First Half 2017 Product Update: HackerOne
By Soufiane Houri, VP of Product at HackerOne
Our engineering and product teams improve the HackerOne platform every month. We continuously build, test, and ship enhancements with our customers in mind, and we announce many of these features individually on our blog.
Below, HackerOne customers and prospects will find a summary of our market-leading platform improvements over the past six months, along with details on our two new product launches, HackerOne Challenge and HackerOne Community Edition.
Major feature improvements:
Bi-directional JIRA integration
Security and engineering work together to build great software, so it was important for HackerOne to integrate with issue tracking and development platforms. We revamped our integration with the most common platform, Atlassian’s JIRA. We now support full bi-directional integration, making it easier than ever for developers and security engineers to stay in sync.
Bi-directional Phabricator integration
We’re a Phabricator shop here at HackerOne. We built this integration both to better understand our users’ concerns and to keep our own infosec and dev teams connected. This two-way integration syncs changes (e.g., new comments) between the two platforms.
Disclosure Assistance 2.0
At HackerOne, we want to help hackers make the entire internet more secure. We offer a free service to any hacker who has found a vulnerability on a web application without clear reporting guidance. Our Disclosure Assistance helps connect hackers to companies, and it keeps vulnerabilities off of social media and out of first-tier support inboxes. In 2017, we made improvements to our Disclosure Assistance - first launched back in 2015 - that make it even easier for hackers to submit all types of vulnerabilities through H1.
Official support for reward currencies
Ever wanted to hack your way to a free vacation? HackerOne now supports paying hackers in reward currencies - like airline miles - with a seamless system integration and payment process. Companies running on HackerOne can provide payment guidance in miles (e.g. Lufthansa), and HackerOne will ensure the payout reaches the hackers.
Advanced Workflows with Inbox Views
Many of our larger customers have incredibly advanced vulnerability disclosure workflows. In response to those customers’ requests, we now allow customers to customize the Views in their HackerOne Inbox. This permits security teams to track certain vulnerabilities separately by creating, updating, removing and rearranging HackerOne Inbox views.
Security@ email forwarding
We want to empower all companies to set up a Security@ email contact, and we want to make it easy for hackers and companies to communicate. With the introduction of Email Forwarding, any emails sent to your Security@ email can be forwarded to your HackerOne Inbox. Friendly hackers that discover a vulnerability will have both a clear email address to report it, and that email will find a home in your H1 platform.
Common Weakness Enumeration
We updated our vulnerability taxonomy to include a more complete weakness suite based on the industry-standard Common Weakness Enumeration (CWE). You can filter reports by weakness, or set up triggers that fire for reports tagged with a given weakness.
Bug bounty statistics
Customers often ask about what their peers are paying for bugs. Now when you pay a bounty, we provide suggestions on the amount, using data from our 800+ bounty paying programs. These statistics can help you gauge your reward competitiveness, and they make it easier to provide consistent and clear bounty awards.
New product launches:
HackerOne Challenge
Now it is possible for everyone to run time-bound security tests using our elite hackers and our market-leading platform. We have helped customers from Airbnb to the U.S. Department of Defense run controlled, private security tests on their web application surfaces. HackerOne Challenge is a four-week, turnkey engagement with no customer management required, and it culminates in a custom report summarizing all findings.
HackerOne Community Edition
We at HackerOne have open source software on our resumes, in our stack, and in our minds for inspiration. We believe strongly in giving back to collaborative and open development, and we want to help foundations and developers build more secure software. Open source projects may now register for a free copy of HackerOne Professional.
Additional feature improvements:
Enhanced VDP experience
Customers that select our VDP offering no longer have to deal with bounty-related functionality and statistics.
Updates via the program profile page
Provide hackers in your program with a new way to see updates to the policy, bounties, or product releases.
Get a quick summary of your program performance in the past month and see any open action items.
The hacktivity feed is now shown on program pages, including a view of the all-time upvoted reports.
For more complicated, multi-business unit enterprise programs, share balances, transfer reports, share Thanks pages, and even join all child programs when joining the parent.
We made some upgrades to the H1 API: add a reference to a company’s internal issue tracker, make it easier to see the date of someone’s last activity, filter reports based on usernames, and more improvements to endpoints.
Hacker specific improvements
Hackers will see a reason their tax form was rejected, and we’ve made it easier to edit attachments, edit report titles, and download all bounties in a CSV format for accounting.
Inbox & report improvements
View reports without signing in, filter by severity, redact reports before going public, and other improvements designed to make it easier to run a bounty program and pay hackers.
Other exciting highlights include:
- Simplified self-service for customers to request prepayment invoices
- Social share icons on program pages
- Custom messages when inviting new hackers
- Filter on spam reports in the dashboard
- Improved OFAC (U.S. Treasury) screening for hackers
- New email templates for all emails
- System trigger when bounty balance is low
- Improved user interface
- Improved guidance for programs going public
- Greater power for team admins to disable notifications
Thanks to all our customers and hackers from everyone on the H1 product team!
HackerOne is the #1 hacker-powered security platform, helping organizations find and fix critical vulnerabilities before they can be criminally exploited. As the contemporary alternative to traditional penetration testing, our bug bounty program solutions encompass vulnerability assessment, crowdsourced testing and responsible disclosure management. Discover more about our security testing solutions or Contact Us today.