Reputation is based exclusively on your track record as a hacker. A Hacker Profile starts with 100 reputation, because we believe in the benefit of the doubt. You gain or lose reputation based on how your reports are closed.
Your reputation changes when a report is:
- Resolved: +7
- Informative: 0
- Not Applicable: -5
- Spam: -10
- Duplicate of a resolved report, submitted before the report was made public: +2
- Duplicate of a resolved report, submitted after the report was made public: -5
- Duplicate of a N/A report: -5
Duplicates of your own reports do not influence your reputation. This exclusion lets companies close multiple reports that share the same root cause as duplicates without affecting a hacker's reputation.
Bounties grant you reputation based on how the bounty amount ($) compares with the program's mean bounty (µ), measured in standard deviations (σ):
- +50: $ >= µ + 1σ
- +25: $ > µ
- +15: $ >= µ - 1σ
- +10: $ < µ - 1σ
There are a number of privileges that are gained by maintaining a high reputation, such as becoming eligible to receive access to Private programs. On the flip side, should your reputation decrease, the system will gradually reduce the number of submissions allowed in a given time period. We believe it is critical to this community that Security teams be afforded a high-signal environment so that they can focus on providing a quality response to hackers who turn in the best vulnerabilities. As a hacker submitting vulnerabilities through the HackerOne platform, your reputation measures how likely your finding is to be immediately relevant and actionable. For more details, check out this blog post.