HackerOne programs perform testing in all different environments. What factors go into deciding which environments or assets are a good fit for the hacker-powered approach? What kinds of "blockers" have the potential to reduce hacker engagement?
Below are some considerations that can help enable testing on more difficult assets.
Hacker Access
Is the environment publicly accessible?
If not, the HackerOne Gateway VPN may be required
Do any self-sign-up flows require personal information (PII) from hackers?
Are there geo-restrictions or SMS-based 2FA requirements in the application that could block hackers in certain regions or without a local phone number?
Feature Coverage
Is a non-prod environment an accurate representation of production?
Is test data representative of production?
Are any features that should be tested inaccessible to hackers?
If so, could identifying hacker traffic (for example, so that it can be distinguished from other traffic and allowed through) help make those features reachable?
Do any features require hackers to spend real money? Could this be avoided or reimbursed?
Sensitive Information
Does the environment contain sensitive information such as PII or PHI that a hacker could potentially stumble onto?
Could hacker testing interfere with other testing or activity already taking place in the environment, or be mistaken for a real attack by monitoring and response teams?