Severity Labs

Pricing

Monthly retainer. No per-bug fees.

Tiers are based on report volume and SLA. Pick the one that fits today — we'll re-tier you when your program grows.

Starter

For teams just turning the lights on.

Contact for pricing

Up to 30 reports / month

  • Triage of every inbound report
  • CVSS 3.1 scoring with justification
  • Dev-ready handoff to your tracker
  • 24h SLA (business hours)
  • Monthly summary email
Most picked

Growth

For programs with steady inbound volume.

Contact for pricing

Up to 100 reports / month

  • Everything in Starter
  • 12h SLA, 7 days a week
  • Hunter-facing communication on your behalf
  • Weekly summary + open-issue digest
  • Quarterly program review call

Enterprise

For programs that can't have surprises.

Contact for pricing

Unlimited reports

  • Everything in Growth
  • Custom SLA, including same-day on critical
  • Dedicated triage lead
  • Direct integration into your tracker and SIEM
  • Quarterly executive program review

Compare

Everything, side by side.

                       Starter                   Growth                    Enterprise
Reports per month      Up to 30                  Up to 100                 Unlimited
Acknowledgement SLA    24h business hours        12h, 7 days               Custom
Validation + repro     Yes                       Yes                       Yes
CVSS 3.1 scoring       Yes                       Yes                       Yes
Tracker handoff        Jira / Linear / GitHub    Jira / Linear / GitHub    Custom integration
Hunter communication   Templated                 Full, on your behalf      Full + escalation paths
Summary cadence        Monthly                   Weekly                    Weekly + executive
Program review                                   Quarterly                 Quarterly + ad-hoc
Dedicated lead                                                             Yes
Retest verification    Add-on                    Add-on                    Included

Where each tier fits

Three programs, three different shapes.

Starter

Series A SaaS — self-hosted program

Pattern

Public security@ inbox, ~15 reports a month, half are scanner noise. AppSec is one engineer who used to do this on Friday afternoons. Wants Friday afternoons back.

Outcome

We take the inbox. Their AppSec engineer reviews our weekly summary, signs off on bounties, and ships fixes. Net time spent on triage drops from ~6 hours/week to ~30 minutes.

Growth

Public fintech — Bugcrowd + private engagements

Pattern

Public program on Bugcrowd plus a small private program directly with vetted hunters. ~70 reports/month combined. Platform triage covers some of it; the team wants independent validation on highs and criticals before they hit the tracker.

Outcome

12-hour SLA on every report regardless of source, dedicated triager, weekly summary the CISO actually reads. Platform triage is no longer the only voice; severity and impact are independently confirmed.

Enterprise

Healthcare platform — multi-platform, regulated

Pattern

Programs on HackerOne and YesWeHack across acquired companies, plus a self-hosted disclosure portal for partners. Compliance pressure means every report is a potential audit finding. ~150 reports/month across surfaces. Need same-day on critical, custom integrations into ServiceNow and the SIEM.

Outcome

Dedicated triage lead, same-day critical SLA, two-channel escalation (Slack + PagerDuty), quarterly executive review with the compliance team. Audits cite the program as a control rather than a risk.

Pricing FAQ

The questions we get on every intro call.

  • How do you decide which tier I need?

    Your monthly inbound volume and how strict your SLA needs to be. If you average 25 reports a month and business-hours response is fine, Starter. If you're at 60+ and need 12-hour coverage, Growth. If you can't have surprises and want a dedicated lead, Enterprise. We'll tell you honestly on the intro call — including 'you don't need us yet'.

  • How does this compare to platform-managed triage?

    Different products solving different problems. Independent triage works alongside (or instead of) platform-bundled triage on HackerOne, Bugcrowd, YesWeHack, and similar. Plenty of programs use both.

  • What if I exceed my tier's volume in a given month?

    We don't bill overages. If you spike past your tier two months running, we'll suggest moving up. If it was a one-off (a public disclosure stunt, a launch week), we absorb it.

  • Is there a minimum commitment?

    Three months on Starter and Growth. Twelve months on Enterprise (because we hire against it). After the minimum, monthly with 30 days' notice either way.

  • What does 'Contact for pricing' mean — are you just hiding the number?

    No. The actual price depends on volume, SLA, integrations, and add-ons. Posting one number means quoting too high for some and too low for others. The intro call gets you a real number within ten minutes.

  • Do you take equity or accept reduced rates for early-stage companies?

    Cash only. We're not your investor and you don't want us to be.

  • Can I pause and resume?

    Yes, on Starter and Growth. Pause for up to two months without losing your spot. Beyond that you're re-onboarding, which we'd rather not do.

  • Do you offer one-off triage or burst capacity?

    Not as a standalone product. If you're an existing client and a public disclosure floods your inbox, we handle it. If you're not, the answer is 'sign up for Starter for the month'.

Not sure which tier?

Tell us your monthly volume and where the program is today. We'll point you at the right one — even if that means starting smaller.


Get started

Stop letting reports pile up.

Hunters lose interest. Engineers lose mornings. The next report is already in the inbox.