I have projects and companies reaching out to me to conduct security testing and find issues in their systems. I use HackerOne for that purpose.

You can collaborate with anyone who is interested in collaborating with you on a report. You can add them and split the bounty accordingly.

If you have a very critical vulnerability, some good companies will acknowledge it and pay you accordingly based on severity. For one of the vulnerabilities that was very severe, the company acknowledged it and paid me more than $2,000 USD.

Triage response time is a significant issue. Many researchers are now sending reports, but there is considerable delay in responses. For example, I reported something last week that was a critical bug, but I received a reply after a month. During that month, if I had a vulnerability containing confidential customer details, I could use it and publish it on the black market. The response time and triage speed are not fast enough. This is causing many people to leave HackerOne.

Another concern is that many companies delegate their triage part to HackerOne. As a HackerOne triager, something may look like a vulnerability to me, but they can close it as not applicable or anything else. However, when the company checks it themselves, they may find that it actually is a vulnerability. This happened to me before when they rejected a bug, but the company reviewed it and reopened it. There are many unfair things happening. Even though companies trust HackerOne triagers 100 percent, they should not because they leave out many unresolved issues.

I am currently using Intigriti.

HackerOne was down for some time and the response was not good. There have been some issues regarding stability in recent times.

HackerOne is easily scalable.

ROI is based on the time spent and the level of effort you put in. The ROI is very low nowadays. It is only good for some people, particularly big hackers with automation setups. For someone who is starting or in the middle, it is very difficult because you can spend 20 hours sending 20 reports but none of them gets anything. So the ROI is very low for some people and much higher for others.

I prefer Intigriti more than HackerOne because they have very good triagers who listen to you. Their response time is based on the severity. If I file a critical bug, their response time is quite good. The quality of triage is very good and they have very clear policies without anything random.

There are many social platforms where you can find perspectives on addressing vulnerabilities. I give out solutions based on our current technology. HackerOne has their own blogs and partnerships with many vendors, so they publish reports and preventive measures for various things and patches. My overall rating for HackerOne is 6 out of 10.

I am currently using Wiz, a scanning solution for cloud, to see if we are collecting reviews for any of these tools. My company has bought the license for Wiz, and we are using it as consumers.

HackerOne is used for bug bounty management. Whenever outsiders report any public-facing vulnerabilities or faults in our public-facing websites or domains, we receive a notification, validate it, and award bounties accordingly.

The ease of collaboration with ethical hackers on HackerOne has been quite good. From my experience, they respond when we do not have enough information on the findings.

Since starting work with HackerOne six months ago, we had other previous tools as well. HackerOne has been the right fit for our current situation.

The steps to reproduce are valuable aspects of HackerOne, and the AI capabilities have been more useful.

The customizable bounty programs have helped attract high-quality insights for us.

I find the AI and customizable features useful because they help us summarize information from a layman's perspective as well as for a technical person.

One limitation is that if a finding has been reported on HackerOne and was also reported earlier by another user or outsider, the platform is not able to collate that information together. If it is a repeated finding, we are not able to identify it automatically and must do it manually.

When reporting something, the platform should indicate that it was reported in the previous year or on a specific date, which would give us more insight into what action we have taken on that issue.

The reporting side is quite fine because we are using another tool for reporting purposes, so I did not find any issues there since we did not do much exploration on that side.

The ease of collaboration with ethical hackers on HackerOne has been quite good. From my experience, they respond when we do not have enough information on the findings.

Since starting work with HackerOne six months ago, we had other previous tools, though I do not remember their names now. HackerOne has been the right fit for our current situation from both a functionality and cost-effectiveness perspective.

When I took on the bug bounty program, HackerOne was already being used, possibly due to cost considerations or its functionality.

I do have experience with other solutions, but currently I am not using them. I am using some other solutions now. We are exploring additional options but have not yet implemented them. My overall rating for this product is 8 out of 10.

My main use case for HackerOne is mostly for submitting bugs. I get into the programs listed there, find one that is suitable for me, do my penetration testing on the systems, try to bypass some controls, and if I find a bug, I submit it on HackerOne.

A specific example of a bug I found and submitted through HackerOne that stood out to me involves race conditions because they resonate with me as a unique type of bug. If you can submit simultaneous requests to a program or a system and it fails to queue those requests properly, you end up getting the same response for multiple requests, which I find incredible, so I tend to focus on race conditions.

I use HackerOne as an individual, primarily as a side hustle. While I'm working for the organization, I do projects related to it, but in my free time, I get into HackerOne and try to hack other systems that are not related to my organization, helping other organizations enhance their security.

Once I submit any bug on HackerOne and it's verified, a team member from that specific organization fixes the bug. After it has been fixed, I have to retest it, as well as the HackerOne team, to ensure it has been fixed, and then I can confirm it on my end, ultimately making the organization much more secure.

In my experience, the best features HackerOne offers include a simple user interface. When I first got into using HackerOne, I did not have anyone to guide me, so I just registered, logged in, and quickly figured out how to filter the scope, filter organizations, and choose which system to try and hack. It has a very simple user interface, and it gives you a quick response—if you submit a bug, someone reaches out to you within minutes, telling you they will verify the bug, and it can be verified in just a few days, sometimes even less than a day, which stands out for me.

The fast verification process impacts my motivation significantly because a quick response keeps me motivated. I feel that having someone respond in minutes is encouraging, and if I'm going to try and hunt bugs today, I would appreciate a response within the day or at least within a few days. Some programs take long to respond, and then you lose motivation; so for me, the quick responses motivate me to continue submitting bugs.

I also appreciate the ability to filter programs on HackerOne. I like to focus on web applications, so when I log in and look at the available programs, I can filter specifically for ones related to domains, making it much easier compared to sifting through all programs to find domain-related ones or web, API, etc.

I think HackerOne can be improved by allowing new users to gain access to certain programs that are only open to known, renowned users. Sometimes new users don't receive invites just because they are new, despite potentially being very skilled hackers, so I feel new users should get more chances and opportunities.

I am currently satisfied with the rewards, response time, and other aspects of the platform, so I don't have anything else to add about the necessary improvements.

I give HackerOne a nine out of ten because if new hackers are given more opportunities, it could be a perfect 10 for me. However, the reason I gave a nine is that I don't have much to complain about; I specifically love the program and don't have many concerns.

I have been working in my current field since 2020, so by the end of this year, I'll be clocking six years.

HackerOne is stable for me; I have no complaints regarding uptime or reliability.

HackerOne's scalability works well, as it can handle a growing number of users or submissions smoothly.

I've never had to reach out to customer support, so I don't have any comments on that experience.

I have not used any other solution for bug bounty or vulnerability submissions; just HackerOne.

I have not experienced any costs since I use HackerOne independently, just logging into the site, hunting bugs, and submitting them without any expenses.

Before choosing HackerOne, I evaluated other options like Yes We Hack and Bugcrowd.

I would highly advise others looking into using HackerOne to start using it for the great experience, great response time, and good rewards; I would highly recommend it. My company does not have any business relationship with HackerOne other than being a customer. I was offered a gift card or incentive for this review. The review rating is 9 out of 10.

My use case is similar to DuckTron. The processes I use for DuckTron are exactly the same for HackerOne. Therefore, there isn't much of a difference. I use HackerOne for finding vulnerabilities and reporting them, then receiving rewards akin to a bug bounty program.

Within my organization, HackerOne is used for vulnerability coordination through its user interface, which lists programs and websites for reporting vulnerabilities.

HackerOne is larger than WebCloud and has a better reputation than BugCloud, which results in a smoother process. Both platforms are similar in using their interfaces to list programs and facilitate reporting vulnerabilities, whether public or private.

Everything has become slower on HackerOne. I have noticed that older researchers receive all the private invites while newer ones receive fewer. The same goes for real-life events, where the same people are invited repeatedly. There are no clear guidelines for being invited to programs and conferences, and the process for receiving invitations appears arbitrary.

I have used it for the same duration as other cloud services.

I have never faced any stability issues on HackerOne for the past four years. Everything was always completely smooth.

HackerOne has high scalability. It is a large platform with many programs and clients, so I would rate it a nine out of ten.

Technical support at HackerOne has slowed down considerably compared to four years ago. Previously, the support was quicker and more detailed, which is not the case now.

I have tried Integrity and reported vulnerabilities there, and I have tried SVHack. However, I spend 90% of my time on HackerOne.

The initial setup is simple and straightforward, which I would rate a nine out of ten. I have never faced any difficulties during this process.

HackerOne is free of cost for us. We receive rewards without needing to invest any money, so the return on investment is substantial.

The cost is rated as one since there is no need to pay anything, not even a fee or commission.

I have tried other platforms like Integrity and YesLack, however, I focus most of my time on HackerOne.

I rate HackerOne a nine out of ten.

It is slightly better than BugCloud. While some aspects have slowed down, HackerOne is still a strong platform for enhancing skills and offers an excellent initial setup. They should improve their invitation process.