Program Metrics are for security teams what Reputation is for hackers. With program metrics, hackers can now see a participating security team’s bounty averages and response times up front on the right side of the program’s Security@ page. Any reports filed by a security team's members will not be reflected in the metrics.
Response Efficiency Metrics
Response efficiency is calculated based on the last 3 months of activity. Hackers will now be able to see a team’s average first response time, average time to resolution and average time to bounty. By seeing these metrics prior to submitting to a program, hackers are not left wondering, "Is it too soon to follow up?".
Bounty metrics are calculated over a program’s lifetime and are designed to set realistic expectations with hackers and security teams.
Total bounties paid can be a strong indicator that a bounty program is active and healthy. Similarly, the mean and median bounty serve as rough guidance for how much a hacker can expect in return for a valid report. For instance, if a hacker knowingly submits a critical bug to a program where the mean bounty is listed at $50, they will likely not expect $10,000 based on the program metrics.
How to turn on Program Metrics on the Security@ page
New companies who have joined HackerOne have these metrics auto-enabled. For existing customers, you can turn them on and off at Settings > Display Options. Toggling the "Response Efficiency" option shows or hides the three metrics related to response efficiency. The same applies to the "Bounty Statistics" option. The metrics can be shown or hidden only as a group and cannot be toggled individually. Please let us know if you have any feedback at email@example.com.