Program Security Page Updates
This release brings a series of substantial updates to the Security Page designed to increase transparency and enhance the user experience.
What we did:
Deviations with Reasons: Customers can now specify reasons when deviating from Platform Standards, which are displayed to hackers for increased transparency.
UI Enhancements: Updated the right sidebar with helpful information and made it collapsible!
Program Response Efficiency: Highlighted response efficiency stats to give hackers clearer insights.
Email Visibility Restrictions: To reduce spam, “Contact email” is now visible only to logged-in users.
Open Scope for VDPs: Vulnerability Disclosure Programs (VDPs) can select an “Open Scope” option, which is now the default for all new VDPs.
Rewards Summary: Added a rewards summary block to the sidebar for transparent reward ranges.
Core Ineligible Findings: Consistently listed in the “Scope exclusions” block for Bug Bounty Programs (BBP).
Bug Fixes: Addressed issues with the “Top hackers” feature and improved Program Security page navigation.
These updates are based on user feedback and aim to enhance clarity and transparency and to streamline navigation.
AWS Security Configuration Review Pentest
Introducing the AWS Security Configuration Review pentest—an in-depth assessment designed to ensure your AWS security configurations meet industry standards like AWS CIS and NIST 800-171.
Our certified pentesters are ready to help you identify vulnerabilities and enhance compliance with best practices. This new pentest type addresses the increasing demand for robust cloud security, empowering organizations to effectively manage AWS security risks.
How to use it
Existing Customers with Premium Pentest Hours: Access the pentest scoping questionnaire within the platform, then select “AWS Security Configuration Review” as the asset type.
Prospective Customers: Contact Sales to start the process and receive a quote.
Platform Level Spend Tracker - Pentest Integration (Beta)
The Platform Level Spend Tracker now features Pentest and Bounty consumption data, providing a comprehensive view of subscription usage.
We've enhanced the Spend Tracker to include pentest consumption alongside existing data for spot checks, retests, campaigns, and bounty programs. This expanded tracker offers detailed insights into overall program consumption and subscription end dates, enabling customers to manage their resources more effectively.
How to use it
Go to Organization Settings > Spend Tracker, then switch between tabs for bounty and pentest data.
Crypto Wallet Payouts for Hackers
Hackers can now receive payouts through Coinbase Wallet or other non-Coinbase crypto wallets, eliminating the need for a Coinbase.com account.
We have migrated to Coinbase Prime, enabling direct crypto wallet payouts and removing the need for Coinbase.com accounts. Hackers using crypto payouts must be ID Verified or Clear, with additional AML checks on wallet addresses.
Coinbase Prime meets both business and regulatory requirements, removing common barriers to crypto payouts. This change provides hackers with greater flexibility in choosing their payout methods.
How to use it
Go to User Settings > Rewards and Payments > Preferences and update the payout method. Learn more in our Payment Preferences doc.
Benchmarks & Custom Cohorts
Customers can now use Benchmarks to track program performance over time, and Enterprise customers can access additional custom cohorts.
Benchmarks and Custom Cohorts allow customers to compare their performance over time against platform standards. Based on user feedback, we also added new dashboards and customization options to support better program performance tracking and reduce requests for custom reports.
You can learn more about this and other dashboards in our documentation.
How to use it
Go to Analytics > Dashboards and select from various dashboards for benchmark comparisons. Enterprise users can apply Custom Cohorts filters across metrics.
Leaderboard Updates
The leaderboard has been updated with several enhancements! First, you can now view rankings based on the source of reputation, with filters available for BBP, VDP, or an aggregated view of all sources. Additionally, we’ve refreshed the UI to align the leaderboard’s look and feel with the rest of our platform, giving it a more modern and cohesive appearance.
Following the Essential VDP launch and strong feedback from the community, we recognize that hackers prefer to compete in leagues with like-minded hackers. By separating the leaderboards between BBP and VDP, hackers can better compare themselves against the peers they look up to (or down upon). This provides a more accurate view of rankings in the hacker community.
This change helps competitive-minded hackers better compare themselves to each other. For example, hackers who only hack on BBPs can now see their ranking among hackers who do the same. We still offer an All-view that combines the BBP and VDP views for a comprehensive ranking.
Pentest Credential Management
Pentest credential management is available to all pentest programs and is effective immediately!
Centralized Credential Storage: All credentials associated with a pentest are stored securely in one central location, accessible to all pentesters on the team.
Simplified Access: Pentesters can easily view and access credentials directly on the scope card of the pentest.
Self-Setup Credentials: Customers can now input credentials directly into the system, ensuring pentesters have immediate access to the necessary resources.
Post-Launch Credential Management: Customers can easily add credentials even after launching the pentest, providing greater flexibility and control.
How it Works
Customers input credentials: Customers can input credentials directly into the system during the pentest setup process.
Pentesters access credentials: Pentesters can view and access these credentials on the scope card of the pentest.
Post-launch management: Customers can manage credentials anytime by clicking the Credentials button on the scope card.
Report Submission Required Fields
Customers can now choose mandatory fields (Asset and Weaknesses) for hackers during report submission.
Some customers have expressed concern about hackers submitting reports without specifying an asset or weakness. With this change, we allow customers to make these fields mandatory for report submissions.
How to use it
You can find this new feature on /<program_name>/submission_requirements or by navigating to Program Settings > Hacker Management > Submission. Then, you can choose which field you want to be mandatory (see the screenshot).
Pentest Vulnerability Templates
We're thrilled to announce that pre-written HackerOne vulnerability templates are now available for all HackerOne pentests! Save time and streamline your reporting with the following:
Dozens of H1 templates: Covering a wide range of common weaknesses.
Auto-populated fields: Instantly fill out the Weakness and Proof of Concept sections, including the title, description, impact, and weakness details.
Easy identification: Quickly distinguish between personal and H1 vulnerability templates with unique icons.
Template recommendations: Get prompted to use an H1 template when your selected weakness matches.
Hai Sidebar and Contextual Suggestions (Open Beta)
We’ve bundled these interconnected features under the name Hai Sidebar for a more cohesive user experience. The Hai Sidebar enhances the way you interact with our platform, ensuring that Hai’s capabilities are front and center when you need them.
Key Features of Hai Sidebar
Improved Discoverability: Easily access all of Hai's capabilities.
Seamless Interactions: Enjoy smooth interactions with both the platform and Hai.
Context-Aware Conversations: Conversations automatically adjust based on the current report, providing personalized and actionable suggestions.
Who Can Access It?
Customers can now opt into the Hai Sidebar open beta and experience these enhanced features. You can enable the feature here.