Authenticated Testing

• HackerOne recommends providing credentials and contextual information to hackers wherever possible
  • HackerOne recommends offering elevated rewards for unauthenticated vulnerability findings
• The HackerOne platform includes a secure credential management feature that allows customers to quickly upload multiple sets of credentials
  • Includes the ability to provision multiple roles
    • Essential for PrivEsc, IDOR, broken authentication, data segregation testing, etc.
  • Hackers can claim credentials in the platform and immediately proceed with testing

Enabling Unauthenticated Testing

• Many HackerOne programs are interested in finding unauthenticated vulnerabilities as they can be exceptionally severe
• HackerOne recommends specifying an elevated reward level for unauthenticated vulnerabilities within either the bounty table or the policy
  • Be sure to provide clarity in your policy on what unauthenticated vulnerabilities are eligible for the elevated reward level