docs/programs/bounties.md
Lines changed: 30 additions & 7 deletions
@@ -4,9 +4,29 @@ path: "/programs/bounties.html"
4
4
id: "programs/bounties"
5
5
---
6
6
7
+
<style>
8
+
.contents {
9
+
margin-left: 1.45rem;
10
+
margin-right: 1.45rem;
11
+
border-radius: 0.3em;
12
+
width: 60%;
13
+
}
14
+
</style>
15
+
7
16
A bounty is money you reward to hackers for reported and resolved bugs. They're used to attract the best hackers and to keep them incentivized to hack your programs. You can use bounties to encourage hackers to focus on particular assets by altering the reward amount for different vulnerability types. You shouldn't feel obligated to award a bounty for every incoming report as it's best to only reward for useful, valid reports.
8
17
9
-
### Awarding Bounties on Reports
18
+
<divclass="background contents"markdown="1">
19
+
20
+
In this article, you can learn about: |
21
+
---------------------------------- |
22
+
[Awarding Bounties on Reports](#awarding) |
23
+
[Suggesting Bounties](#suggesting) |
24
+
[Best Practices](#best) |
25
+
[Bounties for Reports Received Outside of HackerOne](#bounties) |
26
+
</div>
27
+
28
+
<h3id="awarding">Awarding Bounties on Reports</h3>
29
+
10
30
You can award a bounty through any report submitted to HackerOne. Some teams prefer to award a bounty once the issue has been confirmed as valid, while others wait until the issue is resolved.
11
31
12
32
To award a bounty:
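Review bot: as shown in this hunk, the new contents box and heading open with `<divclass="background contents"markdown="1">` and `<h3id="awarding">`, with no whitespace between the tag name and its attributes; if the file really reads this way, the browser will treat `divclass` and `h3id` as unknown elements, the `markdown="1"` hint will not be honoured, and the `#awarding` link in the table above will have nothing to resolve to, so confirm the source has `<div class="background contents" markdown="1">` and `<h3 id="awarding">`. Two smaller points: the `<style>` block declares a bare `.contents` selector, which applies to every element with that class on the rendered page rather than only this box, so scoping it (for example `.background.contents`) would avoid surprises elsewhere; and if the site renders with kramdown, `### Awarding Bounties on Reports {#awarding}` would give the heading the same id without raw HTML (an assumption about the renderer, not something this diff shows).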
@@ -19,7 +39,8 @@ To award a bounty:
19
39
20
40
Bounty amounts can be increased at any point by setting another award on the report, but keep in mind that bounties can't be removed once awarded.
21
41
22
-
### Suggesting Bounties
42
+
<h3id="suggesting">Suggesting Bounties</h3>
43
+
23
44
If you're unsure of how much to award the hacker, you can communicate a suggested amount with your internal team. To suggest an amount:
24
45
1. Go to your inbox and open the report you'd like to award a bounty for.
25
46
2. Expand the action picker at the bottom of the report above the comment box.
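Review bot: the added blank line at new line 43 sits directly above the existing blank at 44, so this heading is followed by two blank lines while the `<h3 id="bounties">` heading later in the file is followed by one; drop the extra line so all four converted headings are spaced the same way. The tag is rendered here as `<h3id="suggesting">`, the same missing-space pattern as the other headings in this change, so check that the source actually contains `<h3 id="suggesting">`, otherwise the `#suggesting` link in the contents box will not resolve.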
@@ -32,14 +53,16 @@ If you're unsure of how much to award the hacker, you can communicate a suggeste
32
53
6. <i>(Optional)</i> Enter your reason of why you suggest that bounty amount.
33
54
6. Click **Suggest award**.
34
55
35
-
### Best Practices
36
-
* Provide bounties for useful, valid reports
37
-
* Award a bounty for a significant found vulnerability that is out of scope
38
-
* Clearly communicate to hackers your reasons for awarding or declining a bounty
56
+
<h3id="best">Best Practices</h3>
57
+
58
+
Here are some best practices to follow when awarding bounties:
59
+
* Provide bounties for useful, valid reports.
60
+
* Award a bounty for a significant found vulnerability that is out of scope.
61
+
* Clearly communicate to hackers your reasons for awarding or declining a bounty.
39
62
40
63
><i>Note: Professional, Enterprise, and Fully Managed programs have access to a HackerOne representative who can provide insight and consult them through the bounty awarding process.</i>
41
64
42
-
### Bounties for Reports Received Outside of HackerOne
65
+
<h3id="bounties">Bounties for Reports Received Outside of HackerOne</h3>
43
66
44
67
When hackers submit vulnerabilities to your organization outside of HackerOne, you can leverage the HackerOne API to award hackers for their efforts. To start paying hackers, generate an API token on your Program settings page. Keep in mind that this API endpoint is not for awarding bounties for reports on HackerOne itself, but only for reports that were reported outside of HackerOne.
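Review bot: the id `bounties` on the last heading is too generic for a page that is entirely about bounties; since the contents box links to it as `#bounties`, a name that says what the section covers, such as `outside-hackerone`, would be clearer and less likely to collide with another anchor later. While this section is being touched, the unchanged context shows two consecutive steps both numbered `6.` (`6. <i>(Optional)</i> Enter your reason of why you suggest that bounty amount.` and `6. Click **Suggest award**.`), and "reason of why" reads better as "reason why"; renumbering the second step to 7 would fix the list. The `<h3id=...>` rendering without a space recurs here at `best` and `bounties`; confirm the source has `<h3 id="best">` and `<h3 id="bounties">`.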