Private vs Public Programs
Programs on HackerOne can elect to either be a public or a private program.
Private programs are programs that are not published to the public. This means that hackers can only see these programs when they receive specific invitations to hack on them. Reports also remain confidential as a private program. All programs begin as private, and are free to remain private for as long as they want. We understand that opening access to the public is an explicit step and not for everyone.
We recommend that you start out as private because it prevents you from getting bombarded with report submissions from the many hackers within the HackerOne community. As private programs limit the number of hackers invited to the program, report submissions are limited, enabling your program to get the hang of receiving and triaging vulnerability reports. As your private program becomes more proficient in handling reports, you can choose to go public if desired.
When programs become public, they open themselves up to report submissions from the entire hacker community. This means that all hackers on HackerOne are given rights to hack your program. Moving into a public program prematurely can be an overwhelming experience given the large influx of new report submissions and new hackers participating. Report volumes can spike up to 5x-10x, which highlights the importance of ensuring that your security team is prepared before launching publicly.
Taking your bug bounty program public is completely optional. If your goal is to open up your program to the public, then some recommended success criteria to meet first are:
- You've invited more than 100 hackers
- You've received 10 vulnerability reports
- Your program meets HackerOne's response standards
When your program is ready to go public, contact your Program Manager to do so. If you're a Response program and in Controlled Launch mode, you can publicly launch your own program once you meet all of the success criteria.