BIPI

HackerOne Strategy: Reputation, Signal, Impact, and Program Selection

Cybersecurity

HackerOne ranks you by Signal, Impact, and Reputation, and programs invite you accordingly. Learn how each score is built, what tanks it, and how to pick programs that compound your numbers instead of burning them.

By Arjun Raghavan, Security & Systems Lead, BIPI · March 29, 2023 · 9 min read

#hackerone #bug-bounty #reputation #signal #program-strategy

Three numbers run your career

On HackerOne, Reputation is the headline number, but Signal and Impact decide whether you get private invites. Reputation rewards activity, Signal punishes noise, and Impact rewards severity. You need all three moving in the right direction.

Signal is the average reputation per report you submit, counting only the reputation tied to a report's closing state, so it runs from -10 (all Spam) to 7 (all Resolved). A single N/A (-5) or Spam (-10) closure wipes out most of what a Resolved report (+7) adds, and an Informative adds nothing while still counting in the denominator. That asymmetry shapes everything else.

How Signal actually works

  • Resolved report adds +7 reputation, lifting Signal slowly toward its ceiling of 7.
  • Informative closure adds zero but still counts as a report, which dilutes Signal toward zero.
  • N/A (-5) or Spam (-10) removes reputation, which drags Signal down hard.
  • Self-closed reports carry no reputation change, so withdraw a shaky report yourself before a triager closes it as N/A.

Impact, and why Mediums hurt elite tiers

Impact is the average bounty reputation per bounty-earning report, where severity sets the reputation: Low 5, Medium 15, High 25, Critical 50. It therefore runs from 0 to 50. Submitting many Lows on a generous program builds Reputation but drags Impact toward 5, and an all-Medium record caps it at 15. For top private invites you want Impact well above that, which usually means filtering yourself to High and Critical findings only.
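To make the three numbers concrete, here is a small calculator, added for this article rather than taken from HackerOne or any tool. It encodes the reputation values as the author of this example understands them (Resolved +7, Informative 0, N/A -5, Spam -10, self-closed 0; bounty reputation Low 5, Medium 15, High 25, Critical 50); re-check them against HackerOne's current docs before relying on them. Duplicates are left out because their reputation rules carry conditions, and treating self-closed reports as outside the Signal average is an assumption that matches the page's claim that they do not damage Signal.

```python
from dataclasses import dataclass
from typing import Optional

# Reputation per closing state. Assumed values, taken from HackerOne's
# published reputation rules as understood when this example was written.
STATE_REP = {
    "resolved": 7,
    "informative": 0,
    "not_applicable": -5,
    "spam": -10,
    "self_closed": 0,
}

# Reputation added when a bounty is paid, keyed by severity. Impact averages
# this column, so it ranges from 0 to 50.
BOUNTY_REP = {"none": 0, "low": 5, "medium": 15, "high": 25, "critical": 50}


@dataclass(frozen=True)
class Report:
    state: str                       # a key of STATE_REP
    severity: Optional[str] = None   # a key of BOUNTY_REP, used only if a bounty was paid
    bounty_paid: bool = False


def reputation(reports):
    """Total Reputation: state reputation plus any bounty reputation."""
    total = 0
    for r in reports:
        total += STATE_REP[r.state]
        if r.bounty_paid:
            total += BOUNTY_REP[r.severity or "none"]
    return total


def signal(reports):
    """Signal: mean state reputation per report that a triager closed (-10..7).

    Self-closed reports are excluded from the average (assumption, see lead-in).
    Bounty reputation is not part of Signal, which is why 7 is its ceiling.
    """
    counted = [STATE_REP[r.state] for r in reports if r.state != "self_closed"]
    if not counted:
        return 0.0
    return round(sum(counted) / len(counted), 2)


def impact(reports):
    """Impact: mean bounty reputation over bounty-earning reports (0..50)."""
    paid = [BOUNTY_REP[r.severity or "none"] for r in reports if r.bounty_paid]
    if not paid:
        return 0.0
    return round(sum(paid) / len(paid), 2)


# Constructed sample history: five resolved Mediums, then one N/A closure.
MEDIUM = Report("resolved", "medium", bounty_paid=True)
NOT_APPLICABLE = Report("not_applicable")


def asymmetry_demo():
    """Signal after five Mediums, after one N/A, and after five more Mediums."""
    five = [MEDIUM] * 5
    return (
        signal(five),
        signal(five + [NOT_APPLICABLE]),
        signal(five + [NOT_APPLICABLE] + [MEDIUM] * 5),
    )


if __name__ == "__main__":
    print("signal trajectory:", asymmetry_demo())
    print("impact, five Mediums + one Critical:",
          impact([MEDIUM] * 5 + [Report("resolved", "critical", bounty_paid=True)]))
```

Five clean Mediums sit at the Signal ceiling of 7; one N/A drops the average to 5, and five more Mediums only bring it back to about 5.9. That is the asymmetry in numbers: the N/A costs far more than any single resolved report can repay.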

Program selection math

  • New programs, less than ninety days old, have lower duplicate rates.
  • Programs with response efficiency above ninety percent pay faster and close cleaner.
  • Wide scope, like wildcards on root domains, rewards recon and discovery hunters.
  • Narrow scope, like a single SaaS app, rewards deep behavior and logic hunters.
  • Compare the Average Bounty on the program page with its published bounty table. An average far below even the Low tier means the program is downgrading severities or paying under its own floors, and the math does not work for you.

When to skip a program entirely

If the program has an average time to first response over ten days, a resolved rate under sixty percent, and a hacktivity feed full of disclosed Informatives, the triagers are overwhelmed and your Signal is at risk. Move on.

Building Reputation without burning Signal

  1. Start on Bug Bounty programs that accept Lows, not VDPs that tend to close Lows as Informative.
  2. Submit only after running the seven-question gate on your own report.
  3. Chain findings before submitting, because one chain beats three separate Lows on Impact.
  4. Re-test after fix, because Retest reputation is free if you already found the bug.
  5. Disclose resolved reports on hacktivity. Disclosure does not add reputation, but it gives triagers and program managers a visible track record under your handle.

Private invite triggers

Most private invites are filtered on minimum Signal and Impact and on at least ten resolved reports in the past ninety days. Signal tops out at 7, so demanding programs want it close to that ceiling, which means a nearly clean closure record; Impact tops out at 50, so a Low-only history averaging 5 will not clear the higher filters. Some programs also filter on geography, on prior reports in the same industry, and on whether you have ever had a code of conduct flag.

Reputation gets you noticed. Signal and Impact get you invited.

Recovering a tanked Signal

  • Stop submitting on programs where you have recently been marked Informative.
  • Move to a generous program and submit only validated High findings.
  • Every resolved report pulls Signal up by (7 minus your current Signal) divided by your new report count, so the deeper the hole and the longer your history, the more clean reports the recovery takes. Volume of quality matters.
  • Avoid submitting anything you are not ready to defend through a back and forth.
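How long a recovery takes follows from the averaging directly. With Signal s over n counted reports, k consecutive Resolved reports (+7 each) give (s·n + 7k)/(n + k), and requiring that to reach a target t yields k ≥ n(t − s)/(7 − t). The following example, written for this article and not HackerOne's own code, solves that inequality and checks it against a step-by-step replay; the state reputation values (Resolved +7, Informative 0, N/A -5, Spam -10) are the same assumed values as above.

```python
import math
from fractions import Fraction

RESOLVED_REP = 7  # reputation for a Resolved report; also the ceiling Signal can reach

# Assumed per-state reputation, from HackerOne's published rules as understood here.
STATE_REP = {"resolved": 7, "informative": 0, "not_applicable": -5, "spam": -10}


def resolved_needed(current_signal, counted_reports, target):
    """Smallest number of consecutive Resolved reports that lifts Signal from
    current_signal (averaged over counted_reports reports) to at least target.

    Solves (s*n + 7k)/(n + k) >= t for k, i.e. k >= n*(t - s)/(7 - t).
    Fractions keep the arithmetic exact so the ceiling is never off by one.
    """
    if target >= RESOLVED_REP:
        raise ValueError("Signal cannot exceed 7; pick a target below the ceiling")
    if current_signal >= target:
        return 0
    s, t, n = Fraction(current_signal), Fraction(target), Fraction(counted_reports)
    return math.ceil(n * (t - s) / (RESOLVED_REP - t))


def trajectory(current_signal, counted_reports, outcomes):
    """Signal after each closure in `outcomes` (keys of STATE_REP), replayed
    from a starting Signal and report count. Used to sanity-check the formula."""
    total = Fraction(current_signal) * counted_reports
    n = counted_reports
    path = []
    for outcome in outcomes:
        total += STATE_REP[outcome]
        n += 1
        path.append(round(float(total / n), 2))
    return path


if __name__ == "__main__":
    # Constructed scenario: Signal 3.0 after 20 triaged reports.
    print("to reach 6.0:", resolved_needed(3.0, 20, 6.0), "clean resolved reports")
    print("to reach 5.5:", resolved_needed(3.0, 20, 5.5), "clean resolved reports")
    # What a single slip costs at the other end: one Informative then one N/A
    # starting from a clean 6.0 over 10 reports.
    print("after informative, N/A:", trajectory(6.0, 10, ["informative", "not_applicable"]))
```

From Signal 3.0 over 20 reports it takes 60 consecutive clean resolutions to reach 6.0, and 34 to reach 5.5; the target's distance from the 7 ceiling drives the count, which is why the text tells you to stop submitting anything you cannot defend. The same replay shows the downside: from 6.0 over 10 reports, one Informative followed by one N/A lands you near 4.6.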

What the numbers do not show

Triagers remember hunters by handle. A polite, accurate hunter gets the benefit of the doubt on borderline reports. A combative hunter gets every borderline call decided against them. Reputation is also social.

Read more field notes, explore our services, or get in touch at info@bipi.in. Privacy Policy · Terms.