Scoping Considerations

Considerations that can help enable testing on more difficult assets

HackerOne programs perform testing in all different environments. What factors go into deciding which environment or assets are a good fit for the hacker-powered approach? What kinds of "blockers" have the potential to reduce hacker engagement?

Below are some considerations that can help enable testing on more difficult assets.

Hacker Access

  • Is the environment publicly accessible?

  • Do any self-sign-up flows require personal information (PII) from hackers?

  • Are there geo-restrictions in the application to consider? SMS 2FA requirements?

Feature Coverage

  • Is a non-prod environment an accurate representation of production?

    • Is test data representative of production?

  • Are any features that should be tested inaccessible to hackers?

  • Do any features require hackers to spend real money? Could this be avoided or reimbursed?

Sensitive Information

  • Does the environment contain sensitive information such as PII or PHI that a hacker could potentially stumble onto?

  • Could hacker testing possibly interfere with other types of testing or activity in the environment?