A Thank You to the Hacker Community, From HackerOne


When I joined HackerOne last year, the vitality of the hacker community drew me to this organization. And as Chief Hacking Officer, I see the impact this community makes daily. Together, we’ve identified nearly 300,000 vulnerabilities through our programs — 300,000 fewer ways cybercriminals can harm society. That’s why I’m here to say thank you on behalf of our customers and everyone at HackerOne.

The community will always be the epicenter of HackerOne’s platform and business. We want to remain a place where new hackers can join and nurture the same passion that drives HackerOne’s mission to build a safer internet. 

Our platform has adapted as we’ve grown, working through the complexities of intermediating between global organizations and the hacker community; this can sometimes result in conflicts.  I am the first to admit we are not perfect, and we’re trying our best to listen to the community’s feedback as we grow. We want to address frustrations – from product features to program behavior. 

It’s our responsibility to guide and guardrail our customers to build better program experiences for hackers. After all, when the community is happy, HackerOne customers achieve better security. That’s why we’ve dedicated time this year to ensuring product updates and platform features squash the things that irritate hackers.

First, we’re working to build an overall better hacker experience on our platform, so hackers can earn more and find more compatible opportunities for their skill sets. Most recently, we’ve:

  • Consolidated the hacker dashboard to simplify navigation for hackers on the platform.
  • Built a more dynamic leaderboard for Live Hacking Events to streamline checking overall event and individual performance stats.
  • Improved our report writing suite through drag-and-drop features, draft creation, and management and collaboration tools.
  • Launched an update to our machine-learning (ML) invitation system to select programs for hackers based upon a complex set of criteria, and make sure we offer the best opportunities to hackers and the highest engagement to customers. 
  • Refined how hackers can filter and sort program invitations on the “My Programs” page to simplify how hackers identify their best opportunities for rewards.
  • Added a European HackerOne Gateway (VPN) instance to expand and speed up access to managed resources for our EMEA hackers.
  • Recruited Hacker Success Managers (HSMs) to build our internal hacker advocacy and nurture skills development for the community. We will share more details about our HSMs soon and plan to continue to recruit more to support the community further.

Second, we’ve made dedicated feature improvements and launched new products that offer more ways for hackers to earn monetary rewards and make program work easier:

  • We increased retesting windows across our products from 24 to 72 hours to give hackers more time to respond during engagements.
  • We launched HackerOne Assets, which will offer new ways for hackers to earn money on our platform by leveraging their reconnaissance skills to identify security gaps.
  • We made recent updates to our HackerOne Pentest experience, including adjusting how informative bugs found during pentests impact reputation points and signal. Soon, we’re launching a Pentester Availability Calendar for easier coordination during engagements and enhancing Pentester Fees (formerly rewards). 
  • We launched Campaigns to simplify how customers boost bounties for hackers on programs.

Finally, and most critically, we continue to examine how to refine our mediation process and incentivize customers to improve their program policies and behavior:

  • We’re launching a new program update this month to encourage customers to implement standards and best practices that improve the hacker experience on programs.
  • We will share more about our triage and mediation process this month, including a closer look at our longstanding Make It Right Fund, which HackerOne uses to pay out hackers when we determine that an organization has received value but failed to reward it. Of course, it’s better to course-correct through program education about industry best practices, so I will be documenting some case studies where mediation and the office of the Chief Hacking Officer have stepped in to correct an outcome.

We are committed to using our learnings productively and better defining baseline program behavior requirements across our platform. While this is just the beginning, I hope it excites you to know that we are working to create more and better opportunities for you, the hacker community. We appreciate everything you do for our customers and us. Together, we hit harder!

On behalf of HackerOne,

Chris Evans

Chief Hacking Officer and CISO



Source link