As your comfort level grows in the Private phase, the first step is to expand your program and invite more hackers (up to 100).
What about hacker engagement?
As long as you prioritize a strong first response time (2 days recommended) and time to bounty (on validation, or within 7-14 days, recommended), the researchers already engaged in your program will typically remain engaged after a public launch.
For current customers with an active Private program on HackerOne: once you feel your security team is ready to open the program to all hackers on HackerOne, be sure to consult with your Customer Success Manager.
Going public prematurely can be overwhelming because of the large influx of new report submissions and new participating hackers. When a program becomes public, it opens itself up to submissions from the entire hacker community.
We've seen report volumes spike 5X-10X on public launch, which is why your security team needs to be prepared before launching publicly.
Here’s a checklist to see if your program is ready to go public:
- Invited more than 200 hackers
- No significant report backlog: all open bugs are fixed
- Workflow established for handling reports efficiently
Having issues with one or more of the above? Reach out to email@example.com to discuss.
Here are a few case studies to set the foundation:
- Uber: https://medium.com/uber-security-privacy/uber-bug-bounty-year-one-e0464bcfddd7
- Yelp: https://www.hackerone.com/blog/Celebrating-Alongside-Yelp-100-Day-Milestone