What were the top five most viewed public vulnerability reports on HackerOne in the second quarter of 2016? Read to find out!
Ask HackerOne anything on Thursday 25th August 2016 at 9am Pacific.
We want our hackers to be successful and are giving away a free copy of Peter Yaworski’s excellent Web Hacking 101 e-book.
We are excited to announce that as of today, mlitchfield has earned $500,000 in total bug bounties on HackerOne!
HackerOne hosted a live bug bounty event with Zenefits, Snapchat and Panasonic Avionics. Hackers earned more than $150,000 in bounties for over 225 reported vulnerabilities.
Here are our top five rules for creating an excellent bug bounty security page. Outlining a crystal clear scope helps hackers know what is (and is not!) going to net them a bounty. Transparency between hackers and security teams is vital to a successful bug bounty program.
Let’s get a quick update on the Hack the World competition and see how things are progressing.
Hacker movies of the 1990s were, upon original release, criticized as “dubious,” “unrealistic,” and “implausible.” Today, we’ll be looking at the movie “Hackers” and evaluating whether it was ahead of its time or just Hollywood pixie dust.
This post is the first in a series highlighting top hackers on HackerOne. These hall-of-famers are extremely talented bug hunters and continuously dominate the leaderboards and thanks pages. In this first post, we are thrilled to highlight Meals!
This blog post will give you more insights about how injection vulnerabilities work, and how you can use that knowledge to find more bugs.
Announcing our Hack The World 2016 hacker competition running from July 20th 2016 to September 19th 2016.
Better bug reports = better relationships = better bounties! Whether you are new to bounty programs or a bounty veteran, these tips on how to write good reports are useful for everyone!
Today we are launching Policy Diffing. On every single team page, you will now be able to see when the policy was last changed, and you will be able to see all policy changes for the program.
Welcome to episode #1 of our Hacktivity Highlights blog series, where we take a closer look at a top publicly disclosed vulnerability report.
Now security teams can edit the vulnerability types after the report has been submitted. With this improvement, teams can expect to have more accurate vulnerability data.
Back in November 2015, HackerOne welcomed our new CEO, Mårten Mickos, to the ranks. A native Finn living in San Francisco, Mårten has a long history building successful companies.
Ever stumbled upon a vulnerability, but had no idea how to share it with the affected organization? HackerOne can help! We’ve blogged about “Disclosure Assistance” before, but we wanted to talk about it again, as there have been some changes.
Upvote hacker activities and see what's popular on Hacktivity
The New HackerOne Leaderboard ranks reputation, signal and impact data in a simple tabular format.
The U.S. Federal Government’s first ever bug bounty program, managed by HackerOne, is now complete. Learn how it launched, what results came in, and what the Pentagon learned for the next bug bounty experience.
Uber’s Collin Greene shares advice on running a high quality bug bounty program, drawn from the mistakes made launching and leading the Facebook and Uber programs. This blog originally appeared on Medium.
Announcing new product editions - Professional, Enterprise and Security@. Along with HackerOne Managed and Pilots, the same HackerOne power can be tailored to every organization’s needs.
Life is complicated, bug bounties should not be. Here’s a comic illustrating how bug bounty programs work by Fred Chung.
Two years after a settlement with the FTC, has ASUS still not learned how to receive vulnerability reports from hackers? Last February, the Taiwanese hardware manufacturer, ASUS, and the Federal Trade Commission (FTC) settled charges that the manufacturer failed to protect consumers.
Now Hackers can earn even more on HackerOne! Introducing badges, now available on Hacker profiles in the badges sidebar.
Organizations that sign up for HackerOne all agree to our Disclosure Guidelines. This means that the Hacker community is protected against legal prosecution if they follow the guidelines. We wrote these Disclosure Guidelines when we started HackerOne because we believe that the hacker community should be protected when they have good intentions. These guidelines are designed to enable Hackers to proactively look for security bugs in our customers’ systems.
The first version of our API is now available! The API augments the HackerOne interface to empower you to build the best bug bounty programs.
There is nothing like revisiting a movie that was ahead of its time. Sneakers is one of these movies.
Public programs on HackerOne may publicly disclose vulnerabilities. Here’s how and why so many companies choose to add to the body of security knowledge and help enable a safer Internet.
To help security programs manage the expectations of participating hackers, we are rolling out a new program metrics feature, to be displayed on individual Security@ pages.
We explore Hacker Breadth and Depth with data from over 2,500 active hackers participating in hundreds of programs.
Talented hackers are the key ingredient for any successful bug bounty program. Here are five ways to attract them and improve your program.
Anyone with computer skills and a high degree of curiosity can become a successful finder of vulnerabilities. Here’s how I started.
What bugs do people want to read about? These are the top 5 publicly disclosed bugs on HackerOne for 2016 to date.
Organizations are leveraging bug bounty programs like never before, yet few know how to budget for it. Here are the basics of bug bounty budgeting.
This week, we had the pleasure of hosting 50 Belgian technology students, who were on a tour of Silicon Valley technology companies. We had the opportunity to share our experience as entrepreneurs, but mostly we discussed hacking and security because, that is what we live and breathe at HackerOne.
When you discover a vulnerability, fixing it is not just a matter of applying a quick patch to solve the immediate problem. You also need to do a root cause analysis, delving deep into the foundation of the problem. While these might sound basic, even mature companies with sophisticated security methodologies sometimes overlook these six steps.
On Thursday, March 31, 2016, the Department of Defense, arguably the world's most powerful organization, announced it will partner with HackerOne for the "Hack the Pentagon" pilot program.
Hackers in our community often share overviews of their security research in their blogs, and we love checking them out. In the spirit of sharing more hacker knowledge, we've compiled a list of hacker blogs that we regularly read. HackerOne doesn't have any influence over the content contained in these blog posts.
One of the most common questions we get from hackers is "How can I get along better with bounty admins or security teams?" Here are general guidelines to help maximize your interaction with those on the other side of the security@ inbox.
We are excited to share that Uber is launching its public bug bounty program today on HackerOne. Additionally, Uber and HackerOne collaborated to create a new way of rewarding hackers called bonuses, which enables security teams to give additional monetary awards to hackers beyond initial bounties. The Uber loyalty program will utilize HackerOne bonuses for additional incentives in its public program.
One of the most important things to be successful is creating a friendly and open environment, being responsive on issues and pull requests, and making time to manage the workload. Open source projects don't start as a community, but you can build one.
What happens when the very thing your company offers gets put to a surprise test? That's what happened to HackerOne last Friday when we shipped a vulnerability we did not know about, one that could have affected many of our customers. It was the ultimate dogfooding experience, and we've chosen to share our story with you here.
HackerOne improves the quality of vulnerability reports received in public bug bounty programs with Signal Requirements and Rate Limiter. Signal Requirements allow a company to set the threshold for Signal that hackers must reach in order to submit reports to them. The updated Rate Limiter provides hackers the opportunity to still participate in a limited way, even if they are below the Signal requirement.
We improved the hacker invitation system for private vulnerability coordination and bug bounty programs. The new system operates more transparently and ensures that top hackers are invited to more private programs.
Have you thought about becoming a hacker? Getting started is easier than you think. We've curated some of the best resources to help you build skills, whether you're a beginner or looking to improve your hacker-craft.
A vital part of success in vulnerability coordination is quickly acknowledging, validating, and ultimately fixing submitted issues and recognizing the researcher's effort.
Great hackers never curb their curiosity. Increased recognition of their contribution is helping more companies understand that they are a valued partner, not an adversary.
A recent study by 451 Research shows that security spending continues to be strong, with 44.5 percent of the 900 enterprise IT pros surveyed indicating they intend to increase their budgets during the next 90 days.
HackerOne reports results of its own bug bounty program for 2015, increases minimum bounty for severe vulnerabilities to $10K.
HackerOne describes the Reward Competitiveness dimension of the HackerOne Success Index.
HackerOne releases new Signal and Impact metrics to better describe researcher report history. Signal is the average Reputation per report. Impact is the average Reputation per bounty.
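As an added illustration of the two definitions above, and of how a Signal Requirement combined with a Rate Limiter (described earlier in this list) would gate submissions, here is a small Python example. It is not HackerOne's code: the reputation deltas per report outcome and the report histories are constructed assumptions, and the gating policy is a plausible reading of the feature descriptions rather than the platform's actual rules.

```python
from dataclasses import dataclass
from statistics import mean
from typing import Optional

# Reputation change per report outcome. ASSUMED values for this example;
# the page does not state HackerOne's real numbers.
REPUTATION_DELTA = {
    "resolved": 7,
    "informative": 0,
    "duplicate": 0,
    "not_applicable": -5,
    "spam": -10,
}


@dataclass
class Report:
    outcome: str
    bounty: Optional[int] = None  # dollars awarded, None if no bounty was paid

    @property
    def reputation(self) -> int:
        return REPUTATION_DELTA[self.outcome]


def signal(reports):
    """Signal: average reputation per report. None when there is no history."""
    if not reports:
        return None
    return mean(r.reputation for r in reports)


def impact(reports):
    """Impact: average reputation per bountied report. None when no bounty was ever paid."""
    bountied = [r for r in reports if r.bounty]
    if not bountied:
        return None
    return mean(r.reputation for r in bountied)


def may_submit(reports, signal_requirement, rate_limit, submitted_in_window):
    """Gate a new submission the way a Signal Requirement plus Rate Limiter would.

    Hackers at or above the requirement submit freely. Hackers below it, or with
    no history yet (Signal undefined), may still submit up to `rate_limit`
    reports in the current window. Policy shape is assumed for illustration.
    """
    s = signal(reports)
    if s is not None and s >= signal_requirement:
        return True
    return submitted_in_window < rate_limit


def example_histories():
    """Constructed sample histories for two hackers (not real data)."""
    return {
        "alice": [
            Report("resolved"),
            Report("resolved", bounty=500),
            Report("informative"),
            Report("not_applicable"),
        ],
        "bob": [
            Report("spam"),
            Report("not_applicable"),
            Report("resolved"),
        ],
    }


if __name__ == "__main__":
    for name, history in example_histories().items():
        print(name, "signal:", signal(history), "impact:", impact(history),
              "may submit (req 1.0, limit 2, 2 used):",
              may_submit(history, 1.0, 2, 2))
```

Note the two edge cases the averages must handle: a hacker with no reports has no Signal, and a hacker who has never earned a bounty has no Impact; returning None rather than 0 keeps "unknown" distinct from "consistently low quality", which matters when a threshold is applied.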
Looking for the perfect holiday gift for the favorite hackers in your life? Whether their interests lie in building stuff, breaking stuff or (better yet) building cool stuff to break other stuff, the creativity of your fellow security researchers knows no bounds.
The good news/bad news statistics are flowing this month as a smorgasbord of new security studies and reporting paint the current state of the union.
HackerOne describes the Vulnerabilities Fixed dimension of the HackerOne Success Index.
I am joining HackerOne as its CEO because the company is on an important mission for our connected society. Our world is increasingly networked, and as a result increasingly vulnerable. Securing our environment is not only important to preventing cybercrime, but also to defending basic human rights and freedoms.
The recent Senate approval of the Cybersecurity Information Sharing Act (CISA) has the very industry it's supposed to help abuzz with contention. Some believe the legislation is a good first step toward improving how the public and private sector share and analyze security threat indicators, enabling both sectors to more quickly react to new cyberattack patterns.
HackerOne new feature announcements November 2015 include Improved Triggers, Automated Scanner Detection, SAML Support, and new Integrations.
HackerOne introduces Disclosure Assistance to help hackers reach organizations that don't have official vulnerability reporting processes.
HackerOne introduces the HackerOne Success Index, a method to measure the effectiveness of HackerOne-powered vulnerability disclosure programs.
As we discussed in our previous blog, the security skills shortage may not be quite as real as some industry reports claim it to be. But that doesn't mean it's easy to recruit and retain talented professionals into the industry. It just means many organizations are blaming market dynamics for their own shortcomings.
Is there actually a 'brain drain' or talent shortage in cybersecurity, or are there more fundamental problems in the industry? I posed these questions to a number of friends in the industry and the perspectives ran the gamut.
HackerOne's Katie Moussouris explains the Vulnerability Disclosure Maturity Model, a way to help organizations measure, benchmark and improve their security vulnerability handling capabilities.
HackerOne new feature announcements August 2015 include Group Permissions, Researcher Messaging, and Summarized Public Reports.
HackerOne hosted a security panel, led by Magoo, on bug bounty programs, and we want to share some key takeaways with you.
In anticipation of the show, here at Within Security we've scoped out some of the top tools slated for release by researchers scheduled to talk at Mandalay.
HackerOne reached the milestone of 10,000 bugs fixed on the platform, and we want to take this opportunity to share some interesting data behind how we have tackled the challenge of improving signal on the platform.
We're excited to announce a $25 million Series B round of financing led by New Enterprise Associates (NEA) and several prominent angel investors, along with participation from existing investor, Benchmark.
HackerOne is launching the Directory: a community-curated resource for identifying the best way to contact an organization's security team.
A world wide war is being waged in which the most able-bodied soldiers are being discouraged from enlisting. It is an information security war, and hackers are the troops and the weapon designers that have the skills to shape our collective future, for good or for ill.
At HackerOne we believe in the power of the research community as an effective way to harden any attack surface. Encouraging, promoting and protecting security research has been integral to our mission since day one. As a key next step in fulfilling this commitment, we are thrilled to announce that Stepto has joined the HackerOne team as the Director of Hacker Success.
HackerOne has been working with economics and policy researchers from MIT and Harvard to study the economic forces behind the 0day market. Here's what they found.
While there are many interpretations of the word "hacker," we choose to pay homage to the original MIT hackers by using the term in our company name. We favor their early definition of a hacker: "one who enjoys the intellectual challenge of creatively overcoming limitations."
Many security professionals, hackers, lawyers, law enforcement officers, and members of the media are keenly interested in the White House's proposed changes to laws affecting Internet security. Among the proposed amendments to the Computer Fraud and Abuse Act (CFAA), the changes of greatest concern center on expanded language that poses an increased risk to many vulnerability research and security testing activities, and even to reporting on breaches.
Last Friday, on my way home from 31c3, a funny thing happened on my way through Charles de Gaulle airport in Paris: I was required by a security agent to not only power up, but also type in my password to unlock my laptop in order to board my flight.
With the end of 2014 dashing to a close and 2015 just over the hill, let's take a moment to look at the ghosts of bugs and breaches past. Vulnerability coordination, disclosure, and incident response have never been more important to get right. What could happen if we make adjustments in the way we approach security and how could that impact the bugs that will inevitably be delivered to both the naughty and nice in the future?
One of the primary challenges when running a vulnerability coordination program is distinguishing the signal from the noise. Today, we're introducing a new reputation system to make running a program even easier.
At HackerOne, we're on a mission to empower the world to build a safer internet. Better security begins with a quality vulnerability coordination process, and our free platform enables your team to seamlessly manage the entire workflow. Think of it as a replacement for your old shared security inbox.