The HackerOne Blog

Top 5 Most Viewed Reports For Q2 2016

August 26th, 2016 hacktivity-highlights

What were the top five most viewed public vulnerability reports on HackerOne in the second quarter of 2016? Read to find out!

Ask Us Anything! Thurs 25th August 2016

August 22nd, 2016

Ask HackerOne anything on Thursday 25th August 2016 at 9am Pacific.

Hack, Learn, Earn, with a Free E-Book

August 18th, 2016

We want our hackers to be successful and are giving away a free copy of Peter Yaworski’s excellent Web Hacking 101 e-book.

mlitchfield Earned $500,000 on HackerOne

August 17th, 2016

We are excited to announce that as of today, mlitchfield has earned $500,000 in total bug bounties on HackerOne!

Viva Hack Vegas - Bug Bounty Hackathon

August 16th, 2016

HackerOne hosted a live bug bounty event with Zenefits, Snapchat and Panasonic Avionics. Hackers earned more than $150,000 in bounties for over 225 reported vulnerabilities.

Bug Bounty or Bust! Crafting Your Security Page

August 10th, 2016

Here are our top five rules for creating an excellent bug bounty security page. Outlining a crystal clear scope helps hackers know what is (and is not!) going to net them a bounty. Transparency between hackers and security teams is vital to a successful bug bounty program.

Hack The World: An Update

August 2nd, 2016

Let’s get a quick update on the Hack the World competition and see how things are progressing.

Hacker Movies We Love: Hackers

July 28th, 2016

Hacker cinema of the 1990s was, upon original release, criticized as “dubious,” “unrealistic,” and “implausible.” Today, we’ll be looking at the movie “Hackers” and evaluating whether it was ahead of its time or just Hollywood pixie dust.

HackerOne Hall of Fame - Sean Melia “Meals”

July 27th, 2016

This post is the first in a series highlighting top hackers on HackerOne. These hall-of-famers are extremely talented bug hunters who continuously dominate the leaderboards and thanks pages. In this first post, we are thrilled to highlight Meals!

How To Hunt For Injection Vulnerabilities' OR 1='1

July 21st, 2016

This blog post will give you more insights about how injection vulnerabilities work, and how you can use that knowledge to find more bugs.

Announcing Hack The World 2016 Competition

July 20th, 2016

Announcing our Hack The World 2016 hacker competition running from July 20th 2016 to September 19th 2016.

Bug Bounty Reports - How Do They Work?

July 19th, 2016

Better bug reports = better relationships = better bounties! Whether you are new to bounty programs or a bounty veteran, these tips on how to write good reports are useful for everyone!

Never Miss A Policy Change

July 15th, 2016 new-features

Today we are launching Policy Diffing. On every single team page, you will now be able to see when the policy was last changed, and you will be able to see all policy changes for the program.

Hacktivity Highlights: XSS via SVG

July 14th, 2016

Welcome to episode #1 of our Hacktivity Highlights blog series, where we take a closer look at a top publicly disclosed vulnerability report.

Edit a Report's Vulnerability Types

July 13th, 2016 new-features

Now security teams can edit the vulnerability types after the report has been submitted. With this improvement, teams can expect to have more accurate vulnerability data.

An Interview With HackerOne CEO, Mårten Mickos

July 12th, 2016

Back in November 2015, HackerOne welcomed our new CEO, Mårten Mickos, to the ranks. A native Finn living in San Francisco, Mårten has a long history building successful companies.

Disclosure Assistance Refresh

July 8th, 2016

Ever stumbled upon a vulnerability, but had no idea how to share it with the affected organization? HackerOne can help! We’ve blogged about “Disclosure Assistance” before, but we wanted to talk about it again, as there have been some changes.

Get Out the Vote!

June 23rd, 2016 new-features

Upvote hacker activities and see what's popular on Hacktivity.

"I am the greatest!" New HackerOne Quarterly Leaderboards

June 21st, 2016 new-features

The New HackerOne Leaderboard ranks reputation, signal and impact data in a simple tabular format.

What Was It Like To Hack the Pentagon?

June 17th, 2016

The U.S. Federal Government’s first ever bug bounty program, managed by HackerOne, is now complete. Learn how it launched, what results came in, and what the Pentagon learned for the next bug bounty experience.

Bug Bounty 5 Years In

June 16th, 2016

Uber’s Collin Greene shares advice on running a high-quality bug bounty program, drawn from the mistakes made launching and leading the Facebook and Uber programs. This blog originally appeared on Medium.

New Ways to Use HackerOne

June 14th, 2016 new-features

Announcing new product editions - Professional, Enterprise and Security@. Along with HackerOne Managed and Pilots, the same HackerOne power can be tailored to every organization’s needs.

How Bug Bounties Work: A Comic

June 9th, 2016

Life is complicated, bug bounties should not be. Here’s a comic illustrating how bug bounty programs work by Fred Chung.

ASUS Vulnerability Disclosure Déjà vu

June 8th, 2016

Two years after a settlement with the FTC, has ASUS still not learned how to receive vulnerability reports from hackers? Last February, the Taiwanese hardware manufacturer, ASUS, and the Federal Trade Commission (FTC) settled charges that the manufacturer failed to protect consumers.

Badges of Honor

June 7th, 2016 new-features

Now Hackers can earn even more on HackerOne! Introducing badges, now available on Hacker profiles in the badges sidebar.

30 Corporations Commit To Working With Hackers

June 2nd, 2016

Organizations that sign up for HackerOne all agree to our Disclosure Guidelines. This means that the Hacker community is protected against legal prosecution if they follow the guidelines. We wrote these Disclosure Guidelines when we started HackerOne because we believe that the hacker community should be protected when they have good intentions. These guidelines are designed to enable Hackers to proactively look for security bugs in our customers’ systems.

Announcing the HackerOne API

June 1st, 2016 new-features

The first version of our API is now available! The API augments the HackerOne interface to empower you to build the best bug bounty programs.

Hacker Movies We Love: Sneakers

May 19th, 2016

There is nothing like revisiting a movie that was ahead of its time. Sneakers is one of these movies.

Is Public Disclosure Right For You?

May 18th, 2016

Public programs on HackerOne may publicly disclose vulnerabilities. Here’s how and why so many companies choose to add to the body of security knowledge and help enable a safer Internet.

Managing Expectations with Program Metrics

May 11th, 2016 new-features

To help security programs manage the expectations of participating hackers, we are rolling out a new program metrics feature, to be displayed on individual Security@ pages.

The HackerOne Success Index - Hacker Breadth and Depth

May 5th, 2016

We explore Hacker Breadth and Depth with data from over 2,500 active hackers participating in hundreds of programs.

5 Ways to Attract Top Hackers To Your Bug Bounty Program

May 2nd, 2016

Talented hackers are the key ingredient for any successful bug bounty program. Here are five ways to attract them and improve your program.

How to Become a Successful Bug Bounty Hunter

April 21st, 2016

Anyone with computer skills and a high degree of curiosity can become a successful finder of vulnerabilities. Here’s how I started.

Top 5 Most Viewed Bugs of 2016

April 15th, 2016

What bugs do people want to read about? These are the top 5 publicly disclosed bugs on HackerOne for 2016 to date.

Anatomy Of A Bug Bounty Budget

April 13th, 2016

Organizations are leveraging bug bounty programs like never before, yet few know how to budget for it. Here are the basics of bug bounty budgeting.

5 Things Top Bug Bounty Hunters Do Differently

April 7th, 2016

This week, we had the pleasure of hosting 50 Belgian technology students who were on a tour of Silicon Valley technology companies. We had the opportunity to share our experience as entrepreneurs, but mostly we discussed hacking and security, because that is what we live and breathe at HackerOne.

You Received A Vulnerability Report, Now What? 6 Steps to Resolution

April 5th, 2016

When you discover a vulnerability, fixing it is not just a matter of applying a quick patch to solve the immediate problem. You also need to do a root cause analysis, delving deep into the foundation of the problem. While these might sound basic, even mature companies with sophisticated security methodologies sometimes overlook these six steps.

Hack the Pentagon Bug Bounty Program Launches on HackerOne

March 31st, 2016

On Thursday, March 31, 2016, the Department of Defense, arguably the world's most powerful organization, announced it will partner with HackerOne for the "Hack the Pentagon" pilot program.

Hacker Blogs We Love Reading

March 29th, 2016

Hackers in our community often share overviews of their security research in their blogs, and we love checking them out. In the spirit of sharing more hacker knowledge, we've compiled a list of hacker blogs that we regularly read. HackerOne doesn't have any influence over the content contained in these blog posts.

6 Ways to Build Great Relationships with Security Teams

March 24th, 2016

One of the most common questions we get from hackers is "How can I get along better with bounty admins or security teams?" Here are general guidelines to help maximize your interaction with those on the other side of the security@ inbox.

Uber Launches First of its Kind Hacker Loyalty Program with HackerOne Bonuses

March 22nd, 2016 new-features

We are excited to share that Uber is launching its public bug bounty program today on HackerOne. Additionally, Uber and HackerOne collaborated to create a new way of rewarding hackers called bonuses, which enables security teams to give additional monetary awards to hackers beyond initial bounties. The Uber loyalty program will utilize HackerOne bonuses for additional incentives in its public program.

Environment Is Everything, and Other Tips For Your Open Source Project

March 18th, 2016

One of the most important things to be successful is creating a friendly and open environment, being responsive on issues and pull requests, and making time to manage the workload. Open source projects don't start as a community, but you can build one.

The Smell of Bug Bounty Dogfood in the Morning

March 16th, 2016

What happens when the very thing your company offers gets put to a surprise test? That's what happened to HackerOne last Friday when we shipped an unknown vulnerability that could have affected many of our customers. It was the ultimate dogfooding experience, and we've chosen to share our story with you here.

Improving Public Bug Bounty Programs with Signal Requirements

March 15th, 2016 new-features

HackerOne improves the quality of vulnerability reports received in public bug bounty programs with Signal Requirements and Rate Limiter. Signal Requirements allow a company to set the threshold for Signal that hackers must reach in order to submit reports to them. The updated Rate Limiter provides hackers the opportunity to still participate in a limited way, even if they are below the Signal requirement.

Fair and Transparent Hacker Invitations

March 10th, 2016 new-features

We improved the hacker invitation system for private vulnerability coordination and bug bounty programs. The new system operates more transparently and ensures that top hackers are invited to more private programs.

Useful Online Resources for New Hackers

March 8th, 2016

Have you thought about becoming a hacker? Getting started is easier than you think. We've curated some of the best resources to help you build skills, whether you're a beginner or looking to improve your hacker-craft.

The HackerOne Success Index - Response Efficiency

February 10th, 2016

A vital part of success in vulnerability coordination is quickly acknowledging, validating, and ultimately fixing submitted issues and recognizing the researcher's effort.

What Great Hackers Have in Common

February 1st, 2016

Great hackers never curb their curiosity. Increased recognition of their contribution is helping more companies understand that they are a valued partner, not an adversary.

Enterprise Security Spending on the Rise

January 19th, 2016 withinsecurity

A recent study by 451 Research shows that security spending continues to be strong, with 44.5 percent of the 900 enterprise IT pros surveyed indicating they intend to increase their budgets during the next 90 days.

HackerOne 2015 Bounty Program Review and New $10K Minimum Bounty

January 13th, 2016

HackerOne reports results of its own bug bounty program for 2015, increases minimum bounty for severe vulnerabilities to $10K.

The HackerOne Success Index - Reward Competitiveness

January 6th, 2016

HackerOne describes the Reward Competitiveness dimension of the HackerOne Success Index.

Expanding Reputation: Introducing Signal and Impact

December 18th, 2015 new-features

HackerOne releases new Signal and Impact metrics to better describe researcher report history. Signal is the average Reputation per report. Impact is the average Reputation per bounty.

Happy Hacker Holiday Gift Guide

December 15th, 2015 withinsecurity

Looking for the perfect holiday gift for the favorite hackers in your life? Whether their interests lie in building stuff, breaking stuff or (better yet) building cool stuff to break other stuff, the creativity of your fellow security researchers knows no bounds.

What Are Security Fails Really Costing Us?

November 24th, 2015 withinsecurity

The good news/bad news statistics are flowing this month as a smorgasbord of new security studies and reporting paint the current state of the union.

The HackerOne Success Index - Vulnerabilities Fixed

November 23rd, 2015

HackerOne describes the Vulnerabilities Fixed dimension of the HackerOne Success Index.

Mårten Mickos: Why I Joined HackerOne as CEO

November 11th, 2015

I am joining HackerOne as its CEO because the company is on an important mission for our connected society. Our world is increasingly networked, and as a result increasingly vulnerable. Securing our environment is not only important to preventing cybercrime, but also to defending basic human rights and freedoms.

9 Security Thinkers Sound Off On CISA

November 10th, 2015 withinsecurity

The recent Senate approval of the Cybersecurity Information Sharing Act (CISA) has the very industry it's supposed to help abuzz with contention. Some believe the legislation is a good first step toward improving how the public and private sector share and analyze security threat indicators, enabling both sectors to more quickly react to new cyberattack patterns.

November 2015 Feature Announcements

November 9th, 2015 new-features

HackerOne new feature announcements November 2015 include Improved Triggers, Automated Scanner Detection, SAML Support, and new Integrations.

411 for Hackers: Disclosure Assistance

November 5th, 2015 new-features

HackerOne introduces Disclosure Assistance to help hackers reach organizations that don't have official vulnerability reporting processes.

Measuring Success in Vulnerability Disclosure

November 4th, 2015 new-features

HackerOne introduces the HackerOne Success Index, a method to measure the effectiveness of HackerOne-powered vulnerability disclosure programs.

6 Reasons Your Security Recruiting Sucks

October 27th, 2015 withinsecurity

As we discussed in our previous blog, the security skills shortage may not be quite as real as some industry reports claim it to be. But that doesn't mean it's easy to recruit and retain talented professionals into the industry. It just means many organizations are blaming market dynamics for their own shortcomings.

Is There Really a Cybersecurity Skills Gap?

October 8th, 2015 withinsecurity

Is there actually a 'brain drain' or talent shortage in cybersecurity, or are there more fundamental problems in the industry? I posed these questions to a number of friends in the industry and the perspectives ran the gamut.

A Maturity Model for Vulnerability Coordination

September 22nd, 2015 new-features

HackerOne's Katie Moussouris explains the Vulnerability Disclosure Maturity Model, a way to help organizations measure, benchmark and improve their security vulnerability handling capabilities.

August 2015 Feature Announcements

August 15th, 2015 new-features

HackerOne new feature announcements August 2015 include Group Permissions, Researcher Messaging, and Summarized Public Reports.

Security Leads Share Bug Bounty Program Tips

July 31st, 2015

HackerOne hosted a security panel, led by Magoo, on bug bounty programs, and we want to share some key takeaways with you.

6 Tools Slated To Come Out Of Black Hat

July 31st, 2015 withinsecurity

In anticipation of the show, here at Within Security we've scoped out some of the top tools slated for release by researchers scheduled to talk at Mandalay.

Improving Signal Over 10,000 Bugs

July 6th, 2015

HackerOne reached the milestone of 10,000 bugs fixed on the platform, and we want to take this opportunity to share some interesting data behind how we have tackled the challenge of improving signal on the platform.

Building Security Programs for Tomorrow - HackerOne Announces $25M Series B

June 24th, 2015

We're excited to announce a $25 million Series B round of financing led by New Enterprise Associates (NEA) and several prominent angel investors, along with participation from existing investor, Benchmark.

Where's that Security@?

June 4th, 2015 new-features

HackerOne is launching the Directory: a community-curated resource for identifying the best way to contact an organization's security team.

Legally Blind and Deaf - How Computer Crime Laws Silence Helpful Hackers

May 20th, 2015

A worldwide war is being waged in which the most able-bodied soldiers are being discouraged from enlisting. It is an information security war, and hackers are the troops and the weapon designers who have the skills to shape our collective future, for good or for ill.

Meet The Newest Member of the HackerOne Team: Stepto, Director of Hacker Success

April 15th, 2015

At HackerOne we believe in the power of the research community as an effective way to harden any attack surface. Encouraging, promoting and protecting security research has been integral to our mission since day one. As a key next step in fulfilling this commitment, we are thrilled to announce that Stepto has joined the HackerOne team as the Director of Hacker Success.

The Wolves of Vuln Street - The First System Dynamics Model of the 0day Market

April 14th, 2015

HackerOne has been working with economics and policy researchers from MIT and Harvard to study the economic forces behind the 0day market. Here's what they found.

What's in a Name?

February 26th, 2015

While there are many interpretations of the word "hacker," we choose to pay homage to the original MIT hackers by using the term in our company name. We favor their early definition of a hacker: "one who enjoys the intellectual challenge of creatively overcoming limitations."

Proposed Changes to the Computer Fraud and Abuse Act, Austin Powers, and You

January 16th, 2015

Many security professionals, hackers, lawyers, law enforcement, and members of the media are keenly interested in the White House's proposed changes to laws affecting Internet security. Among the proposed amendments to the Computer Fraud and Abuse Act (CFAA), the biggest concerns center on expanded language that poses an increased risk to performing many vulnerability research and security testing activities, and even to reporting on breaches.

The Tale of the Privacy Pink Panther

January 5th, 2015

Last Friday, on my way home from 31c3, a funny thing happened on my way through Charles de Gaulle airport in Paris: I was required by a security agent to not only power up, but also type in my password to unlock my laptop in order to board my flight.

Jingle Bugs - How to Rock in a Hard Place

December 26th, 2014

With the end of 2014 dashing to a close and 2015 just over the hill, let's take a moment to look at the ghosts of bugs and breaches past. Vulnerability coordination, disclosure, and incident response have never been more important to get right. What could happen if we make adjustments in the way we approach security and how could that impact the bugs that will inevitably be delivered to both the naughty and nice in the future?

Introducing Reputation

October 28th, 2014 new-features

One of the primary challenges when running a vulnerability coordination program is distinguishing the signal from the noise. Today, we're introducing a new reputation system to make running a program even easier.

New Security Inbox & Dashboard

August 28th, 2014 new-features

At HackerOne, we're on a mission to empower the world to build a safer internet. Better security begins with a quality vulnerability coordination process, and our free platform enables your team to seamlessly manage the entire workflow. Think of it as a replacement for your old shared security inbox.

Better, Stronger, Safer

May 28th, 2014

For the past year, we've been busy pursuing our passions and building HackerOne. We're excited to share a little more about what we've been up to, what's next, and how we hope you can be a part of our mission.