Help Center

Response Target Metrics

We track and allow you to define targets for these four response efficiency metrics:

  • time to first response
  • time to triage
  • time to bounty (bounty programs only)
  • time to resolution

Timers

Below are details on how each of the response efficiency metrics are calculated:

Response Efficiency Metric

Details

Time to first response

The elapsed time from report creation to the first public activity on a report. The first public activity includes adding a public comment, changing the report state, or changing the report severity.

Time to triage

The elapsed time from when a report is created to when a report is changed to a triaged state. A report can skip the triaged state and move directly to a closed state (e.g. resolved). In this instance, the time to triage will be the elapsed time between report creation and the time the report is resolved.

Time to bounty

The elapsed time from when a report is triaged to when a bounty is paid. Only reports that are eligible for a bounty will be tracked as part of this metric. The time to bounty timer will run until the report is either marked as ineligible or closed as a state where it’s not normal to award a bounty (e.g. spam, N/A, Duplicate, Informative).

Time to resolution

The elapsed time between report triaged and report closed. These  five closed report states will stop the timer: resolved, informative, not applicable, duplicate, and spam. 

 

All the response efficiency metrics are tracked and reported in business days. Business days are defined to be:

  • Monday - Friday
  • 24 hours
  • Including holidays (hackers never sleep!)

Pausing timers

HackerOne will automatically pause these timers so that your team isn’t disadvantaged while waiting on a response from a hacker. When you change the report state to Needs more info, the timer will pause while waiting on a response from a hacker. When a hacker replies and comments on the report the timer will restart.

Response Standards & Targets

Below are some definitions and best practices to keep in mind when configuring your program’s response targets:

Response Standards: The maximum acceptable response times as defined by HackerOne. These standards only apply for time to first response and time to triage. HackerOne may temporarily pause new report submissions for programs with reports that don't meet the response standards. When these programs address the reports violating the response standards, report submissions will automatically resume. 

Target: Goal response times set by an individual program. Performance against targets are displayed internally in the Inbox and Program Health dashboard. Program targets can't be set to exceed the response standards. 

Recommended: The default setting for all new programs and HackerOne's suggested setting for best practice.  

This table defines what a healthy program looks like:

Criteria

Recommended

Response Standards

Target

Time to first response

1 day

5 days

Customized

Time to triage

2 days

10 days

Customized

Time to bounty

1 day 

N/A

Customized

Time to resolution

30 days

N/A

Customized

Targets can be broken up and set by severity by selecting Advanced Settings

Note: All times above are in business days

FAQs

Q: Which actions trigger first response?

A: First response is triggered by any public action on a report, such as, adding a comment (publicly), changing the report state, or changing the severity. Automated actions from Hackbot or an automated trigger are not recognized. Only actions or comments from a member of the team will count as a first response.

 

Q: How are the report timers affected if a report is closed then reopened?

A: The timers are not affected as we don’t account  for reopened reports. Once a report is closed, its’ response efficiency metrics won’t  change.

 

Q: How are the report timers affected if a report is filtered first through human augmented signal (beta)?

A: If a report is routed through human augmented signal (reports flagged with a high noise probability are reviewed by HackerOne analysts before hitting your inbox) the timer is not paused or modified in any way. This means that the time spent in review by HackerOne analysts will be tracked in the timer.

 

Related Resources

Setting Response Targets

Inbox Labels

Pausing Report Submissions

Response Targets on Security Pages

 

 

Have more questions? Submit a request
Powered by Zendesk