Using the platform as a Hacker and having run a time-limited private bug bounty program, the features available are extensive. From the perspective of running a private bounty, the most valuable features include:
1. Access to an experienced and effective hacker community with measurable metrics on each. The hackers on the HackerOne platform come with a wide range of skills, with some providing general expertise and others with a broad base of knowledge. This results in reports on vulnerabilities which I had never considered or knew existed while developing my product. Additionally, the metrics help me quickly differentiate the credibility of the reports and how best to triage submissions.
2. Third-party integrations, including payment systems and project management tools. HackerOne provides a number of easy-to-use options for paying hackers which makes it easier to do so, including handling their tax information and saving me the headaches of dealing with those details. Additionally, while I haven't tested it out yet, there is the option to integrate with third-party tools like Slack which will help if my dev team grows. I've also spoken with other programs which are using these tools and integrated with private solutions, both of which have helped them manage their programs more effectively.
3. Speed. While they prepare you for it, it's amazing how quickly you get results on the platform. While not all reports result in code changes and some hackers do report invalid issues, once hackers start looking at your program, you quickly have lots to work with.
From the perspective of being a hacker:
1. Direct dialogue with a company helps you better understand their needs and discuss how vulnerabilities can affect their business. This is particularly true of application logic bugs which only a company would have true insight into the potential severity of.
2. HackerOne support is responsive and open. Whether it be opportunities to improve the platform, difficulties communicating with programs or general questions, the team has always been quick to respond and it seems as though everyone is empowered to help you out, having received responses from a wide array of team members listed on their about page (including co-founders).
3. Wide array of programs, including those that can afford bounties / those that can't, healthcare / automotive / security, etc. sectors, code-based / web applications / desktop applications, etc., charitable / private / public companies. All of this results in options on how you want to spend your time hacking and potentially give back to the broader community.
Using HackerOne has definitely improved the security of my web application, identifying security gaps I didn't realize as a web developer.
In terms of organization, it has helped me streamline my development process and coordinate fixing issues while staying on course with broader development timelines. As mentioned above, it saved me the time of having to figure out the logistics of paying researchers, including handling their tax information, etc.
Using HackerOne, I also didn't have to spend time figuring out how to install or integrate anything since the entire platform is offered as an online Software as a Service. As a result, any issues I have with the platform are handled by them, often with an engineering team member following up with me.