See what's changed or new in HackerOne.
We now enable select hackers to publish their findings from external sources that don't have HackerOne programs. Want to learn more or join the waitlist? Click here to learn more.
Hackers now have the ability to set up two-factor authentication to add an extra layer of protection to their accounts.
Programs can now filter reports with these new inbox filters:
We introduce the insights page to provide hackers with helpful statistics about programs they're contemplating to hack on. The information is provided to help hackers focus their efforts on the right assets for the right programs. Categories of insights include:
All hackers now have an email alias that forwards emails to the email address they’ve registered with on HackerOne. This provides an easy way for programs to contact you in order to share credentials and information without having to access your actual email address.
We've revamped the look of our Hacktivity feed so that it has a sleeker design. We've also deprecated the Top tab on Hacktivity.
No need to wait for reports to be resolved in order to increase reputation! We now enable hackers to gain reputation whenever their reports are marked as Triaged.
Instead of having programs manually create their own bounty table on the policy page using tedious markdown, we now enable them to easily generate their own bounty table with our new bounty table tool.
We introduce the new Hacker Feedback Dashboard where private programs can see the total feedback their program has received from hackers along with the reasons they’ve declined to participate in their program. The feedback can be viewed at Dashboard > Feedback. Learn more about the feedback dashboard.
We've revamped our triggers functionality so that you can:
We’ve deprecated the threatening term, Response SLA and replaced it with the more friendly terms, Response Targets and Response Standards. Learn more about these new terms.
We’ve deprecated the SLA Violations inbox view and changed the name to Missed targets. The inbox filters are also now Missed response targets and Missed response standards instead of SLA violation reports and SLA Fail reports.
We introduce 4 new inbox labels for reports that don’t meet response standards or targets. The labels are: Response, Triage, Bounty, and Resolve. These labels replace the previous SLA Fail and SLA Miss labels.
The fields on the Reponse Target performance section of the Program Health dashboard have changed to On target, Missed target, and Missed standard. The missed target line is also taken off of the Average Time to Resolution graph on the dashboard.
We’ve modified response efficiency indicators so that:
We now enable you to set your Time to Resolution response standards by severity. Learn more here.
Programs no longer have the ability to toggle invitations on or off with the On/Off button. The equivalent action to turn invitations off is to set the report volume to 0 if they no longer wish to engage with new hackers. To turn invitations on, just increase the report volume to be greater than 0.
Policy and Scope now have their own separate sections under Settings > Program.
Response efficiency timers no longer trigger for reports submitted by internal members of the program.
Programs in controlled launch mode are no longer able to toggle auto-invites as on or off. To change their settings for invitations, they can contact HackerOne support.
We’ve improved the way programs can manage their invitations to hackers. You can now set a report volume target where we’ll monitor and manage your hacker invitations to help you meet your report goal.
The Invite Hackers tab under Settings > Program > Hacker Management has been renamed to Invitations.
The Invitations page includes the new Report Volume field where you can enter the number of reports you'd like to receive in 30 days.
Reports in the Needs More Info state that haven’t been responded to within 30 days automatically get closed with no negative impact to the hacker’s reputation.
Response Programs in Controlled Launch that meet all of the success criteria are now prompted to publicly launch their own program through following the Setup Guide or through email notification.
Response SLA settings are now applied to all reports and not just reports created after modification to SLA settings.
Response SLA settings are also now incorporated into Controlled Launch for Response programs. Programs must’ve received at least 10 reports and invited 100 hackers while maintaining healthy responsive times before launching publicly.
Programs can now see their response efficiency indicator in their program dropdown. This enables them to see their response efficiency status without having to visit their security page.
When Hackers reject an invite, they are given the opportunity to fill out a questionnaire to provide HackerOne with feedback on why they decided to reject the program invitation. The questionnaire shows up directly after hackers reject the invitation.
The Leave Program button is updated to be on the sidebar of the program’s security page. Hackers that leave the program also also get an invitation to fill out the rejection questionnaire.
The notification to private invites is updated so that it doesn't look like a program member invite.
The Response Efficiency box is updated on the program security page to show that metrics are averages of the last 90 days.
There is now a response indicator in the Response Efficiency box of the program's security page to show how healthy a program is. The indicators are either green, orange, or red dots.
We enable programs to utilize the expertise of HackerOne Security Analysts to review those pesky invalid reports so that programs don’t have to deal with them. Learn more about Human Augmented Signal.
You can now set your response service level agreements (SLAs) for time to first response, time to triage, time to bounty, and time to resolution. What do all these terms mean? Find out here.
We now display a colored indicator on a program's security page to show hackers how responsive a program is to report submissions.
Want to take a break or need time to catch up on existing reports? Programs can now pause from accepting new report submissions.
We now enable you to attach pictures and other files to your policy. Simply go to your program's Settings > Policy and there will be a field where you can upload your files. We've got a nice giph on ours. Check it out.
What...do...I...write? We've updated the blank report submission form with a template of what a good report write-up should entail. This'll guide hackers on how to write up a good report.
The Directory page now includes pink and purple lightning icons to highlight programs that are:
Organizations now have the ability to payout and suggest bounties and swag using their internal systems via the API. You can view the API documentation for this here.
We've revamped our Slack integration so that programs can have:
We now enable programs to have this feature that enables hackers to split bounties with other hackers that helped them find the vulnerability.
Programs can now define their scope and the list of assets they want hackers to test. This controls what reports can be submitted and helps to prevent noise. Don’t know what a scope is? Learn more here.
Programs now have the ability to review their hackers and to comment on their behavior. Learn more about hacker reviews.
During hackathon events, programs can now filter reports in their inbox specific to the hackathon so that these reports can be focused on.
We’ve updated the words programs encounter when they onboard onto our platform to reflect our new product changes.
Program administrators now have the ability to enforce notification settings for all members of their program. This ensures that members only receive notifications for the reports they’re subscribed to, instead of being spammed for things that don't apply to them.
We’ve automated our daily Coinbase payouts so that we don’t have to manually do the work and all hackers receiving payments through Coinbase will be paid at a consistent time every day at 11pm UTC.
Organizations running multiple programs are now able to transfer reports between programs to make sure the vulnerability is associated with the correct program.
We've implemented a hacker VPN that:
Contact HackerOne to participate in this beta.
We've updated our vulnerability taxonomy to include a more complete weakness suite based on the industry-standard Common Weakness Enumeration (CWE). This provide a much more complete and accurate description of a reported vulnerability, and more importantly, it adopts a common language that is endorsed by the security community.
HackerOne will now triage and validate disclosure assistance vulnerability reports by severity in order to expedite the disclosure assistance process.
All program users of the HackerOne API are now enabled to choose to award a bounty for a report that was submitted externally to their HackerOne Security Inbox.
We now provide native support for custom integrations with non-financial reward programs such as paying bounties in airline miles. The first user of these new rewards is Lufthansa, which awards bounties in the form of their “Miles and More” program. Please contact your Account Manager for additional information.
We now enable hackers to attach videos to their vulnerability reports.
We now set clearer expectations for self-managed programs that decide to publicly launch their program without having met the launch criteria. We supply warning messages showing that the program hasn’t met the recommended criteria and also require them to select the checkbox acknowledging that they haven’t met the criteria but still want to launch publicly.
When programs award a bounty, we now automatically show them the median, competitive, and top level bounty across the platform for the severity of the vulnerability they are awarding a bounty for. This helps programs to gauge their reward competitiveness and to be as consistent as possible in awarding bounties.
We’ve implemented monthly digest report emails so that if a user is a member of an active HackerOne program, they’ll be able to see how their program is performing and gain insight into any changes to their program. They’ll receive this email every first business day of the month.
The new Hacker Skills feature enables hackers to identify their skill set which enables them to qualify for invitations specific to their skill sets. Each skill a hacker puts will be verified by HackerOne.
We enable you to change the state of a report through utilizing our API.
We’ve improved HackBot to suggest single-click actions, such as:
We’ve totally revamped our Thanks page on the hacker profile so that all the programs hackers have made contributions to, are now listed in the order of most reputation earned. We also display for each program:
Programs can now assign reports to team members using the API. See the API documentation for how to assign a report here.
We’ve created a notifications page so that you can have a clear overview of your notifications. Go to https://hackerone.com/notifications to see your notifications.
Programs now have the ability to further customize their report submission form by choosing and customizing a report template that pre-populates the Issue information field. Learn more about report templates.
We’ve updated the Billing page so that programs can now:
Programs can now edit the vulnerability type of a report after the report has been submitted. This is to correctly associate a report with the right vulnerability type if a hacker selected the wrong one.
We’ve adjusted our reputation system so that reports marked as “Needs More Information” doesn’t result in a -1 reputation hit.
We now display all reports hackers have on hacktivity onto their profile page.
We’ve deprecated the Thanks page at https://hackerone.com/thanks and turned it into a hacker leaderboard that’s segmented into more granular time periods and sortable by Signal, Impact, and Reputation. See who’s on top here.
We introduce the first version of the HackerOne API to empower programs to build custom metrics and dashboards. Learn more about our API Documentation.
Programs now have the ability to publicly share Time Metrics and Reward Metrics. These metrics include:
We now enable programs to make payments using their credit card through our Stripe Integration.
We now enable private programs to configure a minimum threshold for their report volume under which new hackers will be automatically invited.
All reports now include a header with summarized stats on the hacker who submitted the report. The new header fields include:
All reports, including those marked as Not Applicable, Duplicate, and Spam can now be publicly disclosed when both the hacker and the program agree to disclose the report.
We now support message threading for notification emails so that similar emails are grouped together.
We introduce the ability for programs to award a structured bonus in addition to the standard bounty for a vulnerability. Read about it in our blog.
We give programs the ability to tune the Rate Limiter by specifying minimum Signal Requirements for hacker participation. We’ve also updated the Rate Limiter to incorporate additional intelligent inputs.
We’ve overhauled the hacker invitation process so that hackers with the highest Reputation, Signal, and Impact will have a greater likelihood of being invited to private programs. Read our blog post to learn more about how invitations work.
Hacker profiles now include a Thanks page that lists all programs the hacker has submitted vulnerability reports to. For example, check out: https://hackerone.com/atom/thanks
We add these new default views to the inbox to better organize reports:
Programs and hackers can now preview image attachments on the report form.
We introduce the HackerOne Success Index - a method to measure the effectiveness of HackerOne-powered vulnerability disclosure programs. The index calculates 6 dimensions by which programs can benchmark their success each month. Learn more here.
We provide hackers with the ability to request help in contacting an organization with a vulnerability through Disclosure Assistance. This enables HackerOne to take steps to identify the organization’s official vulnerability reporting process. Read more in our blog.
We’ve updated our triggers functionality so that an interstitial shows prior to report submission. This helps hackers to avoid the submission of a number of out-of-scope or commonly reported false positives.
We’ve updated our report classification engine to detect common outputs from automated vulnerability scanners that are frequently flagged as invalid. This enables the quality of report submissions to improve as hackers can check the report before submission.
We’ve improved our Single-Sign-On (SSO) options with support for SAML. Response teams using an SSO provider to authenticate can use those services for centralized authorization and identity management.
If any disagreements or discussions arise regarding a report, hackers and programs can now request mediation and our experts will provide guidance on the situation.
We’ve added integrations with:
Read more about how these integrations work here.
We introduce the Vulnerability Coordination Maturity Model which helps programs increase their dependence on internet-connected software. Learn more about this model in our blog post.
We’ve added integrations for ServiceNow and Assembla.
We’ve integrated tax forms into our product so that hackers can quickly sign them to get paid.
HackerOne program administrators can set access rights for different team members who might play different roles on your team. Learn more here.
We now enable you to integrate HackerOne with GitHub.
Programs and hackers can now summarize the content of a public disclosure in the summary field.
Hackbot is now able to detect duplicate and related reports to help programs associate and close reports more quickly.
We introduce the new trigger option to post a public comment on the report.
We introduce Reputation - a system that gives additional recognition to the best researchers. A hacker’s reputation measures how likely their finding is to be immediately relevant and actionable.
We introduce these 2 new integrations with HackerOne:
We’ve redesigned the security inbox to enable faster bug processing for programs. The new inbox enables programs to open reports inline so you don’t have to click backward or forward to navigate between reports.
We introduce keyboard shortcuts to make the workflow more efficient with a faster navigation.
Our new inbox filtering search functionality enables programs and hackers to quickly target the bug they're looking for without having to scroll through their inbox.
We introduce these new integrations with HackerOne:
We introduce the new trigger option to change the report state to Needs more info.
We enable programs and hackers to export their reports as .CSV files to enable them to quickly generate a spreadsheet of selected reports with key details.
We enable programs to configure IP whitelisting to control which IP ranges their program members must be coming from in order to access HackerOne.
We introduce private programs to hackers that are only accessible through invitations.
We now support hackers to receive payouts through Bitcoin.
Programs and hackers can now export their reports as JSON files.
Program members can now set up two-factor authentication to securely log in to HackerOne.