Triage response time is a significant issue. Many researchers are now sending reports, but there is considerable delay in responses. For example, I reported something last week that was a critical bug, but I received a reply after a month. During that month, if I had a vulnerability containing confidential customer details, I could use it and publish it on the black market. The response time and triage speed are not fast enough. This is causing many people to leave HackerOne. Another concern is that many companies delegate their triage part to HackerOne. As a HackerOne triager, something may look like a vulnerability to me, but they can close it as not applicable or anything else. However, when the company checks it themselves, they may find that it actually is a vulnerability. This happened to me before when they rejected a bug, but the company reviewed it and reopened it. There are many unfair things happening. Even though companies trust HackerOne triagers 100 percent, they should not because they leave out many unresolved issues.
HackerOne has trust from companies such as Shopify, PayPal, and Uber, which provides a stronger brand perception and competitive market positioning. However, I reduced my rating by one mark because a proper internal triage team should be in place, not as a replacement for internal security controls.
One limitation is that if a finding has been reported on HackerOne and was also reported earlier by another user or outsider, the platform is not able to collate that information together. If it is a repeated finding, we are not able to identify it automatically and must do it manually. When reporting something, the platform should indicate that it was reported in the previous year or on a specific date, which would give us more insight into what action we have taken on that issue. The reporting side is quite fine because we are using another tool for reporting purposes, so I did not find any issues there since we did not do much exploration on that side.
I think HackerOne can be improved by allowing new users to gain access to certain programs that are only open to known, renowned users. Sometimes new users don't receive invites just because they are new, despite potentially being very skilled hackers, so I feel new users should get more chances and opportunities. I am currently satisfied with the rewards, response time, and other aspects of the platform, so I don't have anything else to add about the necessary improvements. I give HackerOne a nine out of ten because if new hackers are given more opportunities, it could be a perfect 10 for me. However, the reason I gave a nine is that I don't have much to complain about; I specifically love the program and don't have many concerns.
Everything has become slower on HackerOne. I have noticed that older researchers receive all the private invites while newer ones receive fewer. The same goes for real-life events, where the same people are invited repeatedly. There are no clear guidelines for being invited to programs and conferences, and the process for receiving invitations appears arbitrary.
The ability to view the conversation between the triagers and the programs will be really good. When an issue gets reported, the understanding conveyed to the program by the triagers is not visible to the reporter. This can cause gaps between what the finder has reported and what is explained to the program. If this communication is visible, it would benefit both parties.
Response time can be improved. The HackerOne Trust team can be slow to respond sometimes. They're not using AI, which could help reduce the number of duplicate reports.
One issue I've experienced is traffic. Many people try to participate when an opportunity with a bounty of around 1,000-15,000 dollars comes up. In this case, the first person to report the vulnerability gets the bounty. If a second person reports the same vulnerability, they are marked as duplicated instead of receiving some recognition. The second person also invested time finding the issue, so I think this can be improved.
HackerOne is an industry leader in offensive security, enabling companies to identify and resolve vulnerabilities using AI and a global community of researchers. Trusted by top organizations, HackerOne enhances the software development lifecycle with comprehensive security testing.HackerOne combines artificial intelligence with a diverse community of skilled security researchers to fortify digital ecosystems. Offering bug bounty programs, vulnerability disclosure, pentesting, and AI red...
Triage response time is a significant issue. Many researchers are now sending reports, but there is considerable delay in responses. For example, I reported something last week that was a critical bug, but I received a reply after a month. During that month, if I had a vulnerability containing confidential customer details, I could use it and publish it on the black market. The response time and triage speed are not fast enough. This is causing many people to leave HackerOne. Another concern is that many companies delegate their triage part to HackerOne. As a HackerOne triager, something may look like a vulnerability to me, but they can close it as not applicable or anything else. However, when the company checks it themselves, they may find that it actually is a vulnerability. This happened to me before when they rejected a bug, but the company reviewed it and reopened it. There are many unfair things happening. Even though companies trust HackerOne triagers 100 percent, they should not because they leave out many unresolved issues.
HackerOne has trust from companies such as Shopify, PayPal, and Uber, which provides a stronger brand perception and competitive market positioning. However, I reduced my rating by one mark because a proper internal triage team should be in place, not as a replacement for internal security controls.
One limitation is that if a finding has been reported on HackerOne and was also reported earlier by another user or outsider, the platform is not able to collate that information together. If it is a repeated finding, we are not able to identify it automatically and must do it manually. When reporting something, the platform should indicate that it was reported in the previous year or on a specific date, which would give us more insight into what action we have taken on that issue. The reporting side is quite fine because we are using another tool for reporting purposes, so I did not find any issues there since we did not do much exploration on that side.
I think HackerOne can be improved by allowing new users to gain access to certain programs that are only open to known, renowned users. Sometimes new users don't receive invites just because they are new, despite potentially being very skilled hackers, so I feel new users should get more chances and opportunities. I am currently satisfied with the rewards, response time, and other aspects of the platform, so I don't have anything else to add about the necessary improvements. I give HackerOne a nine out of ten because if new hackers are given more opportunities, it could be a perfect 10 for me. However, the reason I gave a nine is that I don't have much to complain about; I specifically love the program and don't have many concerns.
Everything has become slower on HackerOne. I have noticed that older researchers receive all the private invites while newer ones receive fewer. The same goes for real-life events, where the same people are invited repeatedly. There are no clear guidelines for being invited to programs and conferences, and the process for receiving invitations appears arbitrary.
The ability to view the conversation between the triagers and the programs will be really good. When an issue gets reported, the understanding conveyed to the program by the triagers is not visible to the reporter. This can cause gaps between what the finder has reported and what is explained to the program. If this communication is visible, it would benefit both parties.
Response time can be improved. The HackerOne Trust team can be slow to respond sometimes. They're not using AI, which could help reduce the number of duplicate reports.
One issue I've experienced is traffic. Many people try to participate when an opportunity with a bounty of around 1,000-15,000 dollars comes up. In this case, the first person to report the vulnerability gets the bounty. If a second person reports the same vulnerability, they are marked as duplicated instead of receiving some recognition. The second person also invested time finding the issue, so I think this can be improved.