Merge pull request Hacker0x01#438 from whisk3ykilo/program-considerations

martijnrusschen · web-flow · commit 600747c15f83 · 2021-08-12T19:47:30.000+02:00
diff --git a/docs/programs/authenticated-testing.md b/docs/programs/authenticated-testing.md
@@ -0,0 +1,18 @@
+---
+title: "Authenticated Testing"
+path: "/programs/authenticated-testing.html"
+id: "programs/authenticated-testing"
+---
+
+* HackerOne recommends providing credentials and contextual information to hackers wherever possible
+    * HackerOne recommends offering elevated rewards for unauthenticated vulnerability findings
+* The HackerOne platform includes a secure [credential management feature](https://docs.hackerone.com/programs/credential-management.html) that allows customers to quickly upload multiple sets of credentials
+    * Includes the ability to provision multiple roles
+        * Essential for PrivEsc, IDOR, broken authentication, data segregation testing, etc.
+    * Hackers can claim credentials in the platform and immediately proceed with testing
+
+## Enabling Unauthenticated Testing
+
+* Many HackerOne programs are interested in finding unauthenticated vulnerabilities as they can be exceptionally severe
+* HackerOne recommends specifying an elevated reward level for unauthenticated vulnerabilities within either the [bounty table](https://docs.hackerone.com/programs/importance-of-bounty-tables.html) or the policy
+    * Be sure to provide clarity in your policy on what unauthenticated vulnerabilities are eligible for the elevated reward level
diff --git a/docs/programs/good-program.md b/docs/programs/good-program.md
@@ -21,4 +21,4 @@ Set up [bounty tables](bounty-tables.html) as they help hackers to see how much
 ### Tip #5: Keep your policy up-to-date
 Make sure all helpful and important information is written on your [policy](policy-and-scope.html) and that you follow the [best practices for good policies](good-policies.html).
 
-Keep in mind that these short tips don’t guarantee success for your program, but they do help in increasing engagement with hackers. There are a lot of other factors that can affect the success of your program such as the types of assets, the bounty amounts,
+Keep in mind that these short tips don’t guarantee success for your program, but they do help in increasing engagement with hackers. There are a lot of other factors that can affect the success of your program such as the types of assets, the bounty amounts, response time, time to bounty, etc.
diff --git a/docs/programs/scoping-considerations.md b/docs/programs/scoping-considerations.md
@@ -0,0 +1,24 @@
+---
+title: "Scoping Considerations"
+path: "/programs/scoping-considerations.html"
+id: "programs/scoping-considerations"
+---
+
+HackerOne programs perform testing in all different environments. What factors go into deciding which environment or [assets](https://docs.hackerone.com/programs/scope-best-practices.html) are a good fit for the hacker-powered approach? What kinds of "blockers" have the potential to reduce hacker engagement?
+
+Below are some considerations that can help enable testing on more difficult assets.
+
+### Hacker Access
+* Is the environment publicly accessible?
+    * If not, the HackerOne [Gateway VPN](https://docs.hackerone.com/programs/hackerone-vpn.html) may be required
+* Do any self sign-up flows require personal information (PII) from hackers?
+* Are there geo-restrictions in the application to consider? SMS 2FA requirements?
+### Feature Coverage
+* Is a non-prod environment an accurate representation of production?
+    * Is test data representative of production?
+* Are any features that should be tested inaccessible to hackers?
+    * If so, can [identifying hacker traffic](https://docs.hackerone.com/programs/traffic-identification.html) help?
+* Do any features require hackers to spend real money? Could this be avoided or reimbursed?
+### Sensitive Information
+* Does the environment contain sensitive information such as PII or PHI that a hacker could potentially stumble onto?
+* Could hacker testing possibly interfere with other types of testing or activity in the environment?
diff --git a/docs/programs/traffic-identification.md b/docs/programs/traffic-identification.md
@@ -0,0 +1,24 @@
+---
+title: "Traffic Identification"
+path: "/programs/traffic-identification.html"
+id: "programs/traffic-identification"
+---
+
+There are several ways to identify hacker testing traffic at various layers for testing/feature enablement or testing control & monitoring.
+
+### Application Layer: User Allowlisting
+* HackerOne provides each hacker with a forwarding [email address](https://docs.hackerone.com/hackers/hacker-email-alias.html)
+    * This email can be helpful in identifying hacker testing accounts for allowlisting within the application itself
+### Session Layer: HTTP Headers
+* Researchers may add headers to requests such as: “X-HackerOne-Research: [H1 username]”
+### Network Layer: IP Allowlisting
+* HackerOne [Gateway](https://docs.hackerone.com/programs/hackerone-vpn.html)
+    * Hacker traffic will come from a known CIDR block
+    * Hacker VPN traffic can be analyzed for insight into asset testing coverage
+* Personal IP Check-in
+    * Limited to the [H1 Pentest](https://docs.hackerone.com/programs/product-offerings.html) product. Used in lieu of [Gateway](https://docs.hackerone.com/programs/hackerone-vpn.html)
+### "Human Layer": Hacker Vetting & Communication
+* HackerOne [Clear](https://docs.hackerone.com/programs/hackerone-clear.html) researchers
+* Custom alert process for each program
+    * email, phone, [Slack, Teams, PagerDuty, and others](https://docs.hackerone.com/programs/supported-integrations.html)
+    * HackerOne [API](https://api.hackerone.com)
diff --git a/src/pages/programs/programs-nav.yaml b/src/pages/programs/programs-nav.yaml
@@ -22,6 +22,13 @@
       path: /programs/using-markdown.html
     - title: Running a Good Program
       path: /programs/good-program.html
+      items:
+        - title: Authenticated Testing
+          path: /programs/authenticated-testing.html
+        - title: Scoping Considerations
+          path: /programs/scoping-considerations.html
+        - title: Traffic Identification
+          path: /programs/traffic-identification.html
 - title: Your Program
   items:
     - title: Homepage
