Pentest Overview

Learn how pentests work at HackerOne

Updated over a week ago

In a penetration test (pentest), authorized hackers broadly test the attack surface of an application and determine whether they can achieve specific goals by following a structured testing methodology (OWASP Top 10). HackerOne pentests are performed by select hackers with skills and experience from the HackerOne community that best match the applications in the scope of the program.

Note: The pentester community is currently not open to all hackers and pentesters. Only a select few are invited to participate at this time.

How it Works

Here are the steps outlining the HackerOne pentest process:

  1. Apply to be a pentester by submitting the pentest application.

  2. Review the different pentest opportunities that are available.

  3. Submit an application to participate in a specific pentest when you find one that matches with your skillset.

  4. HackerOne looks at all applicants and forms the pentest team you’ll be working with. Teams are formed based on skills required for the pentest as well as living in similar timezones and speaking a common language so that teams can best work and communicate together.

  5. The pentest will launch and the team will have 2 weeks to complete the pentest. Any reports created during the pentest will be submitted using HackerOne.

  6. After testing has been completed, the lead pentester will draft and submit a summary report of the team's findings.

  7. Once the vulnerabilities have been remediated, the pentest team will retest the vulnerabilities to make sure they’re fixed.

Applying for a Pentest

Once you’ve been approved to be a part of the pentest community, you’ll be able to view and apply to different pentest opportunities. You need to apply to participate in each pentest because different pentests require different skill sets, and we want to make sure your experience best matches the opportunity.

To find and apply for pentests:

  1. Go to the Directory.

  2. Select the Pentest tab to view what pentest opportunities are available. For each pentest, you can view:

    • Dates of the pentest

    • The payout range

    • The number of hours required to complete the pentest

  3. Click the View more and apply button for the pentest you're interested in.

  4. Click the Submit 1-click application to apply for the pentest.

  5. (Optional) Click the button again to revoke your application.

Note: Pentests don’t award bounties for any new vulnerabilities found through the pentest. Retests, however, are required for each vulnerability and are included in the financial rewards for the pentest.

After you apply, HackerOne's technical program managers will review your application for the pentest and place you on a pentesting team if your skills are a good fit for the program.

Submitting a Pentest Check

Each pentest is comprised of different security checklists that are based on the OWASP top 10 vulnerabilities. Each checklist consists of the top weaknesses that are to be tested.

When you’re ready to submit your findings on a weakness type:

  1. Go to Hacker Dashboard > My Pentests.

  2. Select the pentest you’re currently working on.

  3. Click on Scope.

  4. Select the security checklist for the asset you’re working on.

  5. Click on the weakness you want to submit findings for.

  6. Fill out these fields for the weakness type:

Field

Details

Is this asset vulnerable to the described weakness type?

You can choose from:

  1. Vulnerable

  2. Not vulnerable

  3. The described weakness type is not applicable to this asset.

Related vulnerability reports

Submit a vulnerability report for each discovery and provide the link to the report.
This field is required if the security issue is vulnerable.

Test method

Provide a summary of the testing process or an explanation if this check is not applicable.
This field is required if the security issue is not vulnerable or applicable.

7. Click Save changes.

Retesting

Pentest programs can require you to retest specific vulnerabilities after a fix has been applied, and each vulnerability can be retested up to 2 times.

Rating Pentests

At the end of the pentest, you'll have 30 days to rate and provide feedback about your pentest experience. You'll also be able to rate each of the pentesters you worked with and provide constructive feedback to help them improve in their skills. The program and your fellow pentesters will also have the ability to provide feedback regarding working with you.

To view your feedback:

  1. Go to your profile's Settings > My Feedback.

  2. (Optional) Click the checkbox next to Show this blurb on my profile to publish your feedback onto your public profile page.

Keep in mind that you'll only be able to see a review left by a fellow pentester if you've submitted a review for them. Additionally, reviews that are private can't be published to your hacker profile.

Did this answer your question?