We're excited to announce that customers can now calculate Return on Mitigation (RoM) directly within the platform using Hai, helping security teams quantify and demonstrate the value of their bounty program.

We've added support for calculating RoM in our platform in three ways:

Many customers expressed interest in RoM functionality during the first demonstrations. This feature addresses that demand while showcasing our platform's advanced capabilities. By integrating RoM calculations directly into HackerOne, we're making it easier for customers to quantify and communicate the business value of their efforts.

This feature is available to all customers who have Hai enabled for their organization.

Users of the Hai completions API can now specify their play IDs as part of the completion API.

Hai Play is a feature that lets customers customize their Hai experience. It allows them to leverage specific Hai capabilities, adjust the tone of voice, add tailored instructions, or integrate specific domain knowledge into Hai’s responses. Within Hai Chat on our platform, users can easily select and apply these Hai Plays.

What’s new is that these Hai Plays are now also available through our Hai Completions API! Customers building features with our API can interact with Hai using the same Hai Plays they use on the platform, ensuring a consistent and seamless experience across all their workflows.

We now offer ROM automation templates. These automations invoke Hai but require very specific ROM-related information, which we store in a shared Hai Play.

Hai is now able to generate emails that users can review and send.

We’ve given Hai the ability to compose emails for users. Hai Chat now shows a preview of the email, allowing users to send it out with a single click of the Send button! At any point in a Hai conversation, users can ask Hai to send an email.

The email composition is contextually based on the ongoing conversation, making this feature highly flexible and adaptable to a wide range of use cases. Here are a few examples:
• After calculating the ROM score, email the report to a coworker.
• Generate a recap of all valid reports from the past week, including Hai’s analysis of the business impact, and send this report to the CISO.
• Create report insights on a newly filed report, fine-tune the contents, and send the results directly to an engineer on your team.

Super versatile! If you can talk about it with Hai, Hai can send an email about it! Like the email API endpoint, we only allow emails to be sent to users in the same organization.

Our goal is to support our users in their vulnerability elimination workflows. Often, this involves sharing important findings or insights via email—whether it’s sending an individual report or delivering value-driven reporting on request. Hai email makes it easy to share information with the right people, even if they aren’t directly engaged on the platform!

Customers that use Hai.

Currently, this email capacity has to be enabled per play. The RoM play is an example of how we’ve already enabled this tool. If the tool is enabled, users can ask Hai something like: "Send a summary of this conversation by email to user@hackerone.com," which will prompt a "compose email" interface.

Users of the API can use the /email endpoint to send emails to users within their organizations.

We’ve added the ability to send emails to fellow organization members to our formal API.

A frequently requested feature from customers using Automations is the ability to send an email. When a specific event occurs (e.g., a new critical report is received), they often want to forward it to an email address. We’ve noticed users leveraging dedicated email addresses in tools like Slack and PagerDuty to integrate events (such as new reports) into their workflows. Another key driver is that customers want to receive reporting from Hai directly via email. Whether it’s summarizing a single report or generating an overview of all important reports received last month, Hai can provide these insights and email the results straight to you (or your CISO).

With our automation features, customers can integrate their workflows deeply into our Vulnerability Elimination Workflow.

We’ve introduced some automation templates where Hai performs a specific operation and sends the results via email. One of these is our new ROM template, which generates a ROM report using Hai and sends it out through this new API endpoint. Customers can go to our automation library, find an email-based automation, and have an automation up and running! Code-savvy users can also use this API call directly in their automation code. We wrap the email contents with clear messaging, indicating that the email originates from the HackerOne platform and showing which fellow organization members sent the email.

We only allow emails to be sent to fellow organization members. This limitation exists because we’re not comfortable sending emails to any address. This limitation also means that we can not send emails to researchers, another commonly requested feature. We plan to add a “message researchers” feature to the API in the future.

These integrations simplify vulnerability management by automatically syncing HackerOne report data to ServiceNow modules. This helps customers efficiently manage, prioritize, and remediate vulnerabilities, ultimately reducing manual effort, enhancing security teams' collaboration, and streamlining security processes to minimize risk.

We’ve added one-directional VR & AVR to the existing ServiceNow Incident Management (IM) module, enhancing customer's vulnerability management workflow.

Integrating ServiceNow VR & AVR automates data exchange from HackerOne to the ServiceNow platform, eliminating manual ticket creation and ensuring real-time updates. This automation helps customers improve prioritization, reduce manual errors, and accelerate security incident responses while addressing inefficiencies and risks caused by uncoordinated data across platforms.

Enterprise customers looking to enhance their vulnerability management processes.

We updated the metadata sidebar in the inbox to make it easier for customers, triagers, and mediators to identify important information.

These updates are quality-of-life improvements for easily identifying important information about a report.

Customers, triage, and mediation.

To see the updated sidebar, go to the inbox and click on a report that is closed as a duplicate.

We've added the ability for Program Admins to include Memos in their prepayment invoices! This allows for greater self-service by customers wishing to include specialized instructions in their invoice records.

Many of our top accounts requested the ability to include memos or contact details on invoices. Manually tracking these requests was inefficient. This update streamlines the process and ensures accurate financial records.

When submitting a prepayment, simply fill out the Memo and Product Order Reference fields. The details will automatically appear on the final invoice.

We empower customers to take control of vulnerability prioritization in Findings with advanced filters, sorting, and customizable views. Users can segment reports or view all findings across the organization, enabling quick access to actionable insights and faster resolution of critical issues.

Customers faced challenges managing vulnerabilities across multiple inboxes and engagements, leading to prioritization gaps and slower resolutions. The limited search and filter options made it difficult to refine reports, and the spread of key details across multiple pages slowed decision-making. A single view lacked the flexibility needed for effective prioritization and remediation across different teams, assets, and workflows.

Customers managing multiple teams and programs can now use a single view to optimize the prioritization of vulnerability findings. Additionally, all customers can take advantage of customizable views and enhanced search functionality for more efficient management and decision-making.

We’ve added the ability for Program Admins to extend a Spot Check researcher’s report deadline! This change came bundled with a slightly updated UI, which consolidates the View Report, Contact Hacker, and Extend Deadline functionalities into a single kabob menu.

Spot Check users occasionally need to extend a researcher’s deadline. Previously, this had to be done by our engineers, but now it can be handled by Program Admins. We also have better change logging now!

Both the extension and rejection changes save a lot of time for both Engineering and program managers.

Program managers can now extend the deadline via the spot check submissions tab without additional support.
​