January 2025 Changelog

A full collection of changes released during the month of January


Coordinated Vulnerability Disclosure (CVD) Declaration

Programs can now explicitly declare their stance on Coordinated Vulnerability Disclosure (CVD), ensuring security researchers have clear and immediate visibility into how disclosures are managed.

What we did:

We introduced a new declaration that allows programs to define their approach to CVD. This declared stance is now displayed on the program’s Security page for security researchers.

Why we did it:

Disclosure guidelines are often buried within the Security page text or may be absent altogether. By introducing a standardized declaration, we provide a clearer and more structured way for programs to communicate their disclosure policies to security researchers.

Who it helps:

  • Customers: Enables them to clearly define and communicate their disclosure policies.

  • Security Researchers: Provides essential disclosure guideline information, helping them make informed decisions when reporting vulnerabilities.

Recommendations

Recommendations are designed to empower our customers to optimize their programs, enhance security posture, and maximize platform value. This release utilizes 20 trigger conditions to surface personalized recommendations for customers on their HackerOne Home Page that they can view and interact with.

What we did:

Based on feedback from the beta, we updated the UI to help customers view more information and consume the data connected to the recommendation more easily. Additionally, we extended the recommendation triggers from 3 to 20 to provide even more data-backed recommendations to customers.

Why we did it:

Recommendations aim to help customers get more out of the platform by letting them:

  • Improve their programs through personalized recommendations, without manual analysis.

  • Make data-driven decisions using benchmarks and their own program data.

  • Proactively strengthen their security posture and surface vulnerabilities sooner.

  • Maximize their investment by unlocking the full potential of HackerOne and optimizing program effectiveness.

Who it helps:

All BBP customers can view and interact with the data-backed recommendations relevant to their programs.

How to use it:

Go to the Home page and select Take action on a specific recommendation to view more information, or select Review all to see every applicable recommendation in one place. In the expanded view, customers can:

  • Review each recommendation per program within their organization

  • View more details and data about each recommendation

  • Review the recommended actions and, where relevant, select the actions they wish to take

  • Dismiss a recommendation with the Dismiss button to remove it from view

  • Provide feedback with the thumbs up and thumbs down icons on each of the Actions to consider, which helps us tailor future recommendations

Invite Preferences & Private Opportunities

Invite preferences enable programs to specify what type of hackers they are looking for, and allow hackers to join programs directly without waiting for an invitation. Additionally, hackers are given a range of programs to choose from.

What we did:

Customers can now proactively list their private program. This can be configured using the Invite preferences in program settings. Once a customer lists their private program, eligible hackers will be able to join through the Opportunities page (beta).

Why we did it:

Hackers have indicated a desire for more proactive and equitable engagement opportunities in our programs. Our mission is to democratize the participation process in our programs, making it more inclusive and engaging for a diverse group of hackers. This will also allow customers to be more precise in their requirements for which hackers and security researchers can join their program.

Who it helps:

Professional or enterprise customers that operate private programs and hackers who would like to proactively engage with those programs.

Platform Spend Tracker

The Platform Spend Tracker gives customers a clear view of their HackerOne spending across all programs. Customers can drill into bounty spending, pentest hours, and Challenge rewards, which helps them plan their programs, allocate resources efficiently, and avoid unexpected costs. We also added a new Home page widget that provides an at-a-glance overview of spend and quick access to the full feature.

What we did:

We've built seamless views for customers within the platform, both on the main Spend Tracker page and with a new Home page widget, ensuring transparency.

Why we did it:

Before the Spend Tracker, accessing real-time information about rewards/hours spent versus entitlement was challenging for our customers. Many expressed the need for this invaluable information to enhance their program planning and future spending with HackerOne.

Who it helps:

The Spend Tracker empowers customers to understand their spending against entitlements, enabling data-driven decisions. It also supports CSMs by directing customers to our platform for insights rather than relying on exports that need to be provided to them manually.

How to use it:

Customers can access the Spend Tracker in two ways: a quick overview from the Home page, or the full view on the main Spend Tracker page.

  1. Go to Organization Settings -> Spend Tracker.

  2. Or, on Home, check the Organization Spend Tracker overview section and click View Details to open the full Spend Tracker.

On the Spend Tracker page, use the tabs to switch between bounty information (which also includes Campaigns, Spot Checks, Code Reviews, and retests), pentest information, and challenge information.

Major Hai RAG System Updates!

We've rolled out some major improvements to Hai's RAG (retrieval-augmented generation) system to save you time and boost Hai's accuracy:

  • Image Metadata Extraction (Beta):

    • Hai now reads text, URLs, PII, and more from image attachments.

    • Example: Automatically summarize reports with screenshots or ask Hai if attachments contain PII.

  • Richer Report Metadata

    • Added fields like severity, state, scope, weaknesses, and bounty amount for better insights.

  • Program Metadata:

    • Added policies, triage notes, and templates for smarter program recommendations.

  • Better Actor Tracking: Hai is better able to discern the actor of an activity, including whether it was originally authored by a triage analyst (even if a user is no longer an analyst).

  • Multi-Team Support: Load and manage context about multiple teams.

  • Improved CVE/CWE context

More context = smarter insights. Try it out, and let us know how it's working for you!

Benchmarking Custom Cohorts for Professional Tier

After the successful GA release of Benchmarks to all customers and Custom Cohorts to Enterprise customers in October 2024, we have now updated the packaging for Professional customers to include the Custom Cohorts feature!

[Figure: Submissions chart with benchmarks filters]

What we did:

The Custom Cohorts feature of Benchmarks has been opened up to all customers.

Why we did it:

While we had made Custom Cohorts accessible to CSMs for all of their customers, we wanted to make a further impact by changing the tier packages to help empower more customers with this feature and reduce reliance on CSMs for custom cohort data.

Who it helps:

Benchmarks and Custom Cohorts will help all customers better understand their program's performance over time, both in relation to their past results and those of others on the platform. Users can set custom benchmark filters for deeper analysis, making data-driven decisions easier. This will also reduce the number of custom report requests to CSMs.

How to use it:

To use Benchmarks, navigate to Analytics > Dashboards and select either the Submissions Dashboard or the Response Efficiency Dashboard to view benchmarks on the charts listed below. To use Bounty table benchmarking, go to the Engagement level Dashboard > Bounty table benchmarking.

To use Custom Cohorts, navigate to Analytics > Dashboards. View the general benchmark or create your custom cohort:

  • Click on a chart with the Explore button in the top right of the chart.

  • Scroll down to the Benchmarks section of the page and click Add benchmark.

  • Name the benchmark, select measurement, and choose a color for the line on the chart. Filters can be added by clicking Add filter. Filters include:

    • Industry

    • Organization size

    • # of employees

    • Submission severity

    • Public vs. private programs

    • Performance percentile.

  • To finish, click Save.

Customers can then use Custom Cohorts on the following:

  • Submissions chart

  • Response Efficiency dashboard

Webhooks for Professional Customers

Webhooks allow professional customers to create real-time integrations between the HackerOne platform and tools of their choice.

What We Did:

In response to customer demand, we enabled Professional customers, in addition to Enterprise customers, to integrate with the HackerOne platform in a way that fits their business needs. Professional customers can now choose which report and program events to subscribe to for each engagement, and use them to, for example:

  • Update an external issue tracker

  • Trigger a notification system

  • Update a report’s data backup

  • Trigger provisioning for a user account

Why We Did It:

The expansion reduces manual effort for Professional customers and, therefore, improves time-to-action for vulnerability handling. It enables customers to manage vulnerabilities more efficiently within their existing workflows, ultimately improving their overall experience.
