Authenticated Testing

  • HackerOne recommends providing credentials and contextual information to hackers wherever possible
    • HackerOne recommends offering elevated rewards for unauthenticated vulnerability findings
  • The HackerOne platform includes a secure credential management feature that allows customers to quickly upload multiple sets of credentials
    • Includes the ability to provision multiple roles
      • Essential for testing privilege escalation (PrivEsc), insecure direct object references (IDOR), broken authentication, data segregation between accounts and tenants, etc.
    • Hackers can claim credentials in the platform and immediately proceed with testing

Enabling Unauthenticated Testing

  • Many HackerOne programs are interested in finding unauthenticated vulnerabilities as they can be exceptionally severe
  • HackerOne recommends specifying an elevated reward level for unauthenticated vulnerabilities within either the bounty table or the policy
    • Be sure to provide clarity in your policy on what unauthenticated vulnerabilities are eligible for the elevated reward level