We are glad to announce our new functionality for defining Scope! HackerOne’s Vulnerability Taxonomy now includes Severity, Weakness type, and Asset.

What is Scope?

Your program’s Scope is the list of items you would like hackers to test and send reports in for. It is often defined by the domain name for web applications, or by the specific App Store / Play store mobile apps that your company builds. It is useful to also note commonly mistaken items that are outside of your Scope – for instance, a website that a third party built as a plugin for your product, but is completely not affiliated with your company.

With this update, program’s Scope can be explained simply by listing Assets (colloquially, attack surfaces). This list of Assets will be surfaced on the program’s profile page, and also the program’s report submission page. The benefit of this structure for clarifying Scope, is that programs can better explain their requirements, and hackers can have clearer expectations.

Listing Assets in Your Program Scope Removes the Guessing Game

Have you ever wanted your reports to just come in with the affected Scope or platform attached, instead of hunting down exactly which marketing site out of the 3 CMSs you use? Did you wish that hackers knew you only cared about your three core sites?  Did you wish you could see data analysis for your iOS app and your Android app respectively? Use our new feature to gain this layer of data on your reports!

How to list your Assets for your program’s Scope:

You can edit the assets listed in your program’s Scope at hackerone.com/[team handle]/policy_and_scope, underneath the policy section.

program policy page hackerone

Set up your Program’s Scope by listing exactly what Assets you care about

By identifying how important each of your sites are, you will gain a pretty chart on your team profile page, and everyone will see which parts of the site you care about and which parts you don’t (see chart below).  

new program scope chart hackerone

In-Product Notifications of Acceptable Scope

Hackers can select the Scope when they are completing their report. If you listed a thing as out of Scope, they will see it on the report submission form too. This way, communication is streamlined which means hackers don’t have to revisit the policy page again and again, and neither do you! (see screenshot below)

in product notifications of acceptable scope hackerone

This feature will help programs more clearly communicate their needs and expectations with hackers. Conversely, hackers can have better ideas around what programs would like them to focus on, and plan their time accordingly.

Here are some resources describing this feature and instructions on setting it up for your program:

What are you waiting for? Go for it!

Stay tuned for a comprehensive overview of Hackerone’s Vulnerability Taxonomy in a few weeks! In the meantime, let us know how you like our new functionality for Scope!


HackerOne is the #1 hacker-powered security platform, helping organizations find and fix critical vulnerabilities before they can be criminally exploited. As the contemporary alternative to traditional penetration testing, our bug bounty program solutions encompass vulnerability assessment, crowdsourced testing and responsible disclosure management. Discover more about our security testing solutions or Contact Us today.

Posted by Charlie