HackerOne unveils sweeping product expansion, including vulnerability ranking table
Tue, 21st Sep 2021

Cybersecurity platform HackerOne has announced all-new features for its security intelligence services — including a worldwide top 10 ranking table that measures vulnerabilities by risk factor.

HackerOne also unveiled its new CVE Exploitation Index, aimed at providing further insight into exploited vulnerabilities, as well as several updates to its security workflow for large enterprises, including improved access management, control, and connectivity with external applications.

“Streamlining vulnerability management programs for customers of all sizes has been a key focus for HackerOne since we were founded,” says HackerOne SVP of product Rand Wacker.

“We want hackers to be able to prioritise bug hunting and our customers to gain sophisticated intelligence that, combined, will make a real difference to their security strategies.

“With these updates, we're looking forward to seeing how customers use the valuable data provided by our hackers to inform overall security programs within their organisations.”

The Top 10

The HackerOne Top 10 is based on real-world vulnerabilities found by the global hacker community. It is broadly used as a guideline to understand where security teams should prioritise their vulnerability management efforts. It was made to complement the Open Web Application Security Project (OWASP)'s own Top 10 table.

The OWASP table includes three categories: insecure design, software and data integrity failures, and a group for server-side request forgery (SSRF) attacks. HackerOne adds to this by providing industry-specific data, and aims to give customers better insight into the most impactful weaknesses from a hacker's perspective.

CVE Exploitation Index

Whereas a scanner only provides information based on a set algorithm or analyst's estimates, the CVE Exploitation Index delivers a view of which CVEs are most exploitable, based on real-world data from the HackerOne platform.

The data represents which CVEs are being discovered most by hackers. Customers can use the index in conjunction with CISA's list of the top 30 most exploited CVEs to patch the CVEs that put organisations most at risk.

These new vulnerability intelligence capabilities are expected to be available in the HackerOne platform by the end of this year.

Hacker efficiency

HackerOne's announcement included improvements to bounty table ranges and the bounty calculator in a bid to increase efficiency in hacker workflows and payment transparency.

The new table ranges and calculator allow customers to set bounty ranges, bringing consistency to the way bounties are awarded. This creates more transparency for hackers, which increases trust between organisations and hackers and improves hacker motivation.

Meanwhile, the Hacker API allows hackers to spend more time finding vulnerabilities. The API automates a hacker's workflow by giving them immediate access to program information, letting them view all their vulnerabilities and report updates, and giving them a way to monitor their earnings and payouts for tax reporting.

Security workflows

HackerOne's security workflows centralise access management, control, and connectivity to external applications in the HackerOne Platform. The new updates include:

  • Organised homepage access: Gain a unified view and easy access to different program sections, such as the security page, settings, reports, and inbox prioritisation, to see the most important reports first.
  • Centralised user management: Add users to the organisational view of your HackerOne experience and centrally manage their access to multiple programs and reports.
  • Enhanced navigation: Access a report's sidebar for the visibility to report and relay information while maintaining easy access to the metadata needed to support security actions.
  • Improved Jira integration: Obtain connectivity to any number of Jira instances, allowing configurable support for different teams and projects and eliminating the need for manual workarounds.