Good Policies
Your policy will be read by the hackers participating in your program, and it should state clearly what you are looking for in your vulnerability disclosure program. To help you write a good policy, HackerOne provides a baseline policy on your Security Page as a starting point. We recommend including the following in your policy:
Provide a basic disclosure agreement for your invited hackers. One easy way is to state that you'll abide by HackerOne's disclosure guidelines.
Define the vulnerability types you care about most and describe your reward structure.
Create exclusions for the vulnerability types hackers should not report.
List the URLs and other assets in scope for your program.
Some successful security pages you can refer to as examples are Twitter, Dropbox, and Yahoo.
Other best practices to keep in mind are:
Keep your policy succinct. Longer policies tend to lose readers before the end.
Set clear expectations with hackers. If your response time or fix time is much longer than recommended, state that in your policy. It's good practice to respond to researchers within 3-5 days and to have complete fixes within 45 days.
Send updates while a report is still under review. Such updates let hackers know that their work hasn't gone into a black hole.
Re-evaluate your policy on a recurring basis. Your policy will, and should, change as your bug bounty program matures.