Changelog

Monthly Payouts

Hackers can now choose to receive their payouts monthly instead of daily, so that they can receive all their payments from the month in 1 batch payment.

Revamped Invitation Preferences

We've revamped the Invitation Preferences page with more options to specify and control your invitation settings.

Hacker Following

In order to keep up-to-date with your favorite hackers, we introduce the new Hacker Following feature. This enables you to keep track of your favorite hackers and to quickly see their activity on HackerOne.

You can filter the activity of the hackers you're following with our new Hackers I am following filter on the Hacktivity page.

We also introduce the Followed Hackers page on the Hacker Dashboard to help you manage the hackers you're following.

Dark Mode

You can now customize your HackerOne interface by choosing to view everything in dark mode. You can toggle your view experience by going to your profile drop-down.

Asset Labeling

Programs can now add specific labels pertaining to their assets. These asset labels provide more granular data about each program and the assets associated with it, which will help with matching hackers to specific programs.

Programs can add asset labels to these categories:

• Coding Language
• Framework
• Cloud and Infrastructure
• Database
• Content Management System
• Country
• Spoken Language
• Cryptocurrency

The labels will appear on your program policy page under Scopes.

Response Target Benchmarks

We introduce the new response target benchmarks dashboard that enables programs to compare their response times to those of other programs. This will help programs see what areas they need to focus on to improve their program.

Updates to CVE IDs

We've made these improvements to CVE IDs to help users get their CVE IDs faster and to simplify the publication process:

• Immediate CVE ID assignments: Users will no longer have to wait in getting their CVE IDs as HackerOne will now immediately and automatically assign a CVE ID to a request created through HackerOne.
• "Auto-Submission": We now offer the new Auto-submission option in the CVE request process that'll enable CVE requests to be submitted automatically for approval and publication when the attached HackerOne report is publicly disclosed.
• Publication Reminder Emails: HackerOne will now send users weekly reminder emails of their CVE IDs that have yet to publish an advisory.

Hacker Full Name and Addresses in Custom Agreements

Programs can now request hackers to provide their full name and address when accepting the Digital Custom Agreement.

Digital Custom Agreements

Hackers can now view their signed custom agreements on the new Digital Custom Agreements page within their profile settings.

Set up a Jira Integration without Jira Admin Permissions

To simplify the set up process, programs can now set up their Jira Integration without needing Jira Administrator permissions.

Control Visibility of Bounty Earnings

Hackers can now control whether they want their earnings to be visible on Hacktivity and their profile. Go to your profile's Settings > Account Preferences to manage your bounty visibility.

Linking Phabricator Tickets

Programs using the Phabricator integration can now link their Phabricator tickets to their reports on HackerOne.

Suggested Redaction in Report Comments

To better protect your sensitive information, we now provide a suggested redaction notification when your report comments contain sensitive information such as cookies, credentials, and authentication tokens.

Ability to Remove Jira References

Jira users can now remove a Jira reference on a report in case they linked the wrong Jira ticket or they need to escalate the report to Jira again.

Inbox Program Search

If you're managing or are a part of many programs, you can now search the inbox by program name with our new search field. The search field is visible for everyone who is a part of 5 or more programs.

New Program Filter: Bookmarked

We added the new Bookmarked program filter to the My Programs tab so that hackers can view their bookmarked programs on the same page.

Experience by Vulnerability Type

We added an Experience by vulnerability type section to the Overview page of the Hacker Dashboard so that hackers can see the analytics of which vulnerability types they're most successful in finding.

Modified Hacker Dashboard Layout

We modified the layout of the profile section of the Hacker Dashboard and also expanded it with metrics on resolved reports that enables hackers to understand the percentage of their report submissions that are resolved.

Hacker Profile Redesign

We've redesigned the hacker profile page to simplify the UI. In doing so, we've deprecated the Thanks tab and put the Thanks section at the bottom of the profile page.

New Settings on Notification Preferences

We've revamped the Notification Preferences page and added new settings so that all users can better customize their report notifications to reduce noise from unwanted notifications.

Program Page Bookmark and Subscribe Buttons

We've deprecated the Follow button on the Program Page and replaced it with a Bookmark button. We also moved the Subscribe button from the bottom of the Program Page and moved it to the top next to the new Bookmark button so that hackers can easily subscribe to program updates and add programs to their bookmarked program list on their dashboard.

API Enhancements

We've released the following improvements to our API:

• Filtering reports by weaknesses
• Filtering reports by severities
• Fetching program payment transactions
• Getting a program's balance
• Fetching a program's thanks items
• Updating report structured scope
• Filtering reports by keywords
• Fetching awarded program swag
• Fetching bounty suggestions
• Fetching program policy and attachments
• Requesting and cancelling report disclosure
• Redacting reports
• Groups attribute to member object
• Uploading attachments to the policy page

API Enhancements

We've released these new endpoints to our API:

• Ability to mark a report as ineligible for a bounty
• Marking swag as sent

API Enhancements

We've released these new endpoints to our API:

• Ability to create a report
• Ability to change the weakness on a report
• Ability to fetch all weaknesses for a program
• Ability to update policy of a program

Program Hover State Profile

You can now better preview programs when hovering over program names with our revamped hover state profile popup. You can quickly view important information regarding the program when hovering over the program name on these pages:

• Hacktivity
• Directory
• My Programs
• Pending Invitations
• Bookmarked Programs
• Hacker Dashboard

Newly Designed Program Profile Page

We've redesigned the program profile pages to give them a sleeker look.

Link Burp Suite with the HackerOne Scope

It can take a long time to set up Target Scope in Burp Suite, especially for programs with long or complicated scopes. Now you can download a Burp Suite project file to link HackerOne scope to the Burp Suite Target Scope.

Bounty Eligibility Indicator on Structured Scopes

We've updated the structured scopes table on the program policy page with a new bounty eligible and ineligible icon to clearly show which assets are eligible and ineligible for bounties.

Internal Attachments

You can convert attachments to be internal for all redactable reports in the Convert attachments to internal-only section when redacting a report.

Program Notifications

After the beta launch in March, all hackers can now subscribe to receive notifications from program updates.

Notification Preferences

You can also now set your notification preferences under the new Notification Preferences page in your user settings.

Mentions Filter

Easily find all reports you've been mentioned in to keep track of which reports need a response from you with our new mentions filter.

Custom Fields

After the beta launch in March, custom fields is now available to all Enterprise programs.

Mark a report as ineligible for bounty when awarding swag

We introduce the new Also mark as ineligible for bounty checkbox so that programs can now mark a report as being ineligible for bounty when awarding swag.

Programs are also able to now award swag to reports that are marked as ineligible for bounty.

Notifications Bell Icon

Say goodbye to the old notifications indicator next to your profile icon. We introduce a new bell icon to notify you of any new notifications. If you have more than 25 unread notifications, we've truncated the notifications number to be capped at 25+.

Saving the Inbox Sort Order

Say goodbye to having to always re-select how you want your inbox sorted. Your selected sort order will now automatically save when creating your custom inbox view.

Submission Date Filters

You can now filter through your inbox reports by submission date in order to quickly find reports submitted after or within a certain time.

Group Members Filter

The new Group Members filter enables you to search for reports by individual members within a group. Previously, you couldn’t see which members were assigned to which reports within the group. This enables you to better keep track of reports and the individuals assigned to them.

Goodbye to the Insights Tab

We’ve deprecated the Insights tab from program pages.

Program Dashboard

We’ve revamped the Program Dashboard with new metric tables and charts that give better insight into reporting and analytics for programs.

Enhancements to the Jira Integration

We've added these improvements to the bi-directional Jira integration:

Additional Fields

The HackerOne to Jira escalation template now includes all additional fields that are either a type of string, number, or date. This enables Jira users to have all fields in Jira be mapped to a value from the HackerOne report. All available Jira fields will automatically be pulled from the selected issue type.

Sync Attachments

Jira users can now sync attachments from their HackerOne report to Jira by selecting Synchronize attachments in the Select HackerOne to Jira events section when configuring their Jira integration.

Automated Report Closure

Jira users can now select which Jira closed issue status should result in the closure of the HackerOne report.

Severity to Priority Mapping

With severity to priority mapping, Jira users can map HackerOne severity ratings to the priority fields they have in Jira. This enables the right priority to be set when escalating a report to Jira.

Updates to the Hacker Dashboard

We've revamped the My Stats section of the Hacker Dashboard with expanded graphs where you can view your bounties, reports, and reputation over time. We've also included a new My top earning programs section to help hackers see which programs they're earning the most bounties from.

Notifications Checkbox

Programs can now select to notify their subscribers of changes in their Policy and Scope settings pages with our new Notify subscribers of changes checkbox. The checkbox can be found for changes to these pages:

• Policy
• Scope
• Bounties

Bounty Table Versions

You can now view previous changes made on bounty tables for all programs to see what's been changed over time with our bounty table versions page. Click on View changes on the Rewards section of the program policy page to access the versions page.

Custom Fields (beta)

We introduce custom fields to enable programs to add custom information to their reports to help them better manage and analyze their internal data by the categories that they define to be important. This feature is only available for Enterprise programs.

Custom Fields on the API

We've also added custom fields to the API to enable programs to search and filter reports by custom field values.

Program Notifications (beta)

Select hackers now receive program notifications to all program updates via the product and email for changes to the:

• Policy
• Bounty table
• Scope
• Hacker messages

We've also implemented a new Subscribe button on the policy page to enable hackers to easily subscribe to program notifications. Note: The button is currently viewable for select hackers.

Deprecation of Custom Recipients for Messaging Hackers

We've deprecated the Custom recipient field on the Message Hackers page as the feature wasn't found to be very valuable for programs.

Retesting Bundles

Programs can now opt-in to purchase a bundle of retests with their HackerOne subscription. With bundles, programs are no longer charged the processing fee for each bounty, and can also opt-in to purchase more retests when they run out.

My Programs

We’ve renamed the Accepted Invitations page on the Hacker Dashboard to now be called My Programs. We’ve also revamped the page so that hackers can better manage all of the programs they’re a part of by including:

• More filtering options
• Sorting
• A search bar
• A My stats section for each program where hackers can see their personal statistics for the program

Overview

We've renamed the Getting Started page to now be called Overview. We provide new hackers that haven't submitted any vulnerabilities with a getting started checklist with 4 tasks to complete to guide them to be more successful on the platform.

Hacker Statistics

After hackers have submitted their first vulnerability, they'll be able to view statistics for these personal metrics on their Overview page:

• Number of valid reports
• Bounties earned

Getting Started

We introduce the new Getting Started page on the Hacker Dashboard. This will guide hackers and direct them to the right pages to help them get the information they need to successfully start out on HackerOne

Export All Reports

Want all of your report data for safe keeping or just for analytical purposes? Programs can now export all of their reports through our new Export Reports feature.

Link HackerOne Reports to Existing Jira Tasks

Jira users can now link their HackerOne reports to their existing Jira tasks.

Selecting From Multiple Jira Projects

Jira users can also now select from multiple projects they want their Jira task to link to.

Indian Rupee Payments

Hackers in India will no longer lose a portion of their bounty to transfer fees as we now support payments to Indian Rupees.

Improved Sign Up Page

When new users sign up to use HackerOne, they can can now more clearly distinguish whether they are a hacker or a company wanting to set up an account.

Account Preferences

You can now clearly define whether you're a hacker or someone running a program within the new Account Preferences tab under your profile settings. This will help tailor your HackerOne experience to better fit your needs.

Infinite Scrolling

We've now implemented infinite scrolling on multiple pages so that you no longer have to click on the Load more button to view more information. The information now automatically populates.

Global Launches

We've globally launched these 2 previously beta features:

• Credential Management
• Disclosure for Private Programs

These features are now open for qualifying programs to opt-in to.

Revamped Directory

We've totally revamped our directory page so that you can better search and view programs. You can now filter your search results by program features and by asset type, and we also enable you to view various stats for each program on one page.

Program Bookmarking

You can now bookmark your favorite programs on the directory by starring them.

Hacker Dashboard

Our new Hacker Dashboard enables hackers to better manage and review their:

• Accepted Invitations
• Pending Invitations
• Bookmarked Programs

Hacktivity Search

We now enable you to search within Hacktivity. You can search for reports regarding programs and weaknesses you're interested to read about in the search bar to better learn how specific weaknesses were exploited in various programs.

Disclosure

We've deprecated the term "Public Disclosure" and now simply just call it Disclosure.

Disclosure for Private Programs (beta)

Private programs can now opt-in to enable hackers to disclose reports to other hackers within their program. Upon disclosure, contents of the report will only be visible to participants within that private program. This enables hackers to share their vulnerability findings with other hackers in the program, and can also increase awareness for other hackers as they can better see what vulnerabilities have already been found for the program.

Cancel Disclosure Request

We now enable you to cancel disclosure requests. You can cancel your own requests, and hackers and programs can cancel the requests they receive from one another if they choose not to disclose a report.

Hacker101 CTF Integration

Hacker101 CTF is now linked to your HackerOne account. Every time you earn 26 points in the CTF, you’ll be put in the priority queue to receive invitations to private programs. We also enable you to create your own groups to manage hackers working through the CTF.

Activities API Endpoint

We added a new activities API endpoint that enables you to fetch all activities of your program incrementally by time. Learn more about the activities endpoint.

HackerOne VPN

Hackers can now configure the HackerOne VPN and access their VPN credentials for VPN enabled programs.

Retesting

We've globally launched our retesting feature so that all programs can now initiate retests on any of their resolved reports. Invitations for retests now expire after 24 hours, and hackers are now required to provide a short summary of how they retested the vulnerability. Hackers can also provide attachments of their findings.

Retesting (beta)

Programs can now elect to invite hackers to retest their vulnerabilities to verify fixes. Each hacker that participates in the retest will receive a $100 bounty upon completion. Learn more about retesting.

Submission Requirements: Two-Factor Authentication

Programs can now require hackers to have two-factor authentication enabled in order to submit new reports to their program.

We've also renamed the Signal Requirements page under Settings > Program > Hacker Management to now be called Submission.

Embedded Submission Form

Programs can now embed the HackerOne report submission form onto their own website. This enables hackers to submit reports without having to create an account on HackerOne. Learn more here.

Sessions

Anyone can now review and manage their active HackerOne sessions on all of the devices they're signed in to on the new Sessions page.

Credential Management (beta)

We've enabled the beta Credential Management feature so that select programs can share credentials with hackers through the HackerOne UI. This enables hackers to quickly retrieve the credentials needed to find vulnerabilities.

Bug Fixes

• Your active HackerOne sessions will no longer end prematurely. Sorry for that annoyance!
• We've also fixed the "Remember me" bug. Your login credentials will actually be remembered for 2 week periods so that you don't have to repeatedly log in in order to access your account.

Publishing External Vulnerabilities

We now enable hackers to publish their findings from external sources that don't have HackerOne programs. Click here to learn more.

Two-Factor Authentication

Hackers now have the ability to set up two-factor authentication to add an extra layer of protection to their accounts.

Inbox Filters

Programs can now filter reports with these new inbox filters:

• No weakness
• No asset
• With references
• Without references

Insights (beta)

We introduce the insights page to provide hackers with helpful statistics about programs they're contemplating to hack on. The information is provided to help hackers focus their efforts on the right assets for the right programs. Categories of insights include:

• Bounties
• Reports
• Hacker Participation
• Top 10 vulnerabilities
• Scope Severities

Hacker Email Alias

All hackers now have an email alias that forwards emails to the email address they’ve registered with on HackerOne. This provides an easy way for programs to contact you in order to share credentials and information without having to access your actual email address.

Sort Notifications

You can now sort notifications from oldest to newest and vice versa.

Hacktivity Redesign

We've revamped the look of our Hacktivity feed so that it has a sleeker design. We've also deprecated the Top tab on Hacktivity.

Bug Fixes

• Hackers that have submitted a report and left the program can now revisit the report without seeing any errors.
• The reworded the notification for invites to private programs so that it's clear that it's an invitation.

Reputation on Triage

No need to wait for reports to be resolved in order to increase reputation! We now enable hackers to gain reputation whenever their reports are marked as Triaged.

Bounty Tables

Instead of having programs manually create their own bounty table on the policy page using tedious markdown, we now enable them to easily generate their own bounty table with our new bounty table tool.

Hacker Feedback Dashboard

We introduce the new Hacker Feedback Dashboard where private programs can see the total feedback their program has received from hackers along with the reasons they’ve declined to participate in their program. The feedback can be viewed at Dashboard > Feedback. Learn more about the feedback dashboard.

Triggers

We've revamped our triggers functionality so that you can:

• Preview matches for a new trigger
• Add And/Or conditionals to make the trigger more flexible
• Edit or build off of default triggers

We've also updated the design so that you'll have a better user experience.

Response Targets

We’ve deprecated the threatening term, Response SLA and replaced it with the more friendly terms, Response Targets and Response Standards. Learn more about these new terms.

We’ve deprecated the SLA Violations inbox view and changed the name to Missed targets. The inbox filters are also now Missed response targets and Missed response standards instead of SLA violation reports and SLA Fail reports.

We introduce 4 new inbox labels for reports that don’t meet response standards or targets. The labels are: Response, Triage, Bounty, and Resolve. These labels replace the previous SLA Fail and SLA Miss labels.

The fields on the Reponse Target performance section of the Program Health dashboard have changed to On target, Missed target, and Missed standard. The missed target line is also taken off of the Average Time to Resolution graph on the dashboard.

Response Efficiency Indicators

We’ve modified response efficiency indicators so that:

• They now let you know the program’s percentage of reports that meet response standards instead of the number of reports that are failing or missing SLAs.
• The indicator and metrics are visible even when a member of the program is signed out.
• The orange response efficiency indicator is now changed to yellow.
• The indicator now occurs at the bottom of the metrics chart instead of at the top.

Time to Resolution by Severity

We now enable you to set your Time to Resolution response standards by severity. Learn more here.

Invitations Toggle

Programs no longer have the ability to toggle invitations on or off with the On/Off button. The equivalent action to turn invitations off is to set the report volume to 0 if they no longer wish to engage with new hackers. To turn invitations on, just increase the report volume to be greater than 0.

Policy and Scope

Policy and Scope now have their own separate sections under Settings > Program.

Bug Fixes

• The Managed label no longer shows up on the directory for programs with expired triage subscriptions.
• The response standard percentage now displays when the display option setting is enabled. There were some incidences where it didn’t show in the past.
• When a large user profile photo is uploaded, an error message is now given to the user to notify them that the upload has failed.
• Social sharing icons on public programs are now aligned and work properly without any weird spacing issues between the icons.
• Hackers no longer receive automatic invitations for programs they’ve left.

The 90 Day Leaderboard

The new rolling 90 day leaderboard ranks hackers based on their score from this calculation: Reputation x Signal Percentile x Impact Percentile.

Needs More Info

When a program member adds a comment to an open report with a question mark, Hackbot will prompt them asking if they want to change the state of the report to Needs more info.

Response Efficiency Timers

Response efficiency timers no longer trigger for reports submitted by internal members of the program.

Auto-Invites for Controlled Programs

Programs in controlled launch mode are no longer able to toggle auto-invites as on or off. To change their settings for invitations, they can contact HackerOne support.

Bug Fixes

• URLs in the report title are now wrapped so that they aren’t crossing out of the inbox.
• The Program Health Dashboard now displays 0 instead of N/A when there are no missed or failed reports.
• When a hacker leaves a program that they got invited to through the email forwarding feature, they won’t be placed in the priority queue for leaving that program. This prevents hackers from harvesting a ton of private invitations.
• Hackers now don’t receive invitations to programs they’ve left.
• When hackers received an invitation to claim a report, they couldn’t see or accept the terms of the program. Now they can actually claim the report and see the terms of the program.

Invitations

We’ve improved the way programs can manage their invitations to hackers. You can now set a report volume target where we’ll monitor and manage your hacker invitations to help you meet your report goal.

The Invite Hackers tab under Settings > Program > Hacker Management has been renamed to Invitations.

The Invitations page includes the new Report Volume field where you can enter the number of reports you'd like to receive in 30 days.

Read more about Invitations.

Needs More Info

Reports in the Needs More Info state that haven’t been responded to within 30 days automatically get closed with no negative impact to the hacker’s reputation.

Self-Controlled Launch

Response Programs in Controlled Launch that meet all of the success criteria are now prompted to publicly launch their own program through following the Setup Guide or through email notification.

Response SLA Settings

Response SLA settings are now applied to all reports and not just reports created after modification to SLA settings.

Response SLA settings are also now incorporated into Controlled Launch for Response programs. Programs must’ve received at least 10 reports and invited 100 hackers while maintaining healthy responsive times before launching publicly.

Program Health Dashboard

The new Program Health Dashboard helps programs track their Response Efficiency Metrics and Response SLA performance. Go to Dashboard > Program Health to view your metrics.

Response Efficiency Indicator

Programs can now see their response efficiency indicator in their program dropdown. This enables them to see their response efficiency status without having to visit their security page.

Bug Fixes

• Invite notifications don’t show up again for expired, declined, and duplicate invites.
• The questions on the Invitation Rejection Questionnaire and the Leave Program Questionnaire no longer show duplicates.
• The Time to Bounty timer now pauses when a report is closed as either N/A, Duplicate, Informative, or Spam.
• The red response efficiency indicator tooltip now correctly states that the program has failed SLAs instead of missed SLAs.

In-Product Notifications for Invites

The notifications corner now pings hackers about new invitations.

Invitations on the Program’s Profile

Hackers can also see their invitations on the program's profile page. This reminds hackers of their invitation when they go to look at the program.

Pending Invitations Page

The new Pending Invitations page enables hackers to view all of their pending invites in one place so that they can see all the invitations they need to take action on.

Rejection Questionnaire

When Hackers reject an invite, they are given the opportunity to fill out a questionnaire to provide HackerOne with feedback on why they decided to reject the program invitation. The questionnaire shows up directly after hackers reject the invitation.

Leave Program Button

The Leave Program button is updated to be on the sidebar of the program’s security page. Hackers that leave the program also also get an invitation to fill out the rejection questionnaire.

Priority Queue

Hackers that submit the rejection questionnaire are placed at the top of the queue for the next program invitation they qualify for.

Private Invite Notification

The notification to private invites is updated so that it doesn't look like a program member invite.

Response Efficiency Box

The Response Efficiency box is updated on the program security page to show that metrics are averages of the last 90 days.

Response Efficiency Indicator

There is now a response indicator in the Response Efficiency box of the program's security page to show how healthy a program is. The indicators are either green, orange, or red dots.

Bug Fixes

• Hackers are no longer redirected to a deleted program after every login.
• Programs can mark reports as being ineligible for bounty even though a hacker account is disabled.
• The program health alerts are fixed so that you're not getting alerted when you have 0 reports failing SLAs.
• Old resolved reports are no longer marked as SLA Fail or SLA Miss.

Human Augmented Signal

We enable programs to utilize the expertise of HackerOne Security Analysts to review those pesky invalid reports so that programs don’t have to deal with them. Learn more about Human Augmented Signal.

Response SLAs

You can now set your response service level agreements (SLAs) for time to first response, time to triage, time to bounty, and time to resolution. What do all these terms mean? Find out here.

Response Efficiency Indicator

We now display a colored indicator on a program's security page to show hackers how responsive a program is to report submissions.

SLA Inbox Labels

If you forget which reports aren't meeting your response SLAs, we now have SLA Miss and SLA Fail labels as well as a new SLA Violations view in your inbox to show which reports need action.

Pausing Report Submissions

Want to take a break or need time to catch up on existing reports? Programs can now pause from accepting new report submissions.

Inline Image and Attachments on the Security Page

We now enable you to attach pictures and other files to your policy. Simply go to your program's Settings > Policy and there will be a field where you can upload your files. We've got a nice giph on ours. Check it out.

Controlled Launch for Response Programs

We've revamped the on-boarding experience for new response programs by guiding them through a step by step setup process that prepares them for public launch.

Report Submission Template

What...do...I...write? We've updated the blank report submission form with a template of what a good report write-up should entail. This'll guide hackers on how to write up a good report.

Directory Icons and Program Badges

The Directory page now includes pink and purple lightning icons to highlight programs that are:

• Fast to respond with a first response in <48 hours on average
• Fast to award by giving a bounty <14 days after submission

We also include a Managed badge to identify programs that are managed by HackerOne.

Paying out Bounties via the API

Organizations now have the ability to payout and suggest bounties and swag using their internal systems via the API. You can view the API documentation for this here.

Slack Integration 2.0

We've revamped our Slack integration so that programs can have:

• Granular notification filtering
• Support for multiple channels
• Notifications when a username is mentioned

Read our blog post and learn how to set up Slack integration.

Bounty Splitting

We now enable programs to have this feature that enables hackers to split bounties with other hackers that helped them find the vulnerability.

Bank Transfers via CurrencyCloud

Hackers can now receive payments through Bank Transfers via CurrencyCloud. This enables them to get paid out in 30 different currencies to almost any country in the world.

Scope

Programs can now define their scope and the list of assets they want hackers to test. This controls what reports can be submitted and helps to prevent noise. Don’t know what a scope is? Learn more here.

Hacker Reviews

Programs now have the ability to review their hackers and to comment on their behavior. Learn more about hacker reviews.

Bi-Directional Phabricator Integration

We now provide programs with a two-way integration that syncs changes between HackerOne and Phabricator.

Hackathon Inbox Filter

During hackathon events, programs can now filter reports in their inbox specific to the hackathon so that these reports can be focused on.

Onboarding Changes

We’ve updated the words programs encounter when they onboard onto our platform to reflect our new product changes.

Admin Notification Control

Program administrators now have the ability to enforce notification settings for all members of their program. This ensures that members only receive notifications for the reports they’re subscribed to, instead of being spammed for things that don't apply to them.

Automated Daily Coinbase Payouts

We’ve automated our daily Coinbase payouts so that we don’t have to manually do the work and all hackers receiving payments through Coinbase will be paid at a consistent time every day at 11pm UTC.

Bi-Directional Jira Integration

We now provide a bi-directional Jira Integration where Jira users can sync specific workflows from Jira to HackerOne and vice versa, from HackerOne to Jira.

Move Report Between Programs

Organizations running multiple programs are now able to transfer reports between programs to make sure the vulnerability is associated with the correct program.

Filter Reports by Weakness

You can now filter your reports by specific weaknesses in your inbox.

Beta Hacker VPN

We've implemented a hacker VPN that:

• Controls traffic to in scope program assets
• Enforces granular access controls with a 1:1 mapping between an individual hacker and a static IP
• Pauses individual hacker access without interruption to the overall program
• Integrates with a program's monitoring tools to have full visibility into program activity

Contact HackerOne to participate in this beta.

Personalized Invitation Messages

Hacker invitations can now be personalized with a personal message to the hacker(s) receiving the invitation.

CWE Weakness for Vulnerability Types

We've updated our vulnerability taxonomy to include a more complete weakness suite based on the industry-standard Common Weakness Enumeration (CWE). This provide a much more complete and accurate description of a reported vulnerability, and more importantly, it adopts a common language that is endorsed by the security community.

Disclosure Assitance with Vulnerability Report

HackerOne will now triage and validate disclosure assistance vulnerability reports by severity in order to expedite the disclosure assistance process.

"Needs First Response" Inbox Filter

We’ve added a ‘Needs first response’ filter to the inbox so that all reports that are still waiting on a public response to the hacker. This helps programs to optimize their time to first response.

Award Bounty for External Reports

All program users of the HackerOne API are now enabled to choose to award a bounty for a report that was submitted externally to their HackerOne Security Inbox.

Custom Integrations for Non-Financial Bounties

We now provide native support for custom integrations with non-financial reward programs such as paying bounties in airline miles. The first user of these new rewards is Lufthansa, which awards bounties in the form of their “Miles and More” program. Please contact your Account Manager for additional information.

Report Trigger Matches

We now surface report trigger matches in internal comments to help programs triage a report faster.

Security@ Email Forwarding

We enable vulnerability emails sent to programs’ security@ emails to automatically be forwarded as a report in your HackerOne inbox.

Custom Inbox Views

We now enable users to create and save their own custom View in their inbox.

Trigger for Low Bounty Balance

We now enable programs to set up a trigger for when their balance falls below a certain amount.

Inline Video Attachments

We now enable hackers to attach videos to their vulnerability reports.

Clarify Public Launch Expectations

We now set clearer expectations for self-managed programs that decide to publicly launch their program without having met the launch criteria. We supply warning messages showing that the program hasn’t met the recommended criteria and also require them to select the checkbox acknowledging that they haven’t met the criteria but still want to launch publicly.

Bounty Statistics

When programs award a bounty, we now automatically show them the median, competitive, and top level bounty across the platform for the severity of the vulnerability they are awarding a bounty for. This helps programs to gauge their reward competitiveness and to be as consistent as possible in awarding bounties.

Filter by Severity

We now enable programs to filter reports in their inbox by severity.

Redact Sensitive Information from Reports

Programs can now redact sensitive information from reports in a self-service manner.

Program Updates

We’ve created a new Program Updates tab on the program security page. Programs can publish and persist updates to their hackers like a mini blog on this tab.

Monthly Digest Report

We’ve implemented monthly digest report emails so that if a user is a member of an active HackerOne program, they’ll be able to see how their program is performing and gain insight into any changes to their program. They’ll receive this email every first business day of the month.

Hacker Skills

The new Hacker Skills feature enables hackers to identify their skill set which enables them to qualify for invitations specific to their skill sets. Each skill a hacker puts will be verified by HackerOne.

Configure SLAs for Triage and Resolution

We enable programs to set internal Service Level Agreements (SLAs) by configuring the amount of time that can elapse before a report is marked for their program.

Change Report State via API

We enable you to change the state of a report through utilizing our API.

Export as .zip

We provide a new export option where you can download the contents of the report and all attachments in a single zip archive.

Hackbot Improvements

We’ve improved HackBot to suggest single-click actions, such as:

• Creating a common response
• Integrating with an issue tracker
• Creating a trigger

CVSS for Severity

We introduce the ability for both hackers and security teams to set severity via CVSS. Read our blog post or docs article to learn more.

No Attachment Warning

We now display a warning message if your report references an attachment but no attachments are found.

Hacker Profile: Thanks Page Improvements

We’ve totally revamped our Thanks page on the hacker profile so that all the programs hackers have made contributions to, are now listed in the order of most reputation earned. We also display for each program:

• The number of valid and closed reports the hacker has
• The reputation earned
• The rank of the hacker

Lock Reports

You can now lock reports to prevent new comments on publicly disclosed reports.

Assign Report Through API

Programs can now assign reports to team members using the API. See the API documentation for how to assign a report here.

Notifications Page

We’ve created a notifications page so that you can have a clear overview of your notifications. Go to https://hackerone.com/notifications to see your notifications.

Filter Inbox by Program

Hackers can now filter reports in their inbox by program using the Reported to field so that they don't have to filter through reports with their own eyes.

Report Submission Template

Programs now have the ability to further customize their report submission form by choosing and customizing a report template that pre-populates the Issue information field. Learn more about report templates.

Billing Page Improvements

We’ve updated the Billing page so that programs can now:

• Filter by date ranges
• View partial invoices of the current month
• View balance and credit amounts

Edit Vulnerability Type

Programs can now edit the vulnerability type of a report after the report has been submitted. This is to correctly associate a report with the right vulnerability type if a hacker selected the wrong one.

Policy Versioning

Hackers can now see when the policy was last changed and view all policy changes on a program’s Security Page.

No More Negative Reputation for “Needs More Info”

We’ve adjusted our reputation system so that reports marked as “Needs More Information” doesn’t result in a -1 reputation hit.

Hacktivity on Hacker Profiles

We now display all reports hackers have on hacktivity onto their profile page.

Hacktivity Upvoting

Users can now upvote reports that they’re interested in in order to create a “Popular” sorting on Hacktivity where reports with the most upvotes are featured on top.

Hacker Leaderboard

We’ve deprecated the Thanks page at https://hackerone.com/thanks and turned it into a hacker leaderboard that’s segmented into more granular time periods and sortable by Signal, Impact, and Reputation. See who’s on top here.

Badges

Hackers can now receive badges when they meet certain criteria or achieve certain events to showcase on their profile.

API Documentation

We introduce the first version of the HackerOne API to empower programs to build custom metrics and dashboards. Learn more about our API Documentation.

UI Improvements to Default Automatic Invitations

We’ve cleaned up the UI to Invite Hackers so that it’s clear that there’s a single call-to-action to privately launch a program by turning automatic invitations on.

Security Page Metrics

Programs now have the ability to publicly share Time Metrics and Reward Metrics. These metrics include:

• Mean Time to Response
• Mean Time to Resolution
• Mean Time to Bounty
• Mean Bounty Amount
• Median Bounty Amount
• Total Bounties Paid

Credit Card Payments - Stripe Integration

We now enable programs to make payments using their credit card through our Stripe Integration.

Automatic Invitations for Private Programs

We now enable private programs to configure a minimum threshold for their report volume under which new hackers will be automatically invited.

Hacktivity Redesign

We’ve redesigned Hacktivity so that we surface educational reports from interesting hackers.

Hacker Header on Reports

All reports now include a header with summarized stats on the hacker who submitted the report. The new header fields include:

• The hacker name
• Reputation
• Rank
• Signal
• Signal Percentile
• Impact
• Impact Percentile

Mutual Disclosure of All Reports

All reports, including those marked as Not Applicable, Duplicate, and Spam can now be publicly disclosed when both the hacker and the program agree to disclose the report.

Request Mediation for Hackers

Hackers can now request mediation when they get into a disagreement with a program’s security team.

Filter Directory by Programs Offering Bounties

Users can now filter the directory by programs offering bounties. Type bounties:yes into the search bar to only view the bounty programs in the directory.

Threading for Notification Emails

We now support message threading for notification emails so that similar emails are grouped together.

Award Bonus

We introduce the ability for programs to award a structured bonus in addition to the standard bounty for a vulnerability. Read about it in our blog.

Improved Rate Limiter & Signal Requirements

We give programs the ability to tune the Rate Limiter by specifying minimum Signal Requirements for hacker participation. We’ve also updated the Rate Limiter to incorporate additional intelligent inputs.

Hacker Invitations by Priority

We’ve overhauled the hacker invitation process so that hackers with the highest Reputation, Signal, and Impact will have a greater likelihood of being invited to private programs. Read our blog post to learn more about how invitations work.

Inline Image Attachments

We enable programs and hackers to now add inline image attachments to reports and comments.

Hacker Invitation Preferences

Hackers now have the ability to manage their invitation preferences for private programs. They can opt-out of receiving invitations entirely or choose to only receive invites to programs that offer bounties.

Custom Vulnerability Types

Programs can now customize their report submission forms with their own introduction text and the ability to hide and disable vulnerability types.

Hacker Thanks Page

Hacker profiles now include a Thanks page that lists all programs the hacker has submitted vulnerability reports to. For example, check out: https://hackerone.com/atom/thanks

Signal & Impact

We introduce Signal and Impact so that there can be a more granular understanding of hacker performance. Read our blog post or check out our doc to learn more.

New Default Views

We add these new default views to the inbox to better organize reports:

• Triaged
• Assigned to me
• Pending disclosure
• Pending bounty

Protective Disclosure

If the response team has evidence of active exploitation or imminent public harm, they can immediately provide remediation details to the public so that programs can take protective action.

Preview Image Attachments

Programs and hackers can now preview image attachments on the report form.

HackerOne Success Index

We introduce the HackerOne Success Index - a method to measure the effectiveness of HackerOne-powered vulnerability disclosure programs. The index calculates 6 dimensions by which programs can benchmark their success each month. Learn more here.

Disclosure Assistance

We provide hackers with the ability to request help in contacting an organization with a vulnerability through Disclosure Assistance. This enables HackerOne to take steps to identify the organization’s official vulnerability reporting process. Read more in our blog.

Trigger: Show Interstitial

We’ve updated our triggers functionality so that an interstitial shows prior to report submission. This helps hackers to avoid the submission of a number of out-of-scope or commonly reported false positives.

Automated Scanner Detection

We’ve updated our report classification engine to detect common outputs from automated vulnerability scanners that are frequently flagged as invalid. This enables the quality of report submissions to improve as hackers can check the report before submission.

Single Sign-On: SAML

We’ve improved our Single-Sign-On (SSO) options with support for SAML. Response teams using an SSO provider to authenticate can use those services for centralized authorization and identity management.

Suggest a Bounty

There’s now a reward suggestion functionality where program members can suggest bounty amounts. This enables programs to more easily arrive at a consensus regarding award amounts.

Report Abuse

If any disagreements or discussions arise regarding a report, hackers and programs can now request mediation and our experts will provide guidance on the situation.

Group Assignments

The group assignments feature enables programs to assign reports to a team rather than just to an individual so that multiple people within a team have the ability to pick up the report.

Improved Report Meta Data

We’ve updated the styling between the report meta data and the summary/timeline so that the report meta data is now collapsible.

Integrations

We’ve added integrations with:

• Slack
• Redmine
• Freshdesk

Read more about how these integrations work here.

Vulnerability Coordination Maturity Model

We introduce the Vulnerability Coordination Maturity Model which helps programs increase their dependence on internet-connected software. Learn more about this model in our blog post.

Integrations

We’ve added integrations for ServiceNow and Assembla.

Tax Forms

We’ve integrated tax forms into our product so that hackers can quickly sign them to get paid.

Permissions

HackerOne program administrators can set access rights for different team members who might play different roles on your team. Learn more here.

Message Hackers

With our new Message Researchers feature, programs can now send messages directly to hackers to update them on scope changes, bounty awards, or to just connect with them.

Disclosure: Limited Timeline and Summary

When an organization chooses to publicly disclose a vulnerability report, there’s now the option to write a summary along with a partial timeline.

Directory

We introduce the HackerOne Directory - a community-curated resource to identify the best way to contact an organization’s security team.

GitHub Integration

We now enable you to integrate HackerOne with GitHub.

Disclosure Summary

Programs and hackers can now summarize the content of a public disclosure in the summary field.

Dashboard Metrics

We’ve added additional metrics on the program dashboard.

Swag

We now enable programs to award hackers with swag or physical objects.

Hackbot: Duplicate Detection

Hackbot is now able to detect duplicate and related reports to help programs associate and close reports more quickly.

Self-Close Reports

We now enable hackers to self-close their own reports if they discover that it’s no longer relevant. This won’t impact their reputation.

Closing Spam Reports

We now provide the ability to close out a report due to it being spam or inappropriate.

Merge Duplicates

Programs can now merge duplicate reports and add hackers to the original report.

Trigger: Add Comment

We introduce the new trigger option to post a public comment on the report.

Reputation

We introduce Reputation - a system that gives additional recognition to the best researchers. A hacker’s reputation measures how likely their finding is to be immediately relevant and actionable.

Integrations

We introduce these 2 new integrations with HackerOne:

Trac

Zendesk

Security Inbox

We’ve redesigned the security inbox to enable faster bug processing for programs. The new inbox enables programs to open reports inline so you don’t have to click backward or forward to navigate between reports.

Dashboard

The new dashboard enables insight into your security response posture. This enables programs to be on top of response time, stale issues, pending disclosures and more.

Bulk Actions

We improve our bulk actions functionality so that it’s easier to apply the same action to multiple reports with a single click.

Keyboard Shortcuts

We introduce keyboard shortcuts to make the workflow more efficient with a faster navigation.

Search

Our new inbox filtering search functionality enables programs and hackers to quickly target the bug they're looking for without having to scroll through their inbox.

Integrations

We introduce these new integrations with HackerOne:

MantisBT

Bugzilla

Jira

Phabricator

Trigger: Change State

We introduce the new trigger option to change the report state to Needs more info.

Data Export CSV

We enable programs and hackers to export their reports as .CSV files to enable them to quickly generate a spreadsheet of selected reports with key details.

Security IP Whitelisting

We enable programs to configure IP whitelisting to control which IP ranges their program members must be coming from in order to access HackerOne.

Invite-Only Programs

We introduce private programs to hackers that are only accessible through invitations.

Bitcoin

We now support hackers to receive payouts through Bitcoin.

Data Export JSON

Programs and hackers can now export their reports as JSON files.

Two-Factor Authentication

Program members can now set up two-factor authentication to securely log in to HackerOne.