BIPI

Private Invitation Strategy: Signal, Domains, and Why You Got Skipped

Cybersecurity

Private invites are where the real bounty money lives. Learn what filters programs use, why your strong stats sometimes get skipped, and how to position yourself for the invites that match your skills.

By Arjun Raghavan, Security & Systems Lead, BIPI · May 11, 2023 · 8 min read

#private-programs #invitations #signal #bug-bounty #strategy

Private invites are not random

Every private invite is the result of a filter on hunter attributes, run by the platform on behalf of the program. If you know the filters, you can move yourself into the invite pool. If you do not, you wait and wonder.

The common invite filters

  • Signal threshold: usually above six on HackerOne, or above seventy percent on Bugcrowd.
  • Recent activity: often at least three resolved reports in the past ninety days.
  • Severity profile: programs that need critical finders filter on Impact above three.
  • Industry experience: finding bugs on similar tech stacks counts heavily.
  • Geography: some programs only invite hunters in specific regions for compliance reasons.

Domain experience matters more than total reputation

A program running a payments platform wants hunters who have found bugs on payment systems, not generalists with high reputation. Your invite chances rise dramatically when your past work matches the program's stack.

  1. Tag your reports with the relevant CWE and technology where the platform supports it.
  2. Keep your platform profile updated with technology specializations.
  3. Submit a few well written reports on similar public programs before the private launches.
  4. Engage with content in the niche (blogs, talks, write-ups); programs do watch this.

Why you got skipped

Recovering from a code of conduct flag

If you have been warned for tone, aggressive disputes, or scope violations, expect a six to twelve month invite slowdown. Recovery means clean reports, calm interactions, and time. There is no shortcut; the platforms track this internally and program managers see it.

Asking for invites

  • Some platforms allow you to request access to private programs you qualify for.
  • A polite, specific request citing relevant experience can move you into the pool.
  • Mass requesting every program will get you ignored or flagged as low quality.
  • If a program manager you have worked with moves to a new company, reach out directly.

The private program lifecycle

  1. First wave: a small handful of trusted hunters, often invited directly by the program.
  2. Second wave: a broader, filter-based invite, where most hunters enter.
  3. Public launch: if the program graduates, the bounty pool gets crowded.
  4. Steady state: private invites continue for new hunters who meet the filters.

Private invites are platforms saying "we trust you with quiet scope." Earn that; do not demand it.

What private programs reward

Private programs reward consistency, low noise, and high impact more than raw volume. A hunter who submits five Highs and zero Informatives in a quarter is more valuable to a private program than a hunter who submits twenty reports with mixed quality.

Long term invite strategy

  • Pick two or three industries to specialize in, and build domain depth.
  • Maintain at least one resolved report per month to stay in active filters.
  • Disclose resolved reports where allowed, building a visible track record.
  • Build relationships with program managers, who often recommend hunters across programs.
