Your Security Page contains key information about your company and your security disclosure policy. It sets expectations for the hackers you invite to your bounty program: it outlines your disclosure policy, bug eligibility, and which assets are in scope. Keep your Security Page up to date so researchers always know the important details about your program. See the Yahoo!, Twitter, Dropbox and Square Security Pages for reference.
Your Security Page will also display your company activity timeline, which is auto-populated when you resolve a report or reward a bounty, letting hackers know what’s happening on your program.
Best practices to maximize program success:
- State in your Disclosure Rules that you abide by HackerOne’s Disclosure Guidelines, which provide a basic disclosure agreement for your invited hackers.
- Be specific in your Policy: list the exact URLs and web and mobile properties that are in scope.
- Explicitly outline the vulnerability classes that hackers should focus on, or ignore, in your Bug Eligibility section.
- Re-evaluate your policy often as your bounty program matures.