All Collections
October 2023 Changelog
October 2023 Changelog

A full collection of changes released during the month of October

Updated over a week ago

Custom Inboxes

General Availability for Enterprise Customers

Customers are now able to segment reports by teams, business units, and/or assets with the use of Custom Inboxes! Organizational administrators can create up to 300 collections of reports supporting customers' organizational structure and workflow needs.

Furthermore, we will be introducing Inbox API to allow our customers to automate report allocation from an engagement inbox to a custom inbox of their choosing.

How to use it: Request access from your HackerOne CSM, then head over to Organization Settings > Inboxes to create a new Custom Inbox.

Hacktivity Revamp

Increased searching and filtering capabilities take Hacktivity to the next level.

  • Enhanced search capabilities: filter by reporter, program, report states, disclosed dates, and much more;

  • Enormous performance improvements and more stability.

  • Go beyond by writing your own custom Elasticsearch queries to find the exact items you want

Reminders On "Needs More Info" Reports

When a report is in a "Needs more info" state for longer than 30 days without a response from the hacker, it's automatically closed. It is beneficial for both hacker and customer and generally a good practice to follow up on these reports before they are auto-closed. Doing this manually would be a huge undertaking, and hard to track.

Now, for reports in the "Needs more info" state, an automatic reminder will be posted every 7 days reminding the hacker the report is waiting for their input.

IDv/Clear In-Platform Click-Thru Rules of Engagement

We expect IDv/Clear In-Platform Click-Thru Rules of Engagement to help Hackers by simplifying their onboarding process.

Quality of Life Improvement: System Triggers

System triggers can only be turned on and off from the program settings, but not edited. Each program can still create and edit their own custom triggers, in a separate tab. Next to it, we're releasing some internal changes to expand the functionality and increase the number of system triggers.

Our goal is to reduce the noise from non-interesting reports and automate parts of the response process that should become easier and faster (fewer of these reports, and handled faster).

Quality of Life Improvement: Pentest Scoping Questionnaire

The pentest scoping questionnaire now contains a direct link to "View all HackerOne Pentest methodologies."

Prospects and customers can view a PDF of available H1P Methodologies as they scope their pentest. The document showcases the methodologies HackerOne pentesters follow throughout the pentest and demonstrates how HackerOne assesses the effort required to perform the engagements.

Exploit Prediction Scoring System (EPSS)

Exploit Prediction Scoring System (EPSS) is a new industry standard that provides a live measure of exploitability for any given CVE. Similar to CVSS, EPSS is published by An EPSS score estimates the probability of observing in-the-wild exploitation attempts against that vulnerability in the next 30 days. This new feature integrates EPSS into the existing CVE Discovery page. Additionally, when viewing a CVE anywhere on the platform, you can see the most recent EPSS score.

Customers can now combine well-known CVSS ratings with EPSS and HackerOne’s platform intelligence, gaining a significant information advantage in the remediation of CVEs. This advantage allows enterprises to prioritize remediation efforts more effectively and establish risk-aligned remediation SLAs.

Quality of Life Improvement: Analytics Dashboard

Persistent Date and Interval Selections

Date and interval selections will stay as they are while navigating between dashboards without resetting them.

We've also updated chart language, added tooltips, and reconfigured some visualizations to help you better understand your data.

Remove Hackers without Banning

Available to all Private Bug Bounty programs and Private VDPs

This feature allows customers to self-service and fully manage (invite and remove) hackers from a single place. Customers using this feature will be able to remove hackers without banning them. This will leave the door open for them to rejoin in the future.

For hackers, this feature makes sure that you're informed about why the program decided to take such action, reducing friction and transparency.

To use the Remove Hacker feature:

  1. Go to Program Settings and select the Invitations option on the side menu

  2. Under the Hackers in your program section, click on the Delete icon next to the hacker's name

  3. Select a reason or type your own

  4. Click the remove button

Bounty Competitiveness

Using AI, we assess the researcher activity and report submissions from the previous 6 months as well as bounty amounts from other programs to calculate the competitiveness percentage. This provides guidance on the potential success of the bounty amount and attracts a wider pool of researchers.

How to use it: Program managers can view the competitiveness score next to the bounty tables view under Program and adjust the bounty amounts accordingly to boost the score.

bounty competitiveness

Date & Time Standards

We have unified the Date-time presentation across the platform after receiving feedback from our hackers and customers.

Report Collaborators via the Customer API

Report Collaborators via the Customer API helps customers who want to manage hacker contributions outside our platform, increasing the visibility of Hackers who worked together on a Report.

To use Report Collaborators via the Customer API, follow the API integration instructions defined on

Improved Leaderboards for Live Hacking Events (LHEs)

We introduced changes to the Live Hacking Event Leaderboards system to address concerns regarding calculation accuracy and fairness to collaborators. These changes currently impact LHEs, but will gradually be adopted platform-wide.

Hacker Quality of Life Improvements

  • Count duplicated reports as valid reports for hacker-matching

    • We started to count duplicated reports as valid reports, in which the original report has a “resolved/triaged/retesting” state.

  • Delay in typing minimum bounty amounts on Opportunity Discovery

    • Entering numbers, like '20,' used to have a delay issue where you had to wait a second before inputting the second digit. This is now resolved.

  • Collaboration Invitation stayed open after joining the report

    • We fixed an issue where collaboration invitations that could not be accepted because the collaborator had already joined the report.

  • Invitations expire while hackers are on vacation

    • We made a very quick and easy improvement here. Invitation links are available for 2 weeks now instead of 7 days.

Beta Features


Compliance supports customers in obtaining Hacker traffic data for their Gateway V2 program, aiding in incident investigation, providing evidence of hacker activity, and facilitating AI/ML projects. In this release, data access is limited to two forms:

  1. Download program traffic logs for a specific date instantly in a single NDJSON file (one date per request, but multiple requests allowed).

  2. Upon CSM request, set up near real-time (5-10 minutes) log push of NDJSON files to the customer's chosen cloud storage.

Note: Unlike V1, only traffic related to the customer's in-scope assets goes through the Gateway for Gateway V2 programs. Non-hacking-related traffic doesn't pass through the Gateway and is not captured."

Did this answer your question?