Hai - AI Copilot

Customers: Hai - Your intelligent co-pilot within HackerOne


Overview

Streamline and enhance your vulnerability management process with HackerOne’s GenAI Copilot, Hai. By integrating AI capabilities directly into our platform, Hai enhances security processes for organizations facing ever-changing cyber threats.

Hai provides deeper insights into vulnerability reports, enhancing understanding and enabling faster remediation. It effortlessly translates natural language into precise queries, enriches vulnerability reports with relevant context, and generates insightful recommendations using platform data.

Key Benefits

Strengthen Understanding

Hai decodes complex reports, providing concise summaries and detailed visual analyses, fast-tracking your team's understanding and response capabilities.

Improve Communication

Hai acts as a communication bridge, clarifying technical details and remediation steps, enabling seamless collaboration between security, development teams, and hackers.

Accelerate Remediation

Hai streamlines find-to-fix cycles with targeted insights and personalized advice, optimizing remediation and harnessing unique business knowledge for faster, smarter action.

Streamline your SDLC

Hai elevates your SDLC, offering custom vulnerability scanner templates, API integrations, and dynamic automation for faster, smarter security processes.

AI-Powered Program Insights

Hai captures unique and valuable insights with broad context across all programs in an organization.

How it Works

Hai is embedded in the HackerOne platform and can be used on any report you have access to. Hai functions as a copilot to your workflow and aims to improve your efficiency on the platform. Interacting with Hai works like other GenAI tools: once you ask a question or send a prompt, Hai processes your input within our infrastructure and generates a response.

On-Demand Assistance

Navigating and interpreting complex security reports is time-consuming, often delaying critical response actions and team decision-making.

Whether faced with intricate reports, complex proofs of concept, or technical details, Hai provides easily understandable explanations of vulnerabilities.

For example, you can ask Hai for help with:

  • Report summarization

  • Remediation advice

  • Content generation (comments/acknowledgments)

Use the Hai icon on the top menu to toggle Hai's chat interface; alternatively, you can click on any of the platform's use case-specific buttons, which will let you interact directly with Hai on a specific use case (such as summarizing vulnerabilities or generating remediation advice).

Opening the Hai sidebar from the top navigation:

Example of a use case-specific action:

Hai opened on a vulnerability report:

Tailored Advice

Hai features ready-made prompt suggestions, offering immediate insights and a starting point for further queries. Currently, the suggestions include the following prompts:

  • Summarize report - Summarize the submitted report with the most relevant information

  • Suggested titles - Suggest alternative titles for the report

  • Scope exclusion - Check whether the reported asset is in scope or not

  • Reapply submission template - Reformat the vulnerability report using your submission template

  • Generate Nuclei template - Generate a Nuclei template for the vulnerability report

  • Remediation advice - Get advice on how to fix the vulnerability

  • Suggested CWE IDs - Suggest the most likely CWE IDs based on the report content

  • Acknowledge report - Write an acknowledgment to the hacker

  • Catch up on report - Catch up on the report and the subsequent activities

Click on each prompt for more detailed information or to ask follow-up questions. Start a new conversation from the top to bring up the prompt suggestions.

After each question, Hai analyzes its response and suggests follow-up questions based on the conversation. Suggestions can be found at the bottom of the conversation, and clicking on a suggestion will automatically continue the conversation and generate a response.

Attachment Analysis

Manually analyzing visuals in reports and proofs of concept can miss important details that are essential for accurate vulnerability assessment and remediation planning.

Hai supports images so you can better understand the visuals in vulnerability reports and proofs of concept.

  • Get concise explanations of what's depicted in images.

  • Ask Hai to pull specific information from visuals, such as HTTP requests or response IDs.

  • Have Hai convert information from images into usable formats, e.g., cURL commands.

Hai image analysis results

Writing Assistance

Poor communication between security teams, developers, and hackers post-triage makes vulnerability remediation less efficient.

Hai crafts clear and concise messages to hackers, improving communication and collaboration across language barriers. It also enhances collaboration between security and development teams, promoting a more integrated security approach.

Hai writing assistance results

Hai Program Insights

Use Hai Insights to inform strategic action against vulnerability trends forming across all your HackerOne programs, complete with graphs and charts. Surface the most prevalent vulnerabilities found across valid reports to identify areas for targeted remediation.

Each analysis includes:

  1. Clear data visualizations

  2. Key insights and patterns identified

  3. Calculation methodology for transparency

  4. Detailed explanations of findings

  5. Suggested follow-up analyses

Example of visualizations with insights.

Hai automatically selects the most appropriate visualization type for your data:

  • Single metrics for direct comparisons

  • Bar charts for categorical data

  • Line charts for trends over time

  • Pie charts for proportional analysis

You can also ask Hai to change the format if you need something different.

Hai Plays

Hai Plays provides practical solutions to streamline essential tasks. It supports everything from creating clear, concise vulnerability briefs for C-suite executives to assessing the likelihood of uncovering specific vulnerabilities during a pentest, helping teams focus their efforts where it matters most.

Why You'll Love Hai Plays:

  • Custom Instructions: Customize plays with specific instructions to meet your unique needs and workflow.

  • Domain Knowledge: Teach Hai your organization's specific domain knowledge to create fully personalized interactions.

  • Efficiency: Enjoy seamless integration of your tech stack, tone of voice, and critical business details. Hai Plays remember this data and automatically incorporate it into each prompt.

FAQ

For an overview of the HackerOne approach to AI, please visit our Responsible AI blog.

For this Hai FAQ, we will refer to the content that the AI generates in our services as “Output.” This FAQ is limited to the AI architecture of Hai, HackerOne’s copilot that offers generative AI capabilities to its users.

Hai is a virtual generative AI assistant that enhances the user experience by offering proactive suggestions and an open-ended chat interface to ask questions. Typical use cases include getting tailored vulnerability advice, automating vulnerability detection, summarizing reports, suggesting report responses, and improving text readability.

How does HackerOne use AI in Hai for customers?

Hai leverages generative AI. It uses a Large Language Model (LLM) from the Anthropic Claude family in conjunction with vector embedding models from the Amazon AWS Titan family. These models are hosted within HackerOne’s own infrastructure.

How is my (vulnerability) data being used?

Your data is currently not used to train or fine-tune LLMs or vector embedding models used for Hai.

We use third-party pre-trained LLMs hosted within HackerOne’s infrastructure. To optimize security and privacy protocols, we use models (e.g., Anthropic and Amazon Titan) deployed within HackerOne’s own AWS infrastructure through AWS Bedrock. We use industry-standard methods such as prompt engineering, tool use, and Retrieval-Augmented Generation (RAG) to provide your data to the models at inference time, making these models stateless so that they do not retain any of your sensitive or confidential information.

How does Hai work?

Hai is embedded in the HackerOne platform. Any question you ask Hai first goes through a preprocessing step that extracts heuristics and semantic relevance to other platform information before anything is sent to the LLM. The system then uses that information to retrieve the data it needs through the HackerOne GraphQL API. This architecture was chosen to ensure that Hai does not circumvent existing access controls in the platform: Hai only builds a prompt for the LLM once it has retrieved the information required to generate a response. It processes your input solely within HackerOne's infrastructure and returns a response.

If we use Hai, will my customer data be shared with third parties?

No, your information remains within HackerOne’s infrastructure, and using Hai does not disclose confidential or proprietary information to unauthorized third parties.

How are you ensuring customer data, particularly vulnerability data, stays safe when using Hai?

We have designed Hai to ensure your data stays in your control and never leaves HackerOne without your consent. HackerOne is ISO 27001, SOC 2 and FedRAMP certified as well as GDPR compliant, and Hai is subject to all of our existing security and compliance protocols.

The Hai architecture leverages existing HackerOne APIs to ensure it respects existing access controls within the platform. APIs are used within the context of the user who asked Hai a question. This means that information the user has access to in the platform may be sent to Hai at inference time to generate a response.

Although our approach to security and AI is no different from how we approach any data on our platform, we understand that there is currently a spotlight on AI and that you may have additional questions. If you have any further questions, we would be happy to discuss them in more detail. For additional information, you can also read more about HackerOne's published approach to security.
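The retrieval-in-user-context pattern the two answers above describe (fetch through the platform API as the asking user, then build the prompt only from what that retrieval returned), as an added Python illustration that is not HackerOne's code; the report data, `api_get_report`, and the `#id` reference heuristic are constructed stand-ins:

```python
from dataclasses import dataclass, field
from typing import List, Optional

@dataclass(frozen=True)
class Report:
    report_id: int
    program: str
    title: str
    body: str

@dataclass
class User:
    name: str
    programs: set = field(default_factory=set)  # programs this user may read

# Constructed sample data standing in for platform reports (not real reports).
REPORTS = [
    Report(1, "acme", "Stored XSS in profile bio", "Payload persists in the bio field."),
    Report(2, "acme", "IDOR on invoice download", "Invoice IDs are sequential."),
    Report(3, "globex", "SSRF in webhook tester", "Internal endpoint is reachable."),
]

class AccessDenied(Exception):
    pass

def api_get_report(user: User, report_id: int) -> Report:
    """Hypothetical API call made in the asking user's context: the platform's
    own access check applies, so the copilot gains no extra rights."""
    for r in REPORTS:
        if r.report_id == report_id:
            if r.program not in user.programs:
                raise AccessDenied(f"{user.name} may not read report {report_id}")
            return r
    raise KeyError(report_id)

def extract_report_ids(question: str) -> List[int]:
    """Heuristic step: pull '#123'-style report references out of the question."""
    return [int(t[1:]) for t in question.split() if t.startswith("#") and t[1:].isdigit()]

def build_prompt(user: User, question: str) -> Optional[str]:
    """Build the prompt only from what user-scoped retrieval returned; None if nothing."""
    retrieved = []
    for rid in extract_report_ids(question):
        try:
            retrieved.append(api_get_report(user, rid))
        except (AccessDenied, KeyError):
            continue  # skip; never fall back to a privileged fetch
    if not retrieved:
        return None
    context = "\n".join(f"[#{r.report_id}] {r.title}: {r.body}" for r in retrieved)
    return f"Context:\n{context}\n\nQuestion: {question}"
```

Because the access check lives in the retrieval call rather than in the prompt, a question that names a report outside the user's programs yields no context for it, and a question that retrieves nothing never reaches the model at all.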

Who owns the data after it is inputted into Hai?

Data that a customer owns and makes available to HackerOne for the purposes of the Services will remain the customer's property. HackerOne remains the owner of the intellectual property within its services.

The customer always remains the owner of the customer data input, and HackerOne remains the owner of its services and any HackerOne material that might be included in the service's output. HackerOne then grants the customer a commercial license to access, use, and reproduce any such HackerOne property included in the output.

How does data storage/retention work for information input into Hai?

Information or customer data input into Hai is stored/retained the same way as other data supplied by the customer for HackerOne services. It is subject to our terms and conditions, privacy policy, and internal data retention policies, among other policies and procedures we have in place to safeguard customer information and data.

Questions and answers are only stored on the platform as part of Hai functionality to surface historical conversations. This allows users with appropriate permissions to access historical conversations from their program on the platform to read back and use the data.

Can I turn Hai off for my employees?

Hai is turned on by default. Organization admins can toggle Hai's availability from Organization Settings > Hai. When disabled, your employees will not be able to use Hai.
