Platform changelog

For Companies & Researchers 

Introducing required skills for assets to attract targeted researchers 

What we did: We introduced a "Required Skills" feature for program assets. Companies can now tag each of their assets with specific technical skills (e.g., Web Hacking, Mobile Hacking, API, etc.). Researchers can see these skill requirements on program pages, filter for programs by skill, and get recommendations based on the skills listed in their profile. 

Why we did it: To help companies attract the right talent, we needed a way for them to specify the expertise required to test their assets. At the same time, researchers wanted to find programs that matched their specific skillsets more efficiently. This feature bridges that gap. 

Who it helps: 

• Companies: Attract researchers with the most relevant skills for their assets, leading to more targeted and valuable vulnerability submissions. 

• Researchers: Easily find programs and assets that match their specific hacking skills and receive personalized recommendations for relevant programs. 

For Companies  

AI-Generated submission summaries for faster validation 

What we did: We've introduced AI-generated summaries for vulnerability submissions. This feature automatically analyzes submission data to produce a concise overview. Company users can read, like, dislike (with an option to provide feedback), and regenerate these summaries. 

Why we did it: To shorten the feedback loop to hackers, assist security teams reduce manual effort and time spent on reviewing detailed submissions, extract key insights faster, and facilitate clearer communication of vulnerabilities to internal stakeholders. This enables a quicker understanding and prioritization of reported issues. 

Who it helps: This feature is designed for security analysts responsible for reviewing and prioritizing vulnerability submissions, as well as security team members tasked with communicating those findings to internal stakeholders across engineering, IT, and leadership teams. 

Read more about AI-generated submission summaries here

For Companies 

Vulnerability Assessment with CVSS 4.0 Calculator 

What we did: We have integrated the CVSS 4.0 calculator into our platform, allowing companies to opt for this advanced vulnerability scoring system as an alternative to the existing CVSS 3.1 model. This setting can be configured at the company level via Admin settings and will apply to all future submissions. 

Why we did it: To provide our customers with a more precise, granular, and comprehensive method for assessing vulnerabilities. CVSS 4.0 offers improved alignment with real-world risk, addressing feedback from customers who require greater accuracy for their evolving security needs and risk management strategies. 

Who it helps: This feature benefits companies by enabling more accurate vulnerability evaluations, leading to better-informed remediation prioritization and resource allocation. It also fosters fairer assessments for researchers and enhances transparency in the evaluation process, reducing ambiguity and potential disputes. 

Read more about using the CVSS 4.0 calculator here 

For Companies  

Introducing asset management  

What we did: We have transitioned asset management from the program level to the company level, creating a centralized repository of unique company assets. Existing program domains have been migrated to this new company list, and duplicate domains (those with identical names and types) have been merged into single, unique entries.  

Company Admins can now create, edit (changes apply across all programs using the asset), and archive/unarchive assets centrally.  

Why we did it: The previous lack of a centralized asset list created operational inefficiencies, hindered accurate reporting (like submissions per asset or vulnerability trends), prevented a clear view of the attack surface, and blocked effective matching of researchers to relevant assets. This foundational change establishes a single source of truth for assets, improving data structure and resolving these limitations. 

Who it helps: This provides companies with a streamlined and unified way to manage their assets, reducing errors and inconsistencies. It creates a robust data foundation essential for future capabilities, such as detailed asset-level reporting, enhanced attack surface insights, and more effective matching of researchers to assets aligning with their skills and interests. Ultimately, it improves data quality and scalability for the entire platform. 

Read more about managing company assets here. 

Companies & Researchers 

'Informative' submission close Reason changed to neutral  

• What we did: Updated the 'Informative' submission close reason from positive to neutral. This change applies only to submissions closed from this date forward. Consequently, 'Informative' submissions will no longer impact validity ratios or program contributor status. 

• Why we did it: To ensure researcher validity ratios accurately reflect impactful contributions, enhance the fairness of evaluations, and address specific customer feedback requesting a neutral option. 

• Who it helps: This provides companies with a more accurate and reliable way to evaluate researcher performance based on impactful findings. It helps researchers by ensuring their statistics and reputation genuinely reflect the value they deliver through actionable vulnerability reports. 

Read more about submission close reasons here

Researchers 

Industry discovery feature 

• What we did: We added industry information tags to programs and specific skill tags to assets. 

• Why we did it: Offer researchers a more personalized guidance towards relevant opportunities right from the start. 

• Who it helps: This helps new and existing researchers find programs and assets matching their interests and expertise more easily, leading to increased activity and a better platform experience. Ultimately, this benefits companies by engaging a wider pool of relevant researcher talent. 

Companies

Updates to the LoA and Pentest Report

We've updated the Letter of Attestation (LoA) and Pentest Report exports. For completed comprehensive pentests, we've added pentest checklist items to the reports.

Advanced Search on Submission

Overview You can now refine your searches on the submission overview. When using the text search, you can choose specific fields within a submission to search (e.g., Title, Internal Reference, Submission Code), making it easier to find the submissions you need.

Companies

Custom Bounties in the Company API For larger customers using our Company External API, you can now override the standard bounty amount and award custom bounties when accepting submissions, offering you more flexibility in rewarding researchers over API.

Addition of a 4th and 5th Bounty Tier We've added two new bounty tiers to provide you with more flexibility in customizing your program rewards based on the importance, complexity, and maturity of your assets. More details about bounty tiers can be found in our Knowledge Base.

Pentesting Checklists You can now request researchers to complete a web application testing checklist when they perform a pentest for your program. This will help ensure a more structured testing process.

Improvements to Credentials Upload We've improved the credentials upload functionality to ensure that the order of credentials you provide is maintained within the platform.

Researchers

Enhanced Onboarding Experience New researchers joining the platform will now go through an onboarding process. This will allow them to provide more information about their skills and preferences, helping them personalize their experience on the platform.

Improvements to Markdown Editor We've introduced some minor improvements to our Markdown editor, which you use for submitting and discussing vulnerabilities, to make your experience even more seamless.

Researchers

Engagement Logs

We've added a new feature that allows you to share data on the amount of time you spend hunting on the domains of a program. By submitting engagement logs, you'll be able to see insights into where other researchers have been focusing their efforts. Please note that we are currently in the data-gathering phase for this feature.

Full-Screen Inline Images

You can now click on images within the platform to open them in full-screen mode for easier viewing.

Companies

Program Budget Notifications

Company admins can now configure a budget threshold to receive notifications when their program budget falls below a specified limit. This feature is perfect for companies seeking an early warning before their program risks automatic suspension. More details about the low-budget notifications are available in the Knowledge Base.

Delete Hybrid Program Drafts

Admins can now delete drafts of hybrid programs, just as they can for bug bounty drafts. While launching programs is always our goal , this update helps maintain a clean platform by allowing the removal of unneeded or mistakenly created drafts.