HackerOne tracks and enables you to define targets for these four response efficiency metrics:
Response Efficiency Metric | Details |
Time to first response | The elapsed time from when the report is submitted, to the first public activity on a report. The first public activity includes adding a public comment, changing the report state, or changing the report severity. |
Time to triage | The elapsed time from when a report is submitted to when a report is changed to a triaged state. A report can skip the triaged state and move directly to a closed state (e.g. resolved). |
Time to bounty | (Bounty programs only) The elapsed time from when a report is triaged to when a bounty is paid. Only reports eligible for a bounty will be tracked as part of this metric. The time to bounty timer will run until the report is either marked as ineligible or closed in a state where it’s not normal to award a bounty (e.g. spam). |
Time to close | The elapsed time from when a report is submitted to when a report is closed. These five closed report states will stop the timer: resolved, informative, not applicable, duplicate, and spam. |
All response target times are tracked and reported in business days. Business days are defined to be:
Monday - Friday
24 hours
Including holidays (hackers never sleep!)
Response Standards and Targets
Some response target definitions to keep in mind when configuring your program's response targets are:
Term | Detail |
Response Standard | The maximum acceptable response times as defined by HackerOne. These standards only apply to time to first response and time to triage. HackerOne may temporarily pause new report submissions for programs with reports that don't meet the response standards. When these programs address the reports violating the response standards, report submissions will automatically resume. |
Target | Goal response times set by an individual program. Performance against targets is displayed internally in the Inbox and Program Health dashboard. Program targets can't be set to exceed the response standards. |
Recommended | The default setting for all new programs and HackerOne's suggested setting for best practice. |
Healthy Response Target Times
HackerOne recommends your program to follow the following response target times to ensure a healthy program:
Response Efficiency Metric | Recommended | Response Standard | Target |
Time to first response | 1 day | 5 days | Customized |
Time to triage | 2 days | 10 days | Customized |
Time to bounty | 1 day (after triage) | N/A | Customized |
Time to close | 30 days | N/A | Customized |
Note: All times above are in business days
Pausing Timers
HackerOne will automatically pause these timers when you're waiting on a response from a hacker so that your team isn’t disadvantaged during the wait period. When you change the report state to Needs more info, the timer will pause while waiting for a hacker's response. The timer will start again when a hacker replies and comments on the report.
FAQs
Question | Answer |
Which actions trigger a first response? | First response is triggered by any public action on a report, such as, adding a comment (publicly), changing the report state, or changing the severity. Automated actions from Hackbot or an automated trigger are not recognized, except for automated responses using API tokens. Only actions or comments from a member of the team will count as a first response. |
How are the report timers affected if a report is closed and then reopened? | The timers are not affected as we don’t account for reopened reports. Once a report is closed, its response efficiency metrics won’t change. |