Glossary of commonly-used terms on HackerOne's platform

Updated over a week ago


Attack surfaces that hackers can hack on. There are different types such as CIDR, Domain, Source code, Executable, Hardware/loT, iOS: .ipa.

A collection of assets creates a scope.


A financial reward offered in exchange for a valid vulnerability report.

Bounty Table

A bounty table illustrates how much an organization is willing to pay for various bugs, helps set expectations for hackers, and gives the bug bounty team a guideline to ensure fair and consistent reward amounts.

Bug Bounty Program

A bug bounty offers monetary incentives for vulnerabilities and invites submissions from hackers.


Common Vulnerability Scoring System (CVSS) is the framework HackerOne utilizes to assign a severity rating to a vulnerability.


Common Weakness Enumeration (CWE) is the framework HackerOne utilizes to assign a weakness to a vulnerability.

Common Response

A saved response or template that can be applied repeatedly to reports.


The HackerOne directory is a community-curated resource for contacting an organization regarding a security vulnerability.


Someone who’s able to find vulnerabilities in information-related systems. One who enjoys the intellectual challenge of creatively overcoming limitations (Jargon File 4.4.7).


Hacktivity is the public community feed that showcases hacker activity on HackerOne.

ISO 29147

An international standard describing vulnerability coordination.

ISO 30111

An international standard describing vulnerability handling processes.


Average reputation gained per bounty.


External applications being connected and functioning in HackerOne.


Short for penetration test. It's a type of test where authorized hackers broadly test the attack surface of an application and determine whether they can find vulnerabilities in them. At HackerOne, pentests are completed by following a structured testing methodology that involves checklists that incorporate the OWASP Top 10 vulnerabilities.


A submission from a hacker that describes a potential security vulnerability.


Reputation measures how likely a hacker’s finding is to be immediately relevant and actionable.


A collection of assets that hackers are to hack on. It’s the structured data that represents the attack surface that’s included or explicitly excluded in an organization’s vulnerability disclosure or bug bounty program.


Average reputation gained per report.


Weakness of software, hardware, or online service that can be exploited.

Vulnerability Disclosure

The process by which an organization receives and disseminates information about vulnerabilities in their products or online services.

ISO 29147 definition: Process through which vendors and vulnerability finders may work cooperatively in finding solutions that reduce the risks associated with a vulnerability. It encompasses actions such as reporting, coordinating, and publishing information about a vulnerability and its resolution.


An aspect of an application that could lead to a vulnerability, but may not be exploitable in and of itself.

Did this answer your question?