Glossary

Asset

Attack surfaces that hackers can hack on. There are different types such as: CIDR, Domain, Source code, Executable, Hardware/loT, iOS: .ipa.

A collection of assets creates a scope.

Bounty

A financial reward offered in exchange for a valid vulnerability report.

Bounty Table

A bounty table illustrates how much an organization is willing to pay for various bugs, helps set expectations for hackers, and gives the bug bounty team a guideline to ensure fair and consistent reward amounts.

Bug Bounty Program

A bug bounty offers monetary incentives for vulnerabilities and invites submissions from hackers.

CVSS

Common Vulnerability Scoring System (CVSS) is the framework HackerOne utilizes to assign a severity rating to a vulnerability.

CWE

Common Weakness Enumeration (CWE) is the framework HackerOne utilizes to assign a weakness to a vulnerability.

Common Response

A saved response or template that can be applied repeatedly to reports.

Directory

The HackerOne directory is a community-curated resource for contacting an organization regarding a security vulnerability.

Hacker

Someone who’s able to find vulnerabilities in information-related systems. One who enjoys the intellectual challenge of creatively overcoming limitations (Jargon File 4.4.7).

Hacktivity

Hacktivity is the public community feed that showcases hacker activity on HackerOne.

ISO 29147

An international standard describing vulnerability coordination.

ISO 30111

An international standard describing vulnerability handling processes.

Impact

Average reputation gained per bounty.

Integration

External applications being connected and functioning in HackerOne.

Report

A submission from a hacker that describes a potential security vulnerability.

Reputation

Reputation measures how likely a hacker’s finding is to be immediately relevant and actionable.

Scope

A collection of assets that hackers are to hack on. It’s the structured data that represents the attack surface that’s included or explicitly excluded in an organization’s vulnerability disclosure or bug bounty program.

Signal

Average reputation gained per report.

Vulnerability

Weakness of software, hardware, or online service that can be exploited.

Vulnerability Disclosure

The process by which an organization receives and disseminates information about vulnerabilities in their products or online services.

ISO 29147 definition: Process through which vendors and vulnerability finders may work cooperatively in finding solutions that reduce the risks associated with a vulnerability. It encompasses actions such as reporting, coordinating, and publishing information about a vulnerability and its resolution.