See what's changed or new in HackerOne.
Stay updated: RSS | Atom | JSON Feed
Publicly disclosed reports are now automatically summarized using AI to make them even easier to consume. Summaries are provided in five languages.
Hackers can now search for :mag: Opportunities by program handle, policy, technologies, industry, and asset identifiers through the search field. This update makes it possible to quickly and accurately locate the most relevant opportunities, increasing hacker's chances of finding the correct program to submit a report.
We're excited to announce that we released Scope Management to all customers. We've entirely revamped our data model to support new functionality and scale our platform into a multi-product one.
We are excited to announce the first iteration of :idv: ID Verification, a light version of H1 Clear! Hackers will now be able to go through a self-service ID verification process to instantly confirm their identity. Any hacker with a valid report can apply and get that sweet green checkmark on their profile.
This initial release is just the beginning. Future releases will enable programs to invite only ID-verified hackers to their programs. This will give programs access to ID-verified hackers without purchasing the H1 Clear product.
Campaigns are time-bound promotions where the submitters get a higher bounty than usual for a valid report. H1 Campaigns are available for all customers using the Enterprise edition of HackerOne Bounty. Customers that had access to Campaigns before general availability will still keep their access. There is also a new Campaign Manager that allows you to see all of your campaigns at a glance.
With the new "Assets CSV Export" feature, customers can now easily export their asset data, including asset name, URL, associated tags, associated scope, risk, and other data. This feature allows customers to export their assets in bulk and apply filters based on their search criteria, saving them time and effort.
We've made managing multiple programs easier by allowing you to filter assets for a specific program. Get a quick overview of what's in or out of scope for that particular program by filtering for it.
Our scope changelog now shows only the changed assets, supporting growing scopes and making it easier for hackers to view changes. Scan for changes easily and efficiently.
Our new scope tab on the asset inventory allows you to quickly see where assets are in scope and out of scope. With program-specific scope instructions, you can provide specific instructions based on the program in which you're testing the asset. Provide hackers with more detailed insights and optimize your testing strategies.
We learned that it’s important to highlight assets and their instructions directly when navigating to the scope page of your program. We’ve changed the behavior of the scope page to default to an ungrouped view and made the grouping by domain an optional view for hackers.
Most VDP programs have an open scope. With our scope introduction feature, you can define a free-form text on top of the scope page, avoiding showing "No assets in scope.”. Keep hackers engaged and informed, and provide them with clear instructions for testing.
Customers can now choose to clone an existing pentest when making a new one, and pentests can now have custom names. When creating a new pentest, customers can select the option to clone an existing pentest instead. This will prepopulate the form with details from the original pentest such as scope, asset details, and contact preferences.
HackerOne only accepts Hacker Mediation Requests for reports submitted to Basic programs that are managed by HackerOne.
We've brought back the ability to view archived assets. This feature comes in handy when you want to bring back a previously used asset or if you accidentally archived an asset.
Customers can now see DNS and WHOIS information for domain assets that are imported from the ASM scanner.
Opportunity Discovery cards have been updated to improve clarity and readability.
If the original hacker rejects the retest, the report will pass back to the customer in its previous state. Customers are also able to cancel a retest if the original hacker does not respond in time. Note: Retesting is not available for anonymous reports.
Programs will now automatically have three Slack channels created when their pentest opens to applications. This is where you can find all appropriate communication channels.
Programs now have a new Scope tab on the Security page. From here, both hackers and programs can see the assets' CVSS score, whether they are in or out of scope, and whether or not they are eligible for bounty.
The 72hr timer from retests has been removed, so there will be no time limit to accept or confirm retests.
Hacker reports and responses can be translated into Dutch, German, Hindi, and Spanish. To translate, click on any part of the report and select a language in the kabob menu (3 vertical dots). You have to select each response to translate it, and it works on both Inbox and public Hactivity content.
Customers can now group assets by tags, including any custom tags they have made! The sorting stays in place during searches as well, so all results will be sorted. Customers can also choose no grouping to show a full list of assets.
If the ASM scanner finds a risk that contains a CVE, clicking the CVE ID will now open our own intelligence tab with more information about the CVE. The platform context helps customers make better decisions on the importance and urgency of the risk.
Hackers can now sort results on the Opportunities page by high or low bounty.
The Consumption Subscription Card is now available to all customers with the new Pentest Consumption Subscriptions. Consumption Subscription Cards show vital information regarding each consumption subscription, such as:
Note: this is only for Pentests sold under the new pricing model, rolled out Sept 27, 2022.
Customers can now upload important artifacts such as architectural diagrams or product documentation during the pentest setup process. These resources will eventually be shared with the pentest team and will help inform and guide their testing.
Hackers can now filter opportunities by bounty amount. See it now here.
The Engagements page (currently in Beta) is a top-level navigation page where customers can find all the ways to engage with hackers. This includes any programs they are currently running and education on what other engagements they could run.
Program Levels is a structured framework that lets programs level up by publicly committing to certain best practices. Programs that meet all requirements earn a Program Level badge displayed on their program card and policy page.
Companies can now institute Gold Standard Safe Harbor. Gold Standard Safe Harbor statements improve the hacker/program experience and help protect good faith research. Check out our FAQ page for more information.
Hackers can now find pentests on the Opportunities page. This will give pentesters a better overview of the opportunities available for them across the platform.
The Submissions & Bounty Dashboard was updated to use a faster performing backend analytics engine.
HackerOne Assets combines the core capabilities of Attack Surface Management (ASM) and Asset Inventory with the reconnaissance skills of ethical hackers to bring visibility, tracking, and risk propensity to an organization’s digital asset landscape.
Hackers can now sort programs by the last accepted invitation date on the My Programs page under Opportunities.
Custom Pentest Naming allows all Pentest customers to customize their pentest names according to their internal conventions. To use Custom Pentest Naming, go to the Overview of a pentest, click the title, and save. The new name will populate instantly across the platform.
Pentest Tables enable team members to view all of their Pentests in one place. To see Pentest Tables in action, go to the organization landing page and click on the "Pentests" tab. You will also be redirected to this tab if the selected organization has no non-pentest programs.
The Duplicate Detection Console streamlines customers' ability to detect duplicate reports across all their programs.
Customers will now be able to see all programs for their organization under Organization Settings > Programs, and will be able to navigate to all the relevant areas for that program from there.
There is now an "Unassign Report" option in the action picker at the bottom of a report. Users can also unassign reports in bulk by selecting multiple reports in the inbox.
Users can now switch between Organization view and Hacker view using the dropdown next to the avatar in the top right of the navigation bar.
We've added the ability to manage credentials by specific assets.
The tester will now have 72 hours to complete retesting once a retest is claimed.
We’ve made improvements to our Invitation Engine. Using program requirements and customer preferences to match hackers to opportunities, we provide our hacker community with much more personalized recommendations.
The Organization Settings page allows customers with multiple programs to manage users from a single page.
We released fixes and performance optimizations to ensure consistent data between the Statistics page and the Submissions and Bounty dashboard.
Team Member Eligibility settings allow you to configure a list of email domains that are eligible to join your program. These settings will allow or block a user when accepting an invitation, but will not affect any users that are already a member of the program. You can set team member eligibility regardless of SAML usage.
The Submissions & Bounty Dashboard shows data on all report submissions broken up by different metrics. Bounty programs will show the number of valid submissions for that category on the left, with bounties paid out for that category on the right. You can export all of your data at once as a PDF or by sections as a CSV file.
This feature is available for Enterprise programs only. If you want to integrate the same program to multiple Jira instances, you can follow all the steps for each integration.
The AWS Security Hub integration exchanges vulnerability findings between HackerOne and Security Hub, streamlining workflows to accelerate security actions.
The customer homepage is the starting point for customers to see an overview of all programs and latest report activity and mentions in their organization. Quickly access the area that requires your attention, regardless of the program it's associated with.
Managing all team members from a central place with our new Organization-level User Management. Regardless of which program they can access, you can now manage team members and API access from a single location.
Improving the user experience while viewing reports. Making it easy to see all relevant information at a glance while taking action on a report.
You can now search for programs in the Program picker to easily find the right program you are looking for.
The Splunk integration is now embedded into the HackerOne platform to make it easier to setup and maintain the integration.
We launch the new Overview page of the program dashboard to provide an overarching view of important data and statuses regarding your program.
You can now generate a proof of compliance report for your program on HackerOne to prove that your organization has a vulnerability disclosure policy (VDP) or bug bounty program (BBP) in place.
Hackers can now set which programs they’re open to collaborating on so that they can work with other hackers in finding vulnerabilities.
We introduce the new Collaborators tab on the program’s security page, where you can see which hackers are open to collaboration and contact them.
Programs can now create hacker facing [custom fields] to require specific information from hackers regarding the vulnerability they found. This speeds up the remediation process as it’ll minimize the back-and-forth between the hacker and the program in getting necessary information.
Any changes to custom fields will now be shown in the report timeline. This enables programs to properly keep track of all changes to their custom fields.
Enterprise programs can now integrate HackerOne with Azure DevOps to synchronize their HackerOne events to Azure DevOps and vice versa.
Programs can now set up multiple integrations with HackerOne and select which issue tracker they want to add a reference to.
We've updated the reference ID field for adding integrations with a new Add reference to issue tracker button to more clearly guide users with adding a reference to their integrated issue tracker.
You can now see which programs enable you to collaborate with other hackers in submitting vulnerabilities with the new Bounty splitting filter and label in the Directory.
We've added the new Collaborations filter in Hacktivity so that hackers can easily see which reports were collaborated on.
You can now export your reports to a PDF and choose to include the full timeline, the reporter timeline, or the triage summary when exporting.
All Professional and Enterprise programs can now participate in retesting as retests are now included by default rather than as a separate add-on. For Response programs using HackerOne's triage services, the triage team will retest the vulnerabilities to verify the fixes instead of hackers.
If you're currently running a Bounty or Challenge program, awards for retests will be paid from your bounty pool. If you're using the consumption tier to pay for your bounties, payments for retests will count towards the tier instead.
We’ve added new HackerOne leaderboards so that hackers can see who’s on top and where they stand in different categories of leaderboards.
Hackbot can now provide remediation guidance from MITRE to help programs with mitigating their vulnerabilities. Through this, programs can also provide their own custom remediation guidance to communicate to their internal team.
Hackers can now rate their triage experience for all managed programs they submit a report to. The ratings will be used to improve the triage experience for hackers.
Me filter for the Assigned to filter category now only shows reports that you are directly assigned to.
To see all of the reports that are assigned to you and the groups you are a part of, you can select the new
Me and my groups filter.
We introduce the Microsoft Teams integration to all Enterprise programs. This enables Microsoft Teams users to keep up-to-date with what's happening in their program as they can now receive notifications of HackerOne report activities directly in their selected channels.
We now offer a bi-directional ServiceNow integration to all Enterprise programs. This will create a better workflow of remediating security vulnerabilities as ServiceNow users can synchronize their HackerOne reports to ServiceNow incidents and vice versa, from ServiceNow to HackerOne.
We’ve revamped the HackerOne Gateway (VPN) for hackers so that hackers can now choose to connect between these 2 different Gateway locations:
This gives hackers the ability to work on a VPN instance with a lower latency, which improves their Gateway experience with a faster connection.
We've increased report transparency for hackers by actively showing that their report is being looked at. This helps hackers to have more visibility in the triage process. To increase report transparency we show:
Programs managed by HackerOne can now rate their triage experience. The ratings will be used to improve the triage experience for managed programs.
We now enable pentesters to provide feedback about their pentest experience. Both pentesters and pentest programs can also provide feedback on the pentesters they worked with. This will enable pentesters and pentest programs to see what they've done well and/or how they can better improve.
We've added a new My Feedback section to the hacker settings where pentesters can see all of the feedback they've received from pentesters and pentest programs they've worked with. They can also elect to make their feedback public on their profile.
We've also launched a new Testimonials section on the hacker profile page where hackers can showcase their skills and the positive feedback they've received from other hackers.
If you need to switch your identity provider or if your current SAML certificate is expiring, you can now configure an alternative certificate to avoid having to disable your SSO integration.
Enterprise programs can now utilize webhooks to build real-time integrations that subscribe to certain report and program events on HackerOne.
Enterprise programs can also now integrate PagerDuty with HackerOne so that each time an event is triggered in HackerOne, a PagerDuty incident can automatically be created.
We've made these changes to how reputation, signal and impact are calculated:
We now show the updated CVSS details within the report activity when a program decides to change the severity level of a vulnerability.
We've added a new Resolution Target field in the report header for all triaged reports. This enables members of the program's response team to clearly see when they should aim to resolve the report by. The date is calculated based off of what the program's response target settings are set to.
We've officially launched Pentests as a new product offering to help companies better secure their applications and meet regulatory compliance standards.
We've revamped the Response Targets dashboard and now call it Explore. Programs can now analyze their response targets, submissions and spend data, and Enterprise programs can also create benchmarks to see how they're doing in comparison to other programs.
Programs can now verify and enable SAML authentication on their own without needing to wait for HackerOne to approve their SAML request. We've also revamped the SAML authentication page and added guided steps to make the set up more clear.
We've also added a new Domain Verification page where programs can verify ownership of their domains for the set up of SAML authentication.
We now officially offer Hacker-Powered Retesting which enables programs to request hackers to verify that their vulnerabilities have been fixed.
We've redesigned the Report Submission Page to have a sleeker look.
We've also added a new report preview section to the Report Submissions Page so that hackers can review their report details before submitting them.
Hackers can now choose to receive their payouts monthly instead of daily, so that they can receive all their payments from the month in 1 batch payment.
We've revamped the Invitation Preferences page with more options to specify and control your invitation settings.
In order to keep up-to-date with your favorite hackers, we introduce the new Hacker Following feature. This enables you to keep track of your favorite hackers and to quickly see their activity on HackerOne.
You can filter the activity of the hackers you're following with our new Hackers I am following filter on the Hacktivity page.
We also introduce the Followed Hackers page on the Hacker Dashboard to help you manage the hackers you're following.
You can now customize your HackerOne interface by choosing to view everything in dark mode. You can toggle your view experience by going to your profile drop-down.
Programs can now add specific labels pertaining to their assets. These asset labels provide more granular data about each program and the assets associated with it, which will help with matching hackers to specific programs.
Programs can add asset labels to these categories:
The labels will appear on your program policy page under Scopes.
We introduce the new response target benchmarks dashboard that enables programs to compare their response times to those of other programs. This will help programs see what areas they need to focus on to improve their program.
We've made these improvements to CVE IDs to help users get their CVE IDs faster and to simplify the publication process:
Programs can now request hackers to provide their full name and address when accepting the Digital Custom Agreement.
Hackers can now view their signed custom agreements on the new Digital Custom Agreements page within their profile settings.
To simplify the set up process, programs can now set up their Jira Integration without needing Jira Administrator permissions.
Hackers can now control whether they want their earnings to be visible on Hacktivity and their profile. Go to your profile's Settings > Account Preferences to manage your bounty visibility.
Programs using the Phabricator integration can now link their Phabricator tickets to their reports on HackerOne.
To better protect your sensitive information, we now provide a suggested redaction notification when your report comments contain sensitive information such as cookies, credentials, and authentication tokens.
Jira users can now remove a Jira reference on a report in case they linked the wrong Jira ticket or they need to escalate the report to Jira again.
If you're managing or are a part of many programs, you can now search the inbox by program name with our new search field. The search field is visible for everyone who is a part of 5 or more programs.
We added the new Bookmarked program filter to the My Programs tab so that hackers can view their bookmarked programs on the same page.
We added an Experience by vulnerability type section to the Overview page of the Hacker Dashboard so that hackers can see the analytics of which vulnerability types they're most successful in finding.
We modified the layout of the profile section of the Hacker Dashboard and also expanded it with metrics on resolved reports that enables hackers to understand the percentage of their report submissions that are resolved.
We've redesigned the hacker profile page to simplify the UI. In doing so, we've deprecated the Thanks tab and put the Thanks section at the bottom of the profile page.
We've revamped the Notification Preferences page and added new settings so that all users can better customize their report notifications to reduce noise from unwanted notifications.
We've deprecated the Follow button on the Program Page and replaced it with a Bookmark button. We also moved the Subscribe button from the bottom of the Program Page and moved it to the top next to the new Bookmark button so that hackers can easily subscribe to program updates and add programs to their bookmarked program list on their dashboard.
![unchecked buttons](./images/oct_2019_bookmark_subscribe_button_1 .png)
We've released the following improvements to our API:
We've released these new endpoints to our API:
We've released these new endpoints to our API:
You can now better preview programs when hovering over program names with our revamped hover state profile popup. You can quickly view important information regarding the program when hovering over the program name on these pages:
We've redesigned the program profile pages to give them a sleeker look.
It can take a long time to set up Target Scope in Burp Suite, especially for programs with long or complicated scopes. Now you can download a Burp Suite project file to link HackerOne scope to the Burp Suite Target Scope.
We've updated the structured scopes table on the program policy page with a new bounty eligible and ineligible icon to clearly show which assets are eligible and ineligible for bounties.
You can convert attachments to be internal for all redactable reports in the Convert attachments to internal-only section when redacting a report.
After the beta launch in March, all hackers can now subscribe to receive notifications from program updates.
You can also now set your notification preferences under the new Notification Preferences page in your user settings.
Easily find all reports you've been mentioned in to keep track of which reports need a response from you with our new mentions filter.
After the beta launch in March, custom fields is now available to all Enterprise programs.
We introduce the new Also mark as ineligible for bounty checkbox so that programs can now mark a report as being ineligible for bounty when awarding swag.
Programs are also able to now award swag to reports that are marked as ineligible for bounty.
Say goodbye to the old notifications indicator next to your profile icon. We introduce a new bell icon to notify you of any new notifications. If you have more than 25 unread notifications, we've truncated the notifications number to be capped at 25+.
Say goodbye to having to always re-select how you want your inbox sorted. Your selected sort order will now automatically save when creating your custom inbox view.
You can now filter through your inbox reports by submission date in order to quickly find reports submitted after or within a certain time.
The new Group Members filter enables you to search for reports by individual members within a group. Previously, you couldn’t see which members were assigned to which reports within the group. This enables you to better keep track of reports and the individuals assigned to them.
We’ve deprecated the Insights tab from program pages.
We’ve revamped the Program Dashboard with new metric tables and charts that give better insight into reporting and analytics for programs.
We've added these improvements to the bi-directional Jira integration:
The HackerOne to Jira escalation template now includes all additional fields that are either a type of
date. This enables Jira users to have all fields in Jira be mapped to a value from the HackerOne report. All available Jira fields will automatically be pulled from the selected issue type.
Jira users can now sync attachments from their HackerOne report to Jira by selecting Synchronize attachments in the Select HackerOne to Jira events section when configuring their Jira integration.
Jira users can now select which Jira closed issue status should result in the closure of the HackerOne report.
With severity to priority mapping, Jira users can map HackerOne severity ratings to the priority fields they have in Jira. This enables the right priority to be set when escalating a report to Jira.
We've revamped the My Stats section of the Hacker Dashboard with expanded graphs where you can view your bounties, reports, and reputation over time. We've also included a new My top earning programs section to help hackers see which programs they're earning the most bounties from.
Programs can now select to notify their subscribers of changes in their Policy and Scope settings pages with our new Notify subscribers of changes checkbox. The checkbox can be found for changes to these pages:
You can now view previous changes made on bounty tables for all programs to see what's been changed over time with our bounty table versions page. Click on View changes on the Rewards section of the program policy page to access the versions page.
We introduce custom fields to enable programs to add custom information to their reports to help them better manage and analyze their internal data by the categories that they define to be important. This feature is only available for Enterprise programs.
We've also added custom fields to the API to enable programs to search and filter reports by custom field values.
Select hackers now receive program notifications to all program updates via the product and email for changes to the:
We've also implemented a new Subscribe button on the policy page to enable hackers to easily subscribe to program notifications. Note: The button is currently viewable for select hackers.
We've deprecated the Custom recipient field on the Message Hackers page as the feature wasn't found to be very valuable for programs.
Programs can now opt-in to purchase a bundle of retests with their HackerOne subscription. With bundles, programs are no longer charged the processing fee for each bounty, and can also opt-in to purchase more retests when they run out.
We’ve renamed the Accepted Invitations page on the Hacker Dashboard to now be called My Programs. We’ve also revamped the page so that hackers can better manage all of the programs they’re a part of by including:
We've renamed the Getting Started page to now be called Overview. We provide new hackers that haven't submitted any vulnerabilities with a getting started checklist with 4 tasks to complete to guide them to be more successful on the platform.
After hackers have submitted their first vulnerability, they'll be able to view statistics for these personal metrics on their Overview page:
We introduce the new Getting Started page on the Hacker Dashboard. This will guide hackers and direct them to the right pages to help them get the information they need to successfully start out on HackerOne
Want all of your report data for safe keeping or just for analytical purposes? Programs can now export all of their reports through our new Export Reports feature.
Jira users can now link their HackerOne reports to their existing Jira tasks.
Jira users can also now select from multiple projects they want their Jira task to link to.
Hackers in India will no longer lose a portion of their bounty to transfer fees as we now support payments to Indian Rupees.
When new users sign up to use HackerOne, they can can now more clearly distinguish whether they are a hacker or a company wanting to set up an account.
You can now clearly define whether you're a hacker or someone running a program within the new Account Preferences tab under your profile settings. This will help tailor your HackerOne experience to better fit your needs.
We've now implemented infinite scrolling on multiple pages so that you no longer have to click on the Load more button to view more information. The information now automatically populates.
We've globally launched these 2 previously beta features:
These features are now open for qualifying programs to opt-in to.
We've totally revamped our directory page so that you can better search and view programs. You can now filter your search results by program features and by asset type, and we also enable you to view various stats for each program on one page.
You can now bookmark your favorite programs on the directory by starring them.
Our new Hacker Dashboard enables hackers to better manage and review their:
We now enable you to search within Hacktivity. You can search for reports regarding programs and weaknesses you're interested to read about in the search bar to better learn how specific weaknesses were exploited in various programs.
We've deprecated the term "Public Disclosure" and now simply just call it Disclosure.
Private programs can now opt-in to enable hackers to disclose reports to other hackers within their program. Upon disclosure, contents of the report will only be visible to participants within that private program. This enables hackers to share their vulnerability findings with other hackers in the program, and can also increase awareness for other hackers as they can better see what vulnerabilities have already been found for the program.
We now enable you to cancel disclosure requests. You can cancel your own requests, and hackers and programs can cancel the requests they receive from one another if they choose not to disclose a report.
Hacker101 CTF is now linked to your HackerOne account. Every time you earn 26 points in the CTF, you’ll be put in the priority queue to receive invitations to private programs. We also enable you to create your own groups to manage hackers working through the CTF.
We added a new activities API endpoint that enables you to fetch all activities of your program incrementally by time. Learn more about the activities endpoint.
Hackers can now configure the HackerOne Gateway (VPN) and access their Gateway (VPN) credentials for Gateway (VPN) enabled programs.
We've globally launched our retesting feature so that all programs can now initiate retests on any of their resolved reports. Invitations for retests now expire after 24 hours, and hackers are now required to provide a short summary of how they retested the vulnerability. Hackers can also provide attachments of their findings.
Programs can now elect to invite hackers to retest their vulnerabilities to verify fixes. Each hacker that participates in the retest will receive a $100 bounty upon completion. Learn more about retesting.
Programs can now require hackers to have two-factor authentication enabled in order to submit new reports to their program.
We've also renamed the Signal Requirements page under Settings > Program > Hacker Management to now be called Submission.
Programs can now embed the HackerOne report submission form onto their own website. This enables hackers to submit reports without having to create an account on HackerOne. Learn more here.
Anyone can now review and manage their active HackerOne sessions on all of the devices they're signed in to on the new Sessions page.
We've enabled the beta Credential Management feature so that select programs can share credentials with hackers through the HackerOne UI. This enables hackers to quickly retrieve the credentials needed to find vulnerabilities.
We now enable hackers to publish their findings from external sources that don't have HackerOne programs. Click here to learn more.
Hackers now have the ability to set up two-factor authentication to add an extra layer of protection to their accounts.
Programs can now filter reports with these new inbox filters:
We introduce the insights page to provide hackers with helpful statistics about programs they're contemplating to hack on. The information is provided to help hackers focus their efforts on the right assets for the right programs. Categories of insights include:
All hackers now have an email alias that forwards emails to the email address they’ve registered with on HackerOne. This provides an easy way for programs to contact you in order to share credentials and information without having to access your actual email address.
You can now sort notifications from oldest to newest and vice versa.
We've revamped the look of our Hacktivity feed so that it has a sleeker design. We've also deprecated the Top tab on Hacktivity.
No need to wait for reports to be resolved in order to increase reputation! We now enable hackers to gain reputation whenever their reports are marked as Triaged.
Instead of having programs manually create their own bounty table on the policy page using tedious markdown, we now enable them to easily generate their own bounty table with our new bounty table tool.
We introduce the new Hacker Feedback Dashboard where private programs can see the total feedback their program has received from hackers along with the reasons they’ve declined to participate in their program. The feedback can be viewed at Dashboard > Feedback. Learn more about the feedback dashboard.
We've revamped our triggers functionality so that you can:
We've also updated the design so that you'll have a better user experience.
We’ve deprecated the threatening term, Response SLA and replaced it with the more friendly terms, Response Targets and Response Standards. Learn more about these new terms.
We’ve deprecated the SLA Violations inbox view and changed the name to Missed targets. The inbox filters are also now Missed response targets and Missed response standards instead of SLA violation reports and SLA Fail reports.
We introduce 4 new inbox labels for reports that don’t meet response standards or targets. The labels are: Response, Triage, Bounty, and Resolve. These labels replace the previous SLA Fail and SLA Miss labels.
The fields on the Reponse Target performance section of the Program Health dashboard have changed to On target, Missed target, and Missed standard. The missed target line is also taken off of the Average Time to Resolution graph on the dashboard.
We’ve modified response efficiency indicators so that:
We now enable you to set your Time to Resolution response standards by severity. Learn more here.
Programs no longer have the ability to toggle invitations on or off with the On/Off button. The equivalent action to turn invitations off is to set the report volume to 0 if they no longer wish to engage with new hackers. To turn invitations on, just increase the report volume to be greater than 0.
Policy and Scope now have their own separate sections under Settings > Program.
The new rolling 90 day leaderboard ranks hackers based on their score from this calculation: Reputation x Signal Percentile x Impact Percentile.
When a program member adds a comment to an open report with a question mark, Hackbot will prompt them asking if they want to change the state of the report to Needs more info.
Response efficiency timers no longer trigger for reports submitted by internal members of the program.
Programs in controlled launch mode are no longer able to toggle auto-invites as on or off. To change their settings for invitations, they can contact HackerOne support.
We’ve improved the way programs can manage their invitations to hackers. You can now set a report volume target where we’ll monitor and manage your hacker invitations to help you meet your report goal.
The Invite Hackers tab under Settings > Program > Hacker Management has been renamed to Invitations.
The Invitations page includes the new Report Volume field where you can enter the number of reports you'd like to receive in 30 days.
Reports in the Needs More Info state that haven’t been responded to within 30 days automatically get closed with no negative impact to the hacker’s reputation.
Response Programs in Controlled Launch that meet all of the success criteria are now prompted to publicly launch their own program through following the Setup Guide or through email notification.
Response SLA settings are now applied to all reports and not just reports created after modification to SLA settings.
Response SLA settings are also now incorporated into Controlled Launch for Response programs. Programs must’ve received at least 10 reports and invited 100 hackers while maintaining healthy responsive times before launching publicly.
The new Program Health Dashboard helps programs track their Response Efficiency Metrics and Response SLA performance. Go to Dashboard > Program Health to view your metrics.
Programs can now see their response efficiency indicator in their program dropdown. This enables them to see their response efficiency status without having to visit their security page.
The notifications corner now pings hackers about new invitations.
Hackers can also see their invitations on the program's profile page. This reminds hackers of their invitation when they go to look at the program.
The new Pending Invitations page enables hackers to view all of their pending invites in one place so that they can see all the invitations they need to take action on.
When Hackers reject an invite, they are given the opportunity to fill out a questionnaire to provide HackerOne with feedback on why they decided to reject the program invitation. The questionnaire shows up directly after hackers reject the invitation.
The Leave Program button is updated to be on the sidebar of the program’s security page. Hackers that leave the program also also get an invitation to fill out the rejection questionnaire.
Hackers that submit the rejection questionnaire are placed at the top of the queue for the next program invitation they qualify for.
The notification to private invites is updated so that it doesn't look like a program member invite.
The Response Efficiency box is updated on the program security page to show that metrics are averages of the last 90 days.
There is now a response indicator in the Response Efficiency box of the program's security page to show how healthy a program is. The indicators are either green, orange, or red dots.
We enable programs to utilize the expertise of HackerOne Security Analysts to review those pesky invalid reports so that programs don’t have to deal with them. Learn more about Human Augmented Signal.
You can now set your response service level agreements (SLAs) for time to first response, time to triage, time to bounty, and time to resolution. What do all these terms mean? Find out here.
We now display a colored indicator on a program's security page to show hackers how responsive a program is to report submissions.
If you forget which reports aren't meeting your response SLAs, we now have SLA Miss and SLA Fail labels as well as a new SLA Violations view in your inbox to show which reports need action.
Want to take a break or need time to catch up on existing reports? Programs can now pause from accepting new report submissions.
We now enable you to attach pictures and other files to your policy. Simply go to your program's Settings > Policy and there will be a field where you can upload your files. We've got a nice giph on ours. Check it out.
The Directory page now includes pink and purple lightning icons to highlight programs that are:
We also include a Managed badge to identify programs that are managed by HackerOne.
Organizations now have the ability to payout and suggest bounties and swag using their internal systems via the API. You can view the API documentation for this here.
We've revamped our Slack integration so that programs can have:
Read our blog post and learn how to set up Slack integration.
We now enable programs to have this feature that enables hackers to split bounties with other hackers that helped them find the vulnerability.
Hackers can now receive payments through Bank Transfers via CurrencyCloud. This enables them to get paid out in 30 different currencies to almost any country in the world.
Programs can now define their scope and the list of assets they want hackers to test. This controls what reports can be submitted and helps to prevent noise. Don’t know what a scope is? Learn more here.
Programs now have the ability to review their hackers and to comment on their behavior. Learn more about hacker reviews.
We now provide programs with a two-way integration that syncs changes between HackerOne and Phabricator.
During hackathon events, programs can now filter reports in their inbox specific to the hackathon so that these reports can be focused on.
We’ve updated the words programs encounter when they onboard onto our platform to reflect our new product changes.
Program administrators now have the ability to enforce notification settings for all members of their program. This ensures that members only receive notifications for the reports they’re subscribed to, instead of being spammed for things that don't apply to them.
We’ve automated our daily Coinbase payouts so that we don’t have to manually do the work and all hackers receiving payments through Coinbase will be paid at a consistent time every day at 11pm UTC.
We now provide a bi-directional Jira Integration where Jira users can sync specific workflows from Jira to HackerOne and vice versa, from HackerOne to Jira.
Organizations running multiple programs are now able to transfer reports between programs to make sure the vulnerability is associated with the correct program.
You can now filter your reports by specific weaknesses in your inbox.
We've implemented a hacker VPN that:
Contact HackerOne to participate in this beta.
We've updated our vulnerability taxonomy to include a more complete weakness suite based on the industry-standard Common Weakness Enumeration (CWE). This provide a much more complete and accurate description of a reported vulnerability, and more importantly, it adopts a common language that is endorsed by the security community.
HackerOne will now triage and validate disclosure assistance vulnerability reports by severity in order to expedite the disclosure assistance process.
We’ve added a ‘Needs first response’ filter to the inbox so that all reports that are still waiting on a public response to the hacker. This helps programs to optimize their time to first response.
All program users of the HackerOne API are now enabled to choose to award a bounty for a report that was submitted externally to their HackerOne Security Inbox.
We now provide native support for custom integrations with non-financial reward programs such as paying bounties in airline miles. The first user of these new rewards is Lufthansa, which awards bounties in the form of their “Miles and More” program. Please contact your Account Manager for additional information.
We now surface report trigger matches in internal comments to help programs triage a report faster.
We enable vulnerability emails sent to programs’ security@ emails to automatically be forwarded as a report in your HackerOne inbox.
We now enable users to create and save their own custom View in their inbox.
We now enable programs to set up a trigger for when their balance falls below a certain amount.
We now enable hackers to attach videos to their vulnerability reports.
We now set clearer expectations for self-managed programs that decide to publicly launch their program without having met the launch criteria. We supply warning messages showing that the program hasn’t met the recommended criteria and also require them to select the checkbox acknowledging that they haven’t met the criteria but still want to launch publicly.
When programs award a bounty, we now automatically show them the median, competitive, and top level bounty across the platform for the severity of the vulnerability they are awarding a bounty for. This helps programs to gauge their reward competitiveness and to be as consistent as possible in awarding bounties.
We now enable programs to filter reports in their inbox by severity.
Programs can now redact sensitive information from reports in a self-service manner.
We’ve created a new Program Updates tab on the program security page. Programs can publish and persist updates to their hackers like a mini blog on this tab.
We’ve implemented monthly digest report emails so that if a user is a member of an active HackerOne program, they’ll be able to see how their program is performing and gain insight into any changes to their program. They’ll receive this email every first business day of the month.
The new Hacker Skills feature enables hackers to identify their skill set which enables them to qualify for invitations specific to their skill sets. Each skill a hacker puts will be verified by HackerOne.
We enable programs to set internal Service Level Agreements (SLAs) by configuring the amount of time that can elapse before a report is marked for their program.
We enable you to change the state of a report through utilizing our API.
We provide a new export option where you can download the contents of the report and all attachments in a single zip archive.
We’ve improved HackBot to suggest single-click actions, such as:
We introduce the ability for both hackers and security teams to set severity via CVSS. Read our blog post or docs article to learn more.
We now display a warning message if your report references an attachment but no attachments are found.
We’ve totally revamped our Thanks page on the hacker profile so that all the programs hackers have made contributions to, are now listed in the order of most reputation earned. We also display for each program:
You can now lock reports to prevent new comments on publicly disclosed reports.
Programs can now assign reports to team members using the API. See the API documentation for how to assign a report here.
We’ve created a notifications page so that you can have a clear overview of your notifications. Go to https://hackerone.com/notifications to see your notifications.
Hackers can now filter reports in their inbox by program using the Reported to field so that they don't have to filter through reports with their own eyes.
Programs now have the ability to further customize their report submission form by choosing and customizing a report template that pre-populates the Issue information field. Learn more about report templates.
We’ve updated the Billing page so that programs can now:
Programs can now edit the vulnerability type of a report after the report has been submitted. This is to correctly associate a report with the right vulnerability type if a hacker selected the wrong one.
Hackers can now see when the policy was last changed and view all policy changes on a program’s Security Page.
We’ve adjusted our reputation system so that reports marked as “Needs More Information” doesn’t result in a -1 reputation hit.
We now display all reports hackers have on hacktivity onto their profile page.
Users can now upvote reports that they’re interested in in order to create a “Popular” sorting on Hacktivity where reports with the most upvotes are featured on top.
We’ve deprecated the Thanks page at https://hackerone.com/thanks and turned it into a hacker leaderboard that’s segmented into more granular time periods and sortable by Signal, Impact, and Reputation. See who’s on top here.
Hackers can now receive badges when they meet certain criteria or achieve certain events to showcase on their profile.
We introduce the first version of the HackerOne API to empower programs to build custom metrics and dashboards. Learn more about our API Documentation.
We’ve cleaned up the UI to Invite Hackers so that it’s clear that there’s a single call-to-action to privately launch a program by turning automatic invitations on.
Programs now have the ability to publicly share Time Metrics and Reward Metrics. These metrics include:
We now enable programs to make payments using their credit card through our Stripe Integration.
We now enable private programs to configure a minimum threshold for their report volume under which new hackers will be automatically invited.
We’ve redesigned Hacktivity so that we surface educational reports from interesting hackers.
All reports now include a header with summarized stats on the hacker who submitted the report. The new header fields include:
All reports, including those marked as Not Applicable, Duplicate, and Spam can now be publicly disclosed when both the hacker and the program agree to disclose the report.
Hackers can now request mediation when they get into a disagreement with a program’s security team.
Users can now filter the directory by programs offering bounties. Type
bounties:yes into the search bar to only view the bounty programs in the directory.
We now support message threading for notification emails so that similar emails are grouped together.
We introduce the ability for programs to award a structured bonus in addition to the standard bounty for a vulnerability. Read about it in our blog.
We give programs the ability to tune the Rate Limiter by specifying minimum Signal Requirements for hacker participation. We’ve also updated the Rate Limiter to incorporate additional intelligent inputs.
We’ve overhauled the hacker invitation process so that hackers with the highest Reputation, Signal, and Impact will have a greater likelihood of being invited to private programs. Read our blog post to learn more about how invitations work.
We enable programs and hackers to now add inline image attachments to reports and comments.
Programs can now customize their report submission forms with their own introduction text and the ability to hide and disable vulnerability types.
Hacker profiles now include a Thanks page that lists all programs the hacker has submitted vulnerability reports to. For example, check out: https://hackerone.com/atom/thanks
We introduce Signal and Impact so that there can be a more granular understanding of hacker performance. Read our blog post or check out our doc to learn more.
We add these new default views to the inbox to better organize reports:
If the response team has evidence of active exploitation or imminent public harm, they can immediately provide remediation details to the public so that programs can take protective action.
Programs and hackers can now preview image attachments on the report form.
We introduce the HackerOne Success Index - a method to measure the effectiveness of HackerOne-powered vulnerability disclosure programs. The index calculates 6 dimensions by which programs can benchmark their success each month. Learn more here.
We provide hackers with the ability to request help in contacting an organization with a vulnerability through Disclosure Assistance. This enables HackerOne to take steps to identify the organization’s official vulnerability reporting process. Read more in our blog.
We’ve updated our triggers functionality so that an interstitial shows prior to report submission. This helps hackers to avoid the submission of a number of out-of-scope or commonly reported false positives.
We’ve updated our report classification engine to detect common outputs from automated vulnerability scanners that are frequently flagged as invalid. This enables the quality of report submissions to improve as hackers can check the report before submission.
We’ve improved our Single-Sign-On (SSO) options with support for SAML. Response teams using an SSO provider to authenticate can use those services for centralized authorization and identity management.
There’s now a reward suggestion functionality where program members can suggest bounty amounts. This enables programs to more easily arrive at a consensus regarding award amounts.
If any disagreements or discussions arise regarding a report, hackers and programs can now request mediation and our experts will provide guidance on the situation.
The group assignments feature enables programs to assign reports to a team rather than just to an individual so that multiple people within a team have the ability to pick up the report.
We’ve updated the styling between the report meta data and the summary/timeline so that the report meta data is now collapsible.
We’ve added integrations with:
Read more about how these integrations work here.
We introduce the Vulnerability Coordination Maturity Model which helps programs increase their dependence on internet-connected software. Learn more about this model in our blog post.
We’ve added integrations for ServiceNow and Assembla.
We’ve integrated tax forms into our product so that hackers can quickly sign them to get paid.
HackerOne program administrators can set access rights for different team members who might play different roles on your team. Learn more here.
With our new Message Researchers feature, programs can now send messages directly to hackers to update them on scope changes, bounty awards, or to just connect with them.
When an organization chooses to publicly disclose a vulnerability report, there’s now the option to write a summary along with a partial timeline.
We introduce the HackerOne Directory - a community-curated resource to identify the best way to contact an organization’s security team.
We now enable you to integrate HackerOne with GitHub.
Programs and hackers can now summarize the content of a public disclosure in the summary field.
We now enable programs to award hackers with swag or physical objects.
Hackbot is now able to detect duplicate and related reports to help programs associate and close reports more quickly.
We now enable hackers to self-close their own reports if they discover that it’s no longer relevant. This won’t impact their reputation.
We’ve redesigned the security inbox to enable faster bug processing for programs. The new inbox enables programs to open reports inline so you don’t have to click backward or forward to navigate between reports.
The new dashboard enables insight into your security response posture. This enables programs to be on top of response time, stale issues, pending disclosures and more.
We improve our bulk actions functionality so that it’s easier to apply the same action to multiple reports with a single click.
We introduce keyboard shortcuts to make the workflow more efficient with a faster navigation.
Our new inbox filtering search functionality enables programs and hackers to quickly target the bug they're looking for without having to scroll through their inbox.
We introduce these new integrations with HackerOne:
We introduce the new trigger option to change the report state to Needs more info.
We enable programs and hackers to export their reports as .CSV files to enable them to quickly generate a spreadsheet of selected reports with key details.
We enable programs to configure IP allowlists to control which IP ranges their program members must be coming from in order to access HackerOne.
We introduce private programs to hackers that are only accessible through invitations.