In our last articles, “How to Write a Good Report and Use the CVSS Calculator” and “Understanding HackerOne’s Code of Conduct”, we showed why professionalism and great communication are important to becoming successful on the HackerOne platform. In this article, we look at five tips for improving your communication with triage and security teams.
Direct Communication on the Report
As we discussed in “How to write a good report”, it is very important to write a clear and concise report when submitting a vulnerability to HackerOne. A clear report helps the receiving team understand and reproduce your submission quickly. However, we understand that some vulnerabilities are more complex than others, especially when you are communicating in writing (as opposed to a video or phone call, where it is easier to explain things).
First and foremost, always give the triage or security team enough time to validate your submission or answer any additional questions you may have. We typically recommend that hackers look at the response efficiency metrics shown on the right-hand side of the program’s policy page; these give you an estimate of how long the team typically takes to get back to a submission. Please do not spam reports for updates within a short period of time. You can always contact Mediation if you do not hear back from a member of the team within a reasonable amount of time.
If you are following up with additional details or have a question for the receiving party, always tag the user in your comment (@username) so they get a notification that you have asked for their help directly.
As highlighted in our Code of Conduct, we also recommend using only official channels, such as the submission itself or the email address (if any) provided on the policy page. This helps the security team keep track of its tasks and follow-ups and minimizes the number of notifications they need to respond to.
If you are not a native English speaker, try your best to respond to any questions or inquiries the security team has for you, and use tools like Google Translate to make this easier. If all else fails, you are welcome to comment in your native language in the hope that someone on the receiving side can translate or find someone who can help, especially since HackerOne and its customers work with the global security community across many countries!
Emphatic Capitalization & Punctuation
Behave professionally: use respectful language on reports, refrain from spamming reports for updates, and avoid emphatic capitalization and punctuation. For example, instead of these:
🚫 Update NOW!!! PLEASE!
🚫 WTF. This sucks.
✅ Would it be possible to get an update please?
✅ I disagree with this. Can you please clarify or have another look?
HackerOne offers mediation to help resolve miscommunication, concerns, or disagreements between customers and hackers. Before requesting mediation, we highly recommend asking all relevant questions via the submission, to give the security or triage team a chance to explain their thought process. Let’s explore some of these scenarios and how to approach them.
If your submission’s severity was changed to one you do not agree with, we recommend first explaining why you set the severity the way you did and walking through your reasoning. Using the CVSS calculator and justifying each metric you chose will help the receiving team understand your perspective; it may lead them to reconsider, or they may have insight or additional information you are missing. For example, help the security team understand why you rated confidentiality impact as High rather than Low, or why you set attack complexity to Low rather than High. What can an attacker achieve with this vulnerability that may not have been clear from your original CVSS calculation?
Bounty amounts are usually assigned based on the impact and severity of the vulnerability report. If the bounty assigned to your submission does not match what is described in the program’s policy, we recommend asking the security team for additional information to clarify their decision before requesting mediation.
Before asking a program to reevaluate their bounty decision or requesting mediation, consider the following:
- Does the bounty amount match what is described in the program’s policy?
- Have you and the receiving team agreed on the severity of the submission?
- Did you follow the program’s policy and scope before submitting your report?
- Are there any unusual conditions or requirements that must be met for your proof of concept to be fully exploitable?
Last but not least, when responding to a misunderstanding, assume good intent: trust that the security team is there to help you and is doing its best to assess and evaluate your submission. Ask your questions on the report before requesting mediation, and never take these decisions personally.
HackerOne also offers support for both its customers and hackers around the world. You can always email us directly at firstname.lastname@example.org if you have questions. This includes questions about a program, its policy, scope clarification, out-of-scope assets or vulnerability types, or any additional questions for our triage, program management, and customer teams.