
What are Program Metrics?

Program Metrics are for security teams what Reputation is for hackers. With program metrics, hackers can now see a participating security team’s bounty averages and response times up front on the right side of the program’s Security@ page. Any reports filed by a security team's members will not be reflected in the metrics.

Response Efficiency Metrics

Response efficiency is calculated based on the last 3 months of activity. Hackers will now be able to see a team’s average first response time, average time to resolution and average time to bounty. By seeing these metrics prior to submitting to a program, hackers are not left wondering, "Is it too soon to follow up?".

Bounty Metrics

Bounty metrics are calculated over a program’s lifetime and are designed to set realistic expectations with hackers and security teams.

Total bounties paid can be a strong indicator that a bounty program is active and healthy. Similarly, the mean and median bounty serve as rough guidance for how much a hacker can expect in return for a valid report. For instance, if a hacker knowingly submits a critical bug to a program where the mean bounty is listed at $50, they will likely not expect $10,000 based on the program metrics.

How to turn on Program Metrics on the Security@ page

New companies that have joined HackerOne have these metrics enabled automatically. Existing customers can turn them on and off at Settings > Display Options. Toggling the "Response Efficiency" option shows or hides the three metrics related to response efficiency. The same applies to the "Bounty Statistics" option. The metrics can be shown or hidden only as a group and cannot be toggled individually. Please let us know if you have any feedback at
