February 2025 Changelog

A full collection of changes released during the month of February

Updated over 2 weeks ago

Return on Mitigation (RoM) Calculations via Hai (Beta)

We're excited to announce that customers can now calculate Return on Mitigation (RoM) directly within the platform using Hai, helping security teams quantify and demonstrate the value of their bounty program.

What we did:

We've added support for calculating RoM in our platform in three ways:

  1. Report-Level RoM Calculation: Once a report receives a bounty, a RoM banner will appear at the top of the report. Users can click this banner to launch Hai and generate an immediate RoM calculation for the specific vulnerability.

  2. Severity-Based Automation: We've added a template to our automation store that automatically calculates RoM for high and critical severity reports. Results can be posted as internal comments or stored in custom fields, making this data readily accessible for reporting.

  3. Scheduled RoM Reporting: This new automation template can calculate RoM based on a specified time period (7 or 30 days) and email the results directly to you or your leadership team. This scheduled delivery ensures you consistently have up-to-date data on your program's value.

Why we did it:

Many customers expressed interest in RoM functionality during the first demonstrations. This feature addresses that demand while showcasing our platform's advanced capabilities. By integrating RoM calculations directly into HackerOne, we're making it easier for customers to quantify and communicate the business value of their efforts.

Who it helps:

This feature is available to all customers who have Hai enabled for their organization.

Hai Play Support for Hai Completions API

Users of the Hai completions API can now specify their play IDs as part of the completion API.

What we did:

Hai Play is a feature that lets customers customize their Hai experience. It allows them to leverage specific Hai capabilities, adjust the tone of voice, add tailored instructions, or integrate specific domain knowledge into Hai’s responses. Within Hai Chat on our platform, users can easily select and apply these Hai Plays.

What’s new is that these Hai Plays are now also available through our Hai Completions API! Customers building features with our API can interact with Hai using the same Hai Plays they use on the platform, ensuring a consistent and seamless experience across all their workflows.

Why we did it:

We now offer RoM automation templates. These automations invoke Hai but require very specific RoM-related information, which we store in a shared Hai Play.

Hai Sending Emails

Hai is now able to generate emails that users can review and send.

What we did:

We’ve given Hai the ability to compose emails for users. Hai Chat now shows a preview of the email, allowing users to send it out with a single click of the Send button! At any point in a Hai conversation, users can ask Hai to send an email.

The email composition is contextually based on the ongoing conversation, making this feature highly flexible and adaptable to a wide range of use cases. Here are a few examples:

  • After calculating the RoM score, email the report to a coworker.

  • Generate a recap of all valid reports from the past week, including Hai’s analysis of the business impact, and send this report to the CISO.

  • Create report insights on a newly filed report, fine-tune the contents, and send the results directly to an engineer on your team.

Super versatile! If you can talk about it with Hai, Hai can send an email about it! Like the email API endpoint, we only allow emails to be sent to users in the same organization.

Why we did it:

Our goal is to support our users in their vulnerability elimination workflows. Often, this involves sharing important findings or insights via email—whether it’s sending an individual report or delivering value-driven reporting on request. Hai email makes it easy to share information with the right people, even if they aren’t directly engaged on the platform!

Who it helps:

Customers that use Hai.

How to use it:

Currently, this email capability has to be enabled per play. The RoM play is an example of a play where we’ve already enabled this tool. If the tool is enabled, users can ask Hai something like: "Send a summary of this conversation by email to user@hackerone.com," which will open a "compose email" interface.

Email a Fellow Organization Member via the API

Users of the API can use the /email endpoint to send emails to users within their organizations.

What we did:

We’ve added the ability to send emails to fellow organization members to our formal API.

Why we did it:

A frequently requested feature from customers using Automations is the ability to send an email. When a specific event occurs (e.g., a new critical report is received), they often want to forward it to an email address. We’ve noticed users leveraging dedicated email addresses in tools like Slack and PagerDuty to integrate events (such as new reports) into their workflows. Another key driver is that customers want to receive reporting from Hai directly via email. Whether it’s summarizing a single report or generating an overview of all important reports received last month, Hai can provide these insights and email the results straight to you (or your CISO).

Who it helps:

With our automation features, customers can integrate their workflows deeply into our Vulnerability Elimination Workflow.

How to use it:

We’ve introduced some automation templates where Hai performs a specific operation and sends the results via email. One of these is our new RoM template, which generates a RoM report using Hai and sends it out through this new API endpoint. Customers can go to our automation library, find an email-based automation, and have an automation up and running! Code-savvy users can also call this API endpoint directly from their automation code. We wrap the email contents with clear messaging indicating that the email originates from the HackerOne platform and showing which fellow organization member sent the email.

Additional info:

We only allow emails to be sent to fellow organization members. This limitation exists because we’re not comfortable sending emails to arbitrary addresses. It also means that we cannot send emails to researchers, another commonly requested feature. We plan to add a “message researchers” feature to the API in the future.

ServiceNow Vulnerability Response (VR) & Application Vulnerability Response (AVR) Integrations

These integrations simplify vulnerability management by automatically syncing HackerOne report data to ServiceNow modules. This helps customers efficiently manage, prioritize, and remediate vulnerabilities, ultimately reducing manual effort, enhancing security teams' collaboration, and streamlining security processes to minimize risk.

What we did:

We’ve added one-directional VR & AVR integrations alongside the existing ServiceNow Incident Management (IM) module, enhancing customers' vulnerability management workflows.

Why we did it:

Integrating ServiceNow VR & AVR automates data exchange from HackerOne to the ServiceNow platform, eliminating manual ticket creation and ensuring real-time updates. This automation helps customers improve prioritization, reduce manual errors, and accelerate security incident responses while addressing inefficiencies and risks caused by uncoordinated data across platforms.

Who it helps:

Enterprise customers looking to enhance their vulnerability management processes.

Inbox Metadata Sidebar Update

We updated the metadata sidebar in the inbox to make it easier for customers, triagers, and mediators to identify important information.

What we did:

  • On duplicated reports, the sidebar already shows metadata about the parent report (such as ID and date submitted). As an improvement, we also added the full title of the parent report. It is shown once a report is closed as a "duplicate," only to users with appropriate access, and only for reports closed from now on.

  • We made visual improvements to make the sidebar more legible, including moving from a 2-column layout to a 1-column layout, adding missing labels, and updating buttons.

Why we did it:

These updates are quality-of-life improvements for easily identifying important information about a report.

Who it helps:

Customers, triagers, and mediators.

How to use it:

To see the updated sidebar, go to the inbox and click on a report that is closed as a duplicate.

Enhanced Prepayment Invoice Customization

We've added the ability for Program Admins to include Memos in their prepayment invoices! This allows for greater self-service by customers wishing to include specialized instructions in their invoice records.

What we did:

  • Added a Memo field to the prepayment form.

  • Renamed Reference to Purchase Order Reference for clarity.

  • Ensured both fields reflect on the final PDF invoice.

Why we did it:

Many of our top accounts requested the ability to include memos or contact details on invoices. Manually tracking these requests was inefficient. This update streamlines the process and ensures accurate financial records.

Who it helps:

  • Customers who need to add custom details to invoices.

  • Finance teams that require clear documentation.

  • Our internal billing team by reducing manual workload.

How to use it:

When submitting a prepayment, simply fill out the Memo and Purchase Order Reference fields. The details will automatically appear on the final invoice.

Findings - Open Beta

Summary

We empower customers to take control of vulnerability prioritization in Findings with advanced filters, sorting, and customizable views. Users can segment reports or view all findings across the organization, enabling quick access to actionable insights and faster resolution of critical issues.

What we did:

  • We created a centralized view to help users quickly identify and prioritize urgent reports across all engagements, assets, and teams.

  • Added advanced search capabilities and customizable display options to streamline the process, allowing for precise filtering, tailored views, and better visibility into vulnerability status.

  • Introduced boards to save and manage multiple report views for easier prioritization and remediation.

Why we did it:

Customers faced challenges managing vulnerabilities across multiple inboxes and engagements, leading to prioritization gaps and slower resolutions. The limited search and filter options made it difficult to refine reports, and the spread of key details across multiple pages slowed decision-making. A single view lacked the flexibility needed for effective prioritization and remediation across different teams, assets, and workflows.

Who it helps:

Customers managing multiple teams and programs can now use a single view to optimize the prioritization of vulnerability findings. Additionally, all customers can take advantage of customizable views and enhanced search functionality for more efficient management and decision-making.

New Spot Check Features!

Summary:

We’ve added the ability for Program Admins to extend a Spot Check researcher’s report deadline! This change came bundled with a slightly updated UI, which consolidates the View Report, Contact Hacker, and Extend Deadline functionalities into a single kabob menu.

What we did:

  • Extend Deadline Option: Program Admins can now extend a researcher's deadline for Spot Checks if they’ve accepted but haven’t submitted their report. Click the kabob menu and select Extend deadline to add 7 days. This action can be repeated indefinitely, even after the deadline has passed.

  • Updated Submissions Tab: The Contact button for each researcher in the submissions table has been moved to a new kabob menu. This menu also includes options to view submitted reports and extend deadlines.

Why we did it:

Spot Check users occasionally need to extend a researcher’s deadline. Previously, this had to be done by our engineers, but now it can be handled by Program Admins. We also have better change logging now!

Both the extension and rejection changes save a lot of time for both Engineering and program managers.

Who it helps:

Program managers can now extend the deadline via the Spot Check submissions tab without additional support.
