See what's changed or new in HackerOne.
Programs can now request hackers to provide their full name and address when accepting the Digital Custom Agreement.
Hackers can now view their signed custom agreements on the new Digital Custom Agreements page within their profile settings.
To simplify the setup process, programs can now set up their Jira Integration without needing Jira Administrator permissions.
Hackers can now control whether they want their earnings to be visible on Hacktivity and their profile. Go to your profile's Settings > Account Preferences to manage your bounty visibility.
Programs using the Phabricator integration can now link their Phabricator tickets to their reports on HackerOne.
To better protect your sensitive information, we now provide a suggested redaction notification when your report comments contain sensitive information such as cookies, credentials, and authentication tokens.
Jira users can now remove a Jira reference on a report in case they linked the wrong Jira ticket or they need to escalate the report to Jira again.
If you're managing or are a part of many programs, you can now search the inbox by program name with our new search field. The search field is visible for everyone who is a part of 5 or more programs.
We added the new Bookmarked program filter to the My Programs tab so that hackers can view their bookmarked programs on the same page.
We added an Experience by vulnerability type section to the Overview page of the Hacker Dashboard so that hackers can see the analytics of which vulnerability types they're most successful in finding.
We modified the layout of the profile section of the Hacker Dashboard and also expanded it with metrics on resolved reports that enable hackers to understand the percentage of their report submissions that are resolved.
We've redesigned the hacker profile page to simplify the UI. In doing so, we've deprecated the Thanks tab and put the Thanks section at the bottom of the profile page.
We've revamped the Notification Preferences page and added new settings so that all users can better customize their report notifications to reduce noise from unwanted notifications.
We've deprecated the Follow button on the Program Page and replaced it with a Bookmark button. We also moved the Subscribe button from the bottom of the Program Page to the top, next to the new Bookmark button, so that hackers can easily subscribe to program updates and add programs to their bookmarked program list on their dashboard.
We've released the following improvements to our API:
We've released these new endpoints to our API:
You can now better preview programs when hovering over program names with our revamped hover state profile popup. You can quickly view important information regarding the program when hovering over the program name on these pages:
We've redesigned the program profile pages to give them a sleeker look.
It can take a long time to set up Target Scope in Burp Suite, especially for programs with long or complicated scopes. Now you can download a Burp Suite project file to link HackerOne scope to the Burp Suite Target Scope.
We've updated the structured scopes table on the program policy page with a new bounty eligible and ineligible icon to clearly show which assets are eligible and ineligible for bounties.
You can convert attachments to be internal for all redactable reports in the Convert attachments to internal-only section when redacting a report.
After the beta launch in March, all hackers can now subscribe to receive notifications from program updates.
You can also now set your notification preferences under the new Notification Preferences page in your user settings.
Easily find all reports you've been mentioned in to keep track of which reports need a response from you with our new mentions filter.
After the beta launch in March, custom fields are now available to all Enterprise programs.
We introduce the new Also mark as ineligible for bounty checkbox so that programs can now mark a report as being ineligible for bounty when awarding swag.
Programs can also now award swag to reports that are marked as ineligible for bounty.
Say goodbye to the old notifications indicator next to your profile icon. We introduce a new bell icon to notify you of any new notifications. If you have more than 25 unread notifications, we've truncated the notifications number to be capped at 25+.
Say goodbye to having to always re-select how you want your inbox sorted. Your selected sort order will now automatically save when creating your custom inbox view.
You can now filter through your inbox reports by submission date in order to quickly find reports submitted after or within a certain time.
The new Group Members filter enables you to search for reports by individual members within a group. Previously, you couldn’t see which members were assigned to which reports within the group. This enables you to better keep track of reports and the individuals assigned to them.
We’ve deprecated the Insights tab from program pages.
We’ve revamped the Program Dashboard with new metric tables and charts that give better insight into reporting and analytics for programs.
We've added these improvements to the bi-directional Jira integration:
The HackerOne to Jira escalation template now includes all additional fields that are either a type of
date. This enables Jira users to have all fields in Jira be mapped to a value from the HackerOne report. All available Jira fields will automatically be pulled from the selected issue type.
Jira users can now sync attachments from their HackerOne report to Jira by selecting Synchronize attachments in the Select HackerOne to Jira events section when configuring their Jira integration.
Jira users can now select which Jira closed issue status should result in the closure of the HackerOne report.
With severity to priority mapping, Jira users can map HackerOne severity ratings to the priority fields they have in Jira. This enables the right priority to be set when escalating a report to Jira.
We've revamped the My Stats section of the Hacker Dashboard with expanded graphs where you can view your bounties, reports, and reputation over time. We've also included a new My top earning programs section to help hackers see which programs they're earning the most bounties from.
Programs can now select to notify their subscribers of changes in their Policy and Scope settings pages with our new Notify subscribers of changes checkbox. The checkbox can be found for changes to these pages:
You can now view previous changes made on bounty tables for all programs to see what's been changed over time with our bounty table versions page. Click on View changes on the Rewards section of the program policy page to access the versions page.
We introduce custom fields to enable programs to add custom information to their reports to help them better manage and analyze their internal data by the categories that they define to be important. This feature is only available for Enterprise programs.
We've also added custom fields to the API to enable programs to search and filter reports by custom field values.
Select hackers now receive program notifications to all program updates via the product and email for changes to the:
We've also implemented a new Subscribe button on the policy page to enable hackers to easily subscribe to program notifications. Note: The button is currently viewable for select hackers.
We've deprecated the Custom recipient field on the Message Hackers page as the feature wasn't found to be very valuable for programs.
Programs can now opt-in to purchase a bundle of retests with their HackerOne subscription. With bundles, programs are no longer charged the processing fee for each bounty, and can also opt-in to purchase more retests when they run out.
We’ve renamed the Accepted Invitations page on the Hacker Dashboard to now be called My Programs. We’ve also revamped the page so that hackers can better manage all of the programs they’re a part of by including:
We've renamed the Getting Started page to now be called Overview. We provide new hackers that haven't submitted any vulnerabilities with a getting started checklist with 4 tasks to complete to guide them to be more successful on the platform.
After hackers have submitted their first vulnerability, they'll be able to view statistics for these personal metrics on their Overview page:
We introduce the new Getting Started page on the Hacker Dashboard. This will guide hackers and direct them to the right pages to help them get the information they need to successfully start out on HackerOne.
Want all of your report data for safe keeping or just for analytical purposes? Programs can now export all of their reports through our new Export Reports feature.
Jira users can now link their HackerOne reports to their existing Jira tasks.
Jira users can also now select from multiple projects they want their Jira task to link to.
Hackers in India will no longer lose a portion of their bounty to transfer fees as we now support payments in Indian Rupees.
When new users sign up to use HackerOne, they can now more clearly distinguish whether they are a hacker or a company wanting to set up an account.
You can now clearly define whether you're a hacker or someone running a program within the new Account Preferences tab under your profile settings. This will help tailor your HackerOne experience to better fit your needs.
We've now implemented infinite scrolling on multiple pages so that you no longer have to click on the Load more button to view more information. The information now automatically populates.
We've totally revamped our directory page so that you can better search and view programs. You can now filter your search results by program features and by asset type, and we also enable you to view various stats for each program on one page.
You can now bookmark your favorite programs on the directory by starring them.
Our new Hacker Dashboard enables hackers to better manage and review their:
We now enable you to search within Hacktivity. You can search for reports on the programs and weaknesses you're interested in reading about in the search bar to better learn how specific weaknesses were exploited in various programs.
We've deprecated the term "Public Disclosure" and now simply call it Disclosure.
Private programs can now opt-in to enable hackers to disclose reports to other hackers within their program. Upon disclosure, contents of the report will only be visible to participants within that private program. This enables hackers to share their vulnerability findings with other hackers in the program, and can also increase awareness for other hackers as they can better see what vulnerabilities have already been found for the program.
We now enable you to cancel disclosure requests. You can cancel your own requests, and hackers and programs can cancel the requests they receive from one another if they choose not to disclose a report.
Hacker101 CTF is now linked to your HackerOne account. Every time you earn 26 points in the CTF, you’ll be put in the priority queue to receive invitations to private programs. We also enable you to create your own groups to manage hackers working through the CTF.
We added a new activities API endpoint that enables you to fetch all activities of your program incrementally by time. Learn more about the activities endpoint.
Hackers can now configure the HackerOne VPN and access their VPN credentials for VPN enabled programs.
We've globally launched our retesting feature so that all programs can now initiate retests on any of their resolved reports. Invitations for retests now expire after 24 hours, and hackers are now required to provide a short summary of how they retested the vulnerability. Hackers can also provide attachments of their findings.
Programs can now elect to invite hackers to retest their vulnerabilities to verify fixes. Each hacker that participates in the retest will receive a $100 bounty upon completion. Learn more about retesting.
Programs can now require hackers to have two-factor authentication enabled in order to submit new reports to their program.
Programs can now embed the HackerOne report submission form onto their own website. This enables hackers to submit reports without having to create an account on HackerOne. Learn more here.
Anyone can now review and manage their active HackerOne sessions on all of the devices they're signed in to on the new Sessions page.
We've enabled the beta Credential Management feature so that select programs can share credentials with hackers through the HackerOne UI. This enables hackers to quickly retrieve the credentials needed to find vulnerabilities.
We now enable hackers to publish their findings from external sources that don't have HackerOne programs. Click here to learn more.
Hackers now have the ability to set up two-factor authentication to add an extra layer of protection to their accounts.
Programs can now filter reports with these new inbox filters:
We introduce the insights page to provide hackers with helpful statistics about programs they're considering hacking on. The information is provided to help hackers focus their efforts on the right assets for the right programs. Categories of insights include:
All hackers now have an email alias that forwards emails to the email address they’ve registered with on HackerOne. This provides an easy way for programs to contact you in order to share credentials and information without having to access your actual email address.
We've revamped the look of our Hacktivity feed so that it has a sleeker design. We've also deprecated the Top tab on Hacktivity.
No need to wait for reports to be resolved in order to increase reputation! We now enable hackers to gain reputation whenever their reports are marked as Triaged.
Instead of having programs manually create their own bounty table on the policy page using tedious markdown, we now enable them to easily generate their own bounty table with our new bounty table tool.
We introduce the new Hacker Feedback Dashboard where private programs can see the total feedback their program has received from hackers along with the reasons they’ve declined to participate in their program. The feedback can be viewed at Dashboard > Feedback. Learn more about the feedback dashboard.
We've revamped our triggers functionality so that you can:
We’ve deprecated the threatening term Response SLA and replaced it with the more friendly terms Response Targets and Response Standards. Learn more about these new terms.
We’ve deprecated the SLA Violations inbox view and changed the name to Missed targets. The inbox filters are also now Missed response targets and Missed response standards instead of SLA violation reports and SLA Fail reports.
We introduce 4 new inbox labels for reports that don’t meet response standards or targets. The labels are: Response, Triage, Bounty, and Resolve. These labels replace the previous SLA Fail and SLA Miss labels.
The fields on the Response Target performance section of the Program Health dashboard have changed to On target, Missed target, and Missed standard. The missed target line has also been removed from the Average Time to Resolution graph on the dashboard.
We’ve modified response efficiency indicators so that:
We now enable you to set your Time to Resolution response standards by severity. Learn more here.
Programs no longer have the ability to toggle invitations on or off with the On/Off button. The equivalent action to turn invitations off is to set the report volume to 0 if they no longer wish to engage with new hackers. To turn invitations on, just increase the report volume to be greater than 0.
Policy and Scope now have their own separate sections under Settings > Program.
Response efficiency timers no longer trigger for reports submitted by internal members of the program.
Programs in controlled launch mode are no longer able to toggle auto-invites as on or off. To change their settings for invitations, they can contact HackerOne support.
We’ve improved the way programs can manage their invitations to hackers. You can now set a report volume target where we’ll monitor and manage your hacker invitations to help you meet your report goal.
The Invite Hackers tab under Settings > Program > Hacker Management has been renamed to Invitations.
The Invitations page includes the new Report Volume field where you can enter the number of reports you'd like to receive in 30 days.
Reports in the Needs More Info state that haven’t been responded to within 30 days automatically get closed with no negative impact to the hacker’s reputation.
Response SLA settings are now applied to all reports and not just reports created after modification to SLA settings.
Response SLA settings are also now incorporated into Controlled Launch for Response programs. Programs must have received at least 10 reports and invited 100 hackers while maintaining healthy response times before launching publicly.
Programs can now see their response efficiency indicator in their program dropdown. This enables them to see their response efficiency status without having to visit their security page.
When Hackers reject an invite, they are given the opportunity to fill out a questionnaire to provide HackerOne with feedback on why they decided to reject the program invitation. The questionnaire shows up directly after hackers reject the invitation.
The Leave Program button is updated to be on the sidebar of the program’s security page. Hackers that leave the program also get an invitation to fill out the rejection questionnaire.
The notification to private invites is updated so that it doesn't look like a program member invite.
The Response Efficiency box is updated on the program security page to show that metrics are averages of the last 90 days.
There is now a response indicator in the Response Efficiency box of the program's security page to show how healthy a program is. The indicators are either green, orange, or red dots.
We enable programs to utilize the expertise of HackerOne Security Analysts to review those pesky invalid reports so that programs don’t have to deal with them. Learn more about Human Augmented Signal.
You can now set your response service level agreements (SLAs) for time to first response, time to triage, time to bounty, and time to resolution. What do all these terms mean? Find out here.
We now display a colored indicator on a program's security page to show hackers how responsive a program is to report submissions.
Want to take a break or need time to catch up on existing reports? Programs can now pause from accepting new report submissions.
We now enable you to attach pictures and other files to your policy. Simply go to your program's Settings > Policy and there will be a field where you can upload your files. We've got a nice GIF on ours. Check it out.
The Directory page now includes pink and purple lightning icons to highlight programs that are:
Organizations now have the ability to pay out and suggest bounties and swag using their internal systems via the API. You can view the API documentation for this here.
We've revamped our Slack integration so that programs can have:
Programs can now enable hackers to split bounties with other hackers who helped them find the vulnerability.
Programs can now define their scope and the list of assets they want hackers to test. This controls what reports can be submitted and helps to prevent noise. Don’t know what a scope is? Learn more here.
Programs now have the ability to review their hackers and to comment on their behavior. Learn more about hacker reviews.
During hackathon events, programs can now filter reports in their inbox specific to the hackathon so that these reports can be focused on.
We’ve updated the words programs encounter when they onboard onto our platform to reflect our new product changes.
Program administrators now have the ability to enforce notification settings for all members of their program. This ensures that members only receive notifications for the reports they’re subscribed to, instead of being spammed for things that don't apply to them.
We’ve automated our daily Coinbase payouts so that we don’t have to manually do the work and all hackers receiving payments through Coinbase will be paid at a consistent time every day at 11pm UTC.
Organizations running multiple programs are now able to transfer reports between programs to make sure the vulnerability is associated with the correct program.
We've implemented a hacker VPN that:
Contact HackerOne to participate in this beta.
We've updated our vulnerability taxonomy to include a more complete weakness suite based on the industry-standard Common Weakness Enumeration (CWE). This provides a much more complete and accurate description of a reported vulnerability, and more importantly, it adopts a common language that is endorsed by the security community.
HackerOne will now triage and validate disclosure assistance vulnerability reports by severity in order to expedite the disclosure assistance process.
All program users of the HackerOne API are now enabled to choose to award a bounty for a report that was submitted externally to their HackerOne Security Inbox.
We now provide native support for custom integrations with non-financial reward programs such as paying bounties in airline miles. The first user of these new rewards is Lufthansa, which awards bounties in the form of their “Miles and More” program. Please contact your Account Manager for additional information.
We now enable hackers to attach videos to their vulnerability reports.
We now set clearer expectations for self-managed programs that decide to publicly launch their program without having met the launch criteria. We supply warning messages showing that the program hasn’t met the recommended criteria and also require them to select the checkbox acknowledging that they haven’t met the criteria but still want to launch publicly.
When programs award a bounty, we now automatically show them the median, competitive, and top level bounty across the platform for the severity of the vulnerability they are awarding a bounty for. This helps programs to gauge their reward competitiveness and to be as consistent as possible in awarding bounties.
We’ve implemented monthly digest report emails so that if a user is a member of an active HackerOne program, they’ll be able to see how their program is performing and gain insight into any changes to their program. They’ll receive this email every first business day of the month.
The new Hacker Skills feature enables hackers to identify their skill set, which enables them to qualify for invitations specific to their skill sets. Each skill a hacker lists will be verified by HackerOne.
We enable you to change the state of a report through utilizing our API.
We’ve improved HackBot to suggest single-click actions, such as:
We’ve totally revamped our Thanks page on the hacker profile so that all the programs hackers have made contributions to are now listed in the order of most reputation earned. We also display for each program:
Programs can now assign reports to team members using the API. See the API documentation for how to assign a report here.
We’ve created a notifications page so that you can have a clear overview of your notifications. Go to https://hackerone.com/notifications to see your notifications.
Programs now have the ability to further customize their report submission form by choosing and customizing a report template that pre-populates the Issue information field. Learn more about report templates.
We’ve updated the Billing page so that programs can now:
Programs can now edit the vulnerability type of a report after the report has been submitted. This is to correctly associate a report with the right vulnerability type if a hacker selected the wrong one.
We’ve adjusted our reputation system so that reports marked as “Needs More Information” don’t result in a -1 reputation hit.
We now display all of the reports hackers have on Hacktivity on their profile page.
We’ve deprecated the Thanks page at https://hackerone.com/thanks and turned it into a hacker leaderboard that’s segmented into more granular time periods and sortable by Signal, Impact, and Reputation. See who’s on top here.
We introduce the first version of the HackerOne API to empower programs to build custom metrics and dashboards. Learn more about our API Documentation.
Programs now have the ability to publicly share Time Metrics and Reward Metrics. These metrics include:
We now enable programs to make payments using their credit card through our Stripe Integration.
We now enable private programs to configure a minimum threshold for their report volume under which new hackers will be automatically invited.
All reports now include a header with summarized stats on the hacker who submitted the report. The new header fields include:
All reports, including those marked as Not Applicable, Duplicate, and Spam can now be publicly disclosed when both the hacker and the program agree to disclose the report.
We now support message threading for notification emails so that similar emails are grouped together.
We introduce the ability for programs to award a structured bonus in addition to the standard bounty for a vulnerability. Read about it in our blog.
We give programs the ability to tune the Rate Limiter by specifying minimum Signal Requirements for hacker participation. We’ve also updated the Rate Limiter to incorporate additional intelligent inputs.
We’ve overhauled the hacker invitation process so that hackers with the highest Reputation, Signal, and Impact will have a greater likelihood of being invited to private programs. Read our blog post to learn more about how invitations work.
Hacker profiles now include a Thanks page that lists all programs the hacker has submitted vulnerability reports to. For example, check out: https://hackerone.com/atom/thanks
We add these new default views to the inbox to better organize reports:
Programs and hackers can now preview image attachments on the report form.
We introduce the HackerOne Success Index - a method to measure the effectiveness of HackerOne-powered vulnerability disclosure programs. The index calculates 6 dimensions by which programs can benchmark their success each month. Learn more here.
We provide hackers with the ability to request help in contacting an organization with a vulnerability through Disclosure Assistance. This enables HackerOne to take steps to identify the organization’s official vulnerability reporting process. Read more in our blog.
We’ve updated our triggers functionality so that an interstitial shows prior to report submission. This helps hackers to avoid the submission of a number of out-of-scope or commonly reported false positives.
We’ve updated our report classification engine to detect common outputs from automated vulnerability scanners that are frequently flagged as invalid. This enables the quality of report submissions to improve as hackers can check the report before submission.
We’ve improved our Single-Sign-On (SSO) options with support for SAML. Response teams using an SSO provider to authenticate can use those services for centralized authorization and identity management.
If any disagreements or discussions arise regarding a report, hackers and programs can now request mediation and our experts will provide guidance on the situation.
We’ve added integrations with:
Read more about how these integrations work here.
We introduce the Vulnerability Coordination Maturity Model which helps programs increase their dependence on internet-connected software. Learn more about this model in our blog post.
We’ve added integrations for ServiceNow and Assembla.
We’ve integrated tax forms into our product so that hackers can quickly sign them to get paid.
HackerOne program administrators can set access rights for different team members who might play different roles on your team. Learn more here.
We now enable you to integrate HackerOne with GitHub.
Programs and hackers can now summarize the content of a public disclosure in the summary field.
Hackbot is now able to detect duplicate and related reports to help programs associate and close reports more quickly.
We’ve redesigned the security inbox to enable faster bug processing for programs. The new inbox enables programs to open reports inline so you don’t have to click backward or forward to navigate between reports.
We introduce keyboard shortcuts to make the workflow more efficient with faster navigation.
Our new inbox filtering search functionality enables programs and hackers to quickly target the bug they're looking for without having to scroll through their inbox.
We introduce these new integrations with HackerOne:
We introduce the new trigger option to change the report state to Needs more info.
We enable programs and hackers to export their reports as .CSV files to enable them to quickly generate a spreadsheet of selected reports with key details.
We enable programs to configure IP whitelisting to control which IP ranges their program members must be coming from in order to access HackerOne.
We introduce private programs to hackers that are only accessible through invitations.