One of the best BB platforms
What do you like best about the product?
I appreciate being connected with a relevant community, which enables us to identify serious and impactful vulnerabilities across our scope. The ticketing interface is quite user-friendly, and I found the initial setup of the HackerOne Platform quite easy.
What do you dislike about the product?
I believe HackerOne should introduce an ACK status to acknowledge the initial review of a report.
What problems is the product solving and how is that benefiting you?
The HackerOne Platform enables me to engage with a community that helps identify serious and impactful vulnerabilities across our scope.
Straightforward, Practical Vulnerability Management with Clear Visibility
What do you like best about the product?
I like how straightforward and practical it is. It makes it easy to work with hackers, keep track of vulnerabilities, and manage everything in one place without it feeling heavy or complicated. It also gives good visibility into what actually matters, which helps when you need to explain things to leadership or prioritize fixes.
What do you dislike about the product?
For busy programs, the number of notification emails that arrive every morning can be very confusing. It would be really helpful if these updates could be summarized so it’s clearer what’s happening at a glance. Right now, some emails include responses from the HackerOne team, while others are usually responses from our team, and it’s hard to quickly tell them apart. A simple summary would make it much easier to keep everything organized and easy to follow.
What problems is the product solving and how is that benefiting you?
It centralizes vulnerability reporting, triage, and remediation in one place, which makes the overall process much easier to manage. It reduces noise and helps us focus on the real, high-impact risks instead of getting distracted by low-value findings. It also provides clear ownership, tracking, and visibility into vulnerabilities, so nothing gets lost and progress is easy to follow. Communication with stakeholders is smoother, and collaboration with hackers feels more structured and productive. Overall, it enables faster and more consistent remediation across teams.
Powerful Bug Bounty Platform with Room for Improvements
What do you like best about the product?
I love the quality of the researcher community on the HackerOne Platform. The reports we receive are usually well written and reproducible, which makes our job way easier. It really helps us scale our security testing by allowing external researchers to find issues like IDORs, SSRFs, and logic flaws, which is huge. The triage and payout flow save us a lot of time. Additionally, their team helped with the smooth setup by scoping the program and defining policy.
What do you dislike about the product?
The dashboard can feel a bit cluttered when you have a lot of reports, and reporting/analytics could be more flexible. Pricing also gets pretty steep as you scale. Custom dashboards and exports are a bit limited. We'd love to slice data by asset, severity, and time more freely, and pull cleaner CSV/API data for our own BI tools. Trend reports across programs would also help.
What problems is the product solving and how is that benefiting you?
I use HackerOne Platform to scale our security testing, engage external security researchers, and triage reports efficiently. It saves us time with structured payouts and tracking vulnerabilities.
Competent Triaging, but Automation Needs Improvement
What do you like best about the product?
I like that the second-tier triager on the HackerOne Platform is quite competent. He’s nearly always right, which saves me many hours because he’s very often right.
What do you dislike about the product?
The automations are broken, and the early warning system is really trigger happy. Being more reliable—right now, our automations are mostly broken. Ram and HAI issues.
What problems is the product solving and how is that benefiting you?
HackerOne Platform provides a place for the public to send us bugs and handles their validation and rewards, saving me many hours.
Vital for Security with Top Hackers
What do you like best about the product?
I appreciate that the HackerOne Platform gives us access to some of the top hackers in the world. The platform provides best-in-class tooling for us to manage their reports. By having top hackers, we are more likely to find serious security issues before adversaries do.
What do you dislike about the product?
Triage can be slow and painful, or make mistakes because they don't know the product as well as company employees. The premiums to run on the platform can be quite high, especially relative to professional services hours actually given or triage times.
What problems is the product solving and how is that benefiting you?
It allows us to receive responsible disclosure of security vulnerabilities from researchers and hackers in exchange for financial compensation.
Streamlined Security with Expert Support
What do you like best about the product?
I like the ease of understanding the report and the triaging done by the HackerOne team. It saves a lot of time for us since the initial triaging is done by them, and then they provide us with a final detailed report that we can work on directly. The expertise of the HackerOne team makes it easier for us to have back-and-forth questions if we have any technical questions related to the findings. They also coordinate with the researcher, which solves a lot of problems for us. The initial setup was pretty much straightforward and didn't take much time. The guided setup made it easy for us to set up and onboard members.
What do you dislike about the product?
Nothing in particular. Maybe, yeah. I think probably if HackerOne conducts events where organizations are invited and maybe they can give a walkthrough of the product and any new features, that would be something useful.
What problems is the product solving and how is that benefiting you?
I use HackerOne Platform to get reports from researchers, helping us strengthen our product by identifying and fixing gaps we couldn't find ourselves. This leads to more detailed analysis and better product improvement.
Crowdsourced security has strengthened our bug discovery and improved vulnerability response
What is our primary use case?
Our main use case for HackerOne is to create a bridge between the organization and a global community of ethical hackers where we ask them to find bugs in our environment, and based on that, they provide us the bugs we have.
A quick example of how I've used HackerOne is that it provides us bug bounty programs and vulnerability disclosure programs where multiple bug bounty hunters submit their findings about the organization, and those vulnerabilities or bugs are fixed by us. For instance, we received many alerts about expired or mismatched SSL certificates.
We utilize HackerOne's web page where we log in to see what vulnerabilities are there and what else has been discovered, and based on that, we pick and work on the issues we need to fix.
What is most valuable?
HackerOne offers bug bounty programs, vulnerability disclosure programs, red teaming, attack surface management, and other valuable features.
I find bug bounty programs most valuable for our organization because they invite researchers from around the globe to find bugs in our environment, allowing us to fix various severity vulnerabilities or bugs that, if left unaddressed, could lead to losing customers.
HackerOne has positively impacted my organization as hiring red teamers to find vulnerabilities would have taken a lot of time, but through HackerOne, we access a vast number of ethical hackers who help identify bugs, which is invaluable for us.
What needs improvement?
HackerOne is already doing well, although I believe implementing stricter SLAs for the time to first response and time to bounty would help prevent researchers' burnout, especially regarding duplicate submissions.
I suggest systematic bug rewards because currently, if a researcher finds one bug in multiple places, they often only get paid for one. Improving the handling of systemic vulnerabilities would encourage deeper research. Additionally, improving multi-currency and crypto payout options would help make the platform more accessible globally.
For how long have I used the solution?
I have worked in my current field for 7.5 years.
What do I think about the stability of the solution?
What do I think about the scalability of the solution?
HackerOne's scalability is designed to solve noise problems that typically kill security programs as they grow. It maintains a high signal-to-noise ratio and addresses scalability through infrastructure, triage services, and AI automation, ensuring it handles more reports effectively.
How are customer service and support?
Customer support can improve, as there are instances of ghosting that need to be addressed. I would rate customer support a six out of ten.
Which solution did I use previously and why did I switch?
I am using HackerOne only, with no previous solutions.
How was the initial setup?
I'm not very sure about pricing, setup costs, and licensing, as those are managed by our management team.
What about the implementation team?
We are just a customer of HackerOne, without any business relationship beyond that.
What was our ROI?
I notice a return on investment through the group of researchers at HackerOne identifying vulnerabilities, saving us money, time, and manpower, with the efficiency of HackerOne allowing them to accomplish in three to four hours what would take two red teamers a whole day.
What's my experience with pricing, setup cost, and licensing?
I'm not very sure about pricing, setup costs, and licensing, as those are managed by our management team.
Which other solutions did I evaluate?
Before choosing HackerOne, we evaluated competitors such as Bugcrowd and Intigriti but opted for HackerOne due to its typical rating of 8.5 out of 10 and its enterprise-grade programs.
What other advice do I have?
My advice for others looking into using HackerOne is that it stands above competitors such as Bugcrowd, Intigriti, and Synack, making HackerOne preferable. We covered all the important points regarding HackerOne. I gave this review a rating of 8 out of 10.
Which deployment model are you using for this solution?
Public Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
HackerOne Platform Review
What do you like best about the product?
Some of the best researchers in the world are on HackerOne. I’m also impressed with how HackerOne managers work with clients: even though thousands of reports come into the H1 triage queue, if you need to escalate something on a report, the platform managers take action and help get it reviewed.
What do you dislike about the product?
There’s really nothing to dislike. I understand that, from an H1 triage perspective, when they receive thousands of reports, it’s tough to triage every single one. However, sometimes they leave even a critical vulnerability for a week if we don’t raise the concern with their manager to get it reviewed.
What problems is the product solving and how is that benefiting you?
Sometimes researchers find RCE or command injection issues and provide a properly working proof of concept. That’s exactly what an organization needs at that point in time, because it helps them understand whether they are affected.
Collaboration on security findings has improved results but slow triage responses limit impact
What is our primary use case?
I have projects and companies reaching out to me to conduct security testing and find issues in their systems. I use HackerOne for that purpose.
What is most valuable?
You can collaborate with anyone who is interested in collaborating with you on a report. You can add them and split the bounty accordingly.
If you have a very critical vulnerability, some good companies will acknowledge it and pay you accordingly based on severity. For one of the vulnerabilities that was very severe, the company acknowledged it and paid me more than $2,000 USD.
What needs improvement?
Triage response time is a significant issue. Many researchers are now sending reports, but there is considerable delay in responses. For example, I reported something last week that was a critical bug, but I received a reply after a month. During that month, if I had a vulnerability containing confidential customer details, I could use it and publish it on the black market. The response time and triage speed are not fast enough. This is causing many people to leave HackerOne.
Another concern is that many companies delegate their triage part to HackerOne. As a HackerOne triager, something may look like a vulnerability to me, but they can close it as not applicable or anything else. However, when the company checks it themselves, they may find that it actually is a vulnerability. This happened to me before when they rejected a bug, but the company reviewed it and reopened it. There are many unfair things happening. Even though companies trust HackerOne triagers 100 percent, they should not because they leave out many unresolved issues.
For how long have I used the solution?
I am currently using Intigriti.
What do I think about the stability of the solution?
HackerOne was down for some time and the response was not good. There have been some issues regarding stability in recent times.
What do I think about the scalability of the solution?
HackerOne is easily scalable.
What was our ROI?
ROI is based on the time spent and the level of effort you put in. The ROI is very low nowadays. It is only good for some people, particularly big hackers with automation setups. For someone who is starting or in the middle, it is very difficult because you can spend 20 hours sending 20 reports but none of them gets anything. So the ROI is very low for some people and much higher for others.
Which other solutions did I evaluate?
I prefer Intigriti more than HackerOne because they have very good triagers who listen to you. Their response time is based on the severity. If I file a critical bug, their response time is quite good. The quality of triage is very good and they have very clear policies without anything random.
What other advice do I have?
There are many social platforms where you can find perspectives on addressing vulnerabilities. I give out solutions based on our current technology. HackerOne has their own blogs and partnerships with many vendors, so they publish reports and preventive measures for various things and patches. My overall rating for HackerOne is 6 out of 10.
Ethical hacking has strengthened security testing and prevents critical data exposure
What is our primary use case?
I use HackerOne for the bug bounty platform to find security issues. When we discover vulnerabilities, we receive awards for them.
Before testing any new payment API for public release, we can have time-bound testing with expert-selected hackers. I have been part of that community to test different applications and identify vulnerabilities so that companies can get an overview before reaching the job market.
HackerOne has impacted my work through testing other applications. Ethical hackers on the platform can test thoroughly from end to end, providing new features and insights that give companies and products a competitive edge.
For example, Uber Technologies ran a production bug where user data could be accessed by changing the user ID in the API request, allowing receipts to be downloaded for any particular user. This bug was present in production and was not found by others. It prevents data leaks and regulatory fines that would occur if the bug reached the real world, while also protecting customer trust.
How has it helped my organization?
Improvements are visible across internal security testing. Now, 24/7 global ethical hackers testing should be in place to improve the critical vulnerabilities before we reach production. Faster detection and remediation can be accomplished.
What is most valuable?
HackerOne's bug bounty programs are excellent, and penetration testing is also very good. Security testing of any application can be performed before launching a feature.
HackerOne is a very good platform with the trust of different companies including Shopify, PayPal, and Uber. This creates a stronger brand perception and competitive market positioning.
What needs improvement?
HackerOne has trust from companies such as Shopify, PayPal, and Uber, which provides a stronger brand perception and competitive market positioning. However, I reduced my rating by one mark because a proper internal triage team should be in place, not as a replacement for internal security controls.
For how long have I used the solution?
I have been using HackerOne since my college days, for about four years.
What do I think about the stability of the solution?
HackerOne is very stable.
What do I think about the scalability of the solution?
HackerOne is very scalable because we can put bounties for any number of hackers at the same time and test thoroughly. It also grows with the organization's security needs.
How are customer service and support?
We have not faced significant issues requiring customer support, but we did have one experience. HackerOne provides many levels of customer support. We have priority support because we are a higher tier, and with high report volumes, the turnaround time is very good.
How would you rate customer service and support?
Which solution did I use previously and why did I switch?
We did not use any other solutions before HackerOne. This was our first approach.
How was the initial setup?
We used a subscription for the platform and purchased payouts to the hackers for bounty payments.
What about the implementation team?
The ethical hackers and team members involved in testing will have better outcomes. However, there is no fixed public pricing.
What was our ROI?
We have seen return on investment. There is no upfront licensing price, and costs depend upon the scope, number of assets, team size, and support level.
Which other solutions did I evaluate?
We did not evaluate another option, but we considered Bugcrowd as an alternative. Bugcrowd offers crowd-sourced security testing and bug bounty programs similar to HackerOne.
What other advice do I have?
There was an event related to bug bounty in which I participated. I could find an issue but could not identify the actual root cause. It was from Uber Technologies involving an insecure direct object reference vulnerability. The user ID in an API request allowed access to another user's trip receipts. This was a gift card-related issue. I would rate this review as nine out of ten.
Which deployment model are you using for this solution?
Private Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?