Traffic Identification

There are several ways to identify hacker testing traffic at various layers for testing/feature enablement or testing control & monitoring.

Application Layer: User Allowlisting

HackerOne provides each hacker with a forwarding email address
- This email can be helpful in identifying hacker testing accounts for allowlisting within the application itself

Session Layer: HTTP Headers

Researchers may add headers to requests such as: “X-HackerOne-Research: [H1 username]”

Network Layer: IP Allowlisting

HackerOne Gateway
- Hacker traffic will come from a known CIDR block
- Hacker VPN traffic can be analyzed for insight into asset testing coverage
Personal IP Check-in
- Limited to the H1 Pentest product. Used in lieu of Gateway

"Human Layer": Hacker Vetting & Communication

HackerOne Clear researchers
Custom alert process for each program
- email, phone, Slack, Teams, PagerDuty, and others
- HackerOne API

On this page

Application Layer: User Allowlisting
Session Layer: HTTP Headers
Network Layer: IP Allowlisting
"Human Layer": Hacker Vetting & Communication