Security Page Updates: Boosting Consistency & Transparency for Security Researchers and Customers

Cross-Directional Consistency & Transparency on the HackerOne Platform

HackerOne is a marketplace through which organizations can address security vulnerabilities with security researchers, and security researchers can be rewarded for their skills. As the owner of the marketplace, it is HackerOne's responsibility to ensure that participants have as much information as possible to make informed engagement decisions. This leads to:

- Increased hacker engagement
- Better marketplace efficiency
- More consistent program standards and expectations

What To Expect With Security Page Updates

In the interest of increased program consistency, our security page updates provide new structured sections and other improvements, including:

Program Introduction
A dedicated section to briefly introduce the program.

Open/Closed Scope
The program's strategy for handling submissions. This is always visible under Program Highlights.

Closed Scope: The program only accepts submissions on assets listed in its scope. This is the default value.

Open Scope: The program accepts and rewards submissions for owned assets even if they are not listed in its scope. Top-tier programs that are further along in their security journey may enable this option to elevate their security posture. Organizations with this declaration can see major benefits from increased hacker engagement and from learning about important bugs discovered outside of scoped assets.

Security researchers have expressed positive feedback about this option, as it shows that the organization takes a "pay-for-value" approach, rewarding any report that prompts action, whether the asset is in scope or not. For out-of-scope assets, the reward will match the impact-based rewards defined for similar in-scope impacts.

Fast Payment Commitment
The program is committed to paying within one month of report submission.

Gold Standard Safe Harbor
The program follows Gold Standard Safe Harbor rules.

Platform Standards
The program indicates its position on Platform Standards (fully compliant vs. with deviations).

Exemplary Standards
The program indicates how it goes beyond the standards.

Scope Exclusions
The program indicates categories of reports that are not considered valid. These exclusions refer to any that go beyond HackerOne's "Core Ineligible Findings." While most programs may not need to indicate any exclusions, as the Core Ineligible Findings list is quite comprehensive, programs can communicate exclusions clearly in the event they are necessary.

Top Response Efficiency
Programs with response efficiency above 90% receive a positive badging highlight.

New Program Profile User Interface
A modern, mobile-friendly layout with an improved navigation system.

Benefits for Security Researchers and Customers

By increasing consistency across the board, the security page updates provide practical benefits for both hackers and customers.

Enhanced Transparency
The updated security page features create a structured approach that simplifies understanding of program requirements and policies, enabling researchers to make informed decisions and engage more effectively. The preset declaration fields make it easier for security researchers to quickly parse the information they need to determine whether they wish to engage with a program.

For organizations, a clearer, more prescriptive program page will result in fewer misunderstandings, mediations, and unexpected expenses.

Streamlined Onboarding
Standardized declarations and a user-friendly interface reduce setup time, making onboarding faster and more efficient for customers and hackers.

With over a decade of experience managing over 3,500 successful programs, HackerOne also provides guidance and best practices for customers to manage their programs, and these updates make it easier for organizations to implement those recommendations.

Improved Engagement
A structured format and clear guidelines increase hacker engagement by making it easier for hackers to find information and submit valid reports. This also improves triage efficiency and accuracy, reducing confusion and errors.

Better User Experience
New interface features, including fast payment commitments and efficiency badging, improve the customer and hacker experience, making program management and participation more rewarding.

Build the Best Bug Bounty Program for Your Security Needs

With these important updates to the HackerOne Platform, security researchers and customers benefit from increased program consistency. To learn more about how to build the best bug bounty program for your organization's security needs, speak to a security expert at HackerOne. Current customers with questions about the security page updates should speak to their Customer Success Manager for more information.