
July 2025 Changelog

A full collection of changes released during the month of July


Stripe Integration Update

We’ve officially launched the new Stripe payment flow to GA. This completes our phased rollout of the new Stripe integration, which customers migrate to as they update or enter new credit card details for reward payments.

What we did:

We enabled the new Stripe payment flow. The legacy flow is still active, so no reward payouts will fail as a result of this change, but this allows any customer updating their credit card details to migrate to the new flow. Due to regulatory constraints, a small number of customers who use Indian credit card providers will temporarily remain on the old workflow.

Why we did it:

The old workflow is heading towards deprecation. This update aligns us with Stripe’s long-term roadmap, improves customer experience, and reduces Finance’s manual workload.

Who it helps:

Customers using credit cards on our platform will now benefit from improved payment reliability. Internal teams gain from reduced maintenance overhead and stronger compliance alignment. Customers will notice a smoother, more consistent experience.

How to use it:

The new flow is now available for all customers. Once a customer updates their credit card details in the platform, all of their card-based transactions will use the updated workflow. To update credit card details:

  • Go to the program to which the credit card is connected

  • Select Billing

  • Select Credit cards

  • Enter your credit card details and press Submit.

This is a quick, one-time step that ensures uninterrupted service.

What’s next:

We’ll work towards decommissioning the legacy code later in the year.

📢 Effective today, July 29: Mandatory 2FA for all HackerOne Platform users

What we did:

Protecting the data of our customers and research community is a top priority. As part of our ongoing commitment to platform security, two-factor authentication (2FA) is now required for all HackerOne platform users who do not sign in via SAML/SSO.

What’s happening:

Starting today, July 29, 2025, 2FA is mandatory for all users not authenticating via SSO. This ensures stronger protection across the platform and aligns with industry security standards.

What’s already been done:

  • We’ve removed the requirement for a mobile number in account recovery.

  • Users can now recover accounts using backup codes.

  • If those are unavailable, users can contact support. In such cases, confirmation is sent via email and, if configured, via text message.

Why we did it:

  • Improved Security: Enforced 2FA significantly reduces the risk of account compromise.

  • Peer Parity: This aligns with standard practices for platforms managing sensitive data.

  • Customer Compliance: Especially important for high-security customers who don’t use SSO but require strong MFA.

  • Better Support Experience: Recovery is easier and more secure with platform-native 2FA rather than relying on SMS or mobile-only access.

Who’s affected:

All platform users who sign in without SSO/SAML. This should impact all Researchers.

What to do:

Users who haven’t already enabled 2FA will need to enable it immediately by following the instructions at login.

Need help?

✨ New Look, Same Platform ✨

Our platform just got a visual refresh!

During Hackweek, we brought our product in line with the updated H1 brand revealed at Empower. The most noticeable change? Dark mode. Gone is the harsh black—now it features a deep navy base, cooler grays, and softer contrast for a more refined, modern feel.

Light mode also got a touch-up, with subtle adjustments that make the interface feel cleaner and more cohesive across the board.

This update improves readability, reduces eye strain, and sets the stage for a more consistent and scalable design system going forward.

What we did:

  • Refreshed light and dark mode color palettes

  • Removed outdated elements like green daisy buttons

  • Smoothed out elevations on cards and panels

  • Added borders to tables for better clarity

Why we did it:

  • Reinforces a consistent, trustworthy brand experience

  • Makes the platform more comfortable to use

  • Lays the groundwork for future design improvements

How it works:

It’s live now! Check out the changes by logging in, and explore dark mode by either:

  • Hitting Command + K and selecting Themes, or

  • Going to User settings > Platform preferences

Spot Checks Enhancements

We enhanced Spot Checks with editing capabilities and flexible rewards, giving customers more control and flexibility when managing their spot check campaigns.

What we did:

Added key enhancements to the Spot Checks feature that provide greater flexibility and control:

  • Editable Spot Checks - Customers can now edit spot checks after creation to correct mistakes or add additional hackers to ongoing spot checks

  • Flexible Rewards - New reward flexibility allows customers to determine appropriate effort levels and compensation for their specific spot check requirements

Who it helps:

  • Enterprise customers wanting more control and flexibility in managing their spot checks

  • Internal teams who no longer need to raise engineering tickets for spot check edits, improving operational efficiency

Documentation:

⚠️ Coming July 29: Enforced 2FA ⚠️

The Change:

Protecting the data of our customers and research community is a top priority. As part of our ongoing commitment to platform security, we are making important changes to our authentication process. Starting July 29, 2025, two-factor authentication (2FA) will be required for all users not using SAML/SSO.

Status: Approaching General Availability for ALL users! Customers & Researchers included.

Why are we telling you now?

We are notifying all researchers and customers of the upcoming changes so that users can take proactive action and avoid needing to take additional steps before accessing the platform on July 29.

Summary:

We’ve always offered 2FA, but this change makes 2FA mandatory for all HackerOne platform users not using SSO/SAML to sign in.

What we are doing:

  • Coming July 29, 2025 - All HackerOne platform users not signing in via SSO will be required to sign in using 2FA.

  • We have already removed the mandatory requirement of a mobile number from the account recovery process.

  • Users can now recover their accounts using backup codes. If these are not available, they can contact the support team. In this case, the user will receive a confirmation email and text message (if configured).

Why are we doing it:

This change improves overall platform integrity and brings us into alignment with the expectations of high-value, security-conscious users.

  • Security parity with peers: Enforced 2FA is now standard for any platform handling sensitive data. Our previous opt-in approach introduced risk.

  • Customer compliance: High-security orgs (e.g., UK MoD, NCSC) can’t use SSO but need robust MFA for internal compliance.

  • Support efficiency: Account recovery is harder when users rely on SMS or mobile-only access, especially in environments without personal devices. Platform-native 2FA offers a more dependable path.

Who it helps:

All HackerOne platform users not signing in via SSO/SAML.

How to use it:

Any user can and is encouraged to configure 2FA now by following the instructions detailed here.
