HackerOne Blog

Read the news every day, and check the usual websites? Want to get your industry news and have a little humor dashed in? With Zero Daily you can have your cake and eat it too: we include links and brief sound bites on some of the top news in application security, bug bounty, and hacker topics but with a fun and non-markety flair.
Bounties are for hardware, too. Microwaves notwithstanding, there is an increasing amount of connected technology in our homes, cars, and workplaces. Unfortunately, each of them comes with more and more potential vulnerabilities.
It’s now possible to view updates on JIRA issues right inside your HackerOne Reports. The two-way integration means that whenever a JIRA issue changes state, an internal comment is posted on the appropriate HackerOne Report. No more going back and forth between JIRA and HackerOne!

Whether he’s uncovering weirdness in Uber’s app, sharing savvy how-to’s in his blog, or working out issues for AirBnB, Geekboy is hot like fire. He’s number three on our leaderboard and his signal rank is in the 90th percentile!

We caught up with Geekboy in Goa at Nullcon and here are some of his thoughts on cool bugs, Burp Suite and Bountycraft, among other things.
Last week, I attended the FinDEVr conference in New York City. The 2-day conference is focused on the technology aspect of fintech. Attendees ranged from financial institutions to data analytics startups coming from places like Canada, the U.K., and all across the U.S. At the conference, I gave a talk titled “Tapping Hackers for Continuous Security”. Here’s a recap of the topics I addressed.
Writing the Bug Bounty Field Manual was a herculean task. Just ask Adam Bacchus, the distinguished author of this manual. But as he’ll tell you, it was also an incredibly enjoyable piece to write.
Just a few short weeks ago, an elite group of hackers huddled in conference rooms in a San Francisco high-rise, spending a day hunting software bugs for Airbnb and Shopify. Down the hall, eager groups of students from middle school to college were on hand to interact, learn, and amplify their interest in security and technology at hacking 101 workshops put on by elite hackers.
HackerOne updated their vulnerability taxonomy to include a more complete weakness suite based on the industry-standard Common Weakness Enumeration (CWE).
Our friends at Intel have an exciting announcement! Their bug bounty program is live.
Around the world in seven days! My name’s Adam Bacchus, Chief Bounty Officer of HackerOne, and I’m here to tell you about the adventures I had in India this March presenting at Nullcon, Bounty Craft on “Bug Bounty Reports - How Do They Work?”.
What were you doing when you were 13 years old? Doubtful you were a recognized Microsoft researcher with Hall of Fame status at Google, Venris and others.

Meet Ahsan Tahir. 

At 13, Ahsan is a curious, committed hacker and security consultant living and working in Pakistan. We had the chance to talk shop with him about a bunch of topics, including his recommendations for companies that are putting together vulnerability reporting and bug bounty programs.
As the creators of the Grand Theft Auto series, Red Dead Redemption and many more, Rockstar Games knows that the security of its systems and data is a top priority.
Here at HackerOne, open source runs through our veins. Our company, product, and approach are built on, inspired by, and driven by open source and a culture of collaborative software development. As such, we want to give something back.
A quick highlight reel of HackerOne’s week at RSA: hackathons, lightning talks, private parties, panels and more, oh my!
Uber of the oceans, Flexport, leverages bug bounty programs to secure their customers’ highly confidential shipping data.
As CEO of HackerOne, I am thrilled to confirm that, as part of our rapid growth, we have strengthened our balance sheet with a $40 million series C investment round led by Dragoneer Investment Group. We have the skills, the hackers, the platform, the services, the people and the funds to empower the entire world to build a safer internet.
Keepsafe is on a mission to help us keep our private lives as they should be - private. Bug bounties are a big part of that strategy. We chat with Co-founder and CTO at KeepSafe on their bug bounty program on HackerOne.
We sat down with James Kettle, PortSwigger’s Head of Research, to get the scoop on their public bounty program, and to learn how clarity helps keep their hackers happy. Make sure to stick around till the end, where company founder Dafydd Stuttard explains the meaning behind their company and product name!
The most ambitious Federal bug bounty program to date, Hack the Army, targeted operationally significant websites including those mission critical to recruiting. See the full results of the program!
Introducing Email Forwarding: have security@ emails forwarded to your HackerOne Inbox as new reports.
Programs on HackerOne can now customize the Views in their Inbox to accommodate more advanced vulnerability disclosure workflows.
What a wild ride it was for Hacktivity in 2016! Let’s reflect on some of the major trends and patterns in our hacker community as seen through the eyes of Hacktivity.
2017 may be the year Virtual Reality and Augmented reality truly go mainstream. But is it airtight from a security perspective?
All of us HackerOnies are driven by a passion for our mission, and a strong urge to work together to make the world a better place. We recently held our inaugural all-company meeting where we built on top of this mission, documenting the values we embrace.
Approximately 100 days ago, Yelp flipped the switch from being a private bug bounty program on HackerOne, to a public program.
Sky Betting & Gaming knows a few things about running a bug bounty program. They recently launched their own bug bounty program and shared some tips.
We have collated the data from our 500+ bounty paying programs, and will show you the results every time you award a bounty!
We’re pleased to share that Nintendo has publicly launched their Vulnerability Rewards Program for their top-selling 3DS gaming console! The folks at Nintendo have put together some pretty sweet rewards including a top bounty of $20,000 for valid critical security vulnerabilities.
HackerOne CTO Alex Rice explains that the safest software firms are those with the highest bug bounties at Wired Security 2016 Conference.
Hackers can now identify their skills by submitting relevant reports which are verified by HackerOne.
Hackers, we have big news from our partners at the Pentagon! The DoD is announcing their Vulnerability Disclosure Policy, and registration is open to sign up for the opportunity to hack the U.S. Army!
Qualcomm is the world leader in 3G and 4G technologies helping power your smartphones, among other things, and today we’re excited to announce the launch of their invite-only bug bounty program on HackerOne.
The latest addition to the HackerOne executive team signals the company’s unmatched investment in fostering the world’s most elite hacker community.
Secretary of the Army, Eric Fanning, announced plans to launch the U.S. Army’s first ever bug bounty challenge in partnership with HackerOne.
Get the scoop on the latest update to the HackerOne API with some slick new communication features.
HackerOne CEO Marten Mickos sat down with the San Francisco Business Times to discuss bug bounty programs and working with the global hacker community.
Great hackers write great reports that others want to read. See the top ones from last quarter.
A better way to give thanks to our amazing hackers: we are releasing a new and improved Thanks page on hacker profiles.
HackerOne CTO spoke at WIRED Security this week. His message, “If you can't beat 'em, get 'em to join you!”
Today, we're making it even easier to never miss a policy change. You now have the ability to be notified whenever the policy of a certain program changes.
The Department of Defense announced plans to expand upon the successful "Hack the Pentagon" bug bounty pilot launched earlier this year with HackerOne and Synack.
After a feverish Hack The World 2016 competition, it is time to unveil the winners. We were amazed and inspired by the incredible work helping to make the Internet safer.
You can now assign vulnerability severity utilizing the Common Vulnerability Scoring Standard (CVSS).
Bug bounty programs are revolutionizing the security industry and becoming an indispensable part of the modern software development lifecycle. You get useful results in the first 24 hours, and your program keeps producing results for years. We are coming out of Q3 with flying colors. HackerOne is by far the world’s largest marketplace for white hat hackers helping organizations to find flaws in their systems.
This blog is part of an interview series with top bug bounty hackers. Today, we are featuring Mark Litchfield who made history last month as the first hacker to earn over $500,000 USD in bug bounties on HackerOne.
Today, we’re taking the next step towards a better integration with your existing tools. Now teams can assign reports to team members using the API.
First impressions can be everything. Here are tips for putting your best foot forward in the first few weeks of your bug bounty program.
HackerOne’s second edition of “Fact or Fiction,” where we review hacker entertainment and talk about how realistic (or not!) they are. This week, we’ll be discussing Mr. Robot eps2.7init5.fve.
The Hack the World bug bounty contest concludes on September 19th 2016. Get your reports in now!
Who are these white hat hackers that are reporting vulnerabilities to companies? HackerOne created the 2016 Bug Bounty Hacker Report to share insights about the hacker community and to give hackers the exposure deserved as vital actors in our modern digital society.
HackerOne’s first edition of “Fact or Fiction,” where we review shows and talk about how realistic (or not!) they are. This week, we’ll be discussing Mr. Robot eps2.6succ3ss0r.p12.
Now security teams can create their own custom Report Templates for hackers.
This blog is part of a series highlighting top hackers on HackerOne. In this first post, we are thrilled to highlight, nnwakelam!
A beginner’s guide to setting up a pen testing environment for mobile applications.
What were the top five most viewed public vulnerability reports on HackerOne in the second quarter of 2016? Read to find out!
Ask HackerOne anything on Thursday 25th August 2016 at 9am Pacific.
We want our hackers to be successful and are giving away a free copy of Peter Yaworski’s excellent Web Hacking 101 e-book.
We are excited to announce that as of today, mlitchfield has earned $500,000 in total bug bounties on HackerOne!
HackerOne hosted a live bug bounty event with Zenefits, Snapchat and Panasonic Avionics. Hackers earned more than $150,000 in bounties for over 225 reported vulnerabilities.
Here are our top five rules for creating an excellent bug bounty security page. Outlining a crystal clear scope helps hackers know what is (and is not!) going to net them a bounty. Transparency between hackers and security teams is vital to a successful bug bounty program.
Let’s get a quick update on the Hack the World competition and see how things are progressing.
Hacker cinema from the 1990s was criticized upon original release as “dubious,” “unrealistic,” and “implausible.” Today, we’ll be looking at the movie “Hackers” and evaluating whether it was ahead of its time or just Hollywood pixie dust.
This post is the first in a series highlighting top hackers on HackerOne. These hall-of-famers are extremely talented bug hunters and continuously dominate the leaderboards and thanks pages. In this first post, we are thrilled to highlight, Meals!
This blog post will give you more insights about how injection vulnerabilities work, and how you can use that knowledge to find more bugs.
Announcing our Hack The World 2016 hacker competition running from July 20th 2016 to September 19th 2016.
Better bug reports = better relationships = better bounties! Whether you are new to bounty programs or a bounty veteran, these tips on how to write good reports are useful for everyone!
Today we are launching Policy Diffing. On every single team page, you will now be able to see when the policy was last changed, and you will be able to see all policy changes for the program.
Welcome to episode #1 of our Hacktivity Highlights blog series, where we take a closer look at top publicly disclosed vulnerability reports.
Now security teams can edit the vulnerability types after the report has been submitted. With this improvement, teams can expect to have more accurate vulnerability data.
Back in November 2015, HackerOne welcomed our new CEO, Mårten Mickos, to the ranks. A native Finn living in San Francisco, Mårten has a long history building successful companies.
Ever stumbled upon a vulnerability, but had no idea how to share it with the affected organization? HackerOne can help! We’ve blogged about “Disclosure Assistance” before, but we wanted to talk about it again, as there have been some changes.
Upvote hacker activities and see what’s popular on Hacktivity.
The New HackerOne Leaderboard ranks reputation, signal and impact data in a simple tabular format.
The U.S. Federal Government’s first ever bug bounty program, managed by HackerOne, is now complete. Learn how it launched, what results came in, and what the Pentagon learned for the next bug bounty experience.
Uber’s Collin Greene shares advice on running a high-quality bug bounty program, drawn from the mistakes made launching and leading the Facebook and Uber programs. This blog originally appeared on Medium.
Announcing new product editions - Professional, Enterprise and Security@. Along with HackerOne Managed and Pilots, the same HackerOne power can be tailored to every organization’s needs.
Life is complicated, bug bounties should not be. Here’s a comic illustrating how bug bounty programs work by Fred Chung.
Two years after a settlement with the FTC, has ASUS still not learned how to receive vulnerability reports from hackers? Last February, the Taiwanese hardware manufacturer, ASUS, and the Federal Trade Commission (FTC) settled charges that the manufacturer failed to protect consumers.
Now Hackers can earn even more on HackerOne! Introducing badges, now available on Hacker profiles in the badges sidebar.
Organizations that sign up for HackerOne all agree to our Disclosure Guidelines. This means that the Hacker community is protected against legal prosecution if they follow the guidelines. We wrote these Disclosure Guidelines when we started HackerOne because we believe that the hacker community should be protected when they have good intentions. These guidelines are designed to enable Hackers to proactively look for security bugs in our customers’ systems.
The first version of our API is now available! The API augments the HackerOne interface to empower you to build the best bug bounty programs.
There is nothing like revisiting a movie that was ahead of its time. Sneakers is one of these movies.
Public programs on HackerOne may publicly disclose vulnerabilities. Here’s how and why so many companies choose to add to the body of security knowledge and help enable a safer Internet.
To help security programs manage the expectations of participating hackers, we are rolling out a new program metrics feature, to be displayed on individual Security@ pages.
We explore Hacker Breadth and Depth with data from over 2,500 active hackers participating in hundreds of programs.
Talented hackers are the key ingredient for any successful bug bounty program. Here are five ways to attract them and improve your program.
Anyone with computer skills and a high degree of curiosity can become a successful finder of vulnerabilities. Here’s how I started.
What bugs do people want to read about? These are the top 5 publicly disclosed bugs on HackerOne for 2016 to date.
Organizations are leveraging bug bounty programs like never before, yet few know how to budget for it. Here are the basics of bug bounty budgeting.
This week, we had the pleasure of hosting 50 Belgian technology students, who were on a tour of Silicon Valley technology companies. We had the opportunity to share our experience as entrepreneurs, but mostly we discussed hacking and security because that is what we live and breathe at HackerOne.
When you discover a vulnerability, fixing it is not just a matter of applying a quick patch to solve the immediate problem. You also need to do a root cause analysis, delving deep into the foundation of the problem. While these might sound basic, even mature companies with sophisticated security methodologies sometimes overlook these six steps.
On Thursday, March 31, 2016, the Department of Defense, arguably the world's most powerful organization, announced it will partner with HackerOne for the "Hack the Pentagon" pilot program.
Hackers in our community often share overviews of their security research in their blogs, and we love checking them out. In the spirit of sharing more hacker knowledge, we've compiled a list of hacker blogs that we regularly read. HackerOne doesn't have any influence over the content contained in these blog posts.
One of the most common questions we get from hackers is "How can I get along better with bounty admins or security teams?" Here are general guidelines to help maximize your interaction with those on the other side of the security@ inbox.
We are excited to share that Uber is launching its public bug bounty program today on HackerOne. Additionally, Uber and HackerOne collaborated to create a new way of rewarding hackers called bonuses, which enables security teams to give additional monetary awards to hackers beyond initial bounties. The Uber loyalty program will utilize HackerOne bonuses for additional incentives in its public program.
One of the most important things to be successful is creating a friendly and open environment, being responsive on issues and pull requests, and making time to manage the workload. Open source projects don't start as a community, but you can build one.
What happens when the very thing your company offers gets put to a surprise test? That's what happened to HackerOne last Friday when we shipped an unknown vulnerability that could have affected many of our customers. It was the ultimate dogfooding experience, and we've chosen to share our story with you here.
HackerOne improves the quality of vulnerability reports received in public bug bounty programs with Signal Requirements and Rate Limiter. Signal Requirements allow a company to set the threshold for Signal that hackers must reach in order to submit reports to them. The updated Rate Limiter provides hackers the opportunity to still participate in a limited way, even if they are below the Signal requirement.
We improved the hacker invitation system for private vulnerability coordination and bug bounty programs. The new system operates more transparently and ensures that top hackers are invited to more private programs.
Have you thought about becoming a hacker? Getting started is easier than you think. We've curated some of the best resources to help you build skills, whether you're a beginner or looking to improve your hacker-craft.
A vital part of success in vulnerability coordination is quickly acknowledging, validating, and ultimately fixing submitted issues and recognizing the researcher's effort.
Great hackers never curb their curiosity. Increased recognition of their contribution is helping more companies understand that they are a valued partner, not an adversary.
A recent study by 451 Research shows that security spending continues to be strong, with 44.5 percent of the 900 enterprise IT pros surveyed indicating they intend to increase their budgets during the next 90 days.
HackerOne reports results of its own bug bounty program for 2015, increases minimum bounty for severe vulnerabilities to $10K.
HackerOne describes the Reward Competitiveness dimension of the HackerOne Success Index.
HackerOne releases new Signal and Impact metrics to better describe researcher report history. Signal is the average Reputation per report. Impact is the average Reputation per bounty.
Looking for the perfect holiday gift for the favorite hackers in your life? Whether their interests lie in building stuff, breaking stuff or (better yet) building cool stuff to break other stuff, the creativity of your fellow security researchers knows no bounds.
The good news/bad news statistics are flowing this month as a smorgasbord of new security studies and reporting paint the current state of the union.
HackerOne describes the Vulnerabilities Fixed dimension of the HackerOne Success Index.
I am joining HackerOne as its CEO because the company is on an important mission for our connected society. Our world is increasingly networked, and as a result increasingly vulnerable. Securing our environment is not only important to preventing cybercrime, but also to defending basic human rights and freedoms.
The recent Senate approval of the Cybersecurity Information Sharing Act (CISA) has the very industry it's supposed to help abuzz with contention. Some believe the legislation is a good first step toward improving how the public and private sector share and analyze security threat indicators, enabling both sectors to more quickly react to new cyberattack patterns.
HackerOne new feature announcements November 2015 include Improved Triggers, Automated Scanner Detection, SAML Support, and new Integrations.
HackerOne introduces Disclosure Assistance to help hackers reach organizations that don't have official vulnerability reporting processes.
HackerOne introduces the HackerOne Success Index, a method to measure the effectiveness of HackerOne-powered vulnerability disclosure programs.
As we discussed in our previous blog, the security skills shortage may not be quite as real as some industry reports claim it to be. But that doesn't mean it's easy to recruit and retain talented professionals into the industry. It just means many organizations are blaming market dynamics for their own shortcomings.
Is there actually a 'brain drain' or talent shortage in cybersecurity, or are there more fundamental problems in the industry? I posed these questions to a number of friends in the industry and the perspectives ran the gamut.
HackerOne's Katie Moussouris explains the Vulnerability Disclosure Maturity Model, a way to help organizations measure, benchmark and improve their security vulnerability handling capabilities.
HackerOne new feature announcements August 2015 include Group Permissions, Researcher Messaging, and Summarized Public Reports.
HackerOne hosted a security panel, led by Magoo, on bug bounty programs, and we want to share some key takeaways with you.
In anticipation of the show, here at Within Security we've scoped out some of the top tools slated for release by researchers scheduled to talk at Mandalay.
HackerOne reached the milestone of 10,000 bugs fixed on the platform, and we want to take this opportunity to share some interesting data behind how we have tackled the challenge of improving signal on the platform.
We're excited to announce a $25 million Series B round of financing led by New Enterprise Associates (NEA) and several prominent angel investors, along with participation from existing investor, Benchmark.
HackerOne is launching the Directory: a community-curated resource for identifying the best way to contact an organization's security team.
A worldwide war is being waged in which the most able-bodied soldiers are being discouraged from enlisting. It is an information security war, and hackers are the troops and the weapon designers who have the skills to shape our collective future, for good or for ill.
At HackerOne we believe in the power of the research community as an effective way to harden any attack surface. Encouraging, promoting and protecting security research has been integral to our mission since day one. As a key next step in fulfilling this commitment, we are thrilled to announce that Stepto has joined the HackerOne team as the Director of Hacker Success.
HackerOne has been working with economics and policy researchers from MIT and Harvard to study the economic forces behind the 0day market. Here's what they found.
While there are many interpretations of the word "hacker," we choose to pay homage to the original MIT hackers by using the term in our company name. We favor their early definition of a hacker: "one who enjoys the intellectual challenge of creatively overcoming limitations."
Many security professionals, hackers, lawyers, law enforcement, and members of the media are keenly interested in the White House’s proposed changes to laws affecting Internet security. Among the proposed amendments to the Computer Fraud and Abuse Act (CFAA), the changes that raise the biggest concerns center around expanded language that poses an increased risk to many vulnerability research and security testing activities, and even to reporting on breaches.
Last Friday, on my way home from 31c3, a funny thing happened on my way through Charles de Gaulle airport in Paris: I was required by a security agent to not only power up, but also type in my password to unlock my laptop in order to board my flight.
With the end of 2014 dashing to a close and 2015 just over the hill, let's take a moment to look at the ghosts of bugs and breaches past. Vulnerability coordination, disclosure, and incident response have never been more important to get right. What could happen if we make adjustments in the way we approach security and how could that impact the bugs that will inevitably be delivered to both the naughty and nice in the future?
One of the primary challenges when running a vulnerability coordination program is distinguishing the signal from the noise. Today, we're introducing a new reputation system to make running a program even easier.
At HackerOne, we're on a mission to empower the world to build a safer internet. Better security begins with a quality vulnerability coordination process, and our free platform enables your team to seamlessly manage the entire workflow. Think of it as a replacement for your old shared security inbox.
For the past year, we've been busy pursuing our passions and building HackerOne. We're excited to share a little more what we've been up to, what's next, and how we hope you can be a part of our mission.