In a penetration test (pentest), authorized hackers broadly test the attack surface of an application and determine whether they can achieve specific goals by following a structured testing methodology (OWASP Top 10). HackerOne pentests are performed by select hackers with skills and experience from the HackerOne community that best match the applications in scope of the program.
Note: The pentester community is currently not open to all hackers and pentesters. Only a select few are invited to participate at this time.
Here are the steps outlining the HackerOne pentest process:
- Submit an application to participate in the pentest when you find a pentest that matches with your skillset.
- HackerOne reviews all applicants and forms the pentest team you’ll be working with. Teams are formed based on the skills required for the pentest, as well as on similar time zones and a common language, so that team members can work and communicate together effectively.
- The pentest will launch and the team will have 2 weeks to complete the pentest. Reports created during the pentest will be submitted using HackerOne.
- After testing has been completed, the lead pentester will draft and submit a summary report of their findings.
- Once the vulnerabilities have been remediated, the pentest team will retest the vulnerabilities to make sure they’re fixed.
Once you’ve been approved to be a part of the pentest community, you’ll be able to view and apply to different pentest opportunities. You need to apply to participate in each pentest because different pentests require different skill sets, and we want to make sure your experience best matches with the opportunity.
To find and apply for pentests:
- Go to the Directory.
- Select the Pentest tab to view what pentest opportunities are available. For each pentest, you can view:
  - Dates of the pentest
  - The payout range
  - The number of hours required to complete the pentest
- Click Submit 1-click application for the pentest you want to apply to.
- (Optional) Click the button again to revoke your application.
Note: Pentests don’t award bounties for any new vulnerabilities found through the pentest. Retests, however, are required for each vulnerability and are included in the financial rewards for the pentest.
After you apply, technical program managers will review your application for the pentest and place you on a pentesting team if your skills are a good fit for the program.
Each pentest is made up of different security checklists based on the OWASP Top 10 vulnerabilities. Each checklist consists of the top weaknesses that are to be tested.
When you’re ready to submit your findings on a weakness type:
- Go to Hacker Dashboard > My Pentests.
- Select the pentest you’re currently working on.
- Click on Scope.
- Select the security checklist for the asset you’re working on.
- Click on the weakness you want to submit findings for.
- Fill out these fields for the weakness type:
| Field | Description |
| --- | --- |
| Is this asset vulnerable to the described weakness type? | You can choose from: |
| Related vulnerability reports | Submit a vulnerability report for each discovery and provide the link to the report. This field is required if the asset is vulnerable to the weakness type. |
| Test method | Provide a summary of the testing process, or an explanation if this check is not applicable. This field is required if the asset is not vulnerable or the check is not applicable. |
- Click Save changes.
Pentest programs can require you to retest specific vulnerabilities after a fix has been applied, and each vulnerability can be retested up to 2 times.
At the end of the pentest, you'll have 30 days to rate and provide feedback about your pentest experience. You'll also be able to rate each of the pentesters you worked with and provide constructive feedback to help them improve their skills. The program and your fellow pentesters will also be able to provide feedback about working with you.
To view your feedback:
- Go to your profile's Settings > My Feedback.
- (Optional) Click the checkbox next to Show this blurb on my profile to publish your feedback on your public profile page.
Keep in mind that you'll only be able to see a review left by a fellow pentester if you've submitted a review for them. Additionally, reviews that are private can't be published to your hacker profile.