Your policy will be read by participating security hackers and should clearly state what you're looking for in your vulnerability disclosure program. In order to help you write a good policy, HackerOne provides a baseline policy on your Security Page to help you get started. We recommend including the following in your policy:
| Section | What to include |
|---|---|
| Disclosure Policy | Provide a basic disclosure agreement for your invited hackers. One easy way is to state that you'll abide by HackerOne's disclosure guidelines. |
| Bounty Program | Define the vulnerability types you care about most and provide information on your reward structure. |
| Exclusions | Create exclusions for the vulnerabilities hackers should ignore. |
| Scope | List the URLs in scope for your program. |
Other best practices to keep in mind are:
- Keep your policy succinct. Longer policies may lose readership toward the end.
- Set clear expectations with hackers. If your response time or fix time is much longer than recommended, state it in your policy. It's good practice to respond to researchers within 3-5 days and to ship complete fixes within 45 days.
- Send status updates while a report is still under review. Such updates let hackers know that their work hasn't gone into a black hole.
- Re-evaluate your policy on a recurring basis. Your policy will and should change as your bug bounty program matures.