Scoping Considerations
HackerOne programs perform testing in all different environments. What factors go into deciding which environment or assets are a good fit for the hacker-powered approach? What kinds of "blockers" have the potential to reduce hacker engagement?
Below are some considerations that can help enable testing on more difficult assets.
Hacker Access
Is the environment publicly accessible?
Do any self-service sign-up flows require personally identifiable information (PII) from hackers?
Are there geo-restrictions or SMS-based 2FA requirements in the application to consider?
Feature Coverage
Is a non-prod environment an accurate representation of production?
Is test data representative of production?
Are any features that should be tested inaccessible to hackers?
Do any features require hackers to spend real money? Could this be avoided or reimbursed?
Does the environment contain sensitive information such as PII or PHI that a hacker could potentially stumble onto?
Could hacker testing possibly interfere with other types of testing or activity in the environment?