
HackerOne Professional, Free for Open Source Projects

Thu 9 Feb 2017

For some time now I have been working with HackerOne to help them shape and grow their hacker community. It has been a pleasure working with the team: they are doing great work, have fantastic leadership (including my friend, Mårten Mickos), are seeing consistent growth, and recently closed a $40 million round of funding. It is all systems go.

For those of you unfamiliar with HackerOne, they provide a powerful vulnerability coordination platform and a global community of hackers. Put simply, a company or project (such as Starbucks, Uber, GitHub, the US Army, etc.) invites hackers to hack their products/services to find security issues, and HackerOne provides a platform for the submission, coordination, duplicate detection, and triage of these issues, along with other related functionality.

You can think of HackerOne in two pieces: a powerful platform for managing security vulnerabilities, and a global community of hackers who use the platform to make the Internet safer and, in many cases, make money. This effectively crowd-sources security using the same “with enough eyeballs, all bugs are shallow” principle as open source: with enough eyeballs, all security issues are shallow too.

HackerOne and Open Source

HackerOne unsurprisingly are big fans of open source. The CEO, Mårten Mickos, has led a number of successful open source companies including MySQL and Eucalyptus. The platform itself is built on top of chunks of open source, and HackerOne is a key participant in the Internet Bug Bounty program that helps to ensure core pieces of technology that power the Internet are kept secure.

One of the goals I have had in my work with HackerOne is to build an even closer bridge between HackerOne and the open source community. I am delighted to share the next iteration of this.

HackerOne for Open Source Projects

While not formally announced yet (this is coming soon), I am pleased to share the availability of HackerOne Community Edition.

Put simply, HackerOne is providing their HackerOne Professional service for free to open source projects.

This provides features such as a security page, vulnerability submission/coordination, duplicate detection, hacker reputation, a comprehensive API, analytics, CVEs, and more.

This not only provides a great platform for open source projects to gather vulnerability reports and manage them, but also opens your project up to thousands of security researchers who can help identify security issues and make your code more secure.

Which projects are eligible?

To be eligible for this free service projects need to meet the following criteria:

  1. Open Source projects – projects in scope must only be Open Source projects that are covered by an OSI license.
  2. Be ready – projects must be active and at least 3 months old (age is defined by shipped releases/code contributions).
  3. Create a policy – you add a SECURITY.md in your project root that provides details for how to submit vulnerabilities (example).
  4. Advertise your program – display a link to your HackerOne profile from either the primary or secondary navigation on your project’s website.
  5. Be active – you maintain an initial response to new reports of less than a week.

If you meet these criteria and would like to apply, just see the HackerOne Community Edition page and click the button to apply.

Of course, let me know if you have any questions!
