We wanted to highlight a few new features we've added to HackerOne over the past month. These features are available to use right now for vulnerability disclosure program administrators and we hope you check them out.
- Permissions
- Message Researchers
- More Control Over Disclosure
1. Permissions [Settings > Group Management]
Now HackerOne program administrators can set access rights for different team members who might play different roles on your team. Two popular use cases expressed by customers were read-only access and limiting those who could award bounties. This can help with awarding bounties predictably and consistently.
All program teams start with three default groups: Read-only, Admin and Standard, with the ability to create additional custom groups. Find Permissions at Settings > Group Management.
Group Management Settings
2. Message Researchers [Settings > Message Researchers]
Program owners can now send messages directly to hackers, whether you want to update them on scope changes, bounty awards or simply give them a reason to re-engage your program. Messages can be sent to any number of hackers - even just one.
Note that your options will vary slightly depending on whether your program is open to all reporters or is invitation-only.
3. More Control Over Disclosure [Reports > Request public disclosure, or top right of report]
When an organization chooses to publicly disclose a vulnerability report, there is now the option to write a summary along with a partial timeline (i.e., some sensitive information is redacted). Any public impact (or lack thereof) can also be added. This way you can provide additional context regarding a report and share knowledge with the research community without revealing potentially sensitive information. These visibility settings can be found in HackerOne under Reports > Request public disclosure, or under report information in the top-right section.
A Limited timeline hides the original report and comments, showing only a Summary written by the program owner and a partial timeline. Here's an outstanding example of a summarized disclosure from the Rails team: https://hackerone.com/reports/49935
For comparison, here is a Full timeline, which is our recommended best practice: disclosing the original report, timeline and comments. Here's an example of a Full timeline disclosure by HackerOne: https://hackerone.com/reports/46916
Summarized Public Report
We welcome your feedback on these launched features, along with suggestions for new features. That's how we help our customers meet more of their needs and help make their users safer, so please contact firstname.lastname@example.org with any questions, feedback, or requests.
HackerOne is the #1 hacker-powered security platform, helping organizations find and fix critical vulnerabilities before they can be criminally exploited. As the contemporary alternative to traditional penetration testing, our bug bounty program solutions encompass vulnerability assessment, crowdsourced testing and responsible disclosure management. Discover more about our security testing solutions or Contact Us today.