title: "Pentest Overview"

path: "/programs/pentests.html"

id: "programs/pentests"

In a penetration test (pentest), authorized hackers simulate a cyberattack on a specific application to test how secure the application is. HackerOne pentests are performed by select hackers with skills and experience from the HackerOne community that best match your applications in scope.

Hackers wanting to participate in pentests will need to apply to be pentesters through which HackerOne will review all applicants and decide which hackers meet the criteria to join the pentest community. Hackers that are a part of the pentest community will then be able to view available pentest opportunities from programs offering pentests. In order to participate in a pentest, hackers will need to apply to the specific pentest through which HackerOne will form a pentest team, which consists of 3 pentesters and 1 pentest lead.

Once the pentest team is formed, pentesters will have 33 hours to complete the pentest. After testing, the lead pentester will draft and submit a summary report of their findings.

Once the feature has been enabled for your program, to set up your pentests:

1. Go to the **Pentests** tab on your program page.

2. Click **Create pentest**.

3. Fill out these pentest details:

Field | Details

----- | --------

Name | The name of the pentest.

Industry | Select the industry the pentest is associated with.

Description | The description of the pentest.

Visibility | You can choose to have your pentest be: <li>Visible in the directory<li>Not visible in the directory <br><br> Pentesters won’t be able to see and apply to your pentest until it’s visible in the directory.

Slack workspace URL | Enter your slack workspace URL that’ll click a link to your pentest, and it’ll direct them to slack where they can be directed to. <br><br>You can leave this field empty so that no links will be shown to the pentesters.

4. Set the schedule for your pentest with these fields:

Field | Details

----- | -------

Scheduled dates | Choose the dates you want the pentest to begin and end.

Timezone | The timezone you want the pentest to begin at.

5. Set the contract for your pentest with these fields:

Field | Details

----- | -------

Hour cap (per pentester) | Set the maximum hour cap for every pentester. Each pentester’s hours are capped to prevent pentesters from taking advantage.

Lead pentester reward | Set the amount you want the lead pentester to receive.

Non-lead pentester reward | Set the reward amount for the non-lead pentester reward.

6. Click **Go to next step**.

7. Click **Create asset** to add assets to your pentest scope.

8. Select **+Add to scope** for the assets you want to add to your pentest scope in the **Add assets to pentest scope section**.

9. Select a **Preferred Methodology** for each asset. The methodology you choose will apply the appropriate pentest check for the asset. You can choose from:

* HackerOne Web Security Checklist

* HackerOne iOS Security Checklist

* HackerOne Android Security Checklist

* HackerOne Executable Security Checklist

10. Click **Save changes**.

Your new pentest will be listed on the **Pentests** tab of your security page.

To edit or view your pentests:

1. Go to your program security page.

2. Click on the **Pentests** tab.

3. Select the pentest you want to view. The pentests can be in these different states:

State | Details

----- | -------

Draft | The pentest is not live and is still being written up.

Scheduled | The team is selected and the pentest is scheduled to start.

Running | Pentesters are actively working on the pentest.

Report due | The testing window has finished but the report is not completed yet.

Completed | A summary report has been submitted and the pentest is finished.

Archived | A past pentest that’s no longer active.

4. Click **Edit pentest**.

- title: Pentests

items:

- title: Pentest Overview

path: /programs/pentests.html

- title: Slack Shared Channels