Spot Checks

Organizations: Bite-sized engagements you can run on BBPs or Challenges


Note: This feature is currently in Beta. Please reach out to your CSM if you’d like to participate.

Overview

Spot checks are bite-sized engagements that target a specific feature or vulnerability in your assets. You can run spot checks on Challenges or Bug Bounty programs.

Use Cases

Spot check objectives include:

  • Delta testing of new features or endpoints. Validate new features and endpoints as part of your SDLC.

  • Targeted testing. Confirm testing coverage by targeting a specific part of your attack surface.

  • Check a weakness. See if your attack surface is exploitable by a specific Weakness.

  • AI Red Teaming. Test new AI functions and features for safety or security concerns.

How can I create a spot check?

Go to the Engagement page and click the Spot Checks tab for your overview. You need program management permission to create a spot check.

Start the spot check creation flow by clicking Create spot check. This will guide you through the steps to set up a spot check.

Name: Choose a recognizable name for your spot check.

Program: Select the program you want to run the spot check on.

Objective: Select the objective for the spot check. For example, you can test a newly released feature or check your assets for a particular weakness.

Asset/Weakness: Choose the asset or weakness you’d like hackers to focus on.

Instructions: Write clear instructions for the hackers performing the spot check. Good instructions include:

  • A description of the feature/asset/weakness hackers will focus on.

  • How hackers can access the target of the spot check.

  • Any specific areas hackers should prioritize.

Amount of hackers: Choose the number of hackers you want to perform the Spot Check (between 1 and 5).

Self-select or top hackers: Choose if you’d like to self-select the hackers invited to the spot check or if HackerOne will find reputable hackers for you.

Start date: The date we’ll aim to start the spot check.

Size: Pick a size for the spot check (small, medium, or large). You can select a budget of $500, $1000, or $1500 per hacker. This means hackers will spend around 3-5, 8-10, or 12-15 hours, respectively, on the spot check.

After filling in these details, make sure everything is in order on the summary page. If all details are correct, click Run spot check to schedule it. The information provided cannot be updated after you submit the spot check. HackerOne will verify the details and start the spot check when it's ready.

What information can I find on the spot checks engagement tab?

You can find an overview of your spot checks on the spot checks engagement tab.

Spot checks have the following states:

  • Pending: Being reviewed by HackerOne.

  • Running: Hackers are invited, and we are waiting for their write-ups.

  • Completed: All write-ups are submitted and reviewed.

The overview page shows how many hackers have already submitted results and how many still need to. You can also view the details of each spot check by clicking on the respective row to open a new window with all relevant information.

You can view all hacker reports under the Submissions tab. Click on a row to see the full submission.

What happens when the spot check starts?

The first hackers will be invited to join as soon as the spot check starts. When manually selecting hackers, they will be invited at the start of the spot check. If no specific hackers are chosen, HackerOne will search for suitable candidates based on the spot check's criteria. A new group of hackers will be invited every 12 hours until the spot check is filled, with priority given to those with higher reputations.

When a hacker is invited to a spot check, they'll receive an email notification and see the invitation reflected on their HackerOne Dashboard. From there, they can accept or decline the invitation. If they accept, they'll have 7 days to complete the spot check and submit their write-up.

You can track the submissions you have received on the Spot checks tab. When a hacker has submitted a spot check write-up, you can find it under Submissions.

After hackers have submitted their write-up, it can be reviewed. Confirm hackers have supplied sufficient information on used methodologies, tooling, and findings and have linked any submitted vulnerability reports to the write-up. If you are satisfied with the contents of the write-up, you can click on the Pay hacker button at the bottom of the page. Spot checks are pay-for-effort, so hackers should be awarded even if no valid vulnerabilities are found. If you feel the write-up is lacking or insufficient evidence has been provided, please contact your CSM.

FAQ

Q: How much time will hackers spend on my spot check?

A: You can select a budget of $500, $1000, or $1500 per hacker. This means hackers will spend around 3-5, 8-10, or 12-15 hours, respectively, on the spot check.

Q: How many hackers are participating in a spot check?

A: You can self-select the number of hackers performing the work. You have an option to select between 1 and 5 hackers.

Q: Can I self-select the hackers that are participating?

A: Yes, you can select between 1 and 5 hackers.

Q: Do hackers get bounties during a spot check?

A: Yes, hackers will link any vulnerability reports to the spot check write-up. Hackers should be awarded for any valid vulnerability found during the spot check.

Q: How many assets can I put in scope for a spot check?

A: Spot checks are designed to be small, bite-sized tasks. Each spot check can only contain one asset at a time. If you want to test multiple assets, you can create multiple spot checks.
