All Collections
April 2024 Changelog
April 2024 Changelog

A full collection of changes released during the month of April

Updated over a week ago

Self-Service Clear Criminal Background Checks

We are excited to announce the general availability of self-service Clear criminal background checks! This update completes the Clear onboarding process, allowing all eligible Hackers to become Clear through our platform.

Key improvements:

  • Faster and more user-friendly experience: We've integrated Checkr, a new background check vendor known for their speed and user-friendly approach. Some results are now returned within hours.

  • Simplified onboarding flow: The entire ID verification and Clear onboarding process is now self-service with a streamlined flow.

How to become a Clear hacker:

  1. Navigate to User Profile -> ID Verification & Background Check.

  2. Entry requirements:

    • Have submitted a valid report or new Pentester application.

    • Meet all performance criteria (lifetime, signal, impact, bounty).

    • Are requested by a customer.

    • Are applying to be a Pentester.

  3. Actions to complete:

    • Complete the Clear Rules of Engagement agreement.

    • Pass an ID verification check via Veriff.

    • Pass a criminal background check (looking back 7 years) via Checkr.

Additional Notes:

  • In addition to Clear, there's an optional Citizenship/Residency vetting level for programs requiring it.

  • The criminal background check renewal process is now automated as well. Hackers will be contacted 3 months before their check expires to ensure timely renewal.

We expect self-service Clear background checks to significantly improve the Hacker experience and streamline the Clear program management for the HackerOne team.

For detailed instructions on ID verification and Clear onboarding, please see the Background Check article.

Spot Checks - Open Beta

Spot Checks are now available in open beta for all Bounty and Challenge customers!

What are Spot Checks?

Spot checks are focused, bite-sized hacker engagements designed to assess the security of a specific feature or vulnerability in your assets. These engagements deliver targeted results with detailed reports validating proof of coverage. They're an additive feature designed to enhance your existing workflow.

Benefits of Spot Checks:

  • Assess the security of specific assets.

  • Validate security controls.

  • Uncover hidden weaknesses and CVEs.

Use Cases for Spot Checks:

  • Delta testing new features or endpoints.

  • AI Red Teaming.

  • Proof of testing.

  • Specific CWE/vulnerability class testing.

  • CVE exposure validation.

Pentester Skills

Pentester Skills is now available to all users and pentests! This update consolidates skill information across hackers and pentesters, creating a single source of truth. By incorporating proficiency information into the sourcing step, we can build better pentest teams with complementary skill sets. Additionally, this update empowers pentesters to make informed choices when applying for opportunities.

Improved Pentester Report Writing with Generative AI (Experimental)

We're introducing an experimental feature: Hai-powered Pentester Writing Guidance! This feature leverages Hai, our generative AI LLM, to assist pentesters in writing more professional and concise vulnerability reports.

Benefits of Hai-Powered Rewriting

  • Improved Clarity and Conciseness: Hai helps remove jargon and redundancies, making reports easier for customers to understand.

  • Enhanced Consistency: Generative AI ensures consistent formatting and terminology across reports.

  • Reduced Writing Time: Pentesters can focus on complex tasks by automating some writing processes.

  • Reduced TEM Review Time: Less time is spent reviewing reports for grammar and formatting.

How to Use Hai-powered Rewriting

  1. Create a draft vulnerability report.

  2. In Step 5: Proof of Concept, describe the vulnerability.

  3. Click the Rewrite with Hai button.

  4. Review and accept Hai's suggestions as needed.

Rewrite with Hai button on report

Streamlined Triage Communication for Customers

We've changed how customers notify our triage team about reports. Previously, any report update automatically triggered a notification. To streamline communication and improve efficiency, customers must now explicitly loop in HackerOne triage.

How to Notify Triage:

  • Assign the report to H1 Triage.

  • @-mention the H1 Triage group in a comment.

  • @-mention any HackerOne analyst in a comment.

This change allows the triage team to focus on relevant issues and resolve reports more effectively. We've observed a significant reduction in manual dismissals since implementing this update in beta.

Mention Triage to assign the report

Mediations Analytics

Mediations Analytics is now available to all customers! This feature provides a dashboard view of mediation data, including:

  • Open cases

  • Mediation by type and state

  • Top requesters of mediation

How to Access Mediations Analytics

  1. Click Analytics in the primary navigation.

  2. Select Mediations in the secondary navigation.

Additional Notes:

  • You can apply filters and save them as segments for easy access to specific data.

Improved Asset Scoping with Attachments

We're excited to announce the general availability of Scope Attachments! This feature allows customers to enhance their asset scopes by adding relevant attachments.

Benefits of Scope Attachments:

  • Provide additional context: Customers can include documentation, images, or other files to assist hackers in understanding specific assets.

  • Streamlined access: Attachments are readily available for download on the policy scopes page, listed under the associated asset.

How to Add Scope Attachments:

  1. Navigate to the "Programs" tab.

  2. Select the desired asset from either Asset Inventory or Program Scope settings.

  3. Upload your attachments.

  4. Uploaded files will be displayed under the corresponding asset in the policy scopes page.

Streamlined Code Security Audit (CSA) Scoping

We're happy to announce the general availability of Scoping Form for Code Security Audit (CSA)! This feature empowers both existing and prospective customers to scope a Code Security Audit directly on the HackerOne platform.

Benefits of CSA Scoping Form:

  • Seamless customer experience: Simplifies the CSA workflow within the PTaaS offering.

  • Enhanced sales and delivery: Enables Sales Engineers and Technical Engagement Managers to collaborate more effectively during pre-sales and post-sales processes.

  • Automated provisioning: CSA programs are automatically provisioned based on the completed scoping form, ensuring a smoother delivery experience.

Code security audit scoping screen 1

Code security audit scoping screen 2

Increased Visibility with Triage Summaries

(Managed Customers)

We're committed to improving communication and clarity for our managed customers. In that spirit, we're making Triage Summaries more readily available. Previously, 37% of managed customers utilizing triage weren't leveraging Triage Summaries. Instead, they relied on comments for refined report versions. To standardize workflows and enhance efficiency, Triage Summaries are now readily available in their designated field for all managed customers!

What are Triage Summaries?

Our triage team offers summaries that condense reports into concise, understandable summaries of their impact. These summaries reside within a dedicated field on the platform.

Did this answer your question?