Scoping Considerations

Organizations: Considerations that can help enable testing on more difficult assets


HackerOne programs perform testing in all different environments. What factors go into deciding which environment or assets are a good fit for the hacker-powered approach? What kinds of "blockers" have the potential to reduce hacker engagement?

Below are some considerations that can help enable testing on more difficult assets.

Hacker Access

  • Is the environment publicly accessible?

  • Do any self-sign-up flows require personally identifiable information (PII) from hackers?

  • Are there geo-restrictions or SMS-based 2FA requirements in the application that could prevent hackers from accessing it?

Feature Coverage

  • Is a non-prod environment an accurate representation of production?

    • Is test data representative of production?

  • Are any features that should be tested inaccessible to hackers?

  • Do any features require hackers to spend real money? Could this be avoided or reimbursed?

Sensitive Information

  • Does the environment contain sensitive information such as PII or PHI that a hacker could potentially stumble onto?

  • Could hacker testing possibly interfere with other types of testing or activity in the environment?
