You determine which submissions to your Security@ deserve bounties, as well as how much to award. To attract the best hackers and keep them incentivized, we recommend paying for "resolved" reports that are within scope. In some cases, paying for a significant vulnerability that is out of scope is also a good practice. We recommend that you clearly communicate your reasoning to hackers; they are spending valuable time looking for vulnerabilities on your program's behalf. Always keep your communications professional, as if they were public. Many variables go into deciding the right bounty price for your program.
Important factors to consider:
- Severity of vulnerability
- Breadth of impact on end users or customers
- Flexibility of your program budget
- Program stage, private or public
- Maturity of your vulnerability disclosure program
At a minimum, a good practice is to price bounties at no less than $100. For anything less, it's better to award swag instead of bounties. To attract hackers with higher Reputation, raise your minimum bounty. HackerOne recommends starting with a range of $100-$1,000 depending on severity and importance to your program. The importance of each category of vulnerabilities varies from program to program, which is why we don't prescribe a minimum bounty for various types of vulnerabilities. For example, a clickjacking vulnerability could be critical to one program, but only "informative" for another.
As a best practice, we recommend starting with the $100 to $1,000 range to prioritize and address your low-hanging fruit. Then, as you gather data on the vulnerabilities you receive, you can opt to tweak your reward structure to incentivize and disincentivize certain types of reports.