Changelog

See what's changed or new in HackerOne.

August 2018

Publishing External Vulnerabilities (beta)

We now enable select hackers to publish their findings from external sources that don't have HackerOne programs. Want to learn more or join the waitlist? Click here to learn more.

Two-Factor Authentication

Hackers now have the ability to set up two-factor authentication to add an extra layer of protection to their accounts.

Inbox Filters

Programs can now filter reports with these new inbox filters:

  • No weakness
  • No asset
  • With references
  • Without references

Insights (beta)

We introduce the insights page to provide hackers with helpful statistics about programs they're considering hacking on. The information is provided to help hackers focus their efforts on the right assets for the right programs. Categories of insights include:

  • Bounties
  • Reports
  • Hacker Participation
  • Top 10 vulnerabilities
  • Scope Severities

July 2018

Hacker Email Alias

All hackers now have an email alias that forwards emails to the email address they’ve registered with on HackerOne. This provides an easy way for programs to contact you in order to share credentials and information without having to access your actual email address.

Sort Notifications

You can now sort notifications from oldest to newest and vice versa.

Hacktivity Redesign

We've revamped the look of our Hacktivity feed so that it has a sleeker design. We've also deprecated the Top tab on Hacktivity.

Bug Fixes

  • Hackers that have submitted a report and left the program can now revisit the report without seeing any errors.
  • We reworded the notification for invites to private programs so that it's clear that it's an invitation.

June 2018

Reputation on Triage

No need to wait for reports to be resolved in order to increase reputation! We now enable hackers to gain reputation whenever their reports are marked as Triaged.

Bounty Tables

Instead of having programs manually create their own bounty table on the policy page using tedious markdown, we now enable them to easily generate their own bounty table with our new bounty table tool.

May 2018

Hacker Feedback Dashboard

We introduce the new Hacker Feedback Dashboard where private programs can see the total feedback their program has received from hackers along with the reasons they’ve declined to participate in their program. The feedback can be viewed at Dashboard > Feedback. Learn more about the feedback dashboard.

Triggers

We've revamped our triggers functionality so that you can:

  • Preview matches for a new trigger
  • Add And/Or conditionals to make the trigger more flexible
  • Edit or build off of default triggers

We've also updated the design so that you'll have a better user experience.

Response Targets

We’ve deprecated the threatening term, Response SLA and replaced it with the more friendly terms, Response Targets and Response Standards. Learn more about these new terms.

We’ve deprecated the SLA Violations inbox view and changed the name to Missed targets. The inbox filters are also now Missed response targets and Missed response standards instead of SLA violation reports and SLA Fail reports.

We introduce 4 new inbox labels for reports that don’t meet response standards or targets. The labels are: Response, Triage, Bounty, and Resolve. These labels replace the previous SLA Fail and SLA Miss labels.

The fields on the Response Target performance section of the Program Health dashboard have changed to On target, Missed target, and Missed standard. The missed target line is also taken off of the Average Time to Resolution graph on the dashboard.

Response Efficiency Indicators

We’ve modified response efficiency indicators so that:

  • They now let you know the program’s percentage of reports that meet response standards instead of the number of reports that are failing or missing SLAs.
  • The indicator and metrics are visible even when a member of the program is signed out.
  • The orange response efficiency indicator is now changed to yellow.
  • The indicator now occurs at the bottom of the metrics chart instead of at the top.

Time to Resolution by Severity

We now enable you to set your Time to Resolution response standards by severity. Learn more here.

Invitations Toggle

Programs no longer have the ability to toggle invitations on or off with the On/Off button. The equivalent action to turn invitations off is to set the report volume to 0 if they no longer wish to engage with new hackers. To turn invitations on, just increase the report volume to be greater than 0.

Policy and Scope

Policy and Scope now have their own separate sections under Settings > Program.

Bug Fixes

  • The Managed label no longer shows up on the directory for programs with expired triage subscriptions.
  • The response standard percentage now displays when the display option setting is enabled. There were some instances where it didn’t show in the past.
  • When a large user profile photo is uploaded, an error message is now given to the user to notify them that the upload has failed.
  • Social sharing icons on public programs are now aligned and work properly without any weird spacing issues between the icons.
  • Hackers no longer receive automatic invitations for programs they’ve left.

April 2018

The 90 Day Leaderboard

The new rolling 90 day leaderboard ranks hackers based on their score from this calculation: Reputation x Signal Percentile x Impact Percentile.

Needs More Info

When a program member adds a comment to an open report with a question mark, Hackbot will prompt them asking if they want to change the state of the report to Needs more info.

Response Efficiency Timers

Response efficiency timers no longer trigger for reports submitted by internal members of the program.

Auto-Invites for Controlled Programs

Programs in controlled launch mode are no longer able to toggle auto-invites as on or off. To change their settings for invitations, they can contact HackerOne support.

Bug Fixes

  • URLs in the report title are now wrapped so that they aren’t crossing out of the inbox.
  • The Program Health Dashboard now displays 0 instead of N/A when there are no missed or failed reports.
  • When a hacker leaves a program that they got invited to through the email forwarding feature, they won’t be placed in the priority queue for leaving that program. This prevents hackers from harvesting a ton of private invitations.
  • Hackers now don’t receive invitations to programs they’ve left.
  • When hackers received an invitation to claim a report, they couldn’t see or accept the terms of the program. Now they can actually claim the report and see the terms of the program.

March 2018

Invitations

We’ve improved the way programs can manage their invitations to hackers. You can now set a report volume target where we’ll monitor and manage your hacker invitations to help you meet your report goal.

The Invite Hackers tab under Settings > Program > Hacker Management has been renamed to Invitations.

The Invitations page includes the new Report Volume field where you can enter the number of reports you'd like to receive in 30 days.

Read more about Invitations.

Needs More Info

Reports in the Needs More Info state that haven’t been responded to within 30 days automatically get closed with no negative impact to the hacker’s reputation.

Self-Controlled Launch

Response Programs in Controlled Launch that meet all of the success criteria are now prompted to publicly launch their own program through following the Setup Guide or through email notification.

Response SLA Settings

Response SLA settings are now applied to all reports and not just reports created after modification to SLA settings.

Response SLA settings are also now incorporated into Controlled Launch for Response programs. Programs must have received at least 10 reports and invited 100 hackers while maintaining healthy response times before launching publicly.

Program Health Dashboard

The new Program Health Dashboard helps programs track their Response Efficiency Metrics and Response SLA performance. Go to Dashboard > Program Health to view your metrics.

Response Efficiency Indicator

Programs can now see their response efficiency indicator in their program dropdown. This enables them to see their response efficiency status without having to visit their security page.

Bug Fixes

  • Invite notifications don’t show up again for expired, declined, and duplicate invites.
  • The questions on the Invitation Rejection Questionnaire and the Leave Program Questionnaire no longer show duplicates.
  • The Time to Bounty timer now pauses when a report is closed as either N/A, Duplicate, Informative, or Spam.
  • The red response efficiency indicator tooltip now correctly states that the program has failed SLAs instead of missed SLAs.

February 2018

In-Product Notifications for Invites

The notifications corner now pings hackers about new invitations.

Invitations on the Program’s Profile

Hackers can also see their invitations on the program's profile page. This reminds hackers of their invitation when they go to look at the program.

Pending Invitations Page

The new Pending Invitations page enables hackers to view all of their pending invites in one place so that they can see all the invitations they need to take action on.

Rejection Questionnaire

When Hackers reject an invite, they are given the opportunity to fill out a questionnaire to provide HackerOne with feedback on why they decided to reject the program invitation. The questionnaire shows up directly after hackers reject the invitation.

Leave Program Button

The Leave Program button is updated to be on the sidebar of the program’s security page. Hackers that leave the program also get an invitation to fill out the rejection questionnaire.

Priority Queue

Hackers that submit the rejection questionnaire are placed at the top of the queue for the next program invitation they qualify for.

Private Invite Notification

The notification to private invites is updated so that it doesn't look like a program member invite.

Response Efficiency Box

The Response Efficiency box is updated on the program security page to show that metrics are averages of the last 90 days.

Response Efficiency Indicator

There is now a response indicator in the Response Efficiency box of the program's security page to show how healthy a program is. The indicators are either green, orange, or red dots.

Bug Fixes

  • Hackers are no longer redirected to a deleted program after every login.
  • Programs can mark reports as being ineligible for bounty even though a hacker account is disabled.
  • The program health alerts are fixed so that you're not getting alerted when you have 0 reports failing SLAs.
  • Old resolved reports are no longer marked as SLA Fail or SLA Miss.

January 2018

Human Augmented Signal

We enable programs to utilize the expertise of HackerOne Security Analysts to review those pesky invalid reports so that programs don’t have to deal with them. Learn more about Human Augmented Signal.

Response SLAs

You can now set your response service level agreements (SLAs) for time to first response, time to triage, time to bounty, and time to resolution. What do all these terms mean? Find out here.

Response Efficiency Indicator

We now display a colored indicator on a program's security page to show hackers how responsive a program is to report submissions.

SLA Inbox Labels

If you forget which reports aren't meeting your response SLAs, we now have SLA Miss and SLA Fail labels as well as a new SLA Violations view in your inbox to show which reports need action.

Pausing Report Submissions

Want to take a break or need time to catch up on existing reports? Programs can now pause from accepting new report submissions.

November 2017

Inline Image and Attachments on the Security Page

We now enable you to attach pictures and other files to your policy. Simply go to your program's Settings > Policy and there will be a field where you can upload your files. We've got a nice GIF on ours. Check it out.

October 2017

Controlled Launch for Response Programs

We've revamped the on-boarding experience for new response programs by guiding them through a step by step setup process that prepares them for public launch.

September 2017

Report Submission Template

What...do...I...write? We've updated the blank report submission form with a template of what a good report write-up should entail. This'll guide hackers on how to write up a good report.

August 2017

Directory Icons and Program Badges

The Directory page now includes pink and purple lightning icons to highlight programs that are:

  • Fast to respond with a first response in <48 hours on average
  • Fast to award by giving a bounty <14 days after submission

We also include a Managed badge to identify programs that are managed by HackerOne.

Paying out Bounties via the API

Organizations now have the ability to pay out and suggest bounties and swag using their internal systems via the API. You can view the API documentation for this here.

Slack Integration 2.0

We've revamped our Slack integration so that programs can have:

  • Granular notification filtering
  • Support for multiple channels
  • Notifications when a username is mentioned

Read our blog post and learn how to set up Slack integration.

Bounty Splitting

We now offer programs a feature that enables hackers to split bounties with other hackers who helped them find the vulnerability.

July 2017

Bank Transfers via CurrencyCloud

Hackers can now receive payments through Bank Transfers via CurrencyCloud. This enables them to get paid out in 30 different currencies to almost any country in the world.

Scope

Programs can now define their scope and the list of assets they want hackers to test. This controls what reports can be submitted and helps to prevent noise. Don’t know what a scope is? Learn more here.

Hacker Reviews

Programs now have the ability to review their hackers and to comment on their behavior. Learn more about hacker reviews.

Bi-Directional Phabricator Integration

We now provide programs with a two-way integration that syncs changes between HackerOne and Phabricator.

Hackathon Inbox Filter

During hackathon events, programs can now filter reports in their inbox specific to the hackathon so that these reports can be focused on.

Onboarding Changes

We’ve updated the words programs encounter when they onboard onto our platform to reflect our new product changes.

June 2017

Admin Notification Control

Program administrators now have the ability to enforce notification settings for all members of their program. This ensures that members only receive notifications for the reports they’re subscribed to, instead of being spammed for things that don't apply to them.

Automated Daily Coinbase Payouts

We’ve automated our daily Coinbase payouts so that we don’t have to manually do the work and all hackers receiving payments through Coinbase will be paid at a consistent time every day at 11pm UTC.

May 2017

Bi-Directional Jira Integration

We now provide a bi-directional Jira Integration where Jira users can sync specific workflows from Jira to HackerOne and vice versa, from HackerOne to Jira.

Move Report Between Programs

Organizations running multiple programs are now able to transfer reports between programs to make sure the vulnerability is associated with the correct program.

Filter Reports by Weakness

You can now filter your reports by specific weaknesses in your inbox.

Beta Hacker VPN

We've implemented a hacker VPN that:

  • Controls traffic to in scope program assets
  • Enforces granular access controls with a 1:1 mapping between an individual hacker and a static IP
  • Pauses individual hacker access without interruption to the overall program
  • Integrates with a program's monitoring tools to have full visibility into program activity

Contact HackerOne to participate in this beta.

April 2017

Personalized Invitation Messages

Hacker invitations can now be personalized with a personal message to the hacker(s) receiving the invitation.

March 2017

CWE Weakness for Vulnerability Types

We've updated our vulnerability taxonomy to include a more complete weakness suite based on the industry-standard Common Weakness Enumeration (CWE). This provides a much more complete and accurate description of a reported vulnerability, and more importantly, it adopts a common language that is endorsed by the security community.

Disclosure Assistance with Vulnerability Report

HackerOne will now triage and validate disclosure assistance vulnerability reports by severity in order to expedite the disclosure assistance process.

February 2017

"Needs First Response" Inbox Filter

We’ve added a ‘Needs first response’ filter to the inbox that shows all reports that are still waiting on a public response to the hacker. This helps programs to optimize their time to first response.

Award Bounty for External Reports

All program users of the HackerOne API can now choose to award a bounty for a report that was submitted externally to their HackerOne Security Inbox.

Custom Integrations for Non-Financial Bounties

We now provide native support for custom integrations with non-financial reward programs such as paying bounties in airline miles. The first user of these new rewards is Lufthansa, which awards bounties in the form of their “Miles and More” program. Please contact your Account Manager for additional information.

Report Trigger Matches

We now surface report trigger matches in internal comments to help programs triage a report faster.

January 2017

Security@ Email Forwarding

We enable vulnerability emails sent to programs’ security@ emails to automatically be forwarded as a report in your HackerOne inbox.

Custom Inbox Views

We now enable users to create and save their own custom View in their inbox.

Trigger for Low Bounty Balance

We now enable programs to set up a trigger for when their balance falls below a certain amount.

Inline Video Attachments

We now enable hackers to attach videos to their vulnerability reports.

December 2016

Clarify Public Launch Expectations

We now set clearer expectations for self-managed programs that decide to publicly launch their program without having met the launch criteria. We supply warning messages showing that the program hasn’t met the recommended criteria and also require them to select the checkbox acknowledging that they haven’t met the criteria but still want to launch publicly.

Bounty Statistics

When programs award a bounty, we now automatically show them the median, competitive, and top level bounty across the platform for the severity of the vulnerability they are awarding a bounty for. This helps programs to gauge their reward competitiveness and to be as consistent as possible in awarding bounties.

Filter by Severity

We now enable programs to filter reports in their inbox by severity.

Redact Sensitive Information from Reports

Programs can now redact sensitive information from reports in a self-service manner.

Program Updates

We’ve created a new Program Updates tab on the program security page. Programs can publish and persist updates to their hackers like a mini blog on this tab.

Monthly Digest Report

We’ve implemented monthly digest report emails so that if a user is a member of an active HackerOne program, they’ll be able to see how their program is performing and gain insight into any changes to their program. They’ll receive this email every first business day of the month.

November 2016

Hacker Skills

The new Hacker Skills feature enables hackers to identify their skill set which enables them to qualify for invitations specific to their skill sets. Each skill a hacker puts will be verified by HackerOne.

Configure SLAs for Triage and Resolution

We enable programs to set internal Service Level Agreements (SLAs) by configuring the amount of time that can elapse before a report is marked for their program.

Change Report State via API

We enable you to change the state of a report through utilizing our API.

Export as .zip

We provide a new export option where you can download the contents of the report and all attachments in a single zip archive.

October 2016

Hackbot Improvements

We’ve improved Hackbot to suggest single-click actions, such as:

  • Creating a common response
  • Integrating with an issue tracker
  • Creating a trigger

CVSS for Severity

We introduce the ability for both hackers and security teams to set severity via CVSS. Read our blog post or docs article to learn more.

No Attachment Warning

We now display a warning message if your report references an attachment but no attachments are found.

Hacker Profile: Thanks Page Improvements

We’ve totally revamped our Thanks page on the hacker profile so that all the programs hackers have made contributions to are now listed in the order of most reputation earned. We also display for each program:

  • The number of valid and closed reports the hacker has
  • The reputation earned
  • The rank of the hacker

September 2016

Lock Reports

You can now lock reports to prevent new comments on publicly disclosed reports.

Assign Report Through API

Programs can now assign reports to team members using the API. See the API documentation for how to assign a report here.

Notifications Page

We’ve created a notifications page so that you can have a clear overview of your notifications. Go to https://hackerone.com/notifications to see your notifications.

Filter Inbox by Program

Hackers can now filter reports in their inbox by program using the Reported to field so that they don't have to filter through reports with their own eyes.

August 2016

Report Submission Template

Programs now have the ability to further customize their report submission form by choosing and customizing a report template that pre-populates the Issue information field. Learn more about report templates.

Billing Page Improvements

We’ve updated the Billing page so that programs can now:

  • Filter by date ranges
  • View partial invoices of the current month
  • View balance and credit amounts

July 2016

Edit Vulnerability Type

Programs can now edit the vulnerability type of a report after the report has been submitted. This is to correctly associate a report with the right vulnerability type if a hacker selected the wrong one.

Policy Versioning

Hackers can now see when the policy was last changed and view all policy changes on a program’s Security Page.

No More Negative Reputation for “Needs More Info”

We’ve adjusted our reputation system so that reports marked as “Needs More Information” don’t result in a -1 reputation hit.

Hacktivity on Hacker Profiles

We now display all reports hackers have on hacktivity on their profile page.

June 2016

Hacktivity Upvoting

Users can now upvote reports that they’re interested in in order to create a “Popular” sorting on Hacktivity where reports with the most upvotes are featured on top.

Hacker Leaderboard

We’ve deprecated the Thanks page at https://hackerone.com/thanks and turned it into a hacker leaderboard that’s segmented into more granular time periods and sortable by Signal, Impact, and Reputation. See who’s on top here.

Badges

Hackers can now receive badges when they meet certain criteria or achieve certain events to showcase on their profile.

API Documentation

We introduce the first version of the HackerOne API to empower programs to build custom metrics and dashboards. Learn more about our API Documentation.

UI Improvements to Default Automatic Invitations

We’ve cleaned up the UI to Invite Hackers so that it’s clear that there’s a single call-to-action to privately launch a program by turning automatic invitations on.

May 2016

Security Page Metrics

Programs now have the ability to publicly share Time Metrics and Reward Metrics. These metrics include:

  • Mean Time to Response
  • Mean Time to Resolution
  • Mean Time to Bounty
  • Mean Bounty Amount
  • Median Bounty Amount
  • Total Bounties Paid

Credit Card Payments - Stripe Integration

We now enable programs to make payments using their credit card through our Stripe Integration.

April 2016

Automatic Invitations for Private Programs

We now enable private programs to configure a minimum threshold for their report volume under which new hackers will be automatically invited.

Hacktivity Redesign

We’ve redesigned Hacktivity so that we surface educational reports from interesting hackers.

Hacker Header on Reports

All reports now include a header with summarized stats on the hacker who submitted the report. The new header fields include:

  • The hacker name
  • Reputation
  • Rank
  • Signal
  • Signal Percentile
  • Impact
  • Impact Percentile

March 2016

Mutual Disclosure of All Reports

All reports, including those marked as Not Applicable, Duplicate, and Spam can now be publicly disclosed when both the hacker and the program agree to disclose the report.

Request Mediation for Hackers

Hackers can now request mediation when they get into a disagreement with a program’s security team.

Filter Directory by Programs Offering Bounties

Users can now filter the directory by programs offering bounties. Type bounties:yes into the search bar to only view the bounty programs in the directory.

Threading for Notification Emails

We now support message threading for notification emails so that similar emails are grouped together.

Award Bonus

We introduce the ability for programs to award a structured bonus in addition to the standard bounty for a vulnerability. Read about it in our blog.

Improved Rate Limiter & Signal Requirements

We give programs the ability to tune the Rate Limiter by specifying minimum Signal Requirements for hacker participation. We’ve also updated the Rate Limiter to incorporate additional intelligent inputs.

Hacker Invitations by Priority

We’ve overhauled the hacker invitation process so that hackers with the highest Reputation, Signal, and Impact will have a greater likelihood of being invited to private programs. Read our blog post to learn more about how invitations work.

Inline Image Attachments

We enable programs and hackers to now add inline image attachments to reports and comments.

February 2016

Hacker Invitation Preferences

Hackers now have the ability to manage their invitation preferences for private programs. They can opt-out of receiving invitations entirely or choose to only receive invites to programs that offer bounties.

January 2016

Custom Vulnerability Types

Programs can now customize their report submission forms with their own introduction text and the ability to hide and disable vulnerability types.

Hacker Thanks Page

Hacker profiles now include a Thanks page that lists all programs the hacker has submitted vulnerability reports to. For example, check out: https://hackerone.com/atom/thanks

December 2015

Signal & Impact

We introduce Signal and Impact so that there can be a more granular understanding of hacker performance. Read our blog post or check out our doc to learn more.

New Default Views

We add these new default views to the inbox to better organize reports:

  • Triaged
  • Assigned to me
  • Pending disclosure
  • Pending bounty

Protective Disclosure

If the response team has evidence of active exploitation or imminent public harm, they can immediately provide remediation details to the public so that programs can take protective action.

Preview Image Attachments

Programs and hackers can now preview image attachments on the report form.

November 2015

HackerOne Success Index

We introduce the HackerOne Success Index - a method to measure the effectiveness of HackerOne-powered vulnerability disclosure programs. The index calculates 6 dimensions by which programs can benchmark their success each month. Learn more here.

Disclosure Assistance

We provide hackers with the ability to request help in contacting an organization with a vulnerability through Disclosure Assistance. This enables HackerOne to take steps to identify the organization’s official vulnerability reporting process. Read more in our blog.

Trigger: Show Interstitial

We’ve updated our triggers functionality so that an interstitial shows prior to report submission. This helps hackers to avoid the submission of a number of out-of-scope or commonly reported false positives.

Automated Scanner Detection

We’ve updated our report classification engine to detect common outputs from automated vulnerability scanners that are frequently flagged as invalid. This enables the quality of report submissions to improve as hackers can check the report before submission.

Single Sign-On: SAML

We’ve improved our Single-Sign-On (SSO) options with support for SAML. Response teams using an SSO provider to authenticate can use those services for centralized authorization and identity management.

Suggest a Bounty

There’s now a reward suggestion functionality where program members can suggest bounty amounts. This enables programs to more easily arrive at a consensus regarding award amounts.

Report Abuse

If any disagreements or discussions arise regarding a report, hackers and programs can now request mediation and our experts will provide guidance on the situation.

Group Assignments

The group assignments feature enables programs to assign reports to a team rather than just to an individual so that multiple people within a team have the ability to pick up the report.

Improved Report Meta Data

We’ve updated the styling between the report meta data and the summary/timeline so that the report meta data is now collapsible.

Integrations

We’ve added integrations with:

  • Slack
  • Redmine
  • Freshdesk

Read more about how these integrations work here.

September 2015

Vulnerability Coordination Maturity Model

We introduce the Vulnerability Coordination Maturity Model which helps programs increase their dependence on internet-connected software. Learn more about this model in our blog post.

Integrations

We’ve added integrations for ServiceNow and Assembla.

Tax Forms

We’ve integrated tax forms into our product so that hackers can quickly sign them to get paid.

August 2015

Permissions

HackerOne program administrators can set access rights for different team members who might play different roles on your team. Learn more here.

Message Hackers

With our new Message Researchers feature, programs can now send messages directly to hackers to update them on scope changes, bounty awards, or to just connect with them.

Disclosure: Limited Timeline and Summary

When an organization chooses to publicly disclose a vulnerability report, there’s now the option to write a summary along with a partial timeline.

July 2015

Directory

We introduce the HackerOne Directory - a community-curated resource to identify the best way to contact an organization’s security team.

GitHub Integration

We now enable you to integrate HackerOne with GitHub.

Disclosure Summary

Programs and hackers can now summarize the content of a public disclosure in the summary field.

May 2015

Dashboard Metrics

We’ve added additional metrics on the program dashboard.

April 2015

Swag

We now enable programs to award hackers with swag or physical objects.

Hackbot: Duplicate Detection

Hackbot is now able to detect duplicate and related reports to help programs associate and close reports more quickly.

Self-Close Reports

We now enable hackers to self-close their own reports if they discover that they’re no longer relevant. This won’t impact their reputation.

February 2015

Closing Spam Reports

We now provide the ability to close out a report due to it being spam or inappropriate.

Merge Duplicates

Programs can now merge duplicate reports and add hackers to the original report.

December 2014

Trigger: Add Comment

We introduce the new trigger option to post a public comment on the report.

October 2014

Reputation

We introduce Reputation - a system that gives additional recognition to the best researchers. A hacker’s reputation measures how likely their finding is to be immediately relevant and actionable.

Integrations

We introduce these 2 new integrations with HackerOne:

  • Trac
  • Zendesk

August 2014

Security Inbox

We’ve redesigned the security inbox to enable faster bug processing for programs. The new inbox enables programs to open reports inline so you don’t have to click backward or forward to navigate between reports.

Dashboard

The new dashboard enables insight into your security response posture. This enables programs to be on top of response time, stale issues, pending disclosures and more.

Bulk Actions

We improve our bulk actions functionality so that it’s easier to apply the same action to multiple reports with a single click.

Keyboard Shortcuts

We introduce keyboard shortcuts to make the workflow more efficient with faster navigation.

Search

Our new inbox filtering search functionality enables programs and hackers to quickly target the bug they're looking for without having to scroll through their inbox.

Integrations

We introduce these new integrations with HackerOne:

  • MantisBT
  • Bugzilla
  • Jira
  • Phabricator

July 2014

Trigger: Change State

We introduce the new trigger option to change the report state to Needs more info.

Data Export CSV

We enable programs and hackers to export their reports as .CSV files to enable them to quickly generate a spreadsheet of selected reports with key details.

Security IP Whitelisting

We enable programs to configure IP whitelisting to control which IP ranges their program members must be coming from in order to access HackerOne.

Invite-Only Programs

We introduce private programs to hackers that are only accessible through invitations.

April 2014

Bitcoin

Hackers can now receive payouts through Bitcoin.

Data Export JSON

Programs and hackers can now export their reports as JSON files.

Two-Factor Authentication

Program members can now set up two-factor authentication to securely log in to HackerOne.