New Security Inbox & Dashboard

  • August 28th, 2014

At HackerOne, we're on a mission to empower the world to build a safer internet. Better security begins with a quality vulnerability coordination process, and our free platform enables your team to seamlessly manage the entire workflow. Think of it as a replacement for your old shared security inbox.

Since our launch in early 2013, we've enabled nearly 100 organizations to work with security researchers to safely resolve over 3,500 bugs, awarding over one million dollars in bounties in the process! Over the past month, we've been rolling out some great new features that make the vulnerability coordination process even easier.

New Security Inbox

We've redesigned the HackerOne interface to enable faster and more efficient bug processing. With this new, intuitive layout, you can navigate through your entire list of bugs on the left side of the screen, with each bug's details opening in a pane on the right. As a result, individual reports now open inline, which means no more clicking forward and backward to navigate between bugs! This interface was also designed to take advantage of all of your screen space, especially if you have a larger display.

Image: HackerOne security inbox - bugs overview

Search

We're also rolling out one of the features that you've requested most frequently: search. Filtering search allows you to quickly target the bug you're looking for, without having to scroll or remember the last time you engaged with it, saving you time and energy.

Bulk Actions

Bulk actions are even easier in the new interface with support for applying the same action to multiple reports with a single click. Combine it with search and filters to save even more time.

A couple of scenarios in which this could come in handy are:

  • Assigning a batch of reports to a team member
  • Closing a series of related reports based on a search criteria
  • Merging duplicate reports of the same underlying issue

Image: HackerOne security inbox - bulk actions

Insights Dashboard

Our brand new Dashboard enables unparalleled insight into your security response posture with metrics gleaned from around-the-clock security assessments. Monitor your team's stats in real-time to effortlessly stay on top of response time, stale issues, pending disclosures, and more. This is a powerful way to stay up to date with your team's status at a glance and proactively identify potential areas in need of attention.

Image: HackerOne security inbox - dashboard and reporting

Keyboard Shortcuts

To improve the speed and efficiency of your workflow, we've added several keyboard shortcuts for even faster navigation. We'll be adding more soon, so stay tuned!

Integration, Communication, and Automation

These efficiency-enhancing features have been built in to the HackerOne platform for a while, but are worth mentioning here:

  • Integrates directly with your existing internal bug tracking system - No cutting and pasting from email or other report formats to file a bug with your internal teams! We currently support many popular bug tracking systems (JIRA, Bugzilla, Phabricator, and more). If we don't support yours, we'll build support for it.
  • Customizable Common Responses - We have several common responses we've built in to the platform to help your response team get up and running as efficiently as possible. Add your own that map to your common scenarios.
  • Automated response triggers - Don't Repeat Yourself. You've got better things to do than respond to another known false positive. We give you the ability to create custom triggers to deal with certain bugs automatically, freeing your response team to focus on the most critical reports.

Our goal is to make the vulnerability coordination process as efficient and smooth as possible, and we believe that these features are another big step in that direction, whether you offer a bug bounty or not. We hope they make your life easier. Let us know what you'd like to see us build next.

Recent articles

The best security initiative you can take in 2017

As CEO of HackerOne, I am thrilled to confirm that, as part of our rapid growth, we have strengthened our…

Bug Bounties Help Keepsafe Secure The Data of 50 Million Consumers

Keepsafe is on a mission to help us keep our private lives as they should be - private. Bug bounties are a big…

Hack The Army Results Are In

The most ambitious Federal bug bounty program to date, Hack the Army, targeted operationally significant…

Introducing Reputation

  • October 28th, 2014

Edited on 12/11/2015 to reflect the latest Reputation implementation.

One of the primary challenges when running a vulnerability coordination program is distinguishing signal from noise. Our former colleagues at Facebook evaluate over 20 invalid submissions for each valid report - that's only 4.6% signal! The programs hosted at HackerOne have fared a bit better: on average 19% of reports are valid, but some outliers deal with as low as 6%. This noise is undesirable for everyone, driving up response time, introducing unnecessary latency in resolving security issues, and increasing the likelihood that valuable signal will get lost.

The HackerOne vulnerability coordination platform provides security teams with the tools to overcome these challenges. Today, we're turning a beta feature live for everyone: a new reputation system that makes running a program even easier. This system gives additional recognition to the best researchers while more quickly surfacing quality reports to security teams.

The vast majority of security researchers generate reports of consistently high quality. Our analysis shows that the remaining noise stems from a classic tragedy of the commons: a minority of researchers with low confidence submissions hoping to stumble upon a success. But many of these researchers learn and improve with each failed attempt. The challenge for security teams is that past performance is not indicative of future results.

This new reputation system will help provide security teams with the means to more effectively act upon the invaluable information shared by the security community. As a researcher submitting vulnerabilities through the HackerOne platform, your reputation measures how likely your finding is to be immediately relevant and actionable. Reputation is gained or lost based exclusively upon your track record as a researcher.

How it works

You gain reputation when:

  • Your report is Closed as Resolved: +7
  • Your report is Closed as Duplicate (Resolved): +2. Only applied if reported before the original was closed.
  • You are awarded a bounty. The amount is based on standard deviation from the program's mean:
    • +50: $ >= µ + 1σ
    • +25: $ > µ
    • +15: $ >= µ - 1σ
    • +10: $ < µ - 1σ
  • Your report is Closed as Informative: 0
  • Your report is Closed as Duplicate (Informative): 0

You lose reputation when:

  • Your report is Closed as Not Applicable: -5
  • Your report is Closed as Duplicate (Not Applicable): -5
  • Your report is Closed as Duplicate (Resolved and Public at time of submission): -5

Other details:

  • We believe everyone deserves the benefit of the doubt. Researchers begin with a reputation of 100. Reputation cannot decrease below 0.
  • You'll always have access to a detailed log of reputation history.
  • Reputation will never be necessary to access core functionality on the platform to ensure it remains accessible to new or anonymous users.
  • Our approach draws inspiration from two communities we're fond of.

The most visible manifestation of the new reputation system will be its usage as a ranking mechanism for the many Thanks pages on the platform. In the near future, we'll also be announcing a number of privileges that are gained by maintaining a high reputation, such as becoming eligible to receive invitations to private bounty programs.

Finally, and most importantly, we're now tying our rate limiting system directly to reputation. Should your reputation decrease, the system will gradually reduce the number of submissions allowed in a given time period. We believe it is critical to this community that response teams be afforded a high-signal environment so that they can focus on providing a quality response to researchers who turn in the best vulnerabilities.

HackerOne is committed to empowering the world to build a safer Internet, and building the most useful platform for vulnerability coordination is central to that mission. We welcome feedback on this new reputation system, and we hope response teams and researchers will enjoy the benefits of even higher quality reports and faster response times.

Where's that Security@?

  • June 4th, 2015

All technology contains bugs. These bugs frequently have security implications that may be exploited by criminals, but are more often discovered by friendly parties — security researchers, academics, hackers, vendors, professionals, even law enforcement — who want nothing more than to see the flaw resolved safely. Due to this inescapable reality, it is critical that all organizations who build technology also have a safe process for vulnerability disclosure.

Unfortunately, many disclosure attempts from researchers continue to fall on deaf ears, and all Internet users are at increased risk as a result. This issue was recently highlighted in a letter to the Internet Policy Task Force:

Researchers who discover a serious security flaw in a piece of software or website should not have to spend hours or days searching for the contact information for the information security team at the company or organization responsible for the vulnerable code.

[...]

Providing security researchers with an easy way to report vulnerabilities is not just an industry best practice (ISO 29147), it is now a key component of what the Federal Trade Commission considers "reasonable and appropriate security."

We agree.

That's why we're launching the HackerOne Directory: a community-curated resource for identifying the best way to contact an organization's security team. Increasingly important, the Directory will also document the existence of the organization's responsible disclosure policy and any associated bug bounty programs.

Image: The HackerOne Directory

Researchers

  • Share your disclosure experiences and add security team contact information to the Directory so others can benefit from your work.
  • When you need to contact a security team, search the Directory for their contact information.
  • If an organization hasn't published security contact information anywhere, we recommend considering assistance from your local CERT.

Organizations

  • Publish contact information for receiving information about potential vulnerabilities in your products or online services, such as a security@ email address or a HackerOne program. See ISO 29147 for additional guidance or contact us.
  • Search the Directory for your organization to ensure that your security team's contact information and disclosure policy is accurate.

Empowering security researchers to perform their important work more efficiently is central to our mission, and we hope this Directory will prove to be a useful resource. Questions, complaints, or suggestions? All feedback is important to us and we'd welcome hearing from you.

August 2015 Feature Announcements

  • August 15th, 2015

We wanted to highlight a few new features we've added to HackerOne over the past month. These features are available to use right now for vulnerability disclosure program administrators and we hope you check them out.

  • Permissions
  • Message Researchers
  • More Control Over Disclosure

1. Permissions [Settings > Group Management]

Now HackerOne program administrators can set access rights for different team members who might play different roles on your team. Two popular use cases expressed by customers were read-only access and limiting those who could award bounties. This can help with awarding bounties predictably and consistently.

All program teams start with three default groups: Read-only, Admin and Standard, with the ability to create additional custom groups. Find Permissions at Settings > Group Management.

Image: Group Management Settings

2. Message Researchers [Settings > Message Researchers]

Program owners can now send messages directly to hackers, whether you want to update them on scope changes, bounty awards or simply give them a reason to re-engage your program. Messages can be sent to any number of hackers - even just one.

Note that your options will vary slightly depending if your program is open to all reporters, or if you are running an invitation-only program.

Image: Researcher Messaging

3. More Control Over Disclosure [Reports > Request public disclosure, or top right of report]

When an organization chooses to publicly disclose a vulnerability report, there is now the option to write a summary along with a partial timeline (i.e., some sensitive information is redacted). Any public impact (or lack thereof) can also be added. This way you can provide additional context regarding a report and share knowledge with the research community without revealing potentially sensitive information. These visibility settings can be found in HackerOne under Reports > Request public disclosure, or under report information in the top-right section.

A Limited timeline hides the original report and comments, showing only a Summary written by the program owner and a partial timeline. Here's an outstanding example of a summarized disclosure from the Rails team: https://hackerone.com/reports/49935

For comparison, here is a Full timeline, which is our recommended best practice: disclosing the original report, timeline and comments. Here's an example of a Full timeline disclosure by HackerOne: https://hackerone.com/reports/46916

Image: Summarized Public Report

We welcome your feedback on these launched features, along with suggestions for new features. That's how we help our customers meet more of their needs and help make their users safer, so please contact support@hackerone.com with any questions, feedback, or requests.

A Maturity Model for Vulnerability Coordination

  • September 22nd, 2015

Take the Vulnerability Coordination Maturity Model survey today!

By Katie Moussouris

The question for all organizations isn't if, but when someone will discover a vulnerability in your software or systems. Do you have a graceful way to deal with that vulnerability report? What you do about it next can determine how it affects your organization, your customers, and your ability to defend against threats.

It's time for something new to talk about in the well-trodden vulnerability disclosure discussion: a Vulnerability Coordination Maturity Model, also described here on Youtube. This is a new and practical open guide to help organizations measure, benchmark, and improve their vulnerability handling capabilities when someone reports a security bug to them.

A Maturity Model for Vulnerability Coordination

Inspired by other familiar maturity models in secure software development, threat response, and others, we recognized a gap in the practical guidance in vulnerability coordination for not just software companies, but all organizations. We have released this model to help both established organizations as well as new vendors currently increasing their dependence on internet-connected software.

The Vulnerability Coordination Maturity Model will help organizations:

  • Assess their preparedness to respond to vulnerability reports and act on them.
  • Build a list of activities to enhance their abilities to respond to security bug reports in their own software or services.
  • Create a roadmap towards improving their vulnerability coordination and security over time.

Well over a decade ago, before the ISO standard for vulnerability disclosure (29147) and vulnerability handling processes (30111) were even a glimmer in the eye of the original editor, security researchers, hackers, and companies were wrestling with one of the oldest and most contentious debates in software: what is the best way to disclose a security vulnerability? I've written many thoughts over the years, and I've authored vulnerability disclosure policies for the largest software companies in the world. Yet we stand once again at the brink of another attempt to establish common best practices among security researchers, who find vulnerabilities, and those who are responsible for fixing them. My hope for this multistakeholder event is that we can together support strategies for coordinating vulnerabilities between hackers and vendors, as well as between vendors themselves, as was the case with Heartbleed.

Enter the Vulnerability Coordination Maturity Model, that takes best practices, cites the existing ISO standards, and describes how they can be augmented with even better capabilities. The maturity model shows how to take a beginner's level of vulnerability coordination and turn it into powerful ways to improve defense by leaps, possibly even disrupting adversaries with the knowledge gained.

Below are the five capability areas at the heart of the Vulnerability Coordination Maturity Model.

We are excited to bring you this Maturity Model as a tool to benchmark your current capabilities and a resource to return to in order to measure your organizational improvements over time. It is a practical and simple guide to get you started, no matter if you have simple capabilities or if you are highly sophisticated and are looking to tune your investment in vulnerability coordination to achieve the best outcomes.

There's a saying we in security are fond of: never waste a good crisis. That means each vulnerability reported to you isn't necessarily a crisis, but it's something to remind you that code is written by humans, who are flawed, yet we are also great at improving ourselves when motivated and given guidance to do so.

Take the Self-Assessment Survey

Take the Vulnerability Coordination Maturity Model survey and see how your organization stacks up, and where you need to invest in securing your products, learning from your mistakes, or download the slides that describe the model here. We can't wait to hear from you with questions, suggestions, and success stories of learning from your vulnerabilities to build safer software sooner.

Measuring Success in Vulnerability Disclosure

  • November 4th, 2015

By HackerOne Customer Success and Data Science Teams

At HackerOne, we're deeply interested in the success of vulnerability disclosure programs, and are constantly striving to better understand just what drives their success. To shed light on what contributes to a successful program, we've been analyzing our unique set of data from hundreds of organizations.* Based on this, we're excited to share the HackerOne Success Index (HSI), a method to measure the effectiveness of HackerOne-powered vulnerability disclosure programs. The index calculates six dimensions, from 1 to 10, by which programs can benchmark their success each month. We briefly discuss each dimension below, and we'll explore them in more depth over the course of this series.

Success is Multidimensional

Our investigation shows that success doesn't simply come from doing well on a single dimension, but rather across a combination of them. Successful HackerOne programs — those that consistently receive valid, security-enhancing reports — excel in a variety of the six distinct but interconnected dimensions below:

1. Vulnerabilities Fixed

Simply put, to be a thriving program, you need to receive and resolve vulnerability reports. The most successful programs also receive a wide array of vulnerability types across different security aspects. Performance in the other indexes will affect the volume and quality of vulnerabilities fixed.

2. Reward Competitiveness

Higher bounties tend to attract higher reputation researchers who find more severe vulnerabilities, though there isn't a simple linear relationship between reward level and activity. In fact, as our index quantifies, there are successful programs that offer no financial rewards at all.

3. Response Efficiency

Researchers appreciate clear, timely communication. The data show that programs that respond quickly to new reports, and keep open communication channels during the triage and resolution process, tend to get more reports and more repeat researchers, leading to a virtuous, security-enhancing cycle. In addition, the timely resolution of vulnerabilities reduces the risk of potential exploitation, leading to greater security.

4. Researcher Depth

Researchers who repeatedly investigate your products are going to find more severe vulnerabilities as they learn your code. It's (data) science. Not to mention that repeat researchers tend to produce better reports, and have smoother communication with your team, as you work together over time. This metric also takes into account the Reputation of contributors, since the data show that high reputation researchers are more capable of finding critical issues.

5. Researcher Breadth

This is where Linus's law, "given enough eyeballs, all bugs are shallow," really kicks in. With a large-enough testing group, problems in your code will be found quickly and fixes identified more efficiently. This is one of the reasons successful HackerOne programs continually add new researchers until ultimately opening up publicly, at which time they leverage the greatest potential testing pool on the planet: the entire population of the Internet.

6. Signal Ratio

The measure of valid reports against the total number of issues received is a primary indicator of the value gained from a program (check out our blogpost on signal). A high signal ratio means more actual vulnerabilities identified, and ultimately fixed, for the same amount of time spent triaging and responding. While we've made great strides in improving signal across the platform, it remains our top area of focus, and we have additional enhancements coming soon.

The result of putting these dimensions together is an advanced framework for quantifying impact and assessing the performance of these programs.

Dimension                Input Factors*
Vulnerabilities Fixed    number of vulnerability reports resolved, breadth of vulnerabilities resolved
Reward Competitiveness   average bounty, number of bounties, bounty award structure, maximum bounty
Response Efficiency      report close time, first response time, bounty time, triage time
Researcher Depth         sum of contributor reputation, number of repeat contributors
Researcher Breadth       number of new and existing contributors, public program
Signal Ratio             percent clear signal, percent nominal signal

* Factors are ordered by their weights.

Successful programs neither display a single HSI profile, nor necessarily have high marks in every single dimension. These indices will reflect a variety of circumstances, notably the program's goals and organizational characteristics like security maturity, size, and attack surface.


Take, for example, these spider chart visualizations of the HSI for two successful programs, graphically representing two large enterprise programs: one that offers bounties, and one that does not. Program 1, on the left, is one of the most successful programs in our dataset, topping the charts for Vulnerabilities Fixed and Researcher Breadth and Depth (advantages for public programs) and getting high marks in Reward Competitiveness as well. Program 2, on the right, also does very well in most dimensions, despite offering no monetary bounty at all. These examples suggest two things. First, you can clearly have a successful disclosure program without offering bounties, but with a slight cost to Researcher Breadth and Depth. Second, you should ignore dogma and use data to determine which incentives produce the ideal outcome for your organization and its unique circumstances.

Over the coming weeks, we'll further explore these dimensions in a series of blog posts that describe what goes into each one, show data on why that facet of the program is important, and make recommendations for how programs can improve their performance. As we operationalize the HSI, we are exploring ways to make it accessible to all HackerOne programs on an on-going basis. Contact the team now for a preview of your program's Success Index.

* Note: The Success Index is based entirely on transaction data, with no access to teams' vulnerability information.

411 for Hackers: Disclosure Assistance

  • November 5th, 2015

By Alex Rice

When a vulnerability is found, it needs to get into the right hands quickly. This is the only way to ensure it will be resolved safely without public harm. To aid in this process, earlier this year we introduced the Directory to identify the best way to report potential vulnerabilities directly to the organizations that can resolve them.

After adding thousands of pages to the Directory, we were troubled by how few organizations made it easy for external parties to responsibly report vulnerabilities. A whopping 94 percent of Forbes' Global 2000 have no established channel for receiving external vulnerability reports. Of the top 100 publicly traded companies in the Global 2000, only 13 percent have disclosure programs. Taking a closer look, we found that none of the top 10 automotive, healthcare, insurance or pharmaceutical companies in the Global 2000 have an established channel for receiving vulnerability reports. In fact, ING is the only financial services company in the top 100 with a vulnerability disclosure program. Similarly, United Airlines is the only airline in the Global 2000 with a formal policy.

It's risky for security researchers to report vulnerabilities to organizations that lack formal policies. Will the researcher receive a warm welcome, a cold shoulder, a punitive lawsuit, or a visit from law enforcement? This uncertainty intensifies a chilling effect that causes vulnerabilities to go unreported and the Internet to be less safe than it could be. It's in our collective best interest to help friendly hackers be able to disclose vulnerabilities to any organization.

In the physical world, "If you see something, say something" is a core tenet of any safe community. The same should be true online, yet far too often good samaritans are pressured to "say nothing." Encouraging strong relationships between organizations and the hacker community is key to creating a safer Internet for all. The HackerOne Directory aims to reduce risk for the individual and help close this crucial gap.

So, How Does it Work?

If you're attempting to report a security vulnerability, search the Directory to locate that organization's official vulnerability reporting process. If the organization has no defined process, look for "Disclosure Assistance" to request help in contacting the organization. HackerOne will then take steps to identify the organization's official vulnerability reporting process and will notify you once that process has been documented so you can connect directly. HackerOne never receives vulnerability reports on an organization's behalf.

Why offer Disclosure Assistance?

Organizations typically publish a vulnerability disclosure policy with guidance on how they want to receive information related to potential vulnerabilities in their products or online services (see ISO 29147). In the absence of a vulnerability disclosure policy, attempts to report security vulnerabilities often carry considerable legal risk for the security researcher, causing many to simply withhold vulnerability information or publish anonymously. In these cases, it is impossible to achieve an optimal outcome that ensures security vulnerabilities are safely resolved.

It is in our collective best interests that this scenario be avoided. If you have been unsuccessful in contacting an organization regarding the responsible disclosure of a potential security vulnerability, HackerOne can offer assistance. We will take steps to identify the organization's official vulnerability disclosure policy.

How does Disclosure Assistance work?

Search for the organization you are attempting to contact in the Directory. If a security contact method has not been published there, select "Disclosure Assistance" and HackerOne will take steps to identify an official process. If we are successful, you will be notified of the process and may submit the vulnerability report to the organization directly. HackerOne does not receive or submit vulnerability information on your behalf.

Please be aware that we cannot guarantee success, so we recommend familiarizing yourself with the EFF's Vulnerability Reporting FAQ and encourage you to perform other contact attempts in parallel to our effort.

Are there any risks with Disclosure Assistance?

It is impossible to completely eliminate the inherent risks associated with vulnerability disclosure and we recommend familiarizing yourself with the EFF's Vulnerability Reporting FAQ. However, HackerOne Disclosure Assistance may reduce your individual risk in several areas:

  • HackerOne will not accept any vulnerability information during the process, so no additional parties become privy to the disclosure details.
  • HackerOne does not require your identity to complete the process, so you may utilize a pseudonym to remain anonymous.
  • Once the organization's vulnerability disclosure policy is published, you have an opportunity to review it before choosing to make contact.

Recent articles

The best security initiative you can take in 2017

As CEO of HackerOne, I am thrilled to confirm that, as part of our rapid growth, we have strengthened our…

Bug Bounties Help Keepsafe Secure The Data of 50 Million Consumers

Keepsafe is on a mission to help us keep our private lives as they should be - private. Bug bounties are a big…

Hack The Army Results Are In

The most ambitious Federal bug bounty program to date, Hack the Army, targeted operationally significant…

November 2015 Feature Announcements

  • November 9th, 2015

We are excited to announce the new features we've added to HackerOne over the last two months. These features are available to use right now and we hope you check them out.

1. Improved Triggers [Settings > Triggers]

Our triggers engine has now been updated with the ability to show an interstitial prior to report submission. When a trigger's criteria have been met, an interstitial appears to convey additional context to the hacker and ask for confirmation before the report is submitted. We hope you'll find this feature helps you avoid a number of out-of-scope submissions and commonly reported false positives.

Here's a live example where ownCloud applied an interstitial trigger to communicate an intentional behavior in their infrastructure:

Interstitial trigger about ownCloud's SPF policy

2. Automated Scanner Detection

Automated vulnerability scanners are one of the more common sources of false positives on the platform. To help mitigate their impact, we've updated our report classification engine with detection for common outputs from these scanners that are frequently flagged as invalid by our customers. By allowing the hacker to double check the report before submission, and making the response team aware of its higher propensity to be invalid, we expect the overall quality of submissions to improve. We're continuing to invest heavily in our capabilities around report classification and expect this engine to get even smarter.

This feature is automatically enabled for all programs.

3. SAML [Settings > Authentication]

Improved Single Sign-On options with support for SAML are now available as well. Response teams using an SSO provider to authenticate (such as Okta, Ping Identity, OneLogin, Bitium, and Google Apps) can authenticate to their HackerOne programs using those services for centralized authorization and identity management. More information can be found on our help center.

4. Suggest a Bounty [Set Award > Suggest Amount]

We often find that response teams have to meet to determine reward amounts. To assist in this process, we've built inline voting functionality to help teams more easily arrive at consensus. We believe this will also help you ensure more consistency with reward amounts.

Suggest a bounty and discuss with your team-mates

5. Report Abuse [In Report]

Disagreements or contentious discussions may occasionally arise in the course of investigating a report. We've often served as a mediator in these scenarios to assist both parties in arriving at a resolution. If any disagreements or discussions arise about which you'd like an independent opinion, you can now request mediation and our experts will provide guidance.

Request mediation or Ban a researcher from your program

6. Additional Integrations

Support for integrating with Slack, Redmine, and Freshdesk is now live. You can find more info on setting up integrations on our Help Center.

We hope you'll find these new features useful, and we are looking forward to what's next! Any questions, feedback, or requests? We're always available at support@hackerone.com.


Expanding Reputation: Introducing Signal and Impact

  • December 18th, 2015

Edited on 4/8/2016 to reflect the latest Signal and Impact implementations.

We first introduced Reputation in October 2014 to provide additional recognition to the best researchers, and to highlight quality reports to security teams. Each researcher has a Reputation based on their track record on HackerOne. Reputation has been continuously improved since its introduction and has become integral to the platform.

To build upon its usefulness as a ranking system, we launched two new dimensions to better show how each researcher's Reputation has been achieved: Signal and Impact.

Why We're Improving Reputation

The existing Reputation system is effective at measuring a consistent track record of valid results, serving as an accurate ranking function. However, it occasionally let quantity obscure quality. The introduction of Signal and Impact helps further highlight quality performance.

New Dimensions: Signal and Impact

Signal & Impact

Signal is the average Reputation per report.
Reputation is gained or lost each time a report is closed, making Signal an aggregate representation of report validity.

Impact is the average Reputation per bounty.
Reputation is gained based on the relative size of the awarded bounty, making Impact an aggregate representation of report severity.

  • Signal and Impact are only calculated when there are more than 3 closed reports or 3 bounties, respectively.
  • Signal is measured on a scale from -10 to 7, corresponding to Reputation changes for triage states ranging from "Spam" to "Resolved." Self closed reports and Duplicate reports are excluded.
  • Impact is measured on a scale from 0 to 50, corresponding to Reputation gains calculated by bounty levels awarded.
  • Impact is only calculated for reports submitted to programs that offer bounties. We also display the percentile rank for Signal and Impact, relative to other researchers on the platform.

Examples

Alice and Bob have the exact same amount of Reputation (241). But Alice has a higher Signal (4.12 > 1.35), indicating a better track record of submitting valid reports. Alice also has a higher Impact (15.83 > 9.50) and therefore, a higher chance of submitting an important report.

This is valuable information for both of them. Alice will see that she is doing quite well with her current trajectory, while Bob will see that others are more accurate about their reports, and can adjust his reporting processes accordingly.

Conclusions

For a response team, Signal provides a means of identifying researchers who have had consistently valid reports while Impact highlights those with the greatest severity. For researchers, we hope both Signal and Impact will help you benefit through an improved understanding of your performance relative to your peers. In the coming months, we'll be incorporating Signal and Impact into other visible areas of HackerOne, such as the invitation system. We hope you'll find them useful and as always, we'd love to hear your thoughts.


Fair and Transparent Hacker Invitations

  • March 10th, 2016

We're happy to share that, based on your feedback, we've improved the hacker invitation system for private vulnerability coordination and bug bounty programs. With this improvement, we've increased the likelihood that top hackers will be invited to private programs. We've also enabled preference settings for hackers who would like to be invited only to programs that offer bounties.

Fair and Transparent Hacker Invitations

The higher a hacker's Reputation, Signal and Impact, the better the chance of receiving invitations to private programs. In our previous algorithm, we relied exclusively on Reputation. Now, anyone with a positive Signal (greater than 0), and with Impact (any value) is considered eligible for private programs. For hackers with a positive Signal, we calculate the average of three values to drive the likelihood of receiving private invitations: (1) Signal Percentile, (2) Impact Percentile and (3) Reputation Percentile. We use the following equation:

We take a weighted average of the three percentiles, with Reputation and Signal weighted more heavily than Impact. We multiply the Signal percentile by 3 and the Reputation percentile by 6. We then sum these three products and divide by 10, which generates a score between 0 and 100 for each hacker. A higher score results in a higher chance of getting invited to private programs.
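To make the Signal and Impact definitions from the December 2015 post and the invitation score above concrete, here is an added example (not HackerOne's code) that computes them from a constructed set of closed reports and bounties. The per-state Reputation changes other than Resolved (+7) and Spam (-10), the percentile inputs, and the sample data are all assumptions.

```python
from statistics import mean
from typing import Iterable, Optional

# States the post says are excluded from Signal.
SIGNAL_EXCLUDED_STATES = {"self-closed", "duplicate"}
MIN_SAMPLES = 3  # Signal/Impact need MORE than 3 reports / bounties


def signal(closed_reports: Iterable[dict]) -> Optional[float]:
    """Average Reputation change per closed report (scale -10 .. 7).

    Each report is {"state": str, "reputation": int}. Self-closed and
    duplicate reports are dropped first; None is returned until more
    than three qualifying reports exist.
    """
    deltas = [r["reputation"] for r in closed_reports
              if r["state"] not in SIGNAL_EXCLUDED_STATES]
    if len(deltas) <= MIN_SAMPLES:
        return None
    return round(mean(deltas), 2)


def impact(bounty_reputation: Iterable[int]) -> Optional[float]:
    """Average Reputation gained per bounty; None until more than three bounties."""
    gains = list(bounty_reputation)
    if len(gains) <= MIN_SAMPLES:
        return None
    return round(mean(gains), 2)


def invitation_score(signal_value: Optional[float], signal_pct: float,
                     impact_pct: float, reputation_pct: float) -> Optional[float]:
    """Private-program invitation score: (6*Rep + 3*Signal + 1*Impact) / 10.

    Only hackers with a positive Signal are eligible, so None means "not eligible".
    Percentiles are 0..100, so the score is also in 0..100.
    """
    if signal_value is None or signal_value <= 0:
        return None
    return (6 * reputation_pct + 3 * signal_pct + impact_pct) / 10


# Constructed sample data (assumed deltas for informative/duplicate/self-closed).
SAMPLE_REPORTS = [
    {"state": "resolved", "reputation": 7},
    {"state": "resolved", "reputation": 7},
    {"state": "duplicate", "reputation": 0},     # excluded from Signal
    {"state": "informative", "reputation": 0},   # assumed delta
    {"state": "spam", "reputation": -10},
    {"state": "self-closed", "reputation": 0},   # excluded from Signal
]
SAMPLE_BOUNTIES = [5, 10, 20, 15, 50]  # constructed bounty-level Reputation gains
```

With this data Signal is 1.0 (four qualifying reports averaging 7, 7, 0, -10), Impact is 20.0, and assumed percentiles of 60 (Signal), 50 (Impact) and 90 (Reputation) give a score of 77.0.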

Using this score, we distribute every eligible hacker over a logistic function. Initially, hackers with a higher score will receive the majority of the invites. As the program matures and more hackers are invited, the chance of including hackers with lower scores gradually increases.

In the graph below you can see how the first invitation is distributed over eligible hackers:

We believe that all hackers should have a fair chance to earn invites to private programs, including up-and-coming hackers that may not have as long of a history on HackerOne. To achieve this, we rank Signal just as highly as Reputation. In the previous system, Reputation favored hackers who had been active longer on HackerOne. Now, a newer hacker that has a Signal that is equal to or greater than that of a longer-tenured hacker can receive the same or even more invitations.

Hacker Invitation Preferences

In addition to improvements in the invitation system, we now also allow hackers to set preferences for receiving invites to private programs.

Preferences also work when hackers are invited directly by username or email address. This benefits hackers and response teams alike. Hackers will only receive invitations to the types of programs in which they are interested, and response teams should see an increase in the rate of participation from hackers they invite to their programs.

Your Feedback Made The Difference

These changes came as a result of helpful feedback we received from the hacker community. Top hackers wanted to see a better relationship between their rankings and the probability of getting invited to more private programs. We believe we have now struck a better balance. Additionally, hackers wanted to have more control over the kinds of programs to which they get invited, based on whether a program pays bounties or not. This is now an easy preference any hacker can set.

If you have any feedback, thoughts or questions about the improved hacker invitation system, we'd love to hear from you. As always, please feel free to contact us at feedback@hackerone.com. Thank you for reading!
