In a nutshell, a report template is a configurable chunk of text that can be pre-loaded into the vulnerability submission form instead of a blank white box. For example:
The goal of a report template is two-fold. Firstly, it helps security teams to think about what specific pieces of information they require in a vulnerability report. Secondly, it provides a useful way of ensuring a hacker provides all of these different pieces of information when they submit a report.
While a simple feature, this should improve the overall quality of reports submitted to HackerOne customers, improve the success of hackers by ensuring their vulnerability reports match the needs of their security teams, and result in overall better-quality engagement on the platform.
Similar kinds of templates can be seen in platforms such as Discourse, GitLab, GitHub, and elsewhere. While a simple feature, there are some subtle underlying psychological components that I thought could be interesting to share.
The Psychology Behind the Template
When I started working with HackerOne, the first piece of work I did was to (a) understand the needs/concerns of hackers and customers and then, based on this, (b) perform a rigorous assessment of the typical community workflow to ensure that it mapped to these requirements. My view is simple: if you don’t have a simple and effective workflow, it doesn’t matter how much outreach you do, people will get confused and give up.
This view fits into a wider narrative that has accompanied my work over the years that at the core of great community leadership is intentionally influencing the behavior we want to see in our community participants.
When I started talking to the HackerOne team about Report Templates (an idea that had already been bounced around), building this intentional influence was my core strategic goal. Customers on HackerOne clearly want high-quality reports. Low-quality reports suck up their team’s time, compromise the value of the platform, and divert resources from other areas. Similarly, hackers should be set up for success. A core metric for a hacker is Signal, and signal threshold is a metric for many of the private programs that operate on HackerOne.
In my mind, Report Templates were a logical area to focus on for a few reasons.
Firstly, as with almost everything in life, the root of most problems is misaligned expectations. Think about spats with your boss/spouse, frustrations with your cable company, and other annoyances as examples of this.
A template provides an explicit tool for the security team to state exactly what they need. This reduces ambiguity, which in turn reduces uncertainty, which has proven to be a psychological blocker, and particularly dangerous in communities.
There has also been some interesting research into temptation and one of the findings has been that people often make irrational choices when they are in a state of temptation or arousal. Thus, when people are in a state of temptation, it is critical for us to build systems that can responsibly deliver positive results for them. Otherwise, people feel tempted, initiate an action, do not receive the rewards they expected (e.g. validation/money in this case), and then feel discomfort at the outcome.
Every platform plays to this temptation desire. Whether it is being tempted to buy something on Amazon, temptation to download and try a new version of Ubuntu, temptation to respond to that annoying political post from your Aunt on Facebook, or a temptation to submit a vulnerability report in HackerOne, we need to make sure the results of the action, at this most delicate moment, are indeed positive.
Report Templates (or Issue/Post Templates in other platforms) play this important role. They are triggered at the moment the user decides to act. If we simply give the user a blank white box to type into, we run the risk of that temptation not resulting in said suitable reward. Thus, the Report Template greases the wheels, particularly within the expectations-setting piece I outlined above.
Finally, and as relates to temptation, I have become a strong believer in influencing behavioral patterns at the point of action. In other words, when someone decides to do something, it is better to tune that moment to influence the behavior you want rather than try to prime people to make a sensible decision before they do so.
In the Report Templates example, we could have alternatively written oodles and oodles of documentation, provided training, delivered webinars/seminars and other content to encourage hackers to write great reports. There is though no guarantee that this would have influenced their behavior. With a Report Template though, because it is presented at the point of action (and temptation) it means that we can influence the right kind of behavior at the right time. This generally delivers better results.
This is why I love what I do for a living. There are so many fascinating underlying attributes, patterns, and factors that we can learn from and harness. When we do it well, we create rewarding, successful, impactful communities. While the Report Templates feature may be a small piece of this jigsaw, it, combined with similar efforts, can join together to create a pretty rewarding picture.