What is most valuable?
Using the platform as a Hacker and having run a time limited private bug bounty program, the features available are extensive. From the perspective of running a private bounty, the most valuable features include:
1. Access to an experienced and effective hacker community with measurable metrics on each. The hackers on the HackerOne platform come with a wide range of skills, with some providing general expertise and others with a broad base of knowledge. This results in reports on vulnerabilities which I had never considered or knew existed while developing my product. Additionally, the metrics help me quickly differentiate the credibility of the reports and how best to triage submissions.
2. Third party integrations, including payment systems and project management tools. HackerOne provides a number of easy to use options for paying hackers which makes it easier to do so, including handling their tax information and saving me the headaches of dealing with those details. Additionally, while I haven't tested it out yet, there is the option to integrate with third party tools like Slack which will help if my dev team grows. I've also spoken with other programs which are using these tools and integrated with private solutions, both of which have helped them manage their programs more effectively.
3. Speed. While they prepare you for it, it's amazing how quickly you get results on the platform. While not all reports result in code changes and some hackers do report invalid issues, once hackers start looking at your program, you quickly have lots to work with.
From the perspective of being a hacker:
1. Direct dialogue with a company helps you better understand their needs and discuss how vulnerabilities can affect their business. This is particularly true of application logic bugs which only a company would have true insight into the potential severity of.
2. HackerOne support is responsive and open. Whether it be opportunities to improve the platform, difficulties communicating with programs or general questions, the team has always been quick to respond and it seems as though everyone is empowered to help you out, having received responses from a wide array of team members listed on their about page (including co-founders).
3. Wide array of programs, including those that can afford bounties / those that can't, healthcare / automotive / security, etc. sectors, code based / web applications / desktop applications, etc., charitable / private / public companies. All of this results in options on how you want to spend your time hacking and potentially give back to the broader community.
How has it helped my organization?
Using HackerOne has definitely improved the security of my web application, identifying security gaps I didn't realize as a web developer.
In terms of organization, it has helped me streamline my development process and coordinate fixing issues while staying on course with broader development timelines. As mentioned above, it saved me the time of having to figure out the logistics of paying researchers, including handling their tax information, etc.
Using HackerOne, I also didn't have to spend time figuring out how to install or integrate anything since the entire platform is offered as an online Software as a Service. As a result, any issues I have with the platform are handled by them, often with an engineering team member following up with me.
What needs improvement?
HackerOne provides a "HackBot" which helps identify other relevant reports, including duplicates, public reports from other companies, etc. However, the functionality is limited and it would be nice to integrate it with broader services offered like auto responses, triggers, etc.
The only integration HackerOne offers out of the box is Slack. While I haven't had a need for others yet, it would be nice to see more offered out of the box. However, their team does provide help with integrations, but eliminating the middle man would be nice.
For how long have I used the solution?
A little less than a year.
What was my experience with deployment of the solution?
No, since it's software as a service (SaaS).
What do I think about the stability of the solution?
No, never had any issues.
What do I think about the scalability of the solution?
How are customer service and technical support?
Great, they are responsive and I've received responses from all levels of the company (including responses from Co-Founders).
Technical Support
Great. While I've only had a couple of issues, they have been responded to by the engineering team.
Which solution did I use previously and why did I switch?
Previously used a custom project tracker to track issues and relied on finding issues myself or hearing from end users.
How was the initial setup?
It was simple since HackerOne owns the product, hosting, etc.
What was our ROI?
Haven't evaluated this but it has identified a number of security issues which I never would have considered or knew could be exploited.
What's my experience with pricing, setup cost, and licensing?
HackerOne charges 20% for awards, so if a hacker receives $1000, they receive $200. I also believe there is a subscription option for larger companies.
Which other solutions did I evaluate?
I just looked at HackerOne, having received quick responses to all of my initial questions with helpful follow-ups.
What other advice do I have?
I was pleasantly surprised by the variety of security issues which were reported, some of which I had never considered or even knew existed.
Which version of this solution are you currently using?
N/A - SaaS