For first response time to hackers, you should target a first response (a comment or action) within 12 hours to be competitive with top customers, and within 24 hours to align with the platform's 50th percentile. A first response that takes longer than one week is at the upper limit of response times.
For time to bounty, we generally recommend awarding at time of validation rather than time of fix if the fix will take over one month. Vulnerabilities with exceptionally long resolution times shouldn't delay a bounty. Work with your internal team to determine the best practice that's comfortable for your team. Keep in mind that rewarding quickly for a severe vulnerability can be a reflection of its priority and a signal to the hacker of its importance to you. An initial bounty can be supplemented later if the vulnerability turns out to be more severe than originally thought.
For fix time, we recommend within 30-45 days. If your team generally takes over 2 months to fix reports, it's helpful to manage expectations by stating this information in your Policy.
The best way to stay consistent is by establishing internal SLAs and communicating transparently with researchers to help manage expectations.
For more information on top performer and platform stats for response efficiency, please visit our blog on Response Efficiency.