Credential Management (beta)
The Credential Management feature enables you to easily share access credentials with hackers so that you don't have to constantly create sign in credentials for each new hacker that participates in your program. This also enables participating hackers to quickly retrieve the credentials needed to find vulnerabilities in your program.
This feature is currently in beta and only available to select programs.
To set up Credential Management for your program:
- Go to Settings > General > Credential Management.
- Click Import Credentials.
- Upload the CSV file of credentials that you want to share. The CSV file supports a set of headers and values where each row is a set of credentials that can be claimed by a hacker.
- Click Submit.
Your uploaded credentials will populate under the Credentials section where you can see which credentials have or haven’t been claimed. Claimed credentials will also display the username of the hacker under the Claimed by column.
If a hacker has violated your policy or HackerOne’s code of conduct, you can revoke the credential rights of a hacker by clicking Revoke next to the username of the hacker. You'll also need to invalidate the account on your own platform to prevent the hacker from logging in.
The username of the account the hacker created using the provided credentials will display on the submitted report under the Account details used section.
How It Works
Once you’ve set up credential management, hackers participating in your program will be able to retrieve their credentials by clicking the Show Credentials button on your security page.
The Credentials window will then display with instructions where the hacker can claim one of the credentials you’ve provided. They’ll be prompted to enter the username of the account they created using the credentials provided.