Bonuses can be used to recognize hackers for positive actions beyond finding valid vulnerabilities. Bonuses create more ways for hackers to earn rewards on HackerOne, and for security teams to offer more flexible incentives without increasing the market rate for bounties.
The main distinction between a Bounty and a Bonus:
Bounty amounts are used to determine how important a report is, and the reporter will be given an adjusted amount of reputation based on that.
Bonuses are used purely for cases when you are awarding for issues not related to bug severity.
The following are some of the use cases where a bonus can be used effectively to reward researchers.
High Quality Report Bonus
Did you receive a report from a hacker that was exceptionally useful? Reward a bonus in addition to the bounty, to show them that they went above and beyond the call of duty. Teams can also publicly disclose these reports to show other hackers the kind of report that can earn a bonus.
Specific Request Bonus
Did a hacker help you verify that an issue was resolved appropriately, or format the report according to your instructions? Awarding a bonus is a great way to positively reinforce the kind of behavior you find most helpful from hackers.
The bonus feature makes it easy for teams to run a promotion during a specific time frame, or add extra incentives for issues found within a desired product or feature. Use bonuses to offer additional incentives to focus hackers on the scope you care about most.