same cyber security team
Sharing a Bounty Pool
Parent/child programs have the option to share a bounty pool so that the main organization doesn’t need to allocate specific dollar amounts for each program, but rather, they can pull their funds from a master pool. This will prevent programs from being blocked in having to contact HackerOne to manually transfer funds between programs. Programs can opt-in to this feature if they’re using the prepayment method to pay bounties.
When you opt-in to this feature, the parent program is able to keep track of the total amount of funds used from each child program so that they don’t need to access each account separately.
Transferring Reports between Parent/Child Programs
Parent programs can transfer reports to child programs and vice versa. As the report is transferred from one program to another, it appears in the transferred program’s inbox with an activity log about the transfer.
To transfer reports between programs:
Go to your inbox and select the report you want to transfer.
Expand the action picker at the bottom of the report above the comment box.
Select Transfer report.
Select the name of the program you want to transfer the report to. (A list of programs will populate that you can choose from.)
Click Transfer report.
The report will be transferred to the selected program.
If the report is transferred from a public to a private program:
Is the hacker automatically invited to the private program?
No. The program must manually invite the hacker to their program if they want the hacker to actively participate in it. The hacker will still be able to comment on the original report they submitted, but won’t be able to submit any new reports to the child program, unless they’re explicitly invited to it.
Can the hacker see the security page of the private program?
No. The hacker must be a participant of the program in order to see the security page.
Can the hacker see that the report was transferred?
Yes. The transfer will be listed in the activity log of the report.