Security Page Updates: Boosting Consistency & Transparency for Security Researchers and Customers

August 1, 2024 Chris Evans

Cross-Directional Consistency & Transparency on the HackerOne Platform

HackerOne is a marketplace through which organizations can address security vulnerabilities with security researchers, and security researchers can be rewarded for their skills. As the owner of the marketplace, it’s the responsibility of HackerOne to ensure the participants have as much information as possible to make informed engagement decisions. This leads to:

  • Increased hacker engagement
  • Better marketplace efficiency
  • More consistent program standards and expectations

What To Expect With Security Page Updates

In the interest of increased program consistency, our security page updates provide new structured sections and other improvements, including:

Program Introduction

A dedicated section to briefly introduce the program.

Open/Closed Scope

The program strategy for handling submissions. This is always visible under Program Highlights.

Closed Scope

The program only accepts submissions on assets listed in its scope. This is the default value.

Open Scope

The program accepts and rewards submissions for owned assets even if not listed in its scope. Top-tier programs that are further along in their security journey may enable this option to elevate their security posture. Organizations with this declaration can see major benefits from increased hacker engagement and the knowledge of important bugs discovered outside of scoped assets.

Security researchers have expressed positive feedback about this option, as it shows that the organization takes a “pay-for-value” approach, rewarding any report that prompts action, whether the asset is in scope or not. For out-of-scope assets, the reward will match the impact-based rewards defined for similar in-scope impacts. 

Fast Payment Commitment

The program is committed to paying within one month of report submission.

Gold Standard Safe Harbor

The program follows Gold Standard Safe Harbor rules.

Platform Standards

The program indicates their position on Platform Standards (fully compliant vs. with deviations)

Exemplary Standards

The program indicates how they go beyond standards.

Scope Exclusions

The program indicates categories of reports that are not considered valid. These exclusions refer to any that go beyond HackerOne’s “Core Ineligible Findings.” While most programs may not need to indicate any exclusions, as the Core Ineligible Findings list is quite comprehensive, programs can communicate exclusions clearly in the event they are necessary.

Top Response Efficiency

Programs with response efficiency above 90% receive a positive badging highlight.

New Program Profile User Interface

A modern, mobile-friendly layout with an improved navigation system.

Benefits for Security Researchers and Customers

Increasing consistency across the board, the security page updates provide practical benefits for both hackers and customers.

Enhanced Transparency

The updated security page features create a structured approach that simplifies understanding of program requirements and policies, enabling researchers to make informed decisions and engage more effectively. The preset declaration fields make it easier for security researchers to quickly parse the information they need to determine whether they wish to engage with a program.

For organizations, a clearer, more prescriptive program page will result in fewer misunderstandings, mediations, and unexpected expenses.

Streamlined Onboarding

Standardized declarations and a user-friendly interface reduce setup time, making onboarding faster and more efficient for customers and hackers. With over a decade of experience managing over 3,500 successful programs, HackerOne also provides guidance and best practices for customers to manage their programs — and these updates make it easier for organizations to implement those recommendations.

Improved Engagement

A structured format and clear guidelines increase hacker engagement by making it easier for them to find information and submit valid reports. This also improves triage efficiency and accuracy, reducing confusion and errors.

Better User Experience

New interface features, including fast payment commitments and efficiency badging, improve the customer and hacker experience, making program management and participation more rewarding.

Build the Best Bug Bounty Program for Your Security Needs

With these important updates to the HackerOne Platform, security researchers and customers benefit from increased program consistency. To learn more about how to build the best bug bounty program for your organization’s security needs, speak to a security expert at HackerOne. Current customers with questions about the security page updates, please speak to your Customer Success Manager for more information.

Previous Article
Tips for Parents Working from Home from HackerOne Employees
Tips for Parents Working from Home from HackerOne Employees

At HackerOne, we've witnessed our parents craft impressive solutions to blend their professional and person...

Next Article
Introducing HackerOne Gateway Internal Network Testing: Superior Security for Internal Networks
Introducing HackerOne Gateway Internal Network Testing: Superior Security for Internal Networks

Our Solution: Precision Internal Network Testing with Zero Trust ControlWe are excited to introduce Gateway...