Security Page Updates: Boosting Consistency & Transparency for Security Researchers and Customers
HackerOne has launched new updates to the HackerOne Platform program security pages that standardize policy fields, addressing current inconsistencies and ultimately driving more hacker engagement. This is part of a larger “Platform Standards” initiative to increase consistency and transparency between security researchers and the HackerOne customer programs they hack on and encourage standardized requirements for bug bounty programs. Let’s dive into the importance of program consistency for hackers and customers with HackerOne, what to expect from the security page updates, and the benefits of these updates for both hackers and organizations.
Cross-Directional Consistency & Transparency on the HackerOne Platform
HackerOne is a marketplace through which organizations can address security vulnerabilities with security researchers, and security researchers can be rewarded for their skills. As the owner of the marketplace, it’s the responsibility of HackerOne to ensure the participants have as much information as possible to make informed engagement decisions. This leads to:
- Increased hacker engagement
- Better marketplace efficiency
- More consistent program standards and expectations
What To Expect With Security Page Updates
In the interest of increased program consistency, our security page updates provide new structured sections and other improvements, including:
Program Introduction
A dedicated section to briefly introduce the program.
Open/Closed Scope
The program strategy for handling submissions. This is always visible under Program Highlights.
Closed Scope
The program only accepts submissions on assets listed in its scope. This is the default value.
Open Scope
The program accepts and rewards submissions for owned assets even if not listed in its scope. Top-tier programs that are further along in their security journey may enable this option to elevate their security posture. Organizations with this declaration can see major benefits from increased hacker engagement and the knowledge of important bugs discovered outside of scoped assets.
Security researchers have expressed positive feedback about this option, as it shows that the organization takes a “pay-for-value” approach, rewarding any report that prompts action, whether the asset is in scope or not. For out-of-scope assets, the reward will match the impact-based rewards defined for similar in-scope impacts.
Fast Payment Commitment
The program is committed to paying within one month of report submission.
Gold Standard Safe Harbor
The program follows Gold Standard Safe Harbor rules.
Platform Standards
The program indicates its position on Platform Standards (fully compliant vs. with deviations).
Exemplary Standards
The program indicates how it goes beyond the standards.
Scope Exclusions
The program indicates categories of reports that are not considered valid. These exclusions refer to any that go beyond HackerOne’s “Core Ineligible Findings.” While most programs may not need to indicate any exclusions, as the Core Ineligible Findings list is quite comprehensive, programs can communicate exclusions clearly in the event they are necessary.
Top Response Efficiency
Programs with response efficiency above 90% receive a positive badging highlight.
New Program Profile User Interface
A modern, mobile-friendly layout with an improved navigation system.
Benefits for Security Researchers and Customers
Increasing consistency across the board, the security page updates provide practical benefits for both hackers and customers.
Enhanced Transparency
The updated security page features create a structured approach that simplifies understanding of program requirements and policies, enabling researchers to make informed decisions and engage more effectively. The preset declaration fields make it easier for security researchers to quickly parse the information they need to determine whether they wish to engage with a program.
For organizations, a clearer, more prescriptive program page will result in fewer misunderstandings, mediations, and unexpected expenses.
Streamlined Onboarding
Standardized declarations and a user-friendly interface reduce setup time, making onboarding faster and more efficient for customers and hackers. With over a decade of experience managing over 3,500 successful programs, HackerOne also provides guidance and best practices for customers to manage their programs — and these updates make it easier for organizations to implement those recommendations.
Improved Engagement
A structured format and clear guidelines increase hacker engagement by making it easier for them to find information and submit valid reports. This also improves triage efficiency and accuracy, reducing confusion and errors.
Better User Experience
New interface features, including fast payment commitments and efficiency badging, improve the customer and hacker experience, making program management and participation more rewarding.
Build the Best Bug Bounty Program for Your Security Needs
With these important updates to the HackerOne Platform, security researchers and customers benefit from increased program consistency. To learn more about how to build the best bug bounty program for your organization’s security needs, speak to a security expert at HackerOne. Current customers with questions about the security page updates should speak to their Customer Success Manager for more information.