
August 2015 Feature Announcements

August 15th, 2015

We wanted to highlight a few new features we've added to HackerOne over the past month. These features are available to use right now for vulnerability disclosure program administrators and we hope you check them out.

  • Permissions
  • Message Researchers
  • More Control Over Disclosure

1. Permissions [Settings > Group Management]

Now HackerOne program administrators can set access rights for different team members who might play different roles on your team. Two popular use cases expressed by customers were read-only access and limiting those who could award bounties. This can help with awarding bounties predictably and consistently.

All program teams start with three default groups: Read-only, Admin and Standard, with the ability to create additional custom groups. Find Permissions at Settings > Group Management.

[Image: Group Management Settings]

2. Message Researchers [Settings > Message Researchers]

Program owners can now send messages directly to hackers, whether you want to update them on scope changes, bounty awards or simply give them a reason to re-engage your program. Messages can be sent to any number of hackers - even just one.

Note that your options will vary slightly depending on whether your program is open to all reporters or is invitation-only.

[Image: Researcher Messaging]

3. More Control Over Disclosure [Reports > Request public disclosure, or top right of report]

When an organization chooses to publicly disclose a vulnerability report, there is now the option to write a summary along with a partial timeline (i.e., some sensitive information is redacted). Any public impact (or lack thereof) can also be added. This way you can provide additional context regarding a report and share knowledge with the research community without revealing potentially sensitive information. These visibility settings can be found in HackerOne under Reports > Request public disclosure, or under report information in the top-right section.

A Limited timeline hides the original report and comments, showing only a Summary written by the program owner and a partial timeline. Here's an outstanding example of a summarized disclosure from the Rails team:

For comparison, here is a Full timeline, which is our recommended best practice: disclosing the original report, timeline and comments. Here's an example of a Full timeline disclosure by HackerOne:

[Image: Summarized Public Report]

We welcome your feedback on these launched features, along with suggestions for new features. That's how we help our customers meet more of their needs and help make their users safer, so please contact us with any questions, feedback, or requests.
