Skip to main content
Pentest FAQs

Organizations: Answers to frequently asked questions about pentests

Updated this week

Note: All HackerOne Pentesters are members of the HackerOne Clear program.



My last pentest didn't find anything. How can I ensure critical vulnerabilities can be found?

The goal of HackerOne Pentests is to help meet regulatory compliance and pass vendor assessments through a structured and checklist-driven process. If your priority is finding critical vulnerabilities and you want to have as many eyes as possible on your assets, we suggest looking into our bug bounty products that can be incentivized for critical vulnerabilities.

Can I incentivize pentesters to find vulnerabilities throughout the pentest process?

Pentester compensation is fixed for each engagement to allow for a predictable total cost. If your priority is finding vulnerabilities and incentivizing testers to do so, we'd recommend looking into our bug bounty products.

Can pentesters test for apps that require specialization?

It depends on the specialization you're looking for. We have pentesters with experience in web, mobile, API, and external network/infra testing. As part of the pentest process, we ask customers to go through a scoping questionnaire to help inform our team on specific testing requirements.

We want to avoid the possibility of finding a high number of vulnerabilities that could cause our bounty pool to balloon. What can we do to avoid that?

The HackerOne Pentest is set at a fixed cost. Given there are no bounties, and pentesters are compensated for their effort and time, the total cost is 100% fixed and predictable.

Is retesting included? How much is it to add?

There is a 60-day window to initiate two retests per report at no additional cost. Retesting is handled by the pentest team to ensure accuracy and consistency.

Are these pentests conducted by HackerOne staff or are they crowdsourced?

Pentesters are not HackerOne employees. Tests are conducted by our community. We have identified in our community those with existing professional pentesting experience.

We're looking for something that indicates that we had the assessment done and the application status at the end of the assessment retest period, without the details for issues that were identified and corrected. Can you produce an abridged version with that information?

Yes, we offer a letter of attestation for our pentest assessments.

I'm frustrated with traditional pentest firms including out-of-scope or insignificant vulnerabilities in reports. We have to explain these to customers and leadership all the time. Will the HackerOne pentest be different?

Pentesters look for coverage of the scope rather than just focusing on impactful vulnerabilities as in a bug bounty program. Pentest best practices call for low and informative vulnerabilities to be reported. OWASP guidelines are followed by pentesters in web and mobile applications.
HackerOne's bug bounty offerings may be more suitable for you if your priority is to find the most impactful and critical bugs.

Did this answer your question?