HackerOne vs. Pentest-Tools.com

It is one of the good platforms for security researchers to submit bugs and other vulnerabilities, it however, has some challenges, in terms of un-verified and duplicate submissions.

Incentivized

This website is well suited for organisations that perform regular security assessments. In particular, external scans and reconnaissance. As an example, I am able to run a report on our Wordpress website to enable me to see whether we are missing any important security updates. We found it to be very useful for training new security analysts, due to the straightforward GUI. You can work on the same projects together to help you to do this. Having it laid out in front of them helps them to understand the concepts much easier than using dozens of different tools to achieve the same goals, and also speeds up training. If you're a personal user it may not be appropriate due to price. If you are a personal user, I would advise using the many open source tools there are that do the same things. The strength of this platform is that it combines them into a single pane of glass, but you can achieve the same things with other tools if necessary. For example, there are many other tools that you could use to run a UDP port scan that do not cost money (EG NMAP)

Incentivized

• Filter for spammy bug reports
• Nice central interface
• Payment/reward system is nice

Incentivized

• Cheaper than some other platforms
• Good support
• Cloud based
• Integrates well with identity providers

Incentivized

• A lot of duplicate bugs get reported, although it does offer automatic suggestion of previously reported bugs that may be duplicates, it is far from perfect.
• Anyone can report bugs, a lot of them are not verified before submission. This sometimes leads to a lot of time spent in verifying if the bug is really actionable.
• Each submission has to be treated with equal potential, a lot of time, some time gets invested in vulnerabilities that aren't as important as some others.

Incentivized

• No logging for things like scanning. This means you don't actually know when the scan has failed if you're not immediately on the ball.
• Reports could look better. It would be good to be able to customise the report with some different styles to suit your company's branding.
• Could have better tutorials.
• It may be useful to have a feature similar to Microsoft Secure Score, which compares your organisation to similar ones, so that you have a reference of how secure your environment actually is.

Incentivized

These were very close and we liked HackerOne better. For a time we did have both and we felt the need to consolidate the information into one platform and end of life our internal offering. Overall we've been fairly happy with HackerOne.

Incentivized

Offers a great number of tools in one interface, giving you a single pane of glass to work from. Therefore, it's favourable compared to some of these other products, that do similar things but are less intuitive and less easy to use. This makes it not only easier to use, but easier to report results to your customers. Also, although the price point can seem high, once you start adding multiple paid tools that do the same job, there probably isn't a massive amount of difference (if any)

Incentivized

• Bugs that can't be tracked internally are submitted by external researchers, which is an important factor for security vulnerabilities.
• Even if the bugs reported are duplicates, there still is provision to award reputation points, that keep the researchers engaged.
• It also requires a lot of verification and validation, as a lot of the submissions are unverified to begin with.

Incentivized

• Price point allows us to sell the solution at an excellent margin
• Freed up time due to the automated solutions, allowing us to utilise staff better
• Use from anywhere due to being cloud based

Incentivized