HackerOne

Today, we’re launching the HackerOne Bug Bounty Program Maturity Framework, setting the standard for how programs should operate. Researchers know it’s about more than just rewards. It’s also about clear communication, timely payouts, interesting scope, and well-defined disclosure policies. Thank you to the community and the Hacker and Technical Advisory Boards for your role in defining what makes a gold-standard program. Learn more 👉 bit.ly/4rEce1c

Prompt injection is becoming one of the fastest-growing AI security risks. So we built something to test it. Our new Agentic Prompt Injection Testing capability proves whether AI systems can actually be exploited in production. Get a deeper dive here: bit.ly/4sOptx9 #AISecurity

The AI Security Gap report is live 🚀 Inside, you’ll learn: • The most common AI attack types • What an AI attack really costs • How leaders are stress-testing AI, and where gaps remain Get the data 👉 bit.ly/4uqRkoC #AISecurityGap #AISecurity

🎥 In this clip, security researcher @rez0__ breaks down one of the most common vulnerabilities showing up in AI-powered applications today. When an AI feature dynamically generates links like clickable URLs or markdown images, it can unintentionally leak sensitive data from chat context or tool calls through a simple client-side request. This is exactly why AI red teaming focuses on how AI features behave in real applications, and not just what the model says. #AISecurity #AIRedTeaming #AppSec #CyberRisk #SecureAI

We’ve updated our 100 Hacking Tools blog – it’s now 104 😎. Whatever your specialization, check out the blog to get started on your hacking journey today! #HappyHacking bit.ly/3Owfu0B

Evan Connelly, full-time pastor and part-time security researcher, says his work begins in that space before crisis, where attention still has the power to change outcomes. Find out how curiosity spurs him to keep going, whether working with people or security vulnerabilities: bit.ly/4aQXW6L

Sometimes the fastest tests reveal the biggest risks. In this clip, security researchers @rez0__ and @hakluke break down a surprisingly simple check: 👉 If your AI feature can generate markdown images, it may already be exposing sensitive data. Find out how a client-side request can quietly leak information when content is rendered. This is a great example of how AI features can introduce security issues that look harmless on the surface, but behave very differently under the hood. #AISecurity #AppSec #RedTeaming #CyberRisk #SecureAI

Want to know what makes for a successful hacking career? Check out @PortSwigger's blog on how researcher, Arman S, combines Burp Suite and HackerOne to uncover high-impact vulnerabilities, and find out how you can win a free Burp Professional license with @Hacker0x01's Hacker Milestone Rewards program! bit.ly/4aOWTEn

As AI features become more social and shareable, traditional AppSec issues, such as XSS, can often reappear in a different form. Security researcher @rez0__ explains how AI-generated content can transform a simple “shared chat” into a real security risk if guardrails aren’t in place. Same bugs. New paths and lower attacker effort. #AI #ApplicationSecurity #AISecurity #Cybersecurity

RSAC 2026, we’re ready. 🔥 📍 Booth S-0867 🗓 March 24–26 | San Francisco AI is expanding the attack surface. We’re helping enterprises deliver: Security, Continuously. See how AI + the global researcher community uncover real-world exposure—before attackers do. 👉 Book a meeting bit.ly/42a70zE #RSAC2026 #CTEM #Cybersecurity #SecurityContinuously

Commerce at global scale demands relentless security. 🔐 We’re launching a focused bug bounty campaign to pressure test @PayPal’s checkout integrations and the critical pathways that power millions of transactions every day. Researchers! Help us identify real-world vulnerabilities that could impact transaction integrity, customer protection, and platform trust. Bring your creativity and help us strengthen the infrastructure that powers digital commerce worldwide.

In Singapore, @okx and HackerOne brought an elite team of security researchers together for a live hacking event focused on one thing: building trust through real-time collaboration. This was security in action—fast-paced, transparent, and deeply human. Researchers tested live systems. Teams worked side by side. Vulnerabilities were uncovered and addressed when it mattered most. When trust is built in real time, everyone wins. #H165 #TogetherWeHitHarder

Higher education is stepping up its security game 🎓🔐 Kristen Dietiker shares how Santa Clara University launched a bug bounty program to protect its community—and to build the next generation of cybersecurity leaders. Read more ➡️ bit.ly/4bNXf0o

Humans make judgment calls. AI tests everything. As applications grow more complex, it’s easy to miss edge cases or skip endpoints that “don’t look risky.” Security researcher @hakluke breaks down why AI-assisted testing can bring broader coverage, applying intelligence at scale while keeping human validation in the loop. ⬇️ Watch the full video: bit.ly/4ast1xG #AI #CyberRisk #AppSec #SecurityEngineering #AISecurity

The countdown to Nullcon is ON! Remember to sign up to @Adobe’s AI-focused live bug-hunting event. Jump into real-world testing, submit impactful findings, earn rewards, and compete for top prizes as we look for the most valuable AI vulnerabilities aligned to the OWASP Top 10 for LLMs. nullcon.net/goa-2026/live-… #NullconGoa2026 #Adobe #AI #hacking

Point-in-time pentests can’t keep up, while fully autonomous testing creates noise. The solution? HackerOne Agentic PTaaS pairs specially trained AI agents with elite human validation to deliver results based on real-world exploitability, not theory. This 50-second video shows you how it works.

Who’s going to Nullcon this year? If you’re there, make sure to sign up for @Adobe's live bug-hunting event at Nullcon and earn $$$ uncovering AI vulnerabilities across their next-generation products. nullcon.net/goa-2026/live-… #NullconGoa2026 #Adobe #AI #hacking

AI Red Teaming goes beyond jailbreaking models. Security researcher @rez0__ explains the difference between AI Safety and AI security. Find out what he means by “AI appsec” – testing the real vulnerabilities introduced when AI is embedded into production apps. #AISecurity #AIRedTeaming #AppSec #Cybersecurity #BugBounty

At @Deriv, human decision-making remains at the centre of its bug bounty. But find out how by using HackerOne’s AI capabilities, Deriv is able to scale its processes to improve first response times and empower more engineers to take action confidently. 👉 See how Deriv made it work bit.ly/4k9tnxC

@Deriv knows how important a swift response is to building trust with researchers. Find out what “responding in minutes, not hours” looks like in practice with Deriv’s AI-powered Slack workflow bit.ly/4k9tnxC