HackerOne’s Approach to Triage
By Jobert Abma
This is part 1 in a series of blog posts on HackerOne’s Triage Services.
Triage is critical to any vulnerability disclosure process or bug bounty program. Similar to triaging in a hospital emergency room, it’s crucial that issues are diagnosed as soon as they arrive.
Someone needs to go through the process of determining what the next step is and hand it off accordingly. A good Security Analyst will ask: What is the potential impact? Do we have enough information to continue? Who is the right person to hand it off to? People who do triaging always ask themselves, what is the next step?
Many of our customers prefer to handle triage themselves and we fully support that. That’s one of the benefits of working with us on your bug bounty program: we offer choice and services to blend with your team’s needs.
However, we realize that responding to the incoming security reports is “interrupt-driven” work and can be time consuming. So about a year ago, to help our customers solve that problem, we started building a dedicated group to help: the HackerOne Security Analyst Team.
Meet the Extension of your Security Team
HackerOne’s Security Analyst Team have a depth of experience across disciplines. ALL of them are active hackers, with a pulse on the firehose of reports, 0-days, and vulnerabilities large and small. Our team understands the security concepts inside and out and know how hackers think and communicate - because they are hackers themselves!
A little about the team:
Over 30-years of combined experience in application security, hacking, and triaging.
Geographically diverse, covering all North American, South American, African, and European timezones for ultimate coverage.
Depth of knowledge with prior experience at Facebook, Google, Zenefits, Snapchat, and more.
In a future post, our Manager of Triage Services Zach will go through even more details about the amazing team we’ve assembled and continue to grow.
Triage is just the first step
Keeping hackers involved throughout the process is not always easy and many of our customers grapple with how to do this effectively. This isn’t surprising. Your team’s priority is made up of their normal projects plus rolling out patches for the identified security vulnerabilities. We’ve learned that keeping the hacker involved and informed throughout the entire process is key to the success of your program.
At HackerOne, we go far beyond triaging for our customers. The Security Analyst team helps reproducing the reports, uses a strict report format for your team to work with for easy hand-off, gives remediation advice, and helps testing implemented fixes. They also work with your Technical Account Manager to help fine tune your bug bounty program. Like Wendy said, we’re an extension of your security or engineering team.
With our top-notch Security Analysts, we help our customers run some of the best performing HackerOne programs. Our international team allows us to work across different time zones, corresponding with hackers in more than ten languages. The ability of our team and geographic diversity results in an average time to first response of 11 hours.
The best programs on HackerOne have the best triaging
Their first responders jump on new tickets fast and escalate tickets accordingly. By relying on HackerOne’s extensive experience and working directly with the customer, we manage to help our customers run the best bug bounty programs on the planet.
To reiterate, responsiveness is very important when you interact with hackers.
Let me ask you this, would you go back to a hospital for medical care if you’d have to wait for weeks before someone made a decision on what to do?
No, and your company's health is no different. We’re here to help!
Engage HackerOne’s Triage Experts
HackerOne’s knowledgeable triage team will validate vulnerabilities, remove false positives, de-duplicate reports, assign severity, provide remediation guidance to your development team and for invalid reports, the Security Analyst will explain the reasons behind rejections to the hacker. Which means you and your team can focus on fixing verified vulnerabilities, streamlining the time from valid report submission to code fixes minimizing any window of opportunity for a malicious attack.