Proof of Compliance

There are several security standards that require organizations to have a vulnerability disclosure policy (VDP) or bug bounty program (BBP) in place. You can generate a proof of compliance report for your program on HackerOne to prove that your organization has a VDP or BBP. The downloadable statement of attestation meets the requirements necessary to comply with various security standards.

These are some of the security standards that can be met with the statement of attestation:

If you’re a federal program that needs to comply with CISA BOD 20-21, you can choose to download the Program performance per asset CSV file and input the data into CyberScope.

To generate your proof of compliance report:

  1. Navigate to Program Settings > Program > Customization > Proof of Compliance.
  2. Select the dates that you would like the report to reflect.
  3. Select the documents you want to include in the report. You can choose from:
Option Details
Statement of attestation A PDF that proves that your program has either a VDP or BBP on HackerOne.
Program performance per asset (Mainly for federal programs) A CSV file that is comprised of metrics on each of your program’s assets. Some of the metrics include: median time to resolution, number of found vulnerabilities, the number of critical vulnerabilities that have been open for longer than 90 days.
  1. Click Download.

You can submit your downloaded report to your compliance officer to meet security standards.