HackerOne provides a baseline policy in your Security Page to help you get started. Your policy will be read by participating security hackers and should clearly state what you are looking for in your vulnerability disclosure program. We recommend including the following in your policy:
- Disclosure Policy: Provide a basic disclosure agreement for your invited hackers. One easy way is to state that you will abide by HackerOne’s disclosure guidelines.
- Bounty Program: Define the vulnerability types you care about most, and provide information on your reward structure.
- Exclusions: Create exclusions for the vulnerabilities hackers should ignore.
- Scope: List the URLs in scope for your program.
Other best practices to keep in mind:
- Keep your overall policy succinct, as longer policies may lose readership towards the end.
- Set clear expectations with hackers: if your response time or fix time is much longer than recommended, state that in your policy. A good practice is to respond to researchers within 3-5 days and complete fixes within 45 days.
- Even a response that you are still reviewing a report is appreciated by the hacker. It lets them know their work has not gone into a black hole.
- Re-evaluate your policy on a recurring basis. Your policy will and should change as your bug bounty program matures.