HackerOne has trust from companies such as Shopify, PayPal, and Uber, which provides a stronger brand perception and competitive market positioning. However, I reduced my rating by one mark because a proper internal triage team should be in place, not as a replacement for internal security controls.
One limitation is that if a finding has been reported on HackerOne and was also reported earlier by another user or outsider, the platform is not able to collate that information together. If it is a repeated finding, we are not able to identify it automatically and must do it manually. When reporting something, the platform should indicate that it was reported in the previous year or on a specific date, which would give us more insight into what action we have taken on that issue. The reporting side is quite fine because we are using another tool for reporting purposes, so I did not find any issues there since we did not do much exploration on that side.
I think HackerOne can be improved by allowing new users to gain access to certain programs that are only open to known, renowned users. Sometimes new users don't receive invites just because they are new, despite potentially being very skilled hackers, so I feel new users should get more chances and opportunities. I am currently satisfied with the rewards, response time, and other aspects of the platform, so I don't have anything else to add about the necessary improvements. I give HackerOne a nine out of ten because if new hackers are given more opportunities, it could be a perfect 10 for me. However, the reason I gave a nine is that I don't have much to complain about; I specifically love the program and don't have many concerns.
Everything has become slower on HackerOne. I have noticed that older researchers receive all the private invites while newer ones receive fewer. The same goes for real-life events, where the same people are invited repeatedly. There are no clear guidelines for being invited to programs and conferences, and the process for receiving invitations appears arbitrary.
The ability to view the conversation between the triagers and the programs will be really good. When an issue gets reported, the understanding conveyed to the program by the triagers is not visible to the reporter. This can cause gaps between what the finder has reported and what is explained to the program. If this communication is visible, it would benefit both parties.
Response time can be improved. The HackerOne Trust team can be slow to respond sometimes. They're not using AI, which could help reduce the number of duplicate reports.
One issue I've experienced is traffic. Many people try to participate when an opportunity with a bounty of around 1,000-15,000 dollars comes up. In this case, the first person to report the vulnerability gets the bounty. If a second person reports the same vulnerability, they are marked as duplicated instead of receiving some recognition. The second person also invested time finding the issue, so I think this can be improved.
HackerOne leads in offensive security with a platform that expertly identifies and remedies security vulnerabilities using AI and a vast researcher community. Trusted by industry giants, it integrates bug bounties, vulnerability disclosure, and code security in software development.The HackerOne Platform offers a comprehensive suite of services, combining advanced AI technology with the skills of a global security researcher community to address complex security challenges. It facilitates an...
HackerOne has trust from companies such as Shopify, PayPal, and Uber, which provides a stronger brand perception and competitive market positioning. However, I reduced my rating by one mark because a proper internal triage team should be in place, not as a replacement for internal security controls.
One limitation is that if a finding has been reported on HackerOne and was also reported earlier by another user or outsider, the platform is not able to collate that information together. If it is a repeated finding, we are not able to identify it automatically and must do it manually. When reporting something, the platform should indicate that it was reported in the previous year or on a specific date, which would give us more insight into what action we have taken on that issue. The reporting side is quite fine because we are using another tool for reporting purposes, so I did not find any issues there since we did not do much exploration on that side.
I think HackerOne can be improved by allowing new users to gain access to certain programs that are only open to known, renowned users. Sometimes new users don't receive invites just because they are new, despite potentially being very skilled hackers, so I feel new users should get more chances and opportunities. I am currently satisfied with the rewards, response time, and other aspects of the platform, so I don't have anything else to add about the necessary improvements. I give HackerOne a nine out of ten because if new hackers are given more opportunities, it could be a perfect 10 for me. However, the reason I gave a nine is that I don't have much to complain about; I specifically love the program and don't have many concerns.
Everything has become slower on HackerOne. I have noticed that older researchers receive all the private invites while newer ones receive fewer. The same goes for real-life events, where the same people are invited repeatedly. There are no clear guidelines for being invited to programs and conferences, and the process for receiving invitations appears arbitrary.
The ability to view the conversation between the triagers and the programs will be really good. When an issue gets reported, the understanding conveyed to the program by the triagers is not visible to the reporter. This can cause gaps between what the finder has reported and what is explained to the program. If this communication is visible, it would benefit both parties.
Response time can be improved. The HackerOne Trust team can be slow to respond sometimes. They're not using AI, which could help reduce the number of duplicate reports.
One issue I've experienced is traffic. Many people try to participate when an opportunity with a bounty of around 1,000-15,000 dollars comes up. In this case, the first person to report the vulnerability gets the bounty. If a second person reports the same vulnerability, they are marked as duplicated instead of receiving some recognition. The second person also invested time finding the issue, so I think this can be improved.