Customers are now able to segment reports by teams, business units, and/or assets with the use of Custom Inboxes! Organizational administrators can create up to 300 collections of reports supporting customers' organizational structure and workflow needs.
Furthermore, we will be introducing an Inbox API to allow our customers to automate report allocation from an engagement inbox to a custom inbox of their choosing.
How to use it: Request access from your HackerOne CSM, then head over to Organization Settings > Inboxes to create a new Custom Inbox.
Increased searching and filtering capabilities take Hacktivity to the next level.
Enhanced search capabilities: filter by reporter, program, report states, disclosed dates, and much more.
Enormous performance improvements and more stability.
Go beyond by writing your own custom Elasticsearch queries to find the exact items you want.
Reminders On "Needs More Info" Reports
When a report is in a "Needs more info" state for longer than 30 days without a response from the hacker, it's automatically closed. It is beneficial for both hacker and customer and generally a good practice to follow up on these reports before they are auto-closed. Doing this manually would be a huge undertaking, and hard to track.
Now, for reports in the "Needs more info" state, an automatic reminder will be posted every 7 days reminding the hacker the report is waiting for their input.
IDv/Clear In-Platform Click-Thru Rules of Engagement
We expect IDv/Clear In-Platform Click-Thru Rules of Engagement to help Hackers by simplifying their onboarding process.
Quality of Life Improvement: System Triggers
System triggers can only be turned on and off from the program settings, but not edited. Each program can still create and edit its own custom triggers in a separate tab. Alongside this, we're releasing some internal changes to expand the functionality and increase the number of system triggers.
Our goal is to reduce the noise from low-value reports and automate parts of the response process, so that there are fewer of these reports and the remaining ones are handled faster.
Quality of Life Improvement: Pentest Scoping Questionnaire
The pentest scoping questionnaire now contains a direct link to "View all HackerOne Pentest methodologies."
Prospects and customers can view a PDF of available H1P Methodologies as they scope their pentest. The document showcases the methodologies HackerOne pentesters follow throughout the pentest and demonstrates how HackerOne assesses the effort required to perform the engagements.
Exploit Prediction Scoring System (EPSS)
Exploit Prediction Scoring System (EPSS) is a new industry standard that provides a live measure of exploitability for any given CVE. Similar to CVSS, EPSS is published by FIRST.org. An EPSS score estimates the probability of observing in-the-wild exploitation attempts against that vulnerability in the next 30 days. This new feature integrates EPSS into the existing CVE Discovery page. Additionally, when viewing a CVE anywhere on the platform, you can see the most recent EPSS score.
Customers can now combine well-known CVSS ratings with EPSS and HackerOne’s platform intelligence, gaining a significant information advantage in the remediation of CVEs. This advantage allows enterprises to prioritize remediation efforts more effectively and establish risk-aligned remediation SLAs.
Quality of Life Improvement: Analytics Dashboard
Persistent Date and Interval Selections
Date and interval selections will stay as they are while navigating between dashboards without resetting them.
We've also updated chart language, added tooltips, and reconfigured some visualizations to help you better understand your data.
Remove Hackers without Banning
This feature allows customers to self-service and fully manage (invite and remove) hackers from a single place. Customers using this feature will be able to remove hackers without banning them. This will leave the door open for them to rejoin in the future.
For hackers, this feature makes sure that you're informed about why the program decided to take such action, reducing friction and increasing transparency.
To use the Remove Hacker feature:
Go to Program Settings and select the Invitations option on the side menu
Under the Hackers in your program section, click on the Delete icon next to the hacker's name
Select a reason or type your own
Click the remove button
Using AI, we assess the researcher activity and report submissions from the previous 6 months as well as bounty amounts from other programs to calculate the competitiveness percentage. This provides guidance on the potential success of the bounty amount and attracts a wider pool of researchers.
How to use it: Program managers can view the competitiveness score next to the bounty tables view under Program and adjust the bounty amounts accordingly to boost the score.
Date & Time Standards
We have unified the Date-time presentation across the platform after receiving feedback from our hackers and customers.
Report Collaborators via the Customer API
Report Collaborators via the Customer API helps customers who want to manage hacker contributions outside our platform, increasing the visibility of Hackers who worked together on a Report.
To use Report Collaborators via the Customer API, follow the API integration instructions defined on https://api.hackerone.com/.
Improved Leaderboards for Live Hacking Events (LHEs)
We introduced changes to the Live Hacking Event Leaderboards system to address concerns regarding calculation accuracy and fairness to collaborators. These changes currently impact LHEs, but will gradually be adopted platform-wide.
Hacker Quality of Life Improvements
Count duplicated reports as valid reports for hacker-matching
We now count duplicate reports as valid reports for hacker matching when the original report is in a "resolved", "triaged", or "retesting" state.
Delay in typing minimum bounty amounts on Opportunity Discovery
Entering multi-digit numbers, such as '20', used to suffer from an input delay: you had to wait a second before typing the second digit. This is now resolved.
Collaboration Invitation stayed open after joining the report
We fixed an issue where collaboration invitations could not be accepted because the collaborator had already joined the report.
Invitations expire while hackers are on vacation
We made a very quick and easy improvement here. Invitation links are available for 2 weeks now instead of 7 days.
Program Feature Toggling Via Intercom Messages
What's it for? This feature allows users to enable and disable new features for their programs directly from Intercom messages. This will give us more flexibility to test out beta features with a broader group!
How to use it? You can opt in directly from the Intercom message (e.g. “Announcing Triage Scope Instructions”): scroll down until you see “Click here to opt in” and follow the prompt! PS: Users will have to type the program handle correctly, and it will take up to ten minutes to activate the feature.
Report Assignment Across Inboxes
When using custom inboxes, reports can now be assigned to any user who can view the report, not just members of the program the report was submitted to. Users can also assign reports directly from a custom inbox.
This means users can now use the assign-to functionality across their entire organization, allowing them to more effectively manage their workflows.
Compliance supports customers in obtaining Hacker traffic data for their Gateway V2 program, aiding in incident investigation, providing evidence of hacker activity, and facilitating AI/ML projects. In this release, data access is limited to two forms:
Download program traffic logs for a specific date instantly in a single NDJSON file (one date per request, but multiple requests allowed).
Upon CSM request, set up near real-time (5-10 minutes) log push of NDJSON files to the customer's chosen cloud storage.