HackerOne Reviews

Our main use case for HackerOne is to create a bridge between the organization and a global community of ethical hackers where we ask them to find bugs in our environment, and based on that, they provide us the bugs we have.

A quick example of how I've used HackerOne is that it provides us bug bounty programs and vulnerability disclosure programs where multiple bug bounty hunters submit their findings about the organization, and those vulnerabilities or bugs are fixed by us. For instance, we received many alerts about expired or mismatched SSL certificates.

We utilize HackerOne's web page where we log in to see what vulnerabilities are there and what else has been discovered, and based on that, we pick and work on the issues we need to fix.

HackerOne offers bug bounty programs, vulnerability disclosure programs, red teaming, attack surface management, and other valuable features.

I find bug bounty programs most valuable for our organization because they invite researchers from around the globe to find bugs in our environment, allowing us to fix various severity vulnerabilities or bugs that, if left unaddressed, could lead to losing customers.

HackerOne has positively impacted my organization as hiring red teamers to find vulnerabilities would have taken a lot of time, but through HackerOne, we access a vast number of ethical hackers who help identify bugs, which is invaluable for us.

HackerOne is already doing well, although I believe implementing stricter SLAs for the time to first response and time to bounty would help prevent researchers' burnout, especially regarding duplicate submissions.

I suggest systematic bug rewards because currently, if a researcher finds one bug in multiple places, they often only get paid for one. Improving the handling of systemic vulnerabilities would encourage deeper research. Additionally, improving multi-currency and crypto payout options would help make the platform more accessible globally.

I work in my current field for 7.5 years.

HackerOne is stable.

HackerOne's scalability is designed to solve noise problems that typically kill security programs as they grow. It maintains a high signal-to-noise ratio and addresses scalability through infrastructure, triage services, and AI automation, ensuring it handles more reports effectively.

Customer support can improve, as there are instances of ghosting that need to be addressed. I would rate customer support a six out of ten.

I am using HackerOne only, with no previous solutions.

I'm not very sure about pricing, setup costs, and licensing, as those are managed by our management team.

We are just a customer of HackerOne, without any business relationship beyond that.

I notice a return on investment through the group of researchers at HackerOne identifying vulnerabilities, saving us money, time, and manpower, with the efficiency of HackerOne allowing them to accomplish in three to four hours what would take two red teamers a whole day.

I'm not very sure about pricing, setup costs, and licensing, as those are managed by our management team.

Before choosing HackerOne, we evaluated competitors such as Bugcrowd and Intigriti but opted for HackerOne due to its typical rating of 8.5 out of 10 and its enterprise-grade programs.

My advice for others looking into using HackerOne is that it stands above competitors such as Bugcrowd, Intigriti, and Synack, making HackerOne preferable. We covered all the important points regarding HackerOne. I gave this review a rating of 8 out of 10.

My main use case for HackerOne is bug bounties and getting paid through that platform. Companies like Fastify and Oracle create bug bounties and vulnerability disclosure programs on HackerOne. Ethical hackers test the company's applications, websites, APIs, and systems for security issues. Whenever a vulnerability is found, we can submit it as a report to the platform, and then the company reviews the report. If there is a bug related to that issue, they can fix it and reward the researcher based on the severity of the vulnerability. HackerOne acts as a trusted intermediary.

HackerOne is a platform where bug bounty hunters can come to one place to find opportunities. Whenever a company raises a new web application and wants continuous security testing, they can publish it on HackerOne. HackerOne has testers and workers who are continuously testing for vulnerabilities and reporting those findings. For example, a researcher can find cross-site scripting vulnerabilities in a user comment section.

I have a specific example of how I have used HackerOne in a real situation. I personally used it for finding a bug in one of the applications. In one application, whenever we clicked on the login button three times, we were able to go to the home page. After logging in, if we clicked back three times and then clicked again after logout, we were able to go to the home page again because the session storage was not getting stored properly. I reviewed that and raised a report against that vulnerability for a company known as Adwords.

HackerOne provides a platform for both developers and bounty hunters, as well as companies to publish their applications and get paid through bug bounty programs and vulnerability disclosure programs. HackerOne offers report management, triage, a large research community, severity and risk assessment, workflow integration, analytics and reporting, and many other features. One of the biggest strengths is combining a large community of ethical hackers with a structured platform that helps organizations discover, manage, and remediate security vulnerabilities efficiently.

The community aspect of HackerOne helps me personally and helps organizations because they can leverage a global community of ethical hackers to find vulnerabilities before any attackers do. HackerOne functions as a UAT environment where people can test the application, and after the UAT environment, there is a place where testing can be done by breaking the product. Breaking the product is important to test the product thoroughly. HackerOne can be the solution for that when you want to test your product thoroughly, as sometimes breaking the product is the best testing approach. HackerOne can be integrated into tools such as Jira, Slack, and GitHub to streamline the remediation. It also provides a dashboard and insights into security trends, response time, and program performance, which is very helpful for an organization to get their product tested and to get insights about it.

HackerOne can be improved, and the insights can be a little better. I chose a nine for my rating because it has very great features such as a large research community, workflow integration, analytics and reporting, bug bounty programs, and vulnerability disclosure programs. However, some things can be improved, such as better report deduplication by automatically identifying duplicate vulnerability reports more accurately. In the current era of AI, enhancing AI accuracy and AI-assisted triaging would be beneficial.

More advanced AI capabilities would help prioritize reports, reduce false positives, and speed up the validation. For example, not being able to log in is a very high priority rather than a user not being able to get the current date or current time. In applications, if the user is not able to type something, that is the highest priority, rather than the user typing something, getting the information, but on the last page getting something random. That is not a major bug compared to the other issue. Prioritizing through AI can be a better approach.

I have been using HackerOne for around 3.5 years.

HackerOne is quite stable.

HackerOne's scalability is very strong.

HackerOne's customer support is very great.

I did not use any previous solution before HackerOne, but I have knowledge about Bugcrowd and Intigriti, which are in the European region.

The pricing of HackerOne is good and very great from a pricing perspective. The setup cost is not very much and is very minimal. From a setup cost perspective, the onboarding is relatively straightforward. The organization just needs to define the scope of assets that they need to be tested, configure what workflows they need to be tested, and establish the policies for handling any reports.

I have definitely seen a return on investment because every time our application goes to UAT, it is tested by our sales people. However, sometimes the sales people can disregard something or forget to test something. In those cases, HackerOne platform is very good because it provides a great place to test the applications. I haven't seen any specific ROI metrics, but my general impression is that HackerOne provides strong value by helping organizations find vulnerabilities faster and reduce the higher costs associated with security breaches.

I evaluated a few options such as Bugcrowd and Intigriti before going to HackerOne.

My organization does not use HackerOne as a product, but I personally use HackerOne because I am an ethical hacker who uses it to test different applications and try to find vulnerabilities. The reason I do it is to get more information about the different applications, to learn through that experience, and to find how to identify problems in an application. It increases my knowledge regarding any subject, which is very helpful for me.

HackerOne has helped me learn, and there is one technique that I got to pick up. At one place, I was finding a cross-site script issue. There was an API for an order that was passing in the query parameter as the ID of the customer. The order ID and customer ID were getting passed as the query parameter. Whenever we changed that query parameter and if we had the JSON Web Token for authentication, we were able to get the data of other customers as well. This can be protected if you use some other particular tokens and the payload can be tested properly. I got to know about this problem, which improved my knowledge in back-end writing, especially regarding writing the back-end in APIs. That is one area that I have handled.

Regarding HackerOne's AI capabilities, I think the accuracy is very good. Up until now, I have not used its AI features, but the accuracy appears to be good. I gave HackerOne a rating of nine out of ten based on my overall experience with the platform.

My main use case for HackerOne is mostly for submitting bugs. I get into the programs listed there, find one that is suitable for me, do my penetration testing on the systems, try to bypass some controls, and if I find a bug, I submit it on HackerOne.

A specific example of a bug I found and submitted through HackerOne that stood out to me involves race conditions because they resonate with me as a unique type of bug. If you can submit simultaneous requests to a program or a system and it fails to queue those requests properly, you end up getting the same response for multiple requests, which I find incredible, so I tend to focus on race conditions.

I use HackerOne as an individual, primarily as a side hustle. While I'm working for the organization, I do projects related to it, but in my free time, I get into HackerOne and try to hack other systems that are not related to my organization, helping other organizations enhance their security.

Once I submit any bug on HackerOne and it's verified, a team member from that specific organization fixes the bug. After it has been fixed, I have to retest it, as well as the HackerOne team, to ensure it has been fixed, and then I can confirm it on my end, ultimately making the organization much more secure.

In my experience, the best features HackerOne offers include a simple user interface. When I first got into using HackerOne, I did not have anyone to guide me, so I just registered, logged in, and quickly figured out how to filter the scope, filter organizations, and choose which system to try and hack. It has a very simple user interface, and it gives you a quick response—if you submit a bug, someone reaches out to you within minutes, telling you they will verify the bug, and it can be verified in just a few days, sometimes even less than a day, which stands out for me.

The fast verification process impacts my motivation significantly because a quick response keeps me motivated. I feel that having someone respond in minutes is encouraging, and if I'm going to try and hunt bugs today, I would appreciate a response within the day or at least within a few days. Some programs take long to respond, and then you lose motivation; so for me, the quick responses motivate me to continue submitting bugs.

I also appreciate the ability to filter programs on HackerOne. I like to focus on web applications, so when I log in and look at the available programs, I can filter specifically for ones related to domains, making it much easier compared to sifting through all programs to find domain-related ones or web, API, etc.

I think HackerOne can be improved by allowing new users to gain access to certain programs that are only open to known, renowned users. Sometimes new users don't receive invites just because they are new, despite potentially being very skilled hackers, so I feel new users should get more chances and opportunities.

I am currently satisfied with the rewards, response time, and other aspects of the platform, so I don't have anything else to add about the necessary improvements.

I give HackerOne a nine out of ten because if new hackers are given more opportunities, it could be a perfect 10 for me. However, the reason I gave a nine is that I don't have much to complain about; I specifically love the program and don't have many concerns.

I have been working in my current field since 2020, so by the end of this year, I'll be clocking six years.

HackerOne is stable for me; I have no complaints regarding uptime or reliability.

HackerOne's scalability works well, as it can handle a growing number of users or submissions smoothly.

I've never had to reach out to customer support, so I don't have any comments on that experience.

I have not used any other solution for bug bounty or vulnerability submissions; just HackerOne.

I have not experienced any costs since I use HackerOne independently, just logging into the site, hunting bugs, and submitting them without any expenses.

Before choosing HackerOne, I evaluated other options like Yes We Hack and Bugcrowd.

I would highly advise others looking into using HackerOne to start using it for the great experience, great response time, and good rewards; I would highly recommend it. My company does not have any business relationship with HackerOne other than being a customer. I was offered a gift card or incentive for this review. The review rating is 9 out of 10.

I use HackerOne for the bug bounty platform to find security issues. When we discover vulnerabilities, we receive awards for them.

Before testing any new payment API for public release, we can have time-bound testing with expert-selected hackers. I have been part of that community to test different applications and identify vulnerabilities so that companies can get an overview before reaching the job market.

HackerOne has impacted my work through testing other applications. Ethical hackers on the platform can test thoroughly from end to end, providing new features and insights that give companies and products a competitive edge.

For example, Uber Technologies ran a production bug where user data could be accessed by changing the user ID in the API request, allowing receipts to be downloaded for any particular user. This bug was present in production and was not found by others. It prevents data leaks and regulatory fines that would occur if the bug reached the real world, while also protecting customer trust.

Improvements are visible across internal security testing. Now, 24/7 global ethical hackers testing should be in place to improve the critical vulnerabilities before we reach production. Faster detection and remediation can be accomplished.

HackerOne's bug bounty programs are excellent, and penetration testing is also very good. Security testing of any application can be performed before launching a feature.

HackerOne is a very good platform with the trust of different companies including Shopify, PayPal, and Uber. This creates a stronger brand perception and competitive market positioning.

HackerOne has trust from companies such as Shopify, PayPal, and Uber, which provides a stronger brand perception and competitive market positioning. However, I reduced my rating by one mark because a proper internal triage team should be in place, not as a replacement for internal security controls.

I have been using HackerOne since my college days, for about four years.

HackerOne is very stable.

HackerOne is very scalable because we can put bounties for any number of hackers at the same time and test thoroughly. It also grows with the organization's security needs.

We have not faced significant issues requiring customer support, but we did have one experience. HackerOne provides many levels of customer support. We have priority support because we are a higher tier, and with high report volumes, the turnaround time is very good.

Positive

We did not use any other solutions before HackerOne. This was our first approach.

We used a subscription for the platform and purchased payouts to the hackers for bounty payments.

The ethical hackers and team members involved in testing will have better outcomes. However, there is no fixed public pricing.

We have seen return on investment. There is no upfront licensing price, and costs depend upon the scope, number of assets, team size, and support level.

We did not evaluate another option, but we considered Bugcrowd as an alternative. Bugcrowd offers crowd-sourced security testing and bug bounty programs similar to HackerOne.

There was an event related to bug bounty in which I participated. I could find an issue but could not identify the actual root cause. It was from Uber Technologies involving an insecure direct object reference vulnerability. The user ID in an API request allowed access to another user's trip receipts. This was a gift card-related issue. I would rate this review as nine out of ten.

I have projects and companies reaching out to me to conduct security testing and find issues in their systems. I use HackerOne for that purpose.

You can collaborate with anyone who is interested in collaborating with you on a report. You can add them and split the bounty accordingly.

If you have a very critical vulnerability, some good companies will acknowledge it and pay you accordingly based on severity. For one of the vulnerabilities that was very severe, the company acknowledged it and paid me more than $2,000 USD.

Triage response time is a significant issue. Many researchers are now sending reports, but there is considerable delay in responses. For example, I reported something last week that was a critical bug, but I received a reply after a month. During that month, if I had a vulnerability containing confidential customer details, I could use it and publish it on the black market. The response time and triage speed are not fast enough. This is causing many people to leave HackerOne.

Another concern is that many companies delegate their triage part to HackerOne. As a HackerOne triager, something may look like a vulnerability to me, but they can close it as not applicable or anything else. However, when the company checks it themselves, they may find that it actually is a vulnerability. This happened to me before when they rejected a bug, but the company reviewed it and reopened it. There are many unfair things happening. Even though companies trust HackerOne triagers 100 percent, they should not because they leave out many unresolved issues.

I am currently using Intigriti.

HackerOne was down for some time and the response was not good. There have been some issues regarding stability in recent times.

HackerOne is easily scalable.

ROI is based on the time spent and the level of effort you put in. The ROI is very low nowadays. It is only good for some people, particularly big hackers with automation setups. For someone who is starting or in the middle, it is very difficult because you can spend 20 hours sending 20 reports but none of them gets anything. So the ROI is very low for some people and much higher for others.

I prefer Intigriti more than HackerOne because they have very good triagers who listen to you. Their response time is based on the severity. If I file a critical bug, their response time is quite good. The quality of triage is very good and they have very clear policies without anything random.

There are many social platforms where you can find perspectives on addressing vulnerabilities. I give out solutions based on our current technology. HackerOne has their own blogs and partnerships with many vendors, so they publish reports and preventive measures for various things and patches. My overall rating for HackerOne is 6 out of 10.

I am currently using Wiz, a scanning solution for cloud, to see if we are collecting reviews for any of these tools. My company has bought the license for Wiz, and we are using it as consumers.

HackerOne is used for bug bounty management. Whenever outsiders report any public-facing vulnerabilities or faults in our public-facing websites or domains, we receive a notification, validate it, and award bounties accordingly.

The ease of collaboration with ethical hackers on HackerOne has been quite good. From my experience, they respond when we do not have enough information on the findings.

Since starting work with HackerOne six months ago, we had other previous tools as well. HackerOne has been the right fit for our current situation.

The steps to reproduce are valuable aspects of HackerOne, and the AI capabilities have been more useful.

The customizable bounty programs have helped attract high-quality insights for us.

I find the AI and customizable features useful because they help us summarize information from a layman's perspective as well as for a technical person.

One limitation is that if a finding has been reported on HackerOne and was also reported earlier by another user or outsider, the platform is not able to collate that information together. If it is a repeated finding, we are not able to identify it automatically and must do it manually.

When reporting something, the platform should indicate that it was reported in the previous year or on a specific date, which would give us more insight into what action we have taken on that issue.

The reporting side is quite fine because we are using another tool for reporting purposes, so I did not find any issues there since we did not do much exploration on that side.

The ease of collaboration with ethical hackers on HackerOne has been quite good. From my experience, they respond when we do not have enough information on the findings.

Positive

Since starting work with HackerOne six months ago, we had other previous tools, though I do not remember their names now. HackerOne has been the right fit for our current situation from both a functionality and cost-effectiveness perspective.

When I took on the bug bounty program, HackerOne was already being used, possibly due to cost considerations or its functionality.

I do have experience with other solutions, but currently I am not using them. I am using some other solutions now. We are exploring additional options but have not yet implemented them. My overall rating for this product is 8 out of 10.

My use case is similar to DuckTron. The processes I use for DuckTron are exactly the same for HackerOne. Therefore, there isn't much of a difference. I use HackerOne for finding vulnerabilities and reporting them, then receiving rewards akin to a bug bounty program. 

Within my organization, HackerOne is used for vulnerability coordination through its user interface, which lists programs and websites for reporting vulnerabilities.

HackerOne is larger than WebCloud and has a better reputation than BugCloud, which results in a smoother process. Both platforms are similar in using their interfaces to list programs and facilitate reporting vulnerabilities, whether public or private.

Everything has become slower on HackerOne. I have noticed that older researchers receive all the private invites while newer ones receive fewer. The same goes for real-life events, where the same people are invited repeatedly. There are no clear guidelines for being invited to programs and conferences, and the process for receiving invitations appears arbitrary.

I have used it for the same duration as other cloud services.

I have never faced any stability issues on HackerOne for the past four years. Everything was always completely smooth.

HackerOne has high scalability. It is a large platform with many programs and clients, so I would rate it a nine out of ten.

Technical support at HackerOne has slowed down considerably compared to four years ago. Previously, the support was quicker and more detailed, which is not the case now.

I have tried Integrity and reported vulnerabilities there, and I have tried SVHack. However, I spend 90% of my time on HackerOne.

The initial setup is simple and straightforward, which I would rate a nine out of ten. I have never faced any difficulties during this process.

HackerOne is free of cost for us. We receive rewards without needing to invest any money, so the return on investment is substantial.

The cost is rated as one since there is no need to pay anything, not even a fee or commission.

I have tried other platforms like Integrity and YesLack, however, I focus most of my time on HackerOne.

I rate HackerOne a nine out of ten. 

It is slightly better than BugCloud. While some aspects have slowed down, HackerOne is still a strong platform for enhancing skills and offers an excellent initial setup. They should improve their invitation process.

I use the tool for hacking, practicing, and doing responsible vulnerability disclosure.

I don't use the tool in my day-to-day work. It's more for freelancing. I search for open platforms where I can do penetration testing on websites. If I find any bugs or vulnerabilities, I get paid. So, I do it as a freelancing activity, and it's really helpful.

Apart from getting all the bug bounty opportunities, we also get the chance to practice in a safe environment, like a demo setup. These features are great for beginners who want to explore bug bounties in the future.

One issue I've experienced is traffic. Many people try to participate when an opportunity with a bounty of around 1,000-15,000 dollars comes up. In this case, the first person to report the vulnerability gets the bounty. If a second person reports the same vulnerability, they are marked as duplicated instead of receiving some recognition. The second person also invested time finding the issue, so I think this can be improved.

I have been using the product for three to four years. 

HackerOne is stable. 

I haven't contacted the tool's technical support yet. 

I decided to go with HackerOne because I have experience with three bug bounty platforms: HackerOne and Bugcrowd. With Bugcrowd, you have to search for opportunities. In contrast, HackerOne presents opportunities directly when you log in. Additionally, other platforms' server response time and reporting methods are longer compared to HackerOne. HackerOne's reporting process is straightforward, with dropdown options for selecting the website and type of vulnerability.

The solution doesn't need an installation since it's a SaaS model. It's very easy to use. When you log in for the first time, you'll directly see the opportunities page, where companies are ready for you to hack. The opportunities are right before you, so you don't have to search for them like on other platforms. 

The tool is open-source and free for bug bounty hunters. 

In college, I started using HackerOne and taught my 10-20 juniors how to use it. I'm sure they might still be using it in their lives right now. The biggest challenge integrating HackerOne into my existing security protocols has been on my side, not the tool's. I need to take the time out to use and practice with it, but currently, I'm unable to give it the time I used to. There's no issue from the application side.

To use the tool, you first need a basic knowledge of cybersecurity terms, like exploits and vulnerabilities, and how to identify them. Once familiar with these basics, you can learn more from the resources and platforms HackerOne provides. They offer tickets and guides to help you understand the methods for finding and exploiting vulnerabilities.

Before deciding to use the solution in your organization, consider the purpose. HackerOne is a multi-platform. If the goal is to spread awareness about cybersecurity or to make the security team more active in learning about hacking methods and new vulnerabilities, then it can be very effective. It allows the team to earn extra money while learning and exploring new vulnerabilities in the market, potentially even finding zero-day vulnerabilities.

I would rate HackerOne around an eight to nine out of ten. The application is simple to use, offering numerous opportunities and scopes for exploration. It covers many platforms, including web, Android, and iOS applications. However, the high traffic can sometimes be a drawback. If they manage this issue by implementing features like consolidation pricing for duplicate vulnerabilities, it could easily be a ten out of ten.

I mainly use it for downtime activities, earning extra cash alongside a full-time job, and to get new sales and profits.

It helps me to get new sales, profits, and other benefits.

The main thing I like about HackerOne is that it provides a direct way to contact the program directly without the need to wait for weeks to get issues finalized and validated. They have streamlined the complete process, which gives a sense of security to the users.

The ability to view the conversation between the triagers and the programs will be really good. When an issue gets reported, the understanding conveyed to the program by the triagers is not visible to the reporter. This can cause gaps between what the finder has reported and what is explained to the program. If this communication is visible, it would benefit both parties.

I have been using it for over three years, around three years.

I have not had any issues with stability like bugs or breakdowns.

The scalability is good. It is easy to scale up or down data.

The responsiveness has been good.

Positive

I did not use any different solution before using HackerOne.

The initial setup is not rocket science. It is something easy.

It is free.

The improvements which I have listed should be considered.

Using the platform as a Hacker and having run a time limited private bug bounty program, the features available are extensive. From the perspective of running a private bounty, the most valuable features include:

1. Access to an experienced and effective hacker community with measurable metrics on each. The hackers on the HackerOne platform come with a wide range of skills, with some providing general expertise and others with a broad base of knowledge. This results in reports on vulnerabilities which I had never considered or knew existed while developing my product. Additionally, the metrics help me quickly differentiate the credibility of the reports and how best to triage submissions.

2. Third party integrations, including payment systems and project management tools. HackerOne provides a number of easy to use options for paying hackers which makes it easier to do so, including handling their tax information and saving me the headaches of dealing with those details. Additionally, while I haven't tested it out yet, there is the option to integrate with third party tools like Slack which will help if my dev team grows. I've also spoken with other programs which are using these tools and integrated with private solutions, both of which have helped them manage their programs more effectively.

3. Speed. While they prepare you for it, it's amazing how quickly you get results on the platform. While not all reports result in code changes and some hackers do report invalid issues, once hackers start looking at your program, you quickly have lots to work with.

From the perspective of being a hacker:

1. Direct dialogue with a company helps you better understand their needs and discuss how vulnerabilities can affect their business. This is particularly true of application logic bugs which only a company would have true insight into the potential severity of.

2. HackerOne support is responsive and open. Whether it be opportunities to improve the platform, difficulties communicating with programs or general questions, the team has always been quick to respond and it seems as though everyone is empowered to help you out, having received responses from a wide array of team members listed on their about page (including co-founders).

3. Wide array of programs, including those that can afford bounties / those that can't, healthcare / automotive / security, etc. sectors, code based / web applications / desktop applications, etc., charitable / private / public companies. All of this results in options on how you want to spend your time hacking and potentially give back to the broader community.

Using HackerOne has definitely improved the security of my web application, identifying security gaps I didn't realize as a web developer.

In terms of organization, it has help me streamline my development process and coordinate fixing issues while staying on course with broader development timelines. As mentioned above, it saved me time of having to figure out the logistics of paying researchers, including handling their tax information, etc.

Using HackerOne, I also didn't have to spend time figuring out how to install or integrate anything since the entire platform is offered as an online Software as a Service. As a result, any issues I have with the platform are handled by them, often with a engineering team member following up with me.

HackerOne provides a "HackBot" which helps identify other relevant reports, including duplicates, public reports from other companies, etc. However, the functionality is limited and it would be nice to integrate it with broader services offered like auto responses, triggers, etc.

The only integration HackerOne offers out of the box is Slack. While I haven't had a need for others yet, it would be nice to see more offered out of the box. However, their team does provide help with integrations but eliminating the middle man would be nice.

A little less than a year.

No, since it's software as a service (SaaS).

No, never had any issues.

No.

Great, they are responsive and I've received responses from all levels of the company (including responses from Co-Founders).

Great. While I've only had a couple issues, they have been responded to by the engineering team.

Previously used a custom project tracker to track issues and relied on finding issues myself or hearing from end users.

It was simple since HackerOne owns the product, hosting, etc.

Haven't evaluated this but it has identified a number of security issues which I never would have considered or knew could be exploited.

HackerOne charges 20% for awards, so if a hacker receives $1000, they receive $200. I also believe there is a subscription option for larger companies.

I just looked at HackerOne having received quick responses to all of my initial questions with helpful followups.

I was pleasantly surprised by the variety of security issues which were reported, some of which I had never considered or even knew existed.