Changelog

Hacktivity Annotations

Publicly disclosed reports are now automatically summarized using AI to make them even easier to consume. Summaries are provided in five languages.

Enhanced Opportunities Search

Hackers can now search for :mag: Opportunities by program handle, policy, technologies, industry, and asset identifiers through the search field. This update makes it possible to quickly and accurately locate the most relevant opportunities, increasing hacker's chances of finding the correct program to submit a report.

Scope Management

We're excited to announce that we released Scope Management to all customers. We've entirely revamped our data model to support new functionality and scale our platform into a multi-product one.

Customer benefits:

• Centralized interface to manage assets on the organization level through the new Asset Inventory
• Introduced new asset types for Wildcards and Smart contracts
• Manage scope across engagements and products from a unified asset list

Hacker benefits:

• We're now supporting larger scopes. Customers can put more assets in the scope of a program, which will benefit hackers
• Search, filter, and export options will make it easier for hackers to consume large scopes
• New asset types will make finding the right program to hack on easier

ID Verification

We are excited to announce the first iteration of :idv: ID Verification, a light version of H1 Clear! Hackers will now be able to go through a self-service ID verification process to instantly confirm their identity. Any hacker with a valid report can apply and get that sweet green checkmark on their profile.

This initial release is just the beginning. Future releases will enable programs to invite only ID-verified hackers to their programs. This will give programs access to ID-verified hackers without purchasing the H1 Clear product.

H1 Campaigns

Campaigns are time-bound promotions where the submitters get a higher bounty than usual for a valid report. H1 Campaigns are available for all customers using the Enterprise edition of HackerOne Bounty. Customers that had access to Campaigns before general availability will still keep their access. There is also a new Campaign Manager that allows you to see all of your campaigns at a glance.

Export Assets

With the new "Assets CSV Export" feature, customers can now easily export their asset data, including asset name, URL, associated tags, associated scope, risk, and other data. This feature allows customers to export their assets in bulk and apply filters based on their search criteria, saving them time and effort.

Asset Inventory Filter by Program

We've made managing multiple programs easier by allowing you to filter assets for a specific program. Get a quick overview of what's in or out of scope for that particular program by filtering for it.

Scope Changelog Only Shows Changed Assets

Our scope changelog now shows only the changed assets, supporting growing scopes and making it easier for hackers to view changes. Scan for changes easily and efficiently.

Program-Specific Scope Instructions

Our new scope tab on the asset inventory allows you to quickly see where assets are in scope and out of scope. With program-specific scope instructions, you can provide specific instructions based on the program in which you're testing the asset. Provide hackers with more detailed insights and optimize your testing strategies.

The Scope Tab Defaults To An Ungrouped View

We learned that it’s important to highlight assets and their instructions directly when navigating to the scope page of your program. We’ve changed the behavior of the scope page to default to an ungrouped view and made the grouping by domain an optional view for hackers.

Scope Intro For Vulnerability Disclosure Programs

Most VDP programs have an open scope. With our scope introduction feature, you can define a free-form text on top of the scope page, avoiding showing "No assets in scope.”. Keep hackers engaged and informed, and provide them with clear instructions for testing.

Pentest Cloning and Naming

Customers can now choose to clone an existing pentest when making a new one, and pentests can now have custom names. When creating a new pentest, customers can select the option to clone an existing pentest instead. This will prepopulate the form with details from the original pentest such as scope, asset details, and contact preferences.

Hacker Mediation Updates

HackerOne only accepts Hacker Mediation Requests for reports submitted to Basic programs that are managed by HackerOne.

Archived Assets

We've brought back the ability to view archived assets. This feature comes in handy when you want to bring back a previously used asset or if you accidentally archived an asset.

Assets Enterprise

Customers can now see DNS and WHOIS information for domain assets that are imported from the ASM scanner.

Opportunity Discovery Cards

Opportunity Discovery cards have been updated to improve clarity and readability.

Retesting

If the original hacker rejects the retest, the report will pass back to the customer in its previous state. Customers are also able to cancel a retest if the original hacker does not respond in time. Note: Retesting is not available for anonymous reports.

Slack Auto-Integrations

Programs will now automatically have three Slack channels created when their pentest opens to applications. This is where you can find all appropriate communication channels.

Scope Management

Programs now have a new Scope tab on the Security page. From here, both hackers and programs can see the assets' CVSS score, whether they are in or out of scope, and whether or not they are eligible for bounty.

Retesting Timeframe

The 72hr timer from retests has been removed, so there will be no time limit to accept or confirm retests.

Report Translations

Hacker reports and responses can be translated into Dutch, German, Hindi, and Spanish. To translate, click on any part of the report and select a language in the kabob menu (3 vertical dots). You have to select each response to translate it, and it works on both Inbox and public Hactivity content.

Custom Asset Groups

Customers can now group assets by tags, including any custom tags they have made! The sorting stays in place during searches as well, so all results will be sorted. Customers can also choose no grouping to show a full list of assets.

CVE Discovery in ASM Scans

If the ASM scanner finds a risk that contains a CVE, clicking the CVE ID will now open our own intelligence tab with more information about the CVE. The platform context helps customers make better decisions on the importance and urgency of the risk.

Opportunity Bounty Sorting

Hackers can now sort results on the Opportunities page by high or low bounty.

Consumption Subscription Card

The Consumption Subscription Card is now available to all customers with the new Pentest Consumption Subscriptions. Consumption Subscription Cards show vital information regarding each consumption subscription, such as:

• Start and end dates
• Hours purchased
• Hours used
• Hours available for scoping more pentests

Note: this is only for Pentests sold under the new pricing model, rolled out Sept 27, 2022.

Pentest Artifacts

Customers can now upload important artifacts such as architectural diagrams or product documentation during the pentest setup process. These resources will eventually be shared with the pentest team and will help inform and guide their testing.

Opportunity Bounty Filters

Hackers can now filter opportunities by bounty amount. See it now here.

Engagements Page

The Engagements page (currently in Beta) is a top-level navigation page where customers can find all the ways to engage with hackers. This includes any programs they are currently running and education on what other engagements they could run.

Program Levels

Program Levels is a structured framework that lets programs level up by publicly committing to certain best practices. Programs that meet all requirements earn a Program Level badge displayed on their program card and policy page.

Gold Standard Safe Harbor

Companies can now institute Gold Standard Safe Harbor. Gold Standard Safe Harbor statements improve the hacker/program experience and help protect good faith research. Check out our FAQ page for more information.

Pentests on the Opportunities Page

Hackers can now find pentests on the Opportunities page. This will give pentesters a better overview of the opportunities available for them across the platform.

Submissions & Bounty Dashboard Update

The Submissions & Bounty Dashboard was updated to use a faster performing backend analytics engine.

HackerOne Assets

HackerOne Assets combines the core capabilities of Attack Surface Management (ASM) and Asset Inventory with the reconnaissance skills of ethical hackers to bring visibility, tracking, and risk propensity to an organization’s digital asset landscape.

My Programs Filters

Hackers can now sort programs by the last accepted invitation date on the My Programs page under Opportunities.

Multi-Select Opportunity Filters

All drop-down filters on the Opportunities page search results are multi-select capable with search functionality.

Custom Pentest Naming

Custom Pentest Naming allows all Pentest customers to customize their pentest names according to their internal conventions. To use Custom Pentest Naming, go to the Overview of a pentest, click the title, and save. The new name will populate instantly across the platform.

Pentest Tables

Pentest Tables enable team members to view all of their Pentests in one place. To see Pentest Tables in action, go to the organization landing page and click on the "Pentests" tab. You will also be redirected to this tab if the selected organization has no non-pentest programs.

Duplicate Detection

The Duplicate Detection Console streamlines customers' ability to detect duplicate reports across all their programs.

Programs Landing Page

Customers will now be able to see all programs for their organization under Organization Settings > Programs, and will be able to navigate to all the relevant areas for that program from there.

Unassign reports

There is now an "Unassign Report" option in the action picker at the bottom of a report. Users can also unassign reports in bulk by selecting multiple reports in the inbox.

HackerOne Views

Users can now switch between Organization view and Hacker view using the dropdown next to the avatar in the top right of the navigation bar.

Asset-Based Credential Management

We've added the ability to manage credentials by specific assets.

Retesting Enhancement

The tester will now have 72 hours to complete retesting once a retest is claimed.

Program Hacker Matching Improvement

We’ve made improvements to our Invitation Engine. Using program requirements and customer preferences to match hackers to opportunities, we provide our hacker community with much more personalized recommendations.

Organization Settings Page

The Organization Settings page allows customers with multiple programs to manage users from a single page.

Program Dashboard Enhancements

We released fixes and performance optimizations to ensure consistent data between the Statistics page and the Submissions and Bounty dashboard.

Team Member Eligibility

Team Member Eligibility settings allow you to configure a list of email domains that are eligible to join your program. These settings will allow or block a user when accepting an invitation, but will not affect any users that are already a member of the program. You can set team member eligibility regardless of SAML usage.

Opportunity Discovery

The Opportunity discovery page provides a central place for hackers to discover bounty programs, vdps, pentests, and future earning openings, while also solving an inconsistent filtering experience.

Submissions & Bounty Dashboard

The Submissions & Bounty Dashboard shows data on all report submissions broken up by different metrics. Bounty programs will show the number of valid submissions for that category on the left, with bounties paid out for that category on the right. You can export all of your data at once as a PDF or by sections as a CSV file.

Multiple Jira Integration

This feature is available for Enterprise programs only. If you want to integrate the same program to multiple Jira instances, you can follow all the steps for each integration.

AWS Security Hub Integration

The AWS Security Hub integration exchanges vulnerability findings between HackerOne and Security Hub, streamlining workflows to accelerate security actions. 

Customer Homepage

The customer homepage is the starting point for customers to see an overview of all programs and latest report activity and mentions in their organization. Quickly access the area that requires your attention, regardless of the program it's associated with.

Organization-level User Management

Managing all team members from a central place with our new Organization-level User Management. Regardless of which program they can access, you can now manage team members and API access from a single location.

Report sidebar

Improving the user experience while viewing reports. Making it easy to see all relevant information at a glance while taking action on a report.

Ability to search in the program picker

You can now search for programs in the Program picker to easily find the right program you are looking for.

New Splunk integration Setup

The Splunk integration is now embedded into the HackerOne platform to make it easier to setup and maintain the integration.

Program Overview

We launch the new Overview page of the program dashboard to provide an overarching view of important data and statuses regarding your program.

Proof of Compliance

You can now generate a proof of compliance report for your program on HackerOne to prove that your organization has a vulnerability disclosure policy (VDP) or bug bounty program (BBP) in place.

Hacker Collaboration Preferences

Hackers can now set which programs they’re open to collaborating on so that they can work with other hackers in finding vulnerabilities.

Collaborators Tab on the Security Page

We introduce the new Collaborators tab on the program’s security page, where you can see which hackers are open to collaboration and contact them.

Hacker Custom Fields

Programs can now create hacker facing [custom fields] to require specific information from hackers regarding the vulnerability they found. This speeds up the remediation process as it’ll minimize the back-and-forth between the hacker and the program in getting necessary information.

Custom Field Changes Tracked in the Report Timeline

Any changes to custom fields will now be shown in the report timeline. This enables programs to properly keep track of all changes to their custom fields.

Azure DevOps Integration

Enterprise programs can now integrate HackerOne with Azure DevOps to synchronize their HackerOne events to Azure DevOps and vice versa.

Support for Multiple Integrations

Programs can now set up multiple integrations with HackerOne and select which issue tracker they want to add a reference to.

Add Reference to Issue Tracker

We've updated the reference ID field for adding integrations with a new Add reference to issue tracker button to more clearly guide users with adding a reference to their integrated issue tracker.

Filter Programs by Bounty Splitting

You can now see which programs enable you to collaborate with other hackers in submitting vulnerabilities with the new Bounty splitting filter and label in the Directory.

Collaborations Filter in Hacktivity

We've added the new Collaborations filter in Hacktivity so that hackers can easily see which reports were collaborated on.

Export Reports to PDF

You can now export your reports to a PDF and choose to include the full timeline, the reporter timeline, or the triage summary when exporting.

Retesting Available by Default

All Professional and Enterprise programs can now participate in retesting as retests are now included by default rather than as a separate add-on. For Response programs using HackerOne's triage services, the triage team will retest the vulnerabilities to verify the fixes instead of hackers.

If you're currently running a Bounty or Challenge program, awards for retests will be paid from your bounty pool. If you're using the consumption tier to pay for your bounties, payments for retests will count towards the tier instead.

New Leaderboards

We’ve added new HackerOne leaderboards so that hackers can see who’s on top and where they stand in different categories of leaderboards.

In-report Remediation Guidance

Hackbot can now provide remediation guidance from MITRE to help programs with mitigating their vulnerabilities. Through this, programs can also provide their own custom remediation guidance to communicate to their internal team.

Triage Rating for Hackers

Hackers can now rate their triage experience for all managed programs they submit a report to. The ratings will be used to improve the triage experience for hackers.

Revamped Assigned To Filter

The Me filter for the Assigned to filter category now only shows reports that you are directly assigned to.

To see all of the reports that are assigned to you and the groups you are a part of, you can select the new Me and my groups filter.

Microsoft Teams Integration

We introduce the Microsoft Teams integration to all Enterprise programs. This enables Microsoft Teams users to keep up-to-date with what's happening in their program as they can now receive notifications of HackerOne report activities directly in their selected channels.

Bi-directional ServiceNow Integration

We now offer a bi-directional ServiceNow integration to all Enterprise programs. This will create a better workflow of remediating security vulnerabilities as ServiceNow users can synchronize their HackerOne reports to ServiceNow incidents and vice versa, from ServiceNow to HackerOne.

Revamped Gateway (VPN) for Hackers

We’ve revamped the HackerOne Gateway (VPN) for hackers so that hackers can now choose to connect between these 2 different Gateway locations:

• Oregon, USA
• Mumbai, India

This gives hackers the ability to work on a VPN instance with a lower latency, which improves their Gateway experience with a faster connection.

Report Transparency

We've increased report transparency for hackers by actively showing that their report is being looked at. This helps hackers to have more visibility in the triage process. To increase report transparency we show:

• The timestamp of the latest internal activity
• Defined labels of who is interacting with the report such as HackerOne staff
• Who is responsible for acting upon the report next
• Individual parameters used to calculate the CVSS score

Triage Ratings

Programs managed by HackerOne can now rate their triage experience. The ratings will be used to improve the triage experience for managed programs.

Pentest Ratings

We now enable pentesters to provide feedback about their pentest experience. Both pentesters and pentest programs can also provide feedback on the pentesters they worked with. This will enable pentesters and pentest programs to see what they've done well and/or how they can better improve.

My Feedback

We've added a new My Feedback section to the hacker settings where pentesters can see all of the feedback they've received from pentesters and pentest programs they've worked with. They can also elect to make their feedback public on their profile.

Testimonials

We've also launched a new Testimonials section on the hacker profile page where hackers can showcase their skills and the positive feedback they've received from other hackers.

Configure an Alternative Certificate for SAML

If you need to switch your identity provider or if your current SAML certificate is expiring, you can now configure an alternative certificate to avoid having to disable your SSO integration.

Webhooks

Enterprise programs can now utilize webhooks to build real-time integrations that subscribe to certain report and program events on HackerOne.

PagerDuty Integration

Enterprise programs can also now integrate PagerDuty with HackerOne so that each time an event is triggered in HackerOne, a PagerDuty incident can automatically be created.

Reputation, Signal and Impact Calculation Enhancements

We've made these changes to how reputation, signal and impact are calculated:

• The first 10 bounties of a program will now be rewarded with the BOUNTY_LOW reputation instead of the BOUNTY_MEDIUM. After 10 bounties have been paid out, a hacker’s reputation will be recalculated based on the standard deviation of the program’s mean bounty.
• Reports marked as Informative are now not included in the calculation of Signal.
• All hacker's signal for signal requirements will now be based on the last 365 days so that hackers won't be penalized for their past performance affecting their signal.

Inline Report CVSS Details

We now show the updated CVSS details within the report activity when a program decides to change the severity level of a vulnerability.

Resolution Target Date in Report Header

We've added a new Resolution Target field in the report header for all triaged reports. This enables members of the program's response team to clearly see when they should aim to resolve the report by. The date is calculated based off of what the program's response target settings are set to.

HackerOne Pentest

We've officially launched Pentests as a new product offering to help companies better secure their applications and meet regulatory compliance standards.

Explore

We've revamped the Response Targets dashboard and now call it Explore. Programs can now analyze their response targets, submissions and spend data, and Enterprise programs can also create benchmarks to see how they're doing in comparison to other programs.

SAML Authentication Updates

Programs can now verify and enable SAML authentication on their own without needing to wait for HackerOne to approve their SAML request. We've also revamped the SAML authentication page and added guided steps to make the set up more clear.

Domain Verification

We've also added a new Domain Verification page where programs can verify ownership of their domains for the set up of SAML authentication.

Hacker-Powered Retesting

We now officially offer Hacker-Powered Retesting which enables programs to request hackers to verify that their vulnerabilities have been fixed.

Revamped Report Submission Page

We've redesigned the Report Submission Page to have a sleeker look.

Report Preview Section

We've also added a new report preview section to the Report Submissions Page so that hackers can review their report details before submitting them.

Monthly Payouts

Hackers can now choose to receive their payouts monthly instead of daily, so that they can receive all their payments from the month in 1 batch payment.

Revamped Invitation Preferences

We've revamped the Invitation Preferences page with more options to specify and control your invitation settings.

Hacker Following

In order to keep up-to-date with your favorite hackers, we introduce the new Hacker Following feature. This enables you to keep track of your favorite hackers and to quickly see their activity on HackerOne.

You can filter the activity of the hackers you're following with our new Hackers I am following filter on the Hacktivity page.

We also introduce the Followed Hackers page on the Hacker Dashboard to help you manage the hackers you're following.

Dark Mode

You can now customize your HackerOne interface by choosing to view everything in dark mode. You can toggle your view experience by going to your profile drop-down.

Asset Labeling

Programs can now add specific labels pertaining to their assets. These asset labels provide more granular data about each program and the assets associated with it, which will help with matching hackers to specific programs.

Programs can add asset labels to these categories:

• Coding Language
• Framework
• Cloud and Infrastructure
• Database
• Content Management System
• Country
• Spoken Language
• Cryptocurrency

The labels will appear on your program policy page under Scopes.

Response Target Benchmarks

We introduce the new response target benchmarks dashboard that enables programs to compare their response times to those of other programs. This will help programs see what areas they need to focus on to improve their program.

Updates to CVE IDs

We've made these improvements to CVE IDs to help users get their CVE IDs faster and to simplify the publication process:

• Immediate CVE ID assignments: Users will no longer have to wait in getting their CVE IDs as HackerOne will now immediately and automatically assign a CVE ID to a request created through HackerOne.
• "Auto-Submission": We now offer the new Auto-submission option in the CVE request process that'll enable CVE requests to be submitted automatically for approval and publication when the attached HackerOne report is publicly disclosed.
• Publication Reminder Emails: HackerOne will now send users weekly reminder emails of their CVE IDs that have yet to publish an advisory.

Hacker Full Name and Addresses in Custom Agreements

Programs can now request hackers to provide their full name and address when accepting the Digital Custom Agreement.

Digital Custom Agreements

Hackers can now view their signed custom agreements on the new Digital Custom Agreements page within their profile settings.

Set up a Jira Integration without Jira Admin Permissions

To simplify the set up process, programs can now set up their Jira Integration without needing Jira Administrator permissions.

Control Visibility of Bounty Earnings

Hackers can now control whether they want their earnings to be visible on Hacktivity and their profile. Go to your profile's Settings > Account Preferences to manage your bounty visibility.

Linking Phabricator Tickets

Programs using the Phabricator integration can now link their Phabricator tickets to their reports on HackerOne.

Suggested Redaction in Report Comments

To better protect your sensitive information, we now provide a suggested redaction notification when your report comments contain sensitive information such as cookies, credentials, and authentication tokens.

Ability to Remove Jira References

Jira users can now remove a Jira reference on a report in case they linked the wrong Jira ticket or they need to escalate the report to Jira again.

Inbox Program Search

If you're managing or are a part of many programs, you can now search the inbox by program name with our new search field. The search field is visible for everyone who is a part of 5 or more programs.

New Program Filter: Bookmarked

We added the new Bookmarked program filter to the My Programs tab so that hackers can view their bookmarked programs on the same page.

Experience by Vulnerability Type

We added an Experience by vulnerability type section to the Overview page of the Hacker Dashboard so that hackers can see the analytics of which vulnerability types they're most successful in finding.

Modified Hacker Dashboard Layout

We modified the layout of the profile section of the Hacker Dashboard and also expanded it with metrics on resolved reports that enables hackers to understand the percentage of their report submissions that are resolved.

Hacker Profile Redesign

We've redesigned the hacker profile page to simplify the UI. In doing so, we've deprecated the Thanks tab and put the Thanks section at the bottom of the profile page.

New Settings on Notification Preferences

We've revamped the Notification Preferences page and added new settings so that all users can better customize their report notifications to reduce noise from unwanted notifications.

Program Page Bookmark and Subscribe Buttons

We've deprecated the Follow button on the Program Page and replaced it with a Bookmark button. We also moved the Subscribe button from the bottom of the Program Page and moved it to the top next to the new Bookmark button so that hackers can easily subscribe to program updates and add programs to their bookmarked program list on their dashboard.


API Enhancements

We've released the following improvements to our API:

• Filtering reports by weaknesses
• Filtering reports by severities
• Fetching program payment transactions
• Getting a program's balance
• Fetching a program's thanks items
• Updating report structured scope
• Filtering reports by keywords
• Fetching awarded program swag
• Fetching bounty suggestions
• Fetching program policy and attachments
• Requesting and cancelling report disclosure
• Redacting reports
• Groups attribute to member object
• Uploading attachments to the policy page

API Enhancements

We've released these new endpoints to our API:

• Ability to mark a report as ineligible for a bounty
• Marking swag as sent

API Enhancements

We've released these new endpoints to our API:

• Ability to create a report
• Ability to change the weakness on a report
• Ability to fetch all weaknesses for a program
• Ability to update policy of a program

Program Hover State Profile

You can now better preview programs when hovering over program names with our revamped hover state profile popup. You can quickly view important information regarding the program when hovering over the program name on these pages:

• Hacktivity
• Directory
• My Programs
• Pending Invitations
• Bookmarked Programs
• Hacker Dashboard

Newly Designed Program Profile Page

We've redesigned the program profile pages to give them a sleeker look.

Link Burp Suite with the HackerOne Scope

It can take a long time to set up Target Scope in Burp Suite, especially for programs with long or complicated scopes. Now you can download a Burp Suite project file to link HackerOne scope to the Burp Suite Target Scope.

Bounty Eligibility Indicator on Structured Scopes

We've updated the structured scopes table on the program policy page with a new bounty eligible and ineligible icon to clearly show which assets are eligible and ineligible for bounties.

Internal Attachments

You can convert attachments to be internal for all redactable reports in the Convert attachments to internal-only section when redacting a report.

Program Notifications

After the beta launch in March, all hackers can now subscribe to receive notifications from program updates.

Notification Preferences

You can also now set your notification preferences under the new Notification Preferences page in your user settings.

Mentions Filter

Easily find all reports you've been mentioned in to keep track of which reports need a response from you with our new mentions filter.

Custom Fields

After the beta launch in March, custom fields is now available to all Enterprise programs.

Mark a report as ineligible for bounty when awarding swag

We introduce the new Also mark as ineligible for bounty checkbox so that programs can now mark a report as being ineligible for bounty when awarding swag.

Programs are also able to now award swag to reports that are marked as ineligible for bounty.

Notifications Bell Icon

Say goodbye to the old notifications indicator next to your profile icon. We introduce a new bell icon to notify you of any new notifications. If you have more than 25 unread notifications, we've truncated the notifications number to be capped at 25+.

Saving the Inbox Sort Order

Say goodbye to having to always re-select how you want your inbox sorted. Your selected sort order will now automatically save when creating your custom inbox view.

Submission Date Filters

You can now filter through your inbox reports by submission date in order to quickly find reports submitted after or within a certain time.

Group Members Filter

The new Group Members filter enables you to search for reports by individual members within a group. Previously, you couldn’t see which members were assigned to which reports within the group. This enables you to better keep track of reports and the individuals assigned to them.

Goodbye to the Insights Tab

We’ve deprecated the Insights tab from program pages.

Program Dashboard

We’ve revamped the Program Dashboard with new metric tables and charts that give better insight into reporting and analytics for programs.

Enhancements to the Jira Integration

We've added these improvements to the bi-directional Jira integration:

Additional Fields

The HackerOne to Jira escalation template now includes all additional fields that are either a type of string, number, or date. This enables Jira users to have all fields in Jira be mapped to a value from the HackerOne report. All available Jira fields will automatically be pulled from the selected issue type.

Sync Attachments

Jira users can now sync attachments from their HackerOne report to Jira by selecting Synchronize attachments in the Select HackerOne to Jira events section when configuring their Jira integration.

Automated Report Closure

Jira users can now select which Jira closed issue status should result in the closure of the HackerOne report.

Severity to Priority Mapping

With severity to priority mapping, Jira users can map HackerOne severity ratings to the priority fields they have in Jira. This enables the right priority to be set when escalating a report to Jira.

Updates to the Hacker Dashboard

We've revamped the My Stats section of the Hacker Dashboard with expanded graphs where you can view your bounties, reports, and reputation over time. We've also included a new My top earning programs section to help hackers see which programs they're earning the most bounties from.

Notifications Checkbox

Programs can now select to notify their subscribers of changes in their Policy and Scope settings pages with our new Notify subscribers of changes checkbox. The checkbox can be found for changes to these pages:

• Policy
• Scope
• Bounties

Bounty Table Versions

You can now view previous changes made on bounty tables for all programs to see what's been changed over time with our bounty table versions page. Click on View changes on the Rewards section of the program policy page to access the versions page.

Custom Fields (beta)

We introduce custom fields to enable programs to add custom information to their reports to help them better manage and analyze their internal data by the categories that they define to be important. This feature is only available for Enterprise programs.

Custom Fields on the API

We've also added custom fields to the API to enable programs to search and filter reports by custom field values.

Program Notifications (beta)

Select hackers now receive program notifications to all program updates via the product and email for changes to the:

• Policy
• Bounty table
• Scope
• Hacker messages

We've also implemented a new Subscribe button on the policy page to enable hackers to easily subscribe to program notifications. Note: The button is currently viewable for select hackers.

Deprecation of Custom Recipients for Messaging Hackers

We've deprecated the Custom recipient field on the Message Hackers page as the feature wasn't found to be very valuable for programs.

Retesting Bundles

Programs can now opt-in to purchase a bundle of retests with their HackerOne subscription. With bundles, programs are no longer charged the processing fee for each bounty, and can also opt-in to purchase more retests when they run out.

My Programs

We’ve renamed the Accepted Invitations page on the Hacker Dashboard to now be called My Programs. We’ve also revamped the page so that hackers can better manage all of the programs they’re a part of by including:

• More filtering options
• Sorting
• A search bar
• A My stats section for each program where hackers can see their personal statistics for the program

Overview

We've renamed the Getting Started page to now be called Overview. We provide new hackers that haven't submitted any vulnerabilities with a getting started checklist with 4 tasks to complete to guide them to be more successful on the platform.

Hacker Statistics

After hackers have submitted their first vulnerability, they'll be able to view statistics for these personal metrics on their Overview page:

• Number of valid reports
• Bounties earned

Getting Started

We introduce the new Getting Started page on the Hacker Dashboard. This will guide hackers and direct them to the right pages to help them get the information they need to successfully start out on HackerOne

Export All Reports

Want all of your report data for safe keeping or just for analytical purposes? Programs can now export all of their reports through our new Export Reports feature.

Link HackerOne Reports to Existing Jira Tasks

Jira users can now link their HackerOne reports to their existing Jira tasks.

Selecting From Multiple Jira Projects

Jira users can also now select from multiple projects they want their Jira task to link to.

Indian Rupee Payments

Hackers in India will no longer lose a portion of their bounty to transfer fees as we now support payments to Indian Rupees.

Improved Sign Up Page

When new users sign up to use HackerOne, they can can now more clearly distinguish whether they are a hacker or a company wanting to set up an account.

Account Preferences

You can now clearly define whether you're a hacker or someone running a program within the new Account Preferences tab under your profile settings. This will help tailor your HackerOne experience to better fit your needs.

Infinite Scrolling

We've now implemented infinite scrolling on multiple pages so that you no longer have to click on the Load more button to view more information. The information now automatically populates.

Global Launches

We've globally launched these 2 previously beta features:

• Credential Management
• Disclosure for Private Programs

These features are now open for qualifying programs to opt-in to.

Revamped Directory

We've totally revamped our directory page so that you can better search and view programs. You can now filter your search results by program features and by asset type, and we also enable you to view various stats for each program on one page.

Program Bookmarking

You can now bookmark your favorite programs on the directory by starring them.

Hacker Dashboard

Our new Hacker Dashboard enables hackers to better manage and review their:

• Accepted Invitations
• Pending Invitations
• Bookmarked Programs

Hacktivity Search

We now enable you to search within Hacktivity. You can search for reports regarding programs and weaknesses you're interested to read about in the search bar to better learn how specific weaknesses were exploited in various programs.

Disclosure

We've deprecated the term "Public Disclosure" and now simply just call it Disclosure.

Disclosure for Private Programs (beta)

Private programs can now opt-in to enable hackers to disclose reports to other hackers within their program. Upon disclosure, contents of the report will only be visible to participants within that private program. This enables hackers to share their vulnerability findings with other hackers in the program, and can also increase awareness for other hackers as they can better see what vulnerabilities have already been found for the program.

Cancel Disclosure Request

We now enable you to cancel disclosure requests. You can cancel your own requests, and hackers and programs can cancel the requests they receive from one another if they choose not to disclose a report.

Hacker101 CTF Integration

Hacker101 CTF is now linked to your HackerOne account. Every time you earn 26 points in the CTF, you’ll be put in the priority queue to receive invitations to private programs. We also enable you to create your own groups to manage hackers working through the CTF.

Activities API Endpoint

We added a new activities API endpoint that enables you to fetch all activities of your program incrementally by time. Learn more about the activities endpoint.

HackerOne Gateway (VPN)

Hackers can now configure the HackerOne Gateway (VPN) and access their Gateway (VPN) credentials for Gateway (VPN) enabled programs.

Retesting

We've globally launched our retesting feature so that all programs can now initiate retests on any of their resolved reports. Invitations for retests now expire after 24 hours, and hackers are now required to provide a short summary of how they retested the vulnerability. Hackers can also provide attachments of their findings.

Retesting (beta)

Programs can now elect to invite hackers to retest their vulnerabilities to verify fixes. Each hacker that participates in the retest will receive a $100 bounty upon completion. Learn more about retesting.

Submission Requirements: Two-Factor Authentication

Programs can now require hackers to have two-factor authentication enabled in order to submit new reports to their program.

We've also renamed the Signal Requirements page under Settings > Program > Hacker Management to now be called Submission.

Embedded Submission Form

Programs can now embed the HackerOne report submission form onto their own website. This enables hackers to submit reports without having to create an account on HackerOne. Learn more here.

Sessions

Anyone can now review and manage their active HackerOne sessions on all of the devices they're signed in to on the new Sessions page.

Credential Management (beta)

We've enabled the beta Credential Management feature so that select programs can share credentials with hackers through the HackerOne UI. This enables hackers to quickly retrieve the credentials needed to find vulnerabilities.

Bug Fixes

• Your active HackerOne sessions will no longer end prematurely. Sorry for that annoyance!
• We've also fixed the "Remember me" bug. Your login credentials will actually be remembered for 2 week periods so that you don't have to repeatedly log in in order to access your account.

Publishing External Vulnerabilities

We now enable hackers to publish their findings from external sources that don't have HackerOne programs. Click here to learn more.

Two-Factor Authentication

Hackers now have the ability to set up two-factor authentication to add an extra layer of protection to their accounts.

Inbox Filters

Programs can now filter reports with these new inbox filters:

• No weakness
• No asset
• With references
• Without references

Insights (beta)

We introduce the insights page to provide hackers with helpful statistics about programs they're contemplating to hack on. The information is provided to help hackers focus their efforts on the right assets for the right programs. Categories of insights include:

• Bounties
• Reports
• Hacker Participation
• Top 10 vulnerabilities
• Scope Severities

Hacker Email Alias

All hackers now have an email alias that forwards emails to the email address they’ve registered with on HackerOne. This provides an easy way for programs to contact you in order to share credentials and information without having to access your actual email address.

Sort Notifications

You can now sort notifications from oldest to newest and vice versa.

Hacktivity Redesign

We've revamped the look of our Hacktivity feed so that it has a sleeker design. We've also deprecated the Top tab on Hacktivity.

Bug Fixes

• Hackers that have submitted a report and left the program can now revisit the report without seeing any errors.
• The reworded the notification for invites to private programs so that it's clear that it's an invitation.

Reputation on Triage

No need to wait for reports to be resolved in order to increase reputation! We now enable hackers to gain reputation whenever their reports are marked as Triaged.

Bounty Tables

Instead of having programs manually create their own bounty table on the policy page using tedious markdown, we now enable them to easily generate their own bounty table with our new bounty table tool.

Hacker Feedback Dashboard

We introduce the new Hacker Feedback Dashboard where private programs can see the total feedback their program has received from hackers along with the reasons they’ve declined to participate in their program. The feedback can be viewed at Dashboard > Feedback. Learn more about the feedback dashboard.

Triggers

We've revamped our triggers functionality so that you can:

• Preview matches for a new trigger
• Add And/Or conditionals to make the trigger more flexible
• Edit or build off of default triggers

We've also updated the design so that you'll have a better user experience.

Response Targets

We’ve deprecated the threatening term, Response SLA and replaced it with the more friendly terms, Response Targets and Response Standards. Learn more about these new terms.

We’ve deprecated the SLA Violations inbox view and changed the name to Missed targets. The inbox filters are also now Missed response targets and Missed response standards instead of SLA violation reports and SLA Fail reports.

We introduce 4 new inbox labels for reports that don’t meet response standards or targets. The labels are: Response, Triage, Bounty, and Resolve. These labels replace the previous SLA Fail and SLA Miss labels.

The fields on the Reponse Target performance section of the Program Health dashboard have changed to On target, Missed target, and Missed standard. The missed target line is also taken off of the Average Time to Resolution graph on the dashboard.

Response Efficiency Indicators

We’ve modified response efficiency indicators so that:

• They now let you know the program’s percentage of reports that meet response standards instead of the number of reports that are failing or missing SLAs.
• The indicator and metrics are visible even when a member of the program is signed out.
• The orange response efficiency indicator is now changed to yellow.
• The indicator now occurs at the bottom of the metrics chart instead of at the top.

Time to Resolution by Severity

We now enable you to set your Time to Resolution response standards by severity. Learn more here.

Invitations Toggle

Programs no longer have the ability to toggle invitations on or off with the On/Off button. The equivalent action to turn invitations off is to set the report volume to 0 if they no longer wish to engage with new hackers. To turn invitations on, just increase the report volume to be greater than 0.

Policy and Scope

Policy and Scope now have their own separate sections under Settings > Program.

Bug Fixes

• The Managed label no longer shows up on the directory for programs with expired triage subscriptions.
• The response standard percentage now displays when the display option setting is enabled. There were some incidences where it didn’t show in the past.
• When a large user profile photo is uploaded, an error message is now given to the user to notify them that the upload has failed.
• Social sharing icons on public programs are now aligned and work properly without any weird spacing issues between the icons.
• Hackers no longer receive automatic invitations for programs they’ve left.

The 90 Day Leaderboard

The new rolling 90 day leaderboard ranks hackers based on their score from this calculation: Reputation x Signal Percentile x Impact Percentile.

Needs More Info

When a program member adds a comment to an open report with a question mark, Hackbot will prompt them asking if they want to change the state of the report to Needs more info.

Response Efficiency Timers

Response efficiency timers no longer trigger for reports submitted by internal members of the program.

Auto-Invites for Controlled Programs

Programs in controlled launch mode are no longer able to toggle auto-invites as on or off. To change their settings for invitations, they can contact HackerOne support.

Bug Fixes

• URLs in the report title are now wrapped so that they aren’t crossing out of the inbox.
• The Program Health Dashboard now displays 0 instead of N/A when there are no missed or failed reports.
• When a hacker leaves a program that they got invited to through the email forwarding feature, they won’t be placed in the priority queue for leaving that program. This prevents hackers from harvesting a ton of private invitations.
• Hackers now don’t receive invitations to programs they’ve left.
• When hackers received an invitation to claim a report, they couldn’t see or accept the terms of the program. Now they can actually claim the report and see the terms of the program.

Invitations

We’ve improved the way programs can manage their invitations to hackers. You can now set a report volume target where we’ll monitor and manage your hacker invitations to help you meet your report goal.

The Invite Hackers tab under Settings > Program > Hacker Management has been renamed to Invitations.

The Invitations page includes the new Report Volume field where you can enter the number of reports you'd like to receive in 30 days.

Read more about Invitations.

Needs More Info

Reports in the Needs More Info state that haven’t been responded to within 30 days automatically get closed with no negative impact to the hacker’s reputation.

Self-Controlled Launch

Response Programs in Controlled Launch that meet all of the success criteria are now prompted to publicly launch their own program through following the Setup Guide or through email notification.

Response SLA Settings

Response SLA settings are now applied to all reports and not just reports created after modification to SLA settings.

Response SLA settings are also now incorporated into Controlled Launch for Response programs. Programs must’ve received at least 10 reports and invited 100 hackers while maintaining healthy responsive times before launching publicly.

Program Health Dashboard

The new Program Health Dashboard helps programs track their Response Efficiency Metrics and Response SLA performance. Go to Dashboard > Program Health to view your metrics.

Response Efficiency Indicator

Programs can now see their response efficiency indicator in their program dropdown. This enables them to see their response efficiency status without having to visit their security page.

Bug Fixes

• Invite notifications don’t show up again for expired, declined, and duplicate invites.
• The questions on the Invitation Rejection Questionnaire and the Leave Program Questionnaire no longer show duplicates.
• The Time to Bounty timer now pauses when a report is closed as either N/A, Duplicate, Informative, or Spam.
• The red response efficiency indicator tooltip now correctly states that the program has failed SLAs instead of missed SLAs.

In-Product Notifications for Invites

The notifications corner now pings hackers about new invitations.

Invitations on the Program’s Profile

Hackers can also see their invitations on the program's profile page. This reminds hackers of their invitation when they go to look at the program.

Pending Invitations Page

The new Pending Invitations page enables hackers to view all of their pending invites in one place so that they can see all the invitations they need to take action on.

Rejection Questionnaire

When Hackers reject an invite, they are given the opportunity to fill out a questionnaire to provide HackerOne with feedback on why they decided to reject the program invitation. The questionnaire shows up directly after hackers reject the invitation.

Leave Program Button

The Leave Program button is updated to be on the sidebar of the program’s security page. Hackers that leave the program also also get an invitation to fill out the rejection questionnaire.

Priority Queue

Hackers that submit the rejection questionnaire are placed at the top of the queue for the next program invitation they qualify for.

Private Invite Notification

The notification to private invites is updated so that it doesn't look like a program member invite.

Response Efficiency Box

The Response Efficiency box is updated on the program security page to show that metrics are averages of the last 90 days.

Response Efficiency Indicator

There is now a response indicator in the Response Efficiency box of the program's security page to show how healthy a program is. The indicators are either green, orange, or red dots.

Bug Fixes

• Hackers are no longer redirected to a deleted program after every login.
• Programs can mark reports as being ineligible for bounty even though a hacker account is disabled.
• The program health alerts are fixed so that you're not getting alerted when you have 0 reports failing SLAs.
• Old resolved reports are no longer marked as SLA Fail or SLA Miss.

Human Augmented Signal

We enable programs to utilize the expertise of HackerOne Security Analysts to review those pesky invalid reports so that programs don’t have to deal with them. Learn more about Human Augmented Signal.

Response SLAs

You can now set your response service level agreements (SLAs) for time to first response, time to triage, time to bounty, and time to resolution. What do all these terms mean? Find out here.

Response Efficiency Indicator

We now display a colored indicator on a program's security page to show hackers how responsive a program is to report submissions.

SLA Inbox Labels

If you forget which reports aren't meeting your response SLAs, we now have SLA Miss and SLA Fail labels as well as a new SLA Violations view in your inbox to show which reports need action.

Pausing Report Submissions

Want to take a break or need time to catch up on existing reports? Programs can now pause from accepting new report submissions.

Inline Image and Attachments on the Security Page

We now enable you to attach pictures and other files to your policy. Simply go to your program's Settings > Policy and there will be a field where you can upload your files. We've got a nice giph on ours. Check it out.

Controlled Launch for Response Programs

We've revamped the on-boarding experience for new response programs by guiding them through a step by step setup process that prepares them for public launch.

Report Submission Template

What...do...I...write? We've updated the blank report submission form with a template of what a good report write-up should entail. This'll guide hackers on how to write up a good report.

Directory Icons and Program Badges

The Directory page now includes pink and purple lightning icons to highlight programs that are:

• Fast to respond with a first response in <48 hours on average
• Fast to award by giving a bounty <14 days after submission

We also include a Managed badge to identify programs that are managed by HackerOne.

Paying out Bounties via the API

Organizations now have the ability to payout and suggest bounties and swag using their internal systems via the API. You can view the API documentation for this here.

Slack Integration 2.0

We've revamped our Slack integration so that programs can have:

• Granular notification filtering
• Support for multiple channels
• Notifications when a username is mentioned

Read our blog post and learn how to set up Slack integration.

Bounty Splitting

We now enable programs to have this feature that enables hackers to split bounties with other hackers that helped them find the vulnerability.

Bank Transfers via CurrencyCloud

Hackers can now receive payments through Bank Transfers via CurrencyCloud. This enables them to get paid out in 30 different currencies to almost any country in the world.

Scope

Programs can now define their scope and the list of assets they want hackers to test. This controls what reports can be submitted and helps to prevent noise. Don’t know what a scope is? Learn more here.

Hacker Reviews

Programs now have the ability to review their hackers and to comment on their behavior. Learn more about hacker reviews.

Bi-Directional Phabricator Integration

We now provide programs with a two-way integration that syncs changes between HackerOne and Phabricator.

Hackathon Inbox Filter

During hackathon events, programs can now filter reports in their inbox specific to the hackathon so that these reports can be focused on.

Onboarding Changes

We’ve updated the words programs encounter when they onboard onto our platform to reflect our new product changes.

Admin Notification Control

Program administrators now have the ability to enforce notification settings for all members of their program. This ensures that members only receive notifications for the reports they’re subscribed to, instead of being spammed for things that don't apply to them.

Automated Daily Coinbase Payouts

We’ve automated our daily Coinbase payouts so that we don’t have to manually do the work and all hackers receiving payments through Coinbase will be paid at a consistent time every day at 11pm UTC.

Bi-Directional Jira Integration

We now provide a bi-directional Jira Integration where Jira users can sync specific workflows from Jira to HackerOne and vice versa, from HackerOne to Jira.

Move Report Between Programs

Organizations running multiple programs are now able to transfer reports between programs to make sure the vulnerability is associated with the correct program.

Filter Reports by Weakness

You can now filter your reports by specific weaknesses in your inbox.

Beta Hacker VPN

We've implemented a hacker VPN that:

• Controls traffic to in scope program assets
• Enforces granular access controls with a 1:1 mapping between an individual hacker and a static IP
• Pauses individual hacker access without interruption to the overall program
• Integrates with a program's monitoring tools to have full visibility into program activity

Contact HackerOne to participate in this beta.

Personalized Invitation Messages

Hacker invitations can now be personalized with a personal message to the hacker(s) receiving the invitation.

CWE Weakness for Vulnerability Types

We've updated our vulnerability taxonomy to include a more complete weakness suite based on the industry-standard Common Weakness Enumeration (CWE). This provide a much more complete and accurate description of a reported vulnerability, and more importantly, it adopts a common language that is endorsed by the security community.

Disclosure Assitance with Vulnerability Report

HackerOne will now triage and validate disclosure assistance vulnerability reports by severity in order to expedite the disclosure assistance process.

"Needs First Response" Inbox Filter

We’ve added a ‘Needs first response’ filter to the inbox so that all reports that are still waiting on a public response to the hacker. This helps programs to optimize their time to first response.

Award Bounty for External Reports

All program users of the HackerOne API are now enabled to choose to award a bounty for a report that was submitted externally to their HackerOne Security Inbox.

Custom Integrations for Non-Financial Bounties

We now provide native support for custom integrations with non-financial reward programs such as paying bounties in airline miles. The first user of these new rewards is Lufthansa, which awards bounties in the form of their “Miles and More” program. Please contact your Account Manager for additional information.

Report Trigger Matches

We now surface report trigger matches in internal comments to help programs triage a report faster.

Security@ Email Forwarding

We enable vulnerability emails sent to programs’ security@ emails to automatically be forwarded as a report in your HackerOne inbox.

Custom Inbox Views

We now enable users to create and save their own custom View in their inbox.

Trigger for Low Bounty Balance

We now enable programs to set up a trigger for when their balance falls below a certain amount.

Inline Video Attachments

We now enable hackers to attach videos to their vulnerability reports.

Clarify Public Launch Expectations

We now set clearer expectations for self-managed programs that decide to publicly launch their program without having met the launch criteria. We supply warning messages showing that the program hasn’t met the recommended criteria and also require them to select the checkbox acknowledging that they haven’t met the criteria but still want to launch publicly.

Bounty Statistics

When programs award a bounty, we now automatically show them the median, competitive, and top level bounty across the platform for the severity of the vulnerability they are awarding a bounty for. This helps programs to gauge their reward competitiveness and to be as consistent as possible in awarding bounties.

Filter by Severity

We now enable programs to filter reports in their inbox by severity.

Redact Sensitive Information from Reports

Programs can now redact sensitive information from reports in a self-service manner.

Program Updates

We’ve created a new Program Updates tab on the program security page. Programs can publish and persist updates to their hackers like a mini blog on this tab.

Monthly Digest Report

We’ve implemented monthly digest report emails so that if a user is a member of an active HackerOne program, they’ll be able to see how their program is performing and gain insight into any changes to their program. They’ll receive this email every first business day of the month.

Hacker Skills

The new Hacker Skills feature enables hackers to identify their skill set which enables them to qualify for invitations specific to their skill sets. Each skill a hacker puts will be verified by HackerOne.

Configure SLAs for Triage and Resolution

We enable programs to set internal Service Level Agreements (SLAs) by configuring the amount of time that can elapse before a report is marked for their program.

Change Report State via API

We enable you to change the state of a report through utilizing our API.

Export as .zip

We provide a new export option where you can download the contents of the report and all attachments in a single zip archive.

Hackbot Improvements

We’ve improved HackBot to suggest single-click actions, such as:

• Creating a common response
• Integrating with an issue tracker
• Creating a trigger

CVSS for Severity

We introduce the ability for both hackers and security teams to set severity via CVSS. Read our blog post or docs article to learn more.

No Attachment Warning

We now display a warning message if your report references an attachment but no attachments are found.

Hacker Profile: Thanks Page Improvements

We’ve totally revamped our Thanks page on the hacker profile so that all the programs hackers have made contributions to, are now listed in the order of most reputation earned. We also display for each program:

• The number of valid and closed reports the hacker has
• The reputation earned
• The rank of the hacker

Lock Reports

You can now lock reports to prevent new comments on publicly disclosed reports.

Assign Report Through API

Programs can now assign reports to team members using the API. See the API documentation for how to assign a report here.

Notifications Page

We’ve created a notifications page so that you can have a clear overview of your notifications. Go to https://hackerone.com/notifications to see your notifications.

Filter Inbox by Program

Hackers can now filter reports in their inbox by program using the Reported to field so that they don't have to filter through reports with their own eyes.

Report Submission Template

Programs now have the ability to further customize their report submission form by choosing and customizing a report template that pre-populates the Issue information field. Learn more about report templates.

Billing Page Improvements

We’ve updated the Billing page so that programs can now:

• Filter by date ranges
• View partial invoices of the current month
• View balance and credit amounts

Edit Vulnerability Type

Programs can now edit the vulnerability type of a report after the report has been submitted. This is to correctly associate a report with the right vulnerability type if a hacker selected the wrong one.

Policy Versioning

Hackers can now see when the policy was last changed and view all policy changes on a program’s Security Page.

No More Negative Reputation for “Needs More Info”

We’ve adjusted our reputation system so that reports marked as “Needs More Information” doesn’t result in a -1 reputation hit.

Hacktivity on Hacker Profiles

We now display all reports hackers have on hacktivity onto their profile page.

Hacktivity Upvoting

Users can now upvote reports that they’re interested in in order to create a “Popular” sorting on Hacktivity where reports with the most upvotes are featured on top.

Hacker Leaderboard

We’ve deprecated the Thanks page at https://hackerone.com/thanks and turned it into a hacker leaderboard that’s segmented into more granular time periods and sortable by Signal, Impact, and Reputation. See who’s on top here.

Badges

Hackers can now receive badges when they meet certain criteria or achieve certain events to showcase on their profile.

API Documentation

We introduce the first version of the HackerOne API to empower programs to build custom metrics and dashboards. Learn more about our API Documentation.

UI Improvements to Default Automatic Invitations

We’ve cleaned up the UI to Invite Hackers so that it’s clear that there’s a single call-to-action to privately launch a program by turning automatic invitations on.

Security Page Metrics

Programs now have the ability to publicly share Time Metrics and Reward Metrics. These metrics include:

• Mean Time to Response
• Mean Time to Resolution
• Mean Time to Bounty
• Mean Bounty Amount
• Median Bounty Amount
• Total Bounties Paid

Credit Card Payments - Stripe Integration

We now enable programs to make payments using their credit card through our Stripe Integration.

Automatic Invitations for Private Programs

We now enable private programs to configure a minimum threshold for their report volume under which new hackers will be automatically invited.

Hacktivity Redesign

We’ve redesigned Hacktivity so that we surface educational reports from interesting hackers.

Hacker Header on Reports

All reports now include a header with summarized stats on the hacker who submitted the report. The new header fields include:

• The hacker name
• Reputation
• Rank
• Signal
• Signal Percentile
• Impact
• Impact Percentile

Mutual Disclosure of All Reports

All reports, including those marked as Not Applicable, Duplicate, and Spam can now be publicly disclosed when both the hacker and the program agree to disclose the report.

Request Mediation for Hackers

Hackers can now request mediation when they get into a disagreement with a program’s security team.

Filter Directory by Programs Offering Bounties

Users can now filter the directory by programs offering bounties. Type bounties:yes into the search bar to only view the bounty programs in the directory.

Threading for Notification Emails

We now support message threading for notification emails so that similar emails are grouped together.

Award Bonus

We introduce the ability for programs to award a structured bonus in addition to the standard bounty for a vulnerability. Read about it in our blog.

Improved Rate Limiter & Signal Requirements

We give programs the ability to tune the Rate Limiter by specifying minimum Signal Requirements for hacker participation. We’ve also updated the Rate Limiter to incorporate additional intelligent inputs.

Hacker Invitations by Priority

We’ve overhauled the hacker invitation process so that hackers with the highest Reputation, Signal, and Impact will have a greater likelihood of being invited to private programs. Read our blog post to learn more about how invitations work.

Inline Image Attachments

We enable programs and hackers to now add inline image attachments to reports and comments.

Hacker Invitation Preferences

Hackers now have the ability to manage their invitation preferences for private programs. They can opt-out of receiving invitations entirely or choose to only receive invites to programs that offer bounties.

Custom Vulnerability Types

Programs can now customize their report submission forms with their own introduction text and the ability to hide and disable vulnerability types.

Hacker Thanks Page

Hacker profiles now include a Thanks page that lists all programs the hacker has submitted vulnerability reports to. For example, check out: https://hackerone.com/atom/thanks

Signal & Impact

We introduce Signal and Impact so that there can be a more granular understanding of hacker performance. Read our blog post or check out our doc to learn more.

New Default Views

We add these new default views to the inbox to better organize reports:

• Triaged
• Assigned to me
• Pending disclosure
• Pending bounty

Protective Disclosure

If the response team has evidence of active exploitation or imminent public harm, they can immediately provide remediation details to the public so that programs can take protective action.

Preview Image Attachments

Programs and hackers can now preview image attachments on the report form.

HackerOne Success Index

We introduce the HackerOne Success Index - a method to measure the effectiveness of HackerOne-powered vulnerability disclosure programs. The index calculates 6 dimensions by which programs can benchmark their success each month. Learn more here.

Disclosure Assistance

We provide hackers with the ability to request help in contacting an organization with a vulnerability through Disclosure Assistance. This enables HackerOne to take steps to identify the organization’s official vulnerability reporting process. Read more in our blog.

Trigger: Show Interstitial

We’ve updated our triggers functionality so that an interstitial shows prior to report submission. This helps hackers to avoid the submission of a number of out-of-scope or commonly reported false positives.

Automated Scanner Detection

We’ve updated our report classification engine to detect common outputs from automated vulnerability scanners that are frequently flagged as invalid. This enables the quality of report submissions to improve as hackers can check the report before submission.

Single Sign-On: SAML

We’ve improved our Single-Sign-On (SSO) options with support for SAML. Response teams using an SSO provider to authenticate can use those services for centralized authorization and identity management.

Suggest a Bounty

There’s now a reward suggestion functionality where program members can suggest bounty amounts. This enables programs to more easily arrive at a consensus regarding award amounts.

Report Abuse

If any disagreements or discussions arise regarding a report, hackers and programs can now request mediation and our experts will provide guidance on the situation.

Group Assignments

The group assignments feature enables programs to assign reports to a team rather than just to an individual so that multiple people within a team have the ability to pick up the report.

Improved Report Meta Data

We’ve updated the styling between the report meta data and the summary/timeline so that the report meta data is now collapsible.

Integrations

We’ve added integrations with:

• Slack
• Redmine
• Freshdesk

Read more about how these integrations work here.

Vulnerability Coordination Maturity Model

We introduce the Vulnerability Coordination Maturity Model which helps programs increase their dependence on internet-connected software. Learn more about this model in our blog post.

Integrations

We’ve added integrations for ServiceNow and Assembla.

Tax Forms

We’ve integrated tax forms into our product so that hackers can quickly sign them to get paid.

Permissions

HackerOne program administrators can set access rights for different team members who might play different roles on your team. Learn more here.

Message Hackers

With our new Message Researchers feature, programs can now send messages directly to hackers to update them on scope changes, bounty awards, or to just connect with them.

Disclosure: Limited Timeline and Summary

When an organization chooses to publicly disclose a vulnerability report, there’s now the option to write a summary along with a partial timeline.

Directory

We introduce the HackerOne Directory - a community-curated resource to identify the best way to contact an organization’s security team.

GitHub Integration

We now enable you to integrate HackerOne with GitHub.

Disclosure Summary

Programs and hackers can now summarize the content of a public disclosure in the summary field.

Dashboard Metrics

We’ve added additional metrics on the program dashboard.

Swag

We now enable programs to award hackers with swag or physical objects.

Hackbot: Duplicate Detection

Hackbot is now able to detect duplicate and related reports to help programs associate and close reports more quickly.

Self-Close Reports

We now enable hackers to self-close their own reports if they discover that it’s no longer relevant. This won’t impact their reputation.

Closing Spam Reports

We now provide the ability to close out a report due to it being spam or inappropriate.

Merge Duplicates

Programs can now merge duplicate reports and add hackers to the original report.

Trigger: Add Comment

We introduce the new trigger option to post a public comment on the report.

Reputation

We introduce Reputation - a system that gives additional recognition to the best researchers. A hacker’s reputation measures how likely their finding is to be immediately relevant and actionable.

Integrations

We introduce these 2 new integrations with HackerOne:

Trac

Zendesk

Security Inbox

We’ve redesigned the security inbox to enable faster bug processing for programs. The new inbox enables programs to open reports inline so you don’t have to click backward or forward to navigate between reports.

Dashboard

The new dashboard enables insight into your security response posture. This enables programs to be on top of response time, stale issues, pending disclosures and more.

Bulk Actions

We improve our bulk actions functionality so that it’s easier to apply the same action to multiple reports with a single click.

Keyboard Shortcuts

We introduce keyboard shortcuts to make the workflow more efficient with a faster navigation.

Search

Our new inbox filtering search functionality enables programs and hackers to quickly target the bug they're looking for without having to scroll through their inbox.

Integrations

We introduce these new integrations with HackerOne:

MantisBT

Bugzilla

Jira

Phabricator

Trigger: Change State

We introduce the new trigger option to change the report state to Needs more info.

Data Export CSV

We enable programs and hackers to export their reports as .CSV files to enable them to quickly generate a spreadsheet of selected reports with key details.

Security IP Allowlists

We enable programs to configure IP allowlists to control which IP ranges their program members must be coming from in order to access HackerOne.

Invite-Only Programs

We introduce private programs to hackers that are only accessible through invitations.

Bitcoin

We now support hackers to receive payouts through Bitcoin.

Data Export JSON

Programs and hackers can now export their reports as JSON files.

Two-Factor Authentication

Program members can now set up two-factor authentication to securely log in to HackerOne.