Can pentesters test for apps that require specialization? | It depends on the specialization you’re looking for. We have pentesters with experience in web, mobile, API and external network/infra testing. As part of the pentest process, we ask customers to go through a scoping questionnaire to help inform our team on specific testing requirements.

We want to avoid the possibility of finding a high number of vulnerabilities that could cause our bounty pool to balloon. What can we do to avoid that? | The HackerOne Pentest is set at a fixed cost. Given there are no bounties, and pentesters are compensated for their effort and time, the total cost is 100% fixed and predictable.

Is retesting included? How much is it to add? | There is a 60-day window to initiate 2 retests per report at no additional cost. Retesting is handled by the pentest team to ensure accuracy and consistency.

We're looking for something that indicates that we had the assessment done and the status of the application at the end of the assessment retest period, without the detail for issues that were identified and corrected. Can you produce an abridged version with that information? | Yes, we offer a letter of attestation for our pentest assessments.

I’m frustrated with traditional pentest firms including out-of-scope or insignificant vulnerabilities in reports. We have to explain these to customers and leadership all the time. Will the HackerOne pentest be different? | Pentesters look for coverage of the scope rather than just focusing on impactful vulnerabilities as in a bug bounty program. Pentest best practices call for low and informative vulnerabilities to be reported. OWASP guidelines are followed by pentesters in web and mobile applications. <br><br>HackerOne’s bug bounty offerings may be more suitable for you if your priority is to find the most impactful and critical bugs.

* HackerOne Pentests



1. Click the Join Now button in your Slack invitation email.