HackerOne will NEVER threaten you or do anything to reduce your security. You can safely ignore our sales emails if that's what you want to do. We are just trying to be helpful.
But we do have the absolutely best set of programs for companies of all stripes. To start with, you can open a vulnerability disclosure program that costs you nothing. It will allow hackers to submit vulnerability reports to you. We run numerous programs of this type for startups and other companies.
Our mission is to empower the world to build a safer internet. That's it.
Thank you so much Marten for your direct response!
I'm sorry if my post came out as at all harsh. I respect what you guys are doing. I just had those honest reactions to the communication I got.
Maybe putting some general pointers on getting started in emails like this for really small companies would come across as a bit less threatening? That way, you can be the guide early on, then we can become partners later when we have the scale.
Generally in the world of bug bounty programs, the signal-to-noise ratio (SNR) is around 10-20%.
Even at this low rate, it is not too bad. Let's say you receive 10 reports. You can relatively quickly identify the 8-9 noisy reports to find the 1-2 valid ones. Of course, a higher SNR is always better. It saves you time and effort.
On HackerOne, the average SNR across all programs is over 30%. The platform can automatically filter out certain reports that are duplicates or out of scope.
The platform maintains an average signal rating for each hacker (aka security researcher). Companies can limit access to their programs to hackers with a certain signal or higher. This will significantly increase SNR for the program.
Companies can also opt for a HackerOne program with triage included, in which case the SNR rises close to 100%.
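The two filters described above (automatic removal of duplicates and out-of-scope reports, then a per-researcher signal threshold) can be modelled in a few lines. The block below is an added example, not HackerOne's code; it assumes a simplified signal metric (the fraction of a researcher's previously closed reports that were valid, which is not HackerOne's actual formula) and uses constructed report data. It also shows the side effect of a strict threshold: a researcher with no history has no rating, so their report is filtered out regardless of its value.

```python
"""Toy model of a signal-gated bug bounty inbox (added example, not platform code).

Assumed, simplified metric: a researcher's signal is the fraction of their
previously closed reports that were valid. All data below is constructed.
"""

# Constructed history of previously closed reports: (researcher, outcome)
HISTORY = [
    ("alice", "valid"), ("alice", "valid"), ("alice", "invalid"),
    ("bob", "invalid"), ("bob", "invalid"), ("bob", "invalid"), ("bob", "valid"),
    ("carol", "valid"), ("carol", "duplicate"),
]

# Constructed inbox of new reports for one program:
# (report_id, researcher, in_scope, fingerprint, outcome_after_triage)
# fingerprint stands in for whatever a platform uses to spot duplicates;
# outcome_after_triage is only used to measure SNR, the filter never reads it.
INBOX = [
    (1, "alice", True,  "idor-users", "valid"),
    (2, "bob",   True,  "xss-search", "invalid"),
    (3, "bob",   False, "ssl-report", "invalid"),    # out of scope
    (4, "carol", True,  "idor-users", "duplicate"),  # same fingerprint as #1
    (5, "dave",  True,  "rce-upload", "valid"),      # dave has no history yet
    (6, "bob",   True,  "clickjack",  "invalid"),
]


def signal_rating(history, researcher):
    """Valid/closed fraction for the researcher, or None if they have no history."""
    closed = [outcome for who, outcome in history if who == researcher]
    if not closed:
        return None
    return sum(outcome == "valid" for outcome in closed) / len(closed)


def filter_inbox(inbox, history, min_signal):
    """Drop out-of-scope and duplicate reports, then gate by researcher signal.

    Returns (accepted, rejected); rejected maps report_id -> reason.
    Unrated researchers are treated as signal 0.0, so any threshold above
    zero excludes them.
    """
    accepted, rejected, seen_fingerprints = [], {}, set()
    for report in inbox:
        rid, who, in_scope, fingerprint, _outcome = report
        if not in_scope:
            rejected[rid] = "out_of_scope"
            continue
        if fingerprint in seen_fingerprints:
            rejected[rid] = "duplicate"
            continue
        seen_fingerprints.add(fingerprint)
        rating = signal_rating(history, who)
        effective = 0.0 if rating is None else rating
        if effective < min_signal:
            rejected[rid] = "below_signal_threshold"
            continue
        accepted.append(report)
    return accepted, rejected


def snr(reports):
    """Share of reports that turn out valid after triage (0.0 for an empty list)."""
    if not reports:
        return 0.0
    return sum(report[4] == "valid" for report in reports) / len(reports)


def missed_valid(inbox, rejected):
    """Report ids that were filtered out but would have been valid."""
    return [rid for rid, _who, _scope, _fp, outcome in inbox
            if rid in rejected and outcome == "valid"]


if __name__ == "__main__":
    for threshold in (0.0, 0.5):
        accepted, rejected = filter_inbox(INBOX, HISTORY, threshold)
        print(f"threshold={threshold}: raw SNR {snr(INBOX):.2f}, "
              f"filtered SNR {snr(accepted):.2f}, "
              f"valid reports lost {missed_valid(INBOX, rejected)}")
```

Raising the threshold from 0.0 to 0.5 lifts the filtered SNR from one half to one, but the valid report from the unrated researcher is among the rejects, which is exactly the trade-off a program owner has to weigh when choosing a minimum signal.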
> The platform maintains an average signal rating for each hacker (aka security researcher). Companies can limit access to their programs to hackers with a certain signal or higher. This will significantly increase SNR for the program.
So if a new user of the platform finds a valid or high-impact bug, they will be unable to report it... less noise, but a high-value bug goes unreported in that case...
Thanks tetrep. I agree with your statement "would be a good time for HackerOne to write this stuff down".
We just discussed it this morning internally. If you have suggestions on how to formulate such a policy, please email me at marten@hackerone.com.
Thinking out loud, HackerOne stands for and supports the security and integrity of every piece of software code, for transparency and openness, for the sovereignty of each human being connected online, and for fair and equitable principles for all online activity. And probably some other aspects that I didn't think of this exact second.
Don't get suckered into trying to write a 'clear set of guidelines' or a 'comprehensive community policy' or whatever they want to call it. 10 times out of 10, the people asking for such things are either looking to pin you on your own texts through language lawyering or are incapable of independent thought - not the sort of people you want to deal with anyway. The whole faux 'justice' (of this sort) rhetoric is just that - the upholding of an illusion of 'fairness', where that 'fairness' is a juvenile understanding of 'equal treatment no matter what', just like those who think that majority decisions are always right because they're 'democratic'.
The correct response is the one given when people tried this trick on the SCOTUS by asking it 'what is porn'. There, and here, the correct answer is: "I can't define it, but I recognize it when I see it." This of course is a deeply unsatisfying answer to people who can't (or won't) think for themselves, and doubly so for the aspi types that inhabit the interwebs in disproportionate numbers.
The safest and most convenient way of hiring a white hat hacker (a.k.a. ethical hacker) is to run a bug bounty program and get the input of many of them.