If you elect to start a HackerOne Response program, you'll be taken to the Setup Guide where you can walk through the steps of setting up and successfully launching your program.
There are 3 steps to the guide you must complete:
To set up your Response program:
Click Edit for the corresponding item to edit your policy, profile, and scope. If you've successfully completed an item, a Completed tag will appear.
(Optional) Click the Human Augmented Signal toggle to be either on or off.
Click Submit for approval to have HackerOne review your program once you've completed all of the items for program setup.
If your program is approved by HackerOne, it will be placed in Controlled launch, where it'll remain private and visible to only a select number of hackers. Within the controlled launch stage, you can invite hackers to your program and manage the reports you receive.
Before you can publicly launch your program, it must:
Receive at least 10 reports and have invited 100 hackers
Meet the baseline responsiveness limits
Once you've met the criteria in Controlled Launch, the Public launch button will appear, and you can publicly self-launch your program whenever you're ready to. When you publicly launch your program, your vulnerability disclosure program will be published on HackerOne's Directory and will be open to other hackers to submit reports.