HackerOne

Enhanced Spot Checks functionality with editing capabilities and flexible rewards, giving customers more control and flexibility when managing their spot check campaigns.

Added key enhancements to the Spot Checks feature that provide greater flexibility and control:

Editable Spot Checks - Customers can now edit spot checks after creation to correct mistakes or add additional hackers to ongoing spot checks

Flexible Rewards - New reward flexibility allows customers to determine appropriate effort levels and compensation for their specific spot check requirements

- Editable Spot Checks - Customers can now edit spot checks after creation to correct mistakes or add additional hackers to ongoing spot checks
- Flexible Rewards - New reward flexibility allows customers to determine appropriate effort levels and compensation for their specific spot check requirements

Enterprise customers wanting more control and flexibility in managing their spot checks

Internal teams who no longer need to raise engineering tickets for spot check edits, improving operational efficiency

- Enterprise customers wanting more control and flexibility in managing their spot checks
- Internal teams who no longer need to raise engineering tickets for spot check edits, improving operational efficiency

<a href="https://docs.hackerone.com/en/articles/9064940-spot-checks">Spot checks documentation</a>

- <a href="https://docs.hackerone.com/en/articles/9064940-spot-checks">Spot checks documentation</a>

⚠️ Coming July 29: Enforced 2FA ⚠️

Protecting the data of our customers and research community is a top priority. As part of our ongoing commitment to platform security, we are making important changes to our authentication process. Starting July 29, 2025, two-factor authentication (2FA) will be required for all users not using SAML/SSO.Status: Approaching General Availability for ALL users! Customers &amp; Researchers included.

We are notifying all researchers and customers of the upcoming changes so that users can take proactive action and avoid needing to take additional steps before accessing the platform on July 29.

We’ve always offered 2FA, but this change makes 2FA mandatory for all HackerOne platform users not using SSO/SAML to sign in.

Coming July 29, 2025 - All HackerOne platform users not signing in via SSO will be required to sign in using 2FA.

We have already removed the mandatory requirement of a mobile number from the account recovery process.

Users can now recover their accounts using backup codes. If these are not available, they can <a href="http://support.hackerone.com/" rel="nofollow noopener noreferrer" target="_blank">contact the support team</a>. In this case, the user will receive a confirmation email and text message (if configured).

- Coming July 29, 2025 - All HackerOne platform users not signing in via SSO will be required to sign in using 2FA.
- We have already removed the mandatory requirement of a mobile number from the account recovery process.
- Users can now recover their accounts using backup codes. If these are not available, they can <a href="http://support.hackerone.com/" rel="nofollow noopener noreferrer" target="_blank">contact the support team</a>. In this case, the user will receive a confirmation email and text message (if configured).

This change improves overall platform integrity and brings us into alignment with the expectations of high-value, security-conscious users.

Security parity with peers: Enforced 2FA is now standard for any platform handling sensitive data. Our previous opt-in approach introduced risk.

Customer compliance: High-security orgs (e.g., UK MoD, NCSC) can’t use SSO but need robust MFA for internal compliance.

Support efficiency: Account recovery is harder when users rely on SMS or mobile-only access, especially in environments without personal devices. Platform-native 2FA offers a more dependable path.

- Security parity with peers: Enforced 2FA is now standard for any platform handling sensitive data. Our previous opt-in approach introduced risk.
- Customer compliance: High-security orgs (e.g., UK MoD, NCSC) can’t use SSO but need robust MFA for internal compliance.
- Support efficiency: Account recovery is harder when users rely on SMS or mobile-only access, especially in environments without personal devices. Platform-native 2FA offers a more dependable path.

All HackerOne platform users not signing in via SSO/SAML.

Any user can and is encouraged to configure 2FA now by following the instructions detailed <a href="https://docs.hackerone.com/en/articles/8505330-two-factor-authentication">here</a>. ​

A full collection of changes released during the month of July

July 2025 Changelog

Find answers and get help from Intercom Support and Community Experts

This site employs cookies and other technologies that we and our third party vendors use to monitor and record personal information about you and your interactions with the site (including content viewed, cursor movements, screen recordings, and chat contents) for the purposes described in our Cookie Policy. By continuing to visit our site, you agree to our {websiteTermsLink}, {privacyPolicyLink} and {cookiePolicyLink}.

This site uses cookies and similar technologies ("cookies") as strictly necessary for site operation. We and our partners also would like to set additional cookies to enable site performance analytics, functionality, advertising and social media features. See our {cookiePolicyLink} for details. You can change your cookie preferences in our Cookie Settings.

We use cookies to make our site work and also for analytics and advertising purposes. You can enable or disable optional cookies as desired. See our {cookiePolicyLink} for more details.

Advertising cookies are set by our advertising partners to collect information about your use of the site, our communications, and other online services over time and with different browsers and devices. They use this information to show you ads online that they think will interest you and measure the ads' performance. Social media cookies are set by social media platforms to enable you to share content on those platforms, and are capable of tracking information about your activity across other online services for use as described in their privacy policies.

These cookies enable the website to provide enhanced functionality and personalisation. They may be set by us or by third party providers whose services we have added to our pages. If you do not allow these cookies then some or all of these services may not function properly.

These cookies are necessary for the website to function and cannot be switched off in our systems.

These cookies allow us to count visits and traffic sources so we can measure and improve the performance of our site. They help us to know which pages are the most and least popular and see how visitors move around the site.

You have the right to opt out of the sale of your personal information. See our {cookiePolicyLink} for more details about how we use your data.

Your Privacy Choices

We use cookies to enhance your experience. You can customize your cookie preferences below. See our {cookiePolicyLink} for more details.

Cookie Settings

Link, Press control-option-right-arrow to exit

Empty Help Center

Uh oh. That page doesn’t exist.

Disappointed

Neutral

Smiley

Thinking...

Searching through sources...

Analyzing...

Tickets submitted through the messenger or by a support agent in your conversation will appear here.

July 2025 Changelog

Spot Checks Enhancements

What we did:

Who it helps:

Documentation:

⚠️ Coming July 29: Enforced 2FA ⚠️

The Change:

Why are we telling you now?

Summary:

What we are doing:

Why are we doing it:

Who it helps:

How to use it: