
Submission Requirements

Organizations: Set specific requirements for hackers to submit reports

Updated this week

The Submission Requirements page enables you to set specific requirements for hackers to submit reports to your program. You can:

Go to the Engagements page and click Go to program on the card for the engagement you want to edit. Then click Hacker Management > Submission.

Requiring Two-Factor Authentication

To require hackers to have two-factor authentication enabled before submitting reports to your program:

  1. Go to the Engagements page and click Go to program on the card for the engagement you want to edit. Then click Hacker Management > Submission.

  2. Scroll down to the 2FA and Collaboration section.

  3. Click the toggle so that it's set to Yes.

For Public Programs

Hackers who submitted past reports before 2FA was required can still access and comment on those reports. However, they won't be able to submit any new reports to your program without enabling 2FA.

For Private Programs

Hackers are required to have 2FA enabled to participate and submit reports to a private program. Once you turn this feature on for a private program, all hackers without 2FA will be removed from the program and immediately sent an invitation back to the program. Those hackers and future hackers won't be able to accept the invitation until they have 2FA enabled.

Enabling Collaboration

Collaboration enables hackers to split the bounty with other hackers who collaborated on a report. This allows each hacker to be rewarded for their findings on the report.

To enable Collaboration for your program:

  1. Go to Hacker management > Submission.

  2. Click the toggle to set it to Yes for Enable Collaboration.

Private programs have two options for collaboration: they can either enable collaboration only with members of their program or allow members to collaborate with hackers outside the program.

Severity Calculation Methods

You can select how you would like hackers to determine the severity of the vulnerability they're reporting.

To set your supported severity calculation methods:

  1. Go to the Engagements page and click Go to program on the card for the engagement you want to edit.

  2. Click Hacker Management > Submission.

  3. Select one or more from these options:

| Option | Details |
|---|---|
| CVSS 3.1 | Researchers can pick the CVSS 3.1 severity calculator when assigning severities to reports submitted to your program. This calculator uses the official CVSS 3.1 standard. |
| CVSS 3.0 HackerOne | Researchers can pick the CVSS 3.0 severity calculator when assigning severities to reports submitted to your program. This calculator uses HackerOne's custom CVSS 3.0 implementation. |
| CVSS 4.0 | Researchers can pick the CVSS 4.0 severity calculator when assigning severities to reports submitted to your program. This calculator uses the official CVSS 4.0 standard. |
| Manual selection | Researchers can manually pick severities. If you want to use a calculation method other than CVSS, outline it in your policy and let hackers select the severity manually. |

In some cases, you may see that someone can assign a severity type that you no longer support to a specific report. This is intended behavior. When our platform checks which severity calculation methods are supported for a report, it also checks for any severities that have been applied to that report in the past or were available when the report was first created.

You can also make submitting severities mandatory by checking the "Make selecting a severity mandatory when submitting a report" checkbox.
