Today, we are happy to announce that our HackerOne bug bounty program is now public. Since we opened our private bounty program in December 2017, we have been preparing to take this program public by working through some of the challenges of managing a bug bounty program. We have awarded over $200,000 in bounties since the bug bounty program went live last year. This means we mitigated nearly 200 vulnerabilities reported to us.
Our first response time to newly submitted findings has decreased significantly, from an average of 48+ hours to just seven. That is a significant reduction achieved through security automation, and will help us scale, as well as better engage the hacker community.
On average, our mean time to mitigation (MTTR) for critical security issues is currently fewer than 30 days. Our current goal is to now focus on bringing the MTTR metric for medium-high security issues to under 60 days, on average.
Yesterday, we released a webinar to announce our plans to be a public bug bounty program. In managing a public bug bounty program, we will now be able to reward our hacker community for reporting security vulnerabilities to us directly through the program.
The past year has been a great journey of learning about managing such a program, and we have plans to further expand upon our public program in 2019 and beyond. We would also like to acknowledge some of our top contributors from the hacker community, including ngalog, jobert, and fransrosen.
Check out the program to see how you can contribute!