Overview

HackerOne provides a platform designed for organizations to engage with a global community of ethical hackers. The service facilitates various security testing initiatives, including bug bounty programs, vulnerability disclosure programs (VDPs), and penetration testing as a service (PTaaS). Organizations utilize HackerOne to identify and remediate security vulnerabilities in their software, web applications, and infrastructure before they can be exploited by malicious actors. The platform serves enterprises looking for continuous security validation and a scalable method to manage their attack surface.

The core offering revolves around connecting companies with security researchers who report vulnerabilities in exchange for bounties or recognition. This approach allows for continuous security testing, often complementing traditional security audits and internal security teams. HackerOne supports different program types, from private invitations to public bug bounties, enabling organizations to tailor their engagement based on their risk posture and maturity. The platform also includes tools for vulnerability management, report triaging, and communication between organizations and hackers. Its compliance posture, including SOC 2 Type II and ISO 27001 certifications and GDPR alignment, addresses common enterprise requirements for data security and privacy.

For developers and security teams, HackerOne offers APIs that enable integration with existing CI/CD pipelines, ticketing systems, and security information and event management (SIEM) tools. This programmatic access allows for automating vulnerability reporting workflows and incorporating external security findings directly into development processes. The platform is often chosen by organizations that require broad, continuous security coverage and prefer to leverage the diverse skill sets of a global hacker community rather than relying solely on internal teams or periodic, fixed-scope penetration tests. It aims to accelerate the discovery and resolution of security issues, helping maintain a stronger security posture against evolving threats.

Key features

  • Bug Bounty Programs: Facilitates the creation and management of programs where ethical hackers are invited to find and report vulnerabilities in exchange for monetary rewards.
  • Vulnerability Disclosure Programs (VDPs): Provides a structured channel for security researchers to responsibly disclose vulnerabilities to organizations without financial incentives, focusing on remediation and recognition.
  • Attack Surface Management: Tools to help organizations discover and monitor their external-facing digital assets, identifying potential targets for security testing.
  • Pentest as a Service (PTaaS): Offers on-demand penetration testing by skilled hackers, providing a more continuous and flexible alternative to traditional, time-boxed penetration tests.
  • Security Assessments: Provides various types of security evaluations, including web application testing, API testing, and mobile application testing, conducted by the hacker community.
  • Vulnerability Management Platform: Centralized system for receiving, triaging, and managing vulnerability reports, including communication tools and workflow automation.
  • API Integration: Programmatic access to manage vulnerabilities, reports, and hacker interactions, enabling integration with existing security and development tools.

Pricing

HackerOne offers custom enterprise pricing, which typically varies based on the scope of the programs, the types of services utilized (e.g., bug bounties, VDPs, PTaaS), and the level of support required. Specific pricing details are not publicly listed and require direct consultation with their sales team.

Program Type / Service | Details | Pricing Model
Bug Bounty Programs | Managed or self-service programs for continuous vulnerability discovery. | Custom enterprise pricing, typically based on program scope and bounty payouts.
Vulnerability Disclosure Programs (VDPs) | Structured process for responsible vulnerability reporting. | Custom enterprise pricing, often subscription-based.
Pentest as a Service (PTaaS) | On-demand penetration testing by ethical hackers. | Custom enterprise pricing, based on test scope and duration.
Attack Surface Management | Discovery and monitoring of internet-facing assets. | Included in broader packages or custom pricing.

Pricing as of May 2026. For detailed pricing, refer to the HackerOne pricing page.

Common integrations

Alternatives

  • Bugcrowd: Offers a crowdsourced security platform with bug bounty programs, vulnerability disclosure, and penetration testing, similar to HackerOne.
  • Synack: Provides on-demand security testing and continuous vulnerability management through a global community of trusted ethical hackers, often emphasizing a more curated hacker experience.
  • Intigriti: A European-based bug bounty platform connecting companies with ethical hackers for vulnerability discovery and penetration testing.
  • CyberArk: While not a direct bug bounty platform, CyberArk offers privileged access management and identity security solutions that address different aspects of an organization's overall security posture, sometimes complementing external testing efforts.
  • Internal Security Teams: For organizations with sufficient internal resources, maintaining an in-house security team for penetration testing, code review, and vulnerability management can be an alternative to crowdsourced platforms.

Getting started

To get started with HackerOne, organizations typically begin by defining the scope of their security program and then launching a private or public bug bounty or VDP. The platform provides a user interface for program setup and management. For developers looking to integrate HackerOne into their existing workflows, the API is the primary method. Below is a conceptual Python example that posts a report to a hypothetical HackerOne REST endpoint, illustrating the kind of programmatic interaction the platform supports.

import os
from typing import Any, Dict, Optional

import requests  # assumes a requests-like HTTP library is installed

# This is a conceptual example. Actual API interaction will depend on HackerOne's SDK/API structure.
# Replace with your actual API endpoint and token.
HACKERONE_API_BASE_URL = os.environ.get("HACKERONE_API_BASE_URL", "https://api.hackerone.com/v1/reports")
HACKERONE_API_TOKEN = os.environ.get("HACKERONE_API_TOKEN")
REQUEST_TIMEOUT_SECONDS = 30  # never let a hung API call block a CI job indefinitely


def report_vulnerability(
    program_id: str,
    title: str,
    description: str,
    severity: str,
    asset: str,
    cvss_score: Optional[float] = None,
) -> Optional[Dict[str, Any]]:
    """
    Submits a new vulnerability report to HackerOne via API.

    Returns the parsed JSON response on success, or None on any failure.
    The token is read from the environment so it is never hard-coded in source.
    """
    if not HACKERONE_API_TOKEN:
        print("Error: HACKERONE_API_TOKEN not set.")
        return None

    headers = {
        "Authorization": f"Token {HACKERONE_API_TOKEN}",  # placeholder scheme; check the official docs
        "Content-Type": "application/json",
        "Accept": "application/json",
    }

    # JSON:API-style envelope: attributes describe the finding, relationships bind it to a program.
    payload = {
        "data": {
            "type": "report",
            "attributes": {
                "title": title,
                "description": description,
                "severity_rating": severity,
                "vulnerability_information": {
                    "asset": asset,
                    "cvss_score": cvss_score,
                },
            },
            "relationships": {
                "program": {
                    "data": {
                        "type": "program",
                        "id": program_id,
                    }
                }
            },
        }
    }

    try:
        response = requests.post(
            HACKERONE_API_BASE_URL, headers=headers, json=payload, timeout=REQUEST_TIMEOUT_SECONDS
        )
        response.raise_for_status()  # raise HTTPError for 4xx/5xx responses
        print("Vulnerability report submitted successfully!")
        return response.json()
    except requests.exceptions.HTTPError as err:
        # err.response is the failed response; log its body, never the request headers (they carry the token)
        print(f"HTTP error occurred: {err}")
        if err.response is not None:
            print(f"Response: {err.response.text}")
    except requests.exceptions.RequestException as err:
        # connection errors, timeouts, malformed URLs
        print(f"Request failed: {err}")
    return None


# Example usage:
if __name__ == "__main__":
    # Replace with your actual program ID and vulnerability details
    my_program_id = "your_hackerone_program_id"
    report_title = "XSS Vulnerability in User Profile Page"
    report_description = "A reflected XSS vulnerability was found in the user profile page parameter 'name'."
    report_severity = "high"
    affected_asset = "https://example.com/profile?name=test"
    cvss = 7.5

    # Set HACKERONE_API_TOKEN (and optionally HACKERONE_API_BASE_URL) in the environment
    # before running this script; the base URL falls back to the default above.
    if HACKERONE_API_TOKEN:
        submission_result = report_vulnerability(
            my_program_id, report_title, report_description, report_severity, affected_asset, cvss
        )
        if submission_result:
            print(f"Report ID: {submission_result.get('data', {}).get('id')}")
    else:
        print("Please set the HACKERONE_API_TOKEN environment variable.")

This Python snippet demonstrates a conceptual interaction with a HackerOne-like API to submit a vulnerability report. In a real-world scenario, you would refer to the official HackerOne API documentation for exact endpoints, authentication methods, and payload structures. Organizations can sign up directly on the HackerOne website to begin setting up their first program, whether it's a simple VDP or a full-scale bug bounty program.