First Half 2017 Product Update: HackerOne

Jun 29 2017
luke

By Soufiane Houri, VP of Product at HackerOne

Our engineering and product teams improve the HackerOne platform every month. We continuously build, test, and ship enhancements with our customers in mind, and we announce many of these features individually on our blog.

Below, HackerOne customers and prospects will find a summary of our market-leading platform improvements over the past six months, along with details on our two new product launches, HackerOne Challenge and HackerOne Community Edition.

We are committed to our customers’ success, and we aim to align our roadmap with our customers’ current and future needs. Submit a feature request, and of course we would love to hear from you directly!

Major feature improvements:

Bi-directional JIRA integration

HackerOne loves JIRA: more improvements, fewer clicks

Security and engineering work together to build great software, so it was important for HackerOne to integrate with issue tracking and development platforms. We revamped our integration with the most common platform, Atlassian’s JIRA. We now support full bi-directional integration, making it easier than ever for developers and security engineers to stay in sync.

Bi-directional Phabricator integration

We’re a Phabricator shop here at HackerOne. We built this integration both to better understand our users’ concerns and to keep our own infosec and dev teams connected. This two-way integration syncs changes (e.g., new comments) between the two platforms.

Disclosure Assistance 2.0

At HackerOne, we want to help hackers make the entire internet more secure. We offer a free service to any hacker who has found a vulnerability on a web application that has no clear reporting guidance. Our Disclosure Assistance helps connect hackers with companies, and it keeps vulnerabilities off social media and out of first-tier support inboxes. In 2017, we made improvements to Disclosure Assistance - first launched back in 2015 - that make it even easier for hackers to submit all types of vulnerabilities through H1.

Official support for reward currencies

Ever wanted to hack your way to a free vacation? HackerOne now supports paying hackers in reward currencies - like airline miles - with a seamless system integration and payment process. Companies running on HackerOne can provide payment guidance in miles (e.g. Lufthansa), and HackerOne will ensure the payout reaches the hackers.

Advanced Workflows with Inbox Views

Many of our larger customers have incredibly advanced vulnerability disclosure workflows. In response to those customers’ requests, we now allow customers to customize the Views in their HackerOne Inbox. This permits security teams to track certain vulnerabilities separately by creating, updating, removing and rearranging HackerOne Inbox views.

Security@ email forwarding

We want to empower all companies to set up a Security@ email contact, and we want to make it easy for hackers and companies to communicate. With the introduction of Email Forwarding, any emails sent to your Security@ address can be forwarded to your HackerOne Inbox. Friendly hackers who discover a vulnerability will have a clear email address to report it to, and that email will find a home in your H1 platform.

Common Weakness Enumeration

We updated our vulnerability taxonomy to include a more complete weakness suite based on the industry-standard Common Weakness Enumeration (CWE). Filter reports by weakness, or set up triggers that fire for reports that feature a particular weakness.

Bug bounty statistics

Customers often ask what their peers are paying for bugs. Now, when you pay a bounty, we provide suggestions on the amount using data from our 800+ bounty-paying programs. These statistics can help you gauge the competitiveness of your rewards, and they make it easier to provide consistent and clear bounty awards.

New product launches:

HackerOne Challenge

Now it is possible for everyone to run time-bound security tests using our elite hackers and our market-leading platform. We have helped customers from Airbnb to the U.S. Department of Defense run controlled, private security tests on their web application surfaces. HackerOne Challenge is a four-week, turnkey engagement with no customer management required, and it culminates in a custom report summarizing all findings.

HackerOne Community

We at HackerOne have open source software on our resumes, in our stack, and in our minds as inspiration. We believe strongly in giving back to collaborative and open development, and we want to help foundations and developers build more secure software. Open source projects may now register for a free copy of HackerOne Professional.

Additional feature improvements:

Enhanced VDP experience

Customers that select our VDP offering no longer have to deal with bounty-related functionality and statistics.

Updates via the program profile page

Provide hackers in your program with a new way to see updates to the policy, bounties, or product releases.

Monthly digest

Get a quick summary of your program performance in the past month and see any open action items.

Hacktivity

The hacktivity feed is now shown on program pages, including a view of the all-time upvoted reports.

Program hierarchy

For more complicated, multi-business-unit enterprise programs: share balances, transfer reports, share Thanks pages, and even join all child programs automatically when joining the parent.

API improvements

We made some upgrades to the H1 API: add a reference to a company’s internal issue tracker, see the date of someone’s last activity more easily, filter reports by username, and more improvements to existing endpoints.

Hacker specific improvements

Hackers will see a reason their tax form was rejected, and we’ve made it easier to edit attachments, edit report titles, and download all bounties in a CSV format for accounting.

Inbox & report improvements

View reports without signing in, filter by severity, redact reports before going public, and other improvements designed to make it easier to run a bounty program and pay hackers.

Other exciting highlights include:

  • Simplified self-service for customers to request prepayment invoices
  • Social share icons on program pages
  • Custom messages when inviting new hackers
  • Filter on spam reports in the dashboard
  • Improved OFAC (U.S. Treasury) screening for hackers
  • New email templates for all emails
  • System trigger when bounty balance is low
  • Improved user interface
  • Improved guidance for programs going public
  • Greater power for team admins to disable notifications

Thanks to all our customers and hackers from everyone on the H1 product team!
