HackerOne Program Levels signal best practices that programs should adopt as part of their journey toward program maturity. Opting into these best practices at each level allows a program to request a level-up from HackerOne and to earn additional program-level badges and perks, as described below.
The Program Levels are progressive, meaning a program must achieve the previous level and fulfill the requirements of the next level to earn the corresponding Program Level badge. Existing programs may earn Program Level 1 by adopting the associated best practices and requesting a level-up from their Customer Success Manager (CSM). New programs will eventually default to Level 1 unless they opt out. All programs (existing and new) will be able to earn higher Program Levels (2 and beyond) when their CSM confirms the program’s adoption of and formal commitment to the requisite best practices.
The timeline from request to the next level will vary based on a number of factors, but programs should expect the process to take at least 3 weeks. While any program can request a level up, generally programs must be launched and active for at least 3 months prior to achieving Level 2 and higher.
Once a level is awarded, programs are expected to continue to adhere to the best practices defined for those levels. If a program is struggling to follow the best practices, HackerOne will provide several notices and opportunities to return to the best practices. Ultimately, a program can be downgraded from a level if it consistently fails to meet the level standards and does not respond to HackerOne’s attempts to help it achieve the level standards.
In addition to the Program Level badge displayed on the program card and policy page, hackers are able to filter based on Program Levels in the HackerOne Directory when searching for new programs to participate in.
Program Level 1 is currently available for all programs to earn and programs may now start the level-up process for Program Level 2.
Program Level 1
To earn Program Level 1, programs must adopt:
- Gold Standard Safe Harbor. A short, broad, easily-understood safe harbor statement providing customers and ethical hackers with the best protections aligned with legal and regulatory standards.
Achieving Level 1 also displays the stand-alone Gold Standard Safe Harbor section on the program policy page.
View the text of the Gold Standard Safe Harbor and visit the Safe Harbor FAQ for more information about safe harbor.
Program Level 2
To earn Program Level 2, programs must meet all the requirements of Program Level 1 and opt-in to the following best practices:
- Reward on Triage. The program rewards when a vulnerability has been validated, no later than 30 days after report submission, ensuring that hackers receive predictable and timely rewards for their contributions. By definition, the program must be responsive to dialogue in reports.
- Full Reward Bypasses. The program provides a full reward if a fix to a previously disclosed valid vulnerability is successfully bypassed.
- See Something, Say Something. While the program may choose to target its rewards to certain types of reports/issues as outlined in the program scope and bounty table, the program will not penalize hackers for valid reports on any of its assets (this does not include assets that are not hosted by the program which remain out of scope and not authorized for testing). Valid reports on the program’s own assets, even if not on an asset eligible for reward in the program scope, will never be closed without triage or incur a Reputation penalty. (Note: Any testing still must not be disruptive and should follow applicable guidelines in the program's policy. Issues considered noise, zero-impact, or spam may still be closed as N/A or Spam).
- Reward for Value. If a report leads to direct action by the program to improve its security, such as a change of code, process, prioritization, and/or documentation, it will be rewarded. Example situations include:
- An update to a third-party dependency;
- A change to a configuration, including DNS records; or,
- A report against an ineligible asset (e.g., based on hostname) that impacts eligible assets.
- Bounty Table Minimum. The program's rewards or bounty ranges generally align with (or exceed) the following minimums:
Level 2 best practices help programs provide greater predictability and transparency to hackers up-front by adopting bright-line rules about handling common issues. This leads to less time spent navigating these issues as they arise, allowing triage and mediation teams to resolve issues with more consistency and without time-consuming back-and-forth and escalations.
Disclaimer: HackerOne may update the existing Program Level definitions from time to time, based on industry standards and best practices. We will endeavor to provide at least 30 days prior notice of any such update. Program Levels are awarded or removed at HackerOne’s sole discretion. Particularly for higher levels, HackerOne reserves the right to downgrade a program's level for any reason, including based on performance and feedback.