Effective vulnerability disclosure programs

Making the internet safer by improving vulnerability research.

#42
Voice authentication bypassed
whistler reported a bug to Playtronics.

The voice authentication system deployed by your company is susceptible to spoofing. As a proof of concept, I've created the following recording to bypass the system.

cosmo changed the status to Triaged.

The attack is partially mitigated by a mandatory second form of authentication (the user's key card). We are investigating further mitigations.

cosmo closed the bug as Resolved.
whistler requested to disclose this bug publicly.
cosmo agreed to disclose this bug publicly.
cosmo rewarded whistler with a $500 bounty.

This was great work, thank you for reporting it to us.

Disclosure is good.

All technology contains bugs. It is inevitable that a member of the public will discover a security bug in your software, and how you respond reflects the maturity of your security program. Maintaining positive relationships with security researchers is one of the most effective means of providing a safe and secure product.

Disclosure shouldn’t suck.

Our disclosure guidelines remove ambiguity from the disclosure process to ensure that bugs are eliminated safely. Clearly defining permitted behavior through a guided process builds trust and prevents misunderstanding.

Give thanks.

Showing gratitude to those who help keep your users secure is not only the right thing to do, it’s essential to building a more secure product. This gratitude could take many forms: a classic "Thanks", some company schwag, or a bug bounty program.

Why run a disclosure program?

Insanely Effective

Linus' Law: Given enough eyeballs, all bugs are shallow.

Complete Control

You decide which issues are important, and which ones aren't.

Experienced Partners

Our experts are here to support your team at every turn.

Bug Bounties

Want more bugs? Consider showing a little extra appreciation.

Easy Payouts

Forget about tax forms and wire transfers. We take care of everything.

Affordable Pricing

HackerOne is free. If you choose to award bounties, we charge a service fee.

Community

hacker /ha–kər/
One who enjoys the intellectual challenge of creatively overcoming limitations.

We are excited to foster a community of hackers who are incentivized to improve the state of internet security for the world. This group includes security researchers, software engineers, system administrators, and even casual technologists who come across technology in need of improvement.

We hope that through this effort we can remove the negative stigma from the ‘hacker’ label and have a positive impact for internet citizens worldwide.

Internet Bug Bounty

We are humble hosts of the Internet Bug Bounty, which rewards friendly hackers who contribute to a more secure internet. The program is made possible by the generosity of several sponsors whose entire contributions directly fund the bounties paid to researchers.

Our crew

We’re a group of hackers and researchers who have been frustrated by the failings of the vulnerability disclosure status quo. Members of our team have managed disclosure programs at Facebook, Google and Microsoft, participated in bug bounty programs, and disclosed vulnerabilities under dubious conditions. Our experiences have left us with a calling to improve vulnerability disclosure for everyone and make the internet more secure.

We believe that all technology contains vulnerabilities, that the public plays a crucial role in identifying these vulnerabilities, and that the subsequent disclosure should be safe, transparent, and rewarding for all involved.
