Skip to main content

Dear McDonalds, Where's Your Security@?

  • January 18th , 2017

Recently, McDonald's customers were placed at risk unnecessarily due to the lack of a clear vulnerability disclosure process. What if they had had a “security@” email address set up for receiving reports? The U.S. Department of Defense refers to this as "See something, say something" for the digital domain.

Unfortunately, too many companies like McDonald’s still do not have open lines of communication with the security community. As many as 94% of the companies in the Forbes Global 2000 do NOT have a known vulnerability disclosure program.

Our mission at HackerOne is to empower the world to build a safer internet. We would love nothing more than to reverse that 94%, and today’s announcement is a big step in making that dream a reality...

Introducing Email Forwarding, which enables you to have security@ emails sent directly to your HackerOne Security Inbox. If a friendly hacker discovers a vulnerability and sends their finding in an email to "security@example.org", the content of that email becomes a new report that lands in your Inbox.

This lets you supercharge your email-powered security@ with the sophisticated HackerOne platform that enables efficient handling of incoming vulnerability reports at scale.

Best of all, it's FREE.

Alt text

Benefits of Security@ Email Forwarding

  1. Trust. Email forwarding allows you to see the reputation, signal, and impact of submitters from the largest hacker community in the world (more signal, less noise).
  2. Compliance with the ISO 29147 vulnerability reporting standard ensures your team follows best practices.
  3. Tap into the power of the platform. HackerOne’s advanced features such as triggers, common responses, duplicate detection, report classification, signal requirements, a bi-directional API and much more allow you to work far more effectively compared to a legacy email solution.
  4. Stop. Email. Spam. Say goodbye to spammers trying to sell the latest weight loss drug, or Solomon Odonkoh describing his exciting business proposition. A registration process to complete the submission stops unsolicited bulk email spam in its tracks.
  5. It’s free!

Setup instructions:

  1. Go to Settings > Program > Hacker Management > Email Forwarding
  2. Click on “Add email address” to step through the wizard
  3. Configure your email to forward to the unique HackerOne email address given. Common aliases are "security@", "secure@", "psirt@", or "cert@".
  4. Run a test to ensure the setup is successful... and you’re all set!
  5. If you haven't already, you'll now want to publish this email address in an easily discoverable location for security researchers. Anyone who discovers this email address will be able to submit reports to your program.

Alt text

Let us know what you think at feedback@hackerone.com. To see upcoming as well as previously released features, check out our public product roadmap at https://hackerone.com/roadmap.

Nisha Nallasivam, Andrew Wong, Jan Deelstra and the HackerOne team

PS - Intrigued by HackerOne, but not yet a customer? Learn more about getting started with the program that’s right for you (77% of customers receive a bug within the first day).

Recent articles

H1-415 Hackathon Delivers to Customers, Community, and Hackers

Just a few short weeks ago, an elite group of hackers huddled in conference rooms in a San Francisco high-rise…

Introducing CWE-based Weaknesses

HackerOne updated their vulnerability taxonomy to include a more complete weakness suite based on the industry-…

Intel launches its first bug bounty program

Our friends at Intel have an exciting announcement! Their bug bounty program is live.