Authenticated Testing

Providing the proper access for authenticated testing

  • HackerOne recommends providing credentials and contextual information to hackers wherever possible

    • HackerOne recommends offering elevated rewards for unauthenticated vulnerability findings

  • The HackerOne platform includes a secure credential management feature that allows customers to quickly upload multiple sets of credentials

    • Includes the ability to provision multiple roles

      • Essential for testing privilege escalation (PrivEsc), insecure direct object references (IDOR), broken authentication, data segregation between accounts, etc.

    • Hackers can claim credentials in the platform and immediately proceed with testing

Enabling Unauthenticated Testing

  • Many HackerOne programs are interested in finding unauthenticated vulnerabilities as they can be exceptionally severe

  • HackerOne recommends specifying an elevated reward level for unauthenticated vulnerabilities within either the bounty table or the policy

    • Be sure to provide clarity in your policy on what unauthenticated vulnerabilities are eligible for the elevated reward level
