
Introduction

API Reference

API Endpoint

https://api.hackerone.com/

The HackerOne API can be used to query or update information about reports and your HackerOne program.

The API always returns a JSON response and implements REST to access resources. The API can only be accessed over HTTPS. It is compliant with the JSON API specification.

API tokens can be generated from your Program Settings if you are already using HackerOne Professional, Community, or Enterprise edition. Otherwise, you can contact sales to upgrade your program or create a test program to experiment with the API.

Changelog

October 18, 2019: Added attribute for requesting report disclosure to show the disclosure timestamp.

October 15, 2019: Added endpoint for requesting report disclosure.

October 11, 2019: Added endpoint for showing program policy and its attachments.

October 10, 2019: Added endpoint for fetching bounty suggestions.

October 10, 2019: Added endpoint to fetch all program swag.

October 9, 2019: Added endpoint for filtering reports by keywords.

October 9, 2019: Enabled filtering reports by severities.

October 8, 2019: Added endpoint for updating report structured scope.

October 7, 2019: Added endpoint for getting program's balance.

October 7, 2019: Added endpoint for fetching program payment transactions.

October 7, 2019: Added endpoint for fetching program thanks items.

October 3, 2019: Enabled filtering reports by weaknesses.

September 26, 2019: Added endpoint for marking swag as sent.

September 25, 2019: Made title, vulnerability information, impact, and source parameters required for the report create endpoint.

September 5, 2019: Added endpoint to mark a report as ineligible for bounty.

August 29, 2019: Added endpoint for updating program policy.

August 23, 2019: Added endpoint for updating report weakness.

Aug 22, 2019: Added endpoint to create reports.

August 21, 2019: Added endpoint for fetching program weaknesses.

June 26, 2019: Added a severity parameter to create a program bounty; it sets the severity for the created report.

June 25, 2019: Made the recipient parameter optional to create a program bounty and added the claim link to the response.

May 23, 2019: Added filter attribute to include/exclude hacker published reports.

May 15, 2019: Added endpoint to read Audit Log for a Program.

April 24, 2019: Expose Custom Field Attributes on a Program and added endpoint for updating Custom Field Values on a Report.

February 19, 2019: Added endpoint for creating/updating severities on reports.

February 4, 2019: Enabled filtering reports by assignee emails.

December 4, 2018: Added endpoints for fetching, creating, updating, and archiving structured scopes.

November 26, 2018: Added activities endpoint.

November 8, 2018: Enabled filtering reports by assignees.

August 20, 2018: Added attribute to report to show CVE IDs.

July 6, 2018: Added endpoint for fetching specific data of a user.

August 29, 2017: added endpoint for fetching common responses of a program.

August 28, 2017: added endpoints for awarding bounties, suggesting bounties, and for awarding swag.

May 10th, 2017: added last_public_activity_at in favor of last_activity_at. The new attribute can be used in filtering and exposes the date of the last public activity. The last_activity_at attribute will now return the date of the last activity, both public and internal.

March 29th, 2017: added endpoint to disable commenting / locking a report.

March 28th, 2017: added the reports resource that enables the user to update the title of reports that are received by teams the API user is part of.

February 20th, 2017: added the me resource that enables the user to query the programs the API user is part of.

January 26th, 2017: added ability to filter reports based on user usernames. Added endpoint to retrieve a list of users that participated in a program.

November 23rd, 2016: added ability to set a page size when querying reports.

November 2nd, 2016: added ability to change the state of a report object and added ability to post internal and public comments.

October 5th, 2016: added severity relationship to report object.

September 23rd, 2016: added endpoint to query more information about a program.

September 21st, 2016: added ability to assign users and groups to a report.

August 24th, 2016: added reputation, signal, and impact metrics of a report's reporter.

July 19th, 2016: removed inlining of a report in the bug cloned activity to avoid a denial of service vulnerability when the original report references the cloned report.

July 19th, 2016: fixed a bug where the time in a date filter was erroneously truncated.

July 18th, 2016: added activity objects for hacker mediation requests and vulnerability types updates.

June 1st, 2016: the endpoint for querying reports now returns descriptive errors in case an invalid filter value is given.

May 23rd, 2016: added last_activity_at attribute to the report object and as a filter for querying reports.

May 23rd, 2016: removed inlined duplicate report object from activities relationship when a single report is fetched.

May 6th, 2016: introduced endpoint to query multiple reports.

April 14th, 2016: introduced endpoint to query a single report.

Clients

There are open source API clients that are maintained by our customers and hackers. These libraries welcome contributions and can be found on GitHub.

Ruby: hackerone-client

Python: h1-python

Go: hackeroni

Erlang: h1.erl

Node.js: hackerone

Use cases

Get a list of new and triaged reports

  require 'httparty'

  basic_auth = {
    username: 'api_example_company',
    password: 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=',
  }

  query = {
    filter: {
      program: ['john_doe_example_company'],
      state: ['new', 'triaged'],
    },
    sort: 'reports.last_program_activity_at',
  }

  HTTParty.get 'https://api.hackerone.com/v1/reports',
    query: query,
    basic_auth: basic_auth

A Ruby example to get a list of new and triaged reports. Requires 3rd party gem HTTParty to be installed.

The API is made for customers that have a need to access and interact with their HackerOne report data and be able to automate their workflows. Customers use this to generate dashboards, automatically escalate reports to their internal systems, assign users based on on-call personnel or when an internal ticket is resolved, interact with the reporters, and more. The public API provides a bi-directional channel to consume and interact with reports.

We have provided a code example above to show how easy it is to use. The code example fetches new and triaged reports, sorted by the last time someone from your program touched them.

Authentication

cURL example

  curl "https://api.hackerone.com/v1/reports/129329" \
    -u "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ="

Replace the example credentials in the example above with your own.

HTTP Basic authentication is used to authenticate to the API. As an Admin User you can generate and manage API Tokens from your program's API settings page. The API Token identifier and value are used as the username and password for basic authentication and must be sent in the Authorization header for every request.

If you set up an IP whitelist for your account and provide valid credentials from an IP address that is not on the whitelist, the server will respond with a 403 Forbidden response. If an invalid token is provided, the server will respond with a 401 Unauthorized response. See the error codes section for more information on how these errors are returned.

Versioning

URL structure

https://api.hackerone.com/{version}/{resource}

The entire API uses a global version. For every backwards-incompatible change, the version is bumped. There is no default version, so the requested version must be specified in the resource URL.

Introducing new attributes or resources is not considered backwards-incompatible, and they can be added to the latest stable version at any time.

Reports

This API is built around reports as its core resource. The report object contains the information that hackers submitted to a program, the interactions the program users had with the report, and all additional meta information like bounties, swag, and internal references.

The next section will give an overview of what a Report object looks like. The sections after that will show the endpoints that have been implemented for this resource.

Get All Reports

Description: Multiple report objects can be queried that meet certain filtering criteria by sending a GET request to the reports endpoint. When the request is successful, the API will respond with paginated report objects.

The following report relationships are included: reporter, assignee (a user or group), weakness, program, and bounties.

Query reports

curl "https://api.hackerone.com/v1/reports?filter\[program\]\[\]=john_doe_example_company" \
  -u "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ="

Example response (200 OK)

{
  "data": [
    {
      "id": "1337",
      "type": "report",
      "attributes": {
        "title": "XSS in login form",
        "state": "new",
        "created_at": "2016-02-02T04:05:06.000Z",
        "vulnerability_information": "...",
        "triaged_at": null,
        "closed_at": null,
        "last_reporter_activity_at": null,
        "first_program_activity_at": null,
        "last_program_activity_at": null,
        "bounty_awarded_at": null,
        "last_activity_at": null,
        "last_public_activity_at": null,
        "swag_awarded_at": null,
        "disclosed_at": null,
        "source": null
      },
      "relationships": {
        "reporter": {
          "data": {
            "id": "1337",
            "type": "user",
            "attributes": {
              "username": "api-example",
              "name": "API Example",
              "disabled": false,
              "created_at": "2016-02-02T04:05:06.000Z",
              "profile_picture": {
                "62x62": "/assets/avatars/default.png",
                "82x82": "/assets/avatars/default.png",
                "110x110": "/assets/avatars/default.png",
                "260x260": "/assets/avatars/default.png"
              }
            }
          }
        },
        "program": {
          "data": {
            "id": "1337",
            "type": "program",
            "attributes": {
              "handle": "security",
              "created_at": "2016-02-02T04:05:06.000Z",
              "updated_at": "2016-02-02T04:05:06.000Z"
            }
          }
        },
        "weakness": {
          "data": {
            "id": "1337",
            "type": "weakness",
            "attributes": {
              "name": "Cross-Site Request Forgery (CSRF)",
              "description": "The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.",
              "external_id": "cwe-352",
              "created_at": "2016-02-02T04:05:06.000Z"
            }
          }
        },
        "bounties": {
          "data": [

          ]
        }
      }
    },
    {
      "id": "1338",
      "type": "report",
      "attributes": {
        "title": "CSRF in admin panel",
        "state": "triaged",
        "created_at": "2016-02-02T04:05:06.000Z",
        "vulnerability_information": "...",
        "triaged_at": "2016-02-03T03:01:36.000Z",
        "closed_at": null,
        "last_reporter_activity_at": null,
        "first_program_activity_at": null,
        "last_program_activity_at": null,
        "bounty_awarded_at": null,
        "swag_awarded_at": null,
        "disclosed_at": null,
        "issue_tracker_reference_id": "T554",
        "issue_tracker_reference_url": "https://phabricator.tld/T554",
        "cve_ids": [],
        "source": null
      },
      "relationships": {
        "reporter": {
          "data": {
            "id": "1337",
            "type": "user",
            "attributes": {
              "username": "api-example",
              "name": "API Example",
              "disabled": false,
              "created_at": "2016-02-02T04:05:06.000Z",
              "profile_picture": {
                "62x62": "/assets/avatars/default.png",
                "82x82": "/assets/avatars/default.png",
                "110x110": "/assets/avatars/default.png",
                "260x260": "/assets/avatars/default.png"
              }
            }
          }
        },
        "program": {
          "data": {
            "id": "1337",
            "type": "program",
            "attributes": {
              "handle": "security",
              "created_at": "2016-02-02T04:05:06.000Z",
              "updated_at": "2016-02-02T04:05:06.000Z"
            }
          }
        },
        "weakness": {
          "data": {
            "id": "1337",
            "type": "weakness",
            "attributes": {
              "name": "Cross-Site Request Forgery (CSRF)",
              "description": "The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.",
              "external_id": "cwe-352",
              "created_at": "2016-02-02T04:05:06.000Z"
            }
          }
        },
        "bounties": {
          "data": [

          ]
        }
      }
    },
    "..."
  ],
  "links": {
    "self": "https://api.hackerone.com/v1/reports?filter%5Bprogram%5D%5B%5D=security&page%5Bnumber%5D=1",
    "next": "https://api.hackerone.com/v1/reports?filter%5Bprogram%5D%5B%5D=security&page%5Bnumber%5D=2",
    "last": "https://api.hackerone.com/v1/reports?filter%5Bprogram%5D%5B%5D=security&page%5Bnumber%5D=5"
  }
}

HTTP Request

GET https://api.hackerone.com/v1/reports

Parameters

Name Description Required Type
filter Filters that can be used to drill-down reports. Yes object
filter[program] The program handles you want to fetch the reports for. Yes String[]
filter[reporter] The user usernames you want to fetch the reports for. No String[]
filter[assignee] The assigned user usernames, emails or group names you want to fetch the reports for. No String[]
filter[state] Allows to filter by current report state. Default: ["new", "triaged", "needs-more-info", "resolved", "not-applicable", "informative", "duplicate", "spam"]. Possible values: new, triaged, needs-more-info, resolved, not-applicable, informative, duplicate, spam. No String[]
filter[id] Allows to filter by report ID. No Integer[]
filter[weakness_id] Allows to filter by weaknesses. No Integer[]
filter[severity] The severity ratings you want to fetch the reports for. Default: ["none", "low", "medium", "high", "critical"]. Possible values: none, low, medium, high, critical. No String[]
filter[hacker_published] Allows to filter by reports that are published by hackers, depending on the value of this parameter. No Boolean
filter[created_at__gt] Allows to filter by reports that were created after the date specified in this parameter. No Date
filter[created_at__lt] Allows to filter by reports that were created before the date specified in this parameter. No Date
filter[triaged_at__gt] Allows to filter by reports that were triaged after the date specified in this parameter. No Date
filter[triaged_at__lt] Allows to filter by reports that were triaged before the date specified in this parameter. No Date
filter[triaged_at__null] Allows to filter by reports that are triaged or not, depending on the value of this parameter. No Boolean
filter[closed_at__gt] Allows to filter by reports that were closed after the date specified in this parameter. No Date
filter[closed_at__lt] Allows to filter by reports that were closed before the date specified in this parameter. No Date
filter[closed_at__null] Allows to filter by reports that are closed or not, depending on the value of this parameter. No Boolean
filter[disclosed_at__gt] Allows to filter by reports that were disclosed after the date specified in this parameter. No Date
filter[disclosed_at__lt] Allows to filter by reports that were disclosed before the date specified in this parameter. No Date
filter[disclosed_at__null] Allows to filter by reports that are disclosed or not, depending on the value of this parameter. No Boolean
filter[bounty_awarded_at__gt] Allows to filter by reports that have a bounty awarded after the date specified in this parameter. No Date
filter[bounty_awarded_at__lt] Allows to filter by reports that have a bounty awarded before the date specified in this parameter. No Date
filter[bounty_awarded_at__null] Allows to filter by reports that have a bounty awarded or not, depending on the value of this parameter. No Boolean
filter[swag_awarded_at__gt] Allows to filter by reports that have swag awarded after the date specified in this parameter. No Date
filter[swag_awarded_at__lt] Allows to filter by reports that have swag awarded before the date specified in this parameter. No Date
filter[swag_awarded_at__null] Allows to filter by reports that have swag awarded or not, depending on the value of this parameter. No Boolean
filter[last_reporter_activity_at__gt] Allows to filter by reports that received an update from the reporter after the date specified in this parameter. No Date
filter[last_reporter_activity_at__lt] Allows to filter by reports that received an update from the reporter before the date specified in this parameter. No Date
filter[first_program_activity_at__gt] Allows to filter by reports that received the first update from the program after the date specified in this parameter. No Date
filter[first_program_activity_at__lt] Allows to filter by reports that received the first update from the program before the date specified in this parameter. No Date
filter[first_program_activity_at__null] Allows to filter by reports where the reporter received an update from the program or not, depending on the value of this parameter. No Boolean
filter[last_program_activity_at__gt] Allows to filter by reports that received an update from the program after the date specified in this parameter. No Date
filter[last_program_activity_at__lt] Allows to filter by reports that received an update from the program before the date specified in this parameter. No Date
filter[last_activity_at__gt] Allows to filter by reports that received an update after the date specified in this parameter. No Date
filter[last_activity_at__lt] Allows to filter by reports that received an update before the date specified in this parameter. No Date
filter[last_public_activity_at__gt] Allows to filter by reports that received a public update after the date specified in this parameter. No Date
filter[last_public_activity_at__lt] Allows to filter by reports that received a public update before the date specified in this parameter. No Date
filter[keyword] Allows to filter reports by title and details keyword. No String
filter[custom_fields] Allows to filter reports by a Custom Field Label and Value. No Custom-Field-Input[]
page This parameter can be used to specify the page number and size the client wants to query. No object
page[number] The page to retrieve. Default: 1. No Integer
page[size] The number of objects per page; currently limited from 1 to 100. Default: 25. No Integer
sort The attributes and order to sort the reports on. This parameter may contain multiple attributes that the reports should be sorted on. Sorting is applied in the specified order of attributes. If an attribute should be sorted descending, prepend a hyphen (-). The following attributes can be used for sorting: reports.swag_awarded_at, reports.bounty_awarded_at, reports.last_reporter_activity_at, reports.first_program_activity_at, reports.last_program_activity_at, reports.triaged_at, reports.created_at, reports.closed_at, reports.last_activity_at, and reports.disclosed_at. Default: -reports.created_at. No String
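
An added example, not part of the HackerOne documentation, that combines the authentication rules with the paginated response above: it sends the API Token as HTTP Basic credentials, encodes the filter and page parameters, and follows links.next only while the link stays on the HTTPS API host, so the token is never sent anywhere else. The helper names, the H1_* environment variable names and the sample pages are assumptions constructed for illustration.

```python
import base64
import json
import os
import urllib.error
import urllib.parse
import urllib.request

API_ORIGIN = ("https", "api.hackerone.com")  # scheme and host of the API endpoint
REPORTS_URL = "https://api.hackerone.com/v1/reports"


def basic_auth_header(identifier, token):
    """API Token identifier and value as the HTTP Basic username and password."""
    raw = f"{identifier}:{token}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def build_reports_url(programs, states=(), page_size=25, sort=None):
    """Encode filter[program][], filter[state][], page[size] and sort."""
    if not programs:
        raise ValueError("filter[program] is required")
    if not 1 <= page_size <= 100:
        raise ValueError("page[size] is limited from 1 to 100")
    params = [("filter[program][]", handle) for handle in programs]
    params += [("filter[state][]", state) for state in states]
    params.append(("page[size]", str(page_size)))
    if sort:
        params.append(("sort", sort))
    return REPORTS_URL + "?" + urllib.parse.urlencode(params)


def require_api_origin(url):
    """Refuse to send credentials anywhere but the HTTPS API host."""
    parts = urllib.parse.urlsplit(url)
    if (parts.scheme, parts.hostname) != API_ORIGIN or parts.port not in (None, 443):
        raise ValueError(f"refusing to follow link outside the API origin: {url}")
    return url


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # urllib would otherwise resend the Authorization header


_OPENER = urllib.request.build_opener(_NoRedirect)


def http_get_json(url, auth_header):
    """GET one page; map the two authentication failures the page describes."""
    request = urllib.request.Request(
        require_api_origin(url),
        headers={"Authorization": auth_header, "Accept": "application/json"},
    )
    try:
        with _OPENER.open(request, timeout=30) as response:
            return json.load(response)
    except urllib.error.HTTPError as err:
        if err.code == 401:
            raise PermissionError("401 Unauthorized: the API token was rejected") from err
        if err.code == 403:
            raise PermissionError("403 Forbidden: IP whitelist or permissions") from err
        raise


def iter_reports(first_url, fetch, max_pages=500):
    """Yield every report object, following links.next until it is absent."""
    url, visited = first_url, set()
    while url:
        if url in visited or len(visited) >= max_pages:
            raise RuntimeError("pagination loop or page limit reached")
        visited.add(url)
        page = fetch(require_api_origin(url))
        yield from (item for item in page.get("data", []) if isinstance(item, dict))
        url = page.get("links", {}).get("next")


# Constructed sample pages, trimmed to the fields used here.
FIRST_PAGE_URL = build_reports_url(["security"], page_size=2)
SECOND_PAGE_URL = FIRST_PAGE_URL + "&page%5Bnumber%5D=2"
SAMPLE_PAGES = {
    FIRST_PAGE_URL: {
        "data": [
            {"id": "1337", "type": "report", "attributes": {"state": "new"}},
            {"id": "1338", "type": "report", "attributes": {"state": "triaged"}},
        ],
        "links": {"self": FIRST_PAGE_URL, "next": SECOND_PAGE_URL},
    },
    SECOND_PAGE_URL: {
        "data": [{"id": "1339", "type": "report", "attributes": {"state": "new"}}],
        "links": {"self": SECOND_PAGE_URL},
    },
}


def sample_report_ids():
    """Walk the constructed pages offline and return the report IDs in order."""
    return [r["id"] for r in iter_reports(FIRST_PAGE_URL, SAMPLE_PAGES.__getitem__)]


if __name__ == "__main__":
    # Hypothetical variable names; keep the token out of source and shell history.
    wanted = ("H1_API_IDENTIFIER", "H1_API_TOKEN", "H1_PROGRAM")
    if all(name in os.environ for name in wanted):
        auth = basic_auth_header(os.environ[wanted[0]], os.environ[wanted[1]])
        start = build_reports_url([os.environ[wanted[2]]], ["new", "triaged"], 100)
        for report in iter_reports(start, lambda u: http_get_json(u, auth)):
            print(report["id"], report["attributes"]["state"])
    else:
        print(sample_report_ids())
```
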

Get Report

Read a report

curl "https://api.hackerone.com/v1/reports/129329" \
  -u "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ="

Example Response (200 OK)

{
  "data": {
    "id": "1337",
    "type": "report",
    "attributes": {
      "title": "XSS in login form",
      "state": "new",
      "created_at": "2016-02-02T04:05:06.000Z",
      "vulnerability_information": "...",
      "triaged_at": null,
      "closed_at": null,
      "last_reporter_activity_at": null,
      "first_program_activity_at": null,
      "last_program_activity_at": null,
      "bounty_awarded_at": null,
      "swag_awarded_at": null,
      "disclosed_at": null,
      "source": null
    },
    "relationships": {
      "reporter": {
        "data": {
          "id": "1337",
          "type": "user",
          "attributes": {
            "username": "api-example",
            "name": "API Example",
            "disabled": false,
            "created_at": "2016-02-02T04:05:06.000Z",
            "profile_picture": {
              "62x62": "/assets/avatars/default.png",
              "82x82": "/assets/avatars/default.png",
              "110x110": "/assets/avatars/default.png",
              "260x260": "/assets/avatars/default.png"
            }
          }
        }
      },
      "program": {
        "data": {
          "id": "1337",
          "type": "program",
          "attributes": {
            "handle": "security",
            "created_at": "2016-02-02T04:05:06.000Z",
            "updated_at": "2016-02-02T04:05:06.000Z"
          }
        }
      },
      "swag": {
        "data": [

        ]
      },
      "attachments": {
        "data": [

        ]
      },
      "weakness": {
        "data": {
          "id": "1337",
          "type": "weakness",
          "attributes": {
            "name": "Cross-Site Request Forgery (CSRF)",
            "description": "The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.",
            "external_id": "cwe-352",
            "created_at": "2016-02-02T04:05:06.000Z"
          }
        }
      },
      "activities": {
        "data": [

        ]
      },
      "bounties": {
        "data": [

        ]
      },
      "summaries": {
        "data": [

        ]
      }
    }
  }
}

Description: A report object can be fetched by sending a GET request to a unique report object. In case the request was successful, the API will respond with a report object.

The following report relationships are included: reporter, assignee (a user or group), weakness, program, bounties, swag, activities, attachments, and summaries.

HTTP Request

GET https://api.hackerone.com/v1/reports/{id}

URI Parameters

Name Description Required Type
id The ID of the report. Yes Integer

Create Report

Create a report for a program

curl "https://api.hackerone.com/v1/reports" \
  -X POST \
  -u "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=" \
  -H "Content-Type: application/json" \
  -d @- <<EOD
    {
      "data": {
        "type": "report",
        "attributes": {
          "team_handle": "security",
          "title": "XSS in login form",
          "vulnerability_information": "...",
          "impact": "...",
          "severity_rating": "medium",
          "weakness_id": "1337",
          "structured_scope_id": "287",
          "source": "detectify"
        }
      }
    }
EOD

Example response (200 OK)

{
  "data": {
    "id": "1337",
    "type": "report",
    "attributes": {
      "title": "XSS in login form",
      "state": "new",
      "created_at": "2016-02-02T04:05:06.000Z",
      "vulnerability_information": "...",
      "triaged_at": null,
      "closed_at": null,
      "last_reporter_activity_at": null,
      "first_program_activity_at": null,
      "last_program_activity_at": null,
      "bounty_awarded_at": null,
      "swag_awarded_at": null,
      "disclosed_at": null,
      "source": null
    },
    "relationships": {
      "reporter": {
        "data": {
          "id": "1337",
          "type": "user",
          "attributes": {
            "username": "api-example",
            "name": "API Example",
            "disabled": false,
            "created_at": "2016-02-02T04:05:06.000Z",
            "profile_picture": {
              "62x62": "/assets/avatars/default.png",
              "82x82": "/assets/avatars/default.png",
              "110x110": "/assets/avatars/default.png",
              "260x260": "/assets/avatars/default.png"
            }
          }
        }
      },
      "program": {
        "data": {
          "id": "1337",
          "type": "program",
          "attributes": {
            "handle": "security",
            "created_at": "2016-02-02T04:05:06.000Z",
            "updated_at": "2016-02-02T04:05:06.000Z"
          }
        }
      },
      "swag": {
        "data": [

        ]
      },
      "attachments": {
        "data": [

        ]
      },
      "weakness": {
        "data": {
          "id": "1337",
          "type": "weakness",
          "attributes": {
            "name": "Cross-Site Request Forgery (CSRF)",
            "description": "The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.",
            "external_id": "cwe-352",
            "created_at": "2016-02-02T04:05:06.000Z"
          }
        }
      },
      "activities": {
        "data": [

        ]
      },
      "bounties": {
        "data": [

        ]
      },
      "summaries": {
        "data": [

        ]
      }
    }
  }
}

This API endpoint can be used to create a report. When the API call is successful, a report object will be returned.

Required permission: Report Management. You can manage the permissions of your API users through your program's settings. Insufficient permissions will result in a 403 Forbidden response.

HTTP Request

POST https://api.hackerone.com/v1/reports

Request Body

Name Description Possible Values Required Type
data This object contains the information to create a report. Yes Object
data/type report Yes String
data/attributes Yes Object
data/attributes/team_handle The handle of the team that the report is being submitted to. Yes String
data/attributes/title The title of the report. Yes String
data/attributes/vulnerability_information Detailed information about the vulnerability including the steps to reproduce and supporting material/references. Yes String
data/attributes/impact The security impact that an attacker could achieve. Yes String
data/attributes/severity_rating The severity rating of the security vulnerability. none, low, medium, high, critical No String
data/attributes/weakness_id The ID of the Weakness object that describes the type of the potential issue. No Integer
data/attributes/structured_scope_id The ID of the StructuredScope object that describes the attack surface. No Integer
data/attributes/source A free-form string defining the source of the report for tracking purposes. For example, "detectify", "rapid7" or "jira". Yes String

Update Title

Changing the title of a report through the HackerOne API can be useful to programmatically batch update received reports in HackerOne.

Update the title of a report

curl "https://api.hackerone.com/v1/reports/129329/title" \
  -X PUT \
  -u "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=" \
  -H "Content-Type: application/json" \
  -d @- <<EOD
    {
      "data": {
        "type": "report-title",
        "attributes": {
          "title": "Report Title Updated!"
        }
      }
    }
EOD

Example response (200 OK)

{
  "id": "1337",
  "type": "activity-report-title-updated",
  "attributes": {
    "message": "Report Title Updated!",
    "created_at": "2016-02-02T04:05:06.000Z",
    "updated_at": "2016-02-02T04:05:06.000Z",
    "internal": false,
    "old_title": "xss",
    "new_title": "XSS in login form"
  },
  "relationships": {
    "actor": {
      "data": {
        "id": "1337",
        "type": "user",
        "attributes": {
          "username": "api-example",
          "name": "API Example",
          "disabled": false,
          "created_at": "2016-02-02T04:05:06.000Z",
          "profile_picture": {
            "62x62": "/assets/avatars/default.png",
            "82x82": "/assets/avatars/default.png",
            "110x110": "/assets/avatars/default.png",
            "260x260": "/assets/avatars/default.png"
          }
        }
      }
    }
  }
}

Description: Changing the title of a report can be done through this endpoint. This API endpoint cannot be used for reports that have been reported outside of the HackerOne platform.

Required permission: Report Management. You can manage the permissions of your API users through your program's settings. Insufficient permissions will result in a 403 Forbidden response.

HTTP Request

PUT https://api.hackerone.com/v1/reports/{id}/title

URI Parameters

Name Description Required Type
id The ID of the report. Yes Integer

Request Body

Name Description Required Type
data This object contains the information to change the title of a report. Yes Object
data/type Possible values: report-title Yes String
data/attributes Yes Object
data/attributes/title The new title that will be set on the report. Yes String

Update Structured Scope

Update the structured scope of a report

curl "https://api.hackerone.com/v1/reports/77/structured_scope" \
  -X PUT \
  -u "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=" \
  -H "Content-Type: application/json" \
  -d @- <<EOD
    {
      "data": {
        "type": "report-structured-scope",
        "attributes": {
          "structured_scope_id": "57"
        }
      }
    }
EOD

Example response (200 OK)

{
  "id": "77",
  "type": "report",
  "attributes": {
    "title": "XSS in login form",
    "state": "new",
    "created_at": "2019-08-20T14:26:19.286Z",
    "vulnerability_information": "...",
    "triaged_at": null,
    "closed_at": null,
    "last_reporter_activity_at": "2019-08-20T14:26:20.531Z",
    "first_program_activity_at": "2019-08-20T14:26:20.531Z",
    "last_program_activity_at": "2019-08-20T15:25:56.627Z",
    "bounty_awarded_at": null,
    "swag_awarded_at": null,
    "disclosed_at": null,
    "last_public_activity_at": "2019-08-20T15:25:56.627Z",
    "last_activity_at": "2019-08-20T15:25:56.627Z",
    "cve_ids": [],
    "source": null
  },
  "relationships": {
    "structured_scope": {
      "data": {
        "id": "57",
        "type": "structured-scope",
        "attributes": {
          "asset_identifier": "api.example.com",
          "asset_type": "url",
          "confidentiality_requirement": "high",
          "integrity_requirement": "high",
          "availability_requirement": "high",
          "max_severity": "critical",
          "created_at": "2015-02-02T04:05:06.000Z",
          "updated_at": "2016-05-02T04:05:06.000Z",
          "instruction": null,
          "eligible_for_bounty": true,
          "eligible_for_submission": true,
          "reference": "H001001"
        }
      }
    }
  }
}

Changing the structured scope of a report can be done through this endpoint. This API endpoint cannot be used for reports that have been reported outside of the HackerOne platform.

Required permission: Report Management. You can manage the permissions of your API users through your program's settings. Insufficient permissions will result in a 403 Forbidden response.

HTTP Request

PUT https://api.hackerone.com/v1/reports/{id}/structured_scope

URI Parameters

Name Description Required Type
id The ID of the report. Yes Integer

Request Body

Name Description Possible Values Required Type
data This object contains the information to change the structured scope of a report. Yes Object
data/type report-structured-scope Yes String
data/attributes Yes Object
data/attributes/structured_scope_id The new structured scope that will be set on the report. Yes Integer

Update Weakness

Update the weakness of a report

curl "https://api.hackerone.com/v1/reports/129329/weakness" \
  -X PUT \
  -u "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=" \
  -H "Content-Type: application/json" \
  -d @- <<EOD
    {
      "data": {
        "type": "report-weakness",
        "attributes": {
          "weakness_id": "123"
        }
      }
    }
EOD

Example response (200 OK)

{
  "id": "77",
  "type": "report",
  "attributes": {
    "title": "XSS in login form",
    "state": "new",
    "created_at": "2019-08-20T14:26:19.286Z",
    "vulnerability_information": "...",
    "triaged_at": null,
    "closed_at": null,
    "last_reporter_activity_at": "2019-08-20T14:26:20.531Z",
    "first_program_activity_at": "2019-08-20T14:26:20.531Z",
    "last_program_activity_at": "2019-08-20T15:25:56.627Z",
    "bounty_awarded_at": null,
    "swag_awarded_at": null,
    "disclosed_at": null,
    "last_public_activity_at": "2019-08-20T15:25:56.627Z",
    "last_activity_at": "2019-08-20T15:25:56.627Z",
    "cve_ids": [],
    "source": null
  },
  "relationships": {
    "weakness": {
      "data": {
        "id": "77",
        "type": "weakness",
        "attributes": {
          "name": "Reliance on Reverse DNS Resolution for a Security-Critical Action",
          "description": "The software performs reverse DNS resolution on an IP address to obtain the hostname and make a security decision, but it does not properly ensure that the IP address is truly associated with the hostname.",
          "external_id": "cwe-350",
          "created_at": "2019-07-12T08:36:13.646Z"
        }
      }
    }
  }
}

Description: Changing the weakness of a report can be done through this endpoint. This API endpoint cannot be used for reports that have been reported outside of the HackerOne platform.

Required permission: Report Management. You can manage the permissions of your API users through your program's settings. Insufficient permissions will result in a 403 Forbidden response.

HTTP Request

PUT https://api.hackerone.com/v1/reports/{id}/weakness

URI Parameters

Name Description Required Type
id The ID of the report. Yes Integer

Request Body

Name Description Possible Values Required Type
data This object contains the information to change the weakness of a report. Yes Object
data/type report-weakness Yes String
data/attributes Yes Object
data/attributes/weakness_id The new weakness that will be set on the report. Yes Integer

Update Severity

Create severity

curl "https://api.hackerone.com/v1/reports/172932/severities" \
  -X POST \
  -u "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=" \
  -H "Content-Type: application/json" \
  -d @- <<EOD
    {
      "data": {
        "attributes": {
          "rating": "high",
          "attack_complexity": "",
          "attack_vector": "",
          "availability": "",
          "confidentiality": "",
          "integrity": "",
          "privileges_required": "",
          "scope": "",
          "user_interaction": ""
        }
      }
    }
EOD

Example response (200 OK)

{
  "data": {
    "id": "2057",
    "type": "severity",
    "attributes": {
      "rating": "high",
      "created_at": "2017-08-22T15:09:44.176Z"
    }
  }
}

Description: You can use this endpoint to create / update the severity of the provided report. If the report already has a severity, a new one will be created and used as the current severity.

Required permission: Report Management. You can manage the permissions of your API users through your program's settings. Insufficient permissions will result in a 404 Not Found response.

HTTP Request

POST https://api.hackerone.com/v1/reports/{id}/severities

URI Parameters

Name Description Required Type
id The ID of the report. Yes Integer

Request Body

| Name | Description | Possible Values | Required | Type |
| --- | --- | --- | --- | --- |
| data | This object contains the information required to create a severity. | | Yes | Object |
| data/attributes | | | Yes | Object |
| data/attributes/rating | The qualitative rating of the severity. Provided either directly from the author or mapped from the calculated vulnerability score. | none, low, medium, high, critical | No | String |
| data/attributes/score | The vulnerability score calculated from the Common Vulnerability Scoring System (CVSS). Only present if CVSS metrics were provided. | | No | Number |
| data/attributes/attack_vector | A CVSS metric that reflects the context by which vulnerability exploitation is possible. | network, adjacent, local, physical | No | String |
| data/attributes/attack_complexity | A CVSS metric that describes the conditions beyond the attacker's control that must exist in order to exploit the vulnerability. | low, high | No | String |
| data/attributes/privileges_required | A CVSS metric that describes the level of privileges an attacker must possess before successfully exploiting the vulnerability. | none, low, high | No | String |
| data/attributes/user_interaction | A CVSS metric that captures the requirement for a user, other than the attacker, to participate in the successful compromise of the vulnerable component. | none, required | No | String |
| data/attributes/scope | A CVSS metric that determines if a successful attack impacts a component other than the vulnerable component. | unchanged, changed | No | String |
| data/attributes/confidentiality | A CVSS metric that measures the impact to the confidentiality of the information resources managed by a software component due to a successfully exploited vulnerability. | none, low, high | No | String |
| data/attributes/integrity | A CVSS metric that measures the impact to the integrity of a successfully exploited vulnerability. | none, low, high | No | String |
| data/attributes/availability | A CVSS metric that measures the availability of the impacted component resulting from a successfully exploited vulnerability. | none, low, high | No | String |

Update Assignee

Assign a user

curl "https://api.hackerone.com/v1/reports/129329/assignee" \
  -X PUT \
  -u "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=" \
  -H "Content-Type: application/json" \
  -d @- <<EOD
    {
      "data": {
        "id": 1337,
        "type": "user",
        "attributes": {
          "message": "@member Please check this out!"
        }
      }
    }
EOD

Example response (200 OK)

{
  "id": "1337",
  "type": "report",
  "attributes": {
    "title": "XSS in login form",
    "state": "new",
    "created_at": "2016-02-02T04:05:06.000Z",
    "vulnerability_information": "...",
    "triaged_at": null,
    "closed_at": null,
    "last_reporter_activity_at": null,
    "first_program_activity_at": null,
    "last_program_activity_at": null,
    "bounty_awarded_at": null,
    "swag_awarded_at": null,
    "disclosed_at": null,
    "last_activity_at": null,
    "issue_tracker_reference_url": "https://example.com/reference",
    "cve_ids": [],
    "source": null
  },
  "relationships": {
    "reporter": {
      "data": {
        "id": "1337",
        "type": "user",
        "attributes": {
          "username": "api-example",
          "name": "API Example",
          "disabled": false,
          "created_at": "2016-02-02T04:05:06.000Z",
          "profile_picture": {
            "62x62": "/assets/avatars/default.png",
            "82x82": "/assets/avatars/default.png",
            "110x110": "/assets/avatars/default.png",
            "260x260": "/assets/avatars/default.png"
          },
          "reputation": 7,
          "signal": 7.0,
          "impact": 30.0
        }
      }
    },
    "assignee": {
      "data": {
        "id": "1337",
        "type": "user",
        "attributes": {
          "username": "member",
          "name": "Member",
          "disabled": false,
          "created_at": "2016-02-02T04:05:06.000Z",
          "profile_picture": {
            "62x62": "/assets/avatars/default.png",
            "82x82": "/assets/avatars/default.png",
            "110x110": "/assets/avatars/default.png",
            "260x260": "/assets/avatars/default.png"
          }
        }
      }
    },
    "program": {
      "data": {
        "id": "1337",
        "type": "program",
        "attributes": {
          "handle": "security",
          "created_at": "2016-02-02T04:05:06.000Z",
          "updated_at": "2016-02-02T04:05:06.000Z"
        }
      }
    },
    "swag": {
      "data": [

      ]
    },
    "attachments": {
      "data": [

      ]
    },
    "weakness": {
      "data": {
        "id": "1337",
        "type": "weakness",
        "attributes": {
          "name": "Cross-Site Request Forgery (CSRF)",
          "description": "The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.",
          "external_id": "cwe-352",
          "created_at": "2016-02-02T04:05:06.000Z"
        }
      }
    },
    "activities": {
      "data": [
        {
          "id": "1337",
          "type": "activity-user-assigned-to-bug",
          "attributes": {
            "message": "@member Please check this out!",
            "created_at": "2016-02-02T04:05:06.000Z",
            "updated_at": "2016-02-02T04:05:06.000Z",
            "internal": true
          },
          "relationships": {
            "actor": {
              "data": {
                "id": "1338",
                "type": "user",
                "attributes": {
                  "username": "api_example_company",
                  "name": null,
                  "disabled": false,
                  "created_at": "2016-02-02T04:05:06.000Z",
                  "profile_picture": {
                    "62x62": "/assets/avatars/default.png",
                    "82x82": "/assets/avatars/default.png",
                    "110x110": "/assets/avatars/default.png",
                    "260x260": "/assets/avatars/default.png"
                  }
                }
              }
            },
            "assigned_user": {
              "data": {
                "id": "1337",
                "type": "user",
                "attributes": {
                  "username": "member",
                  "name": "Member",
                  "disabled": false,
                  "created_at": "2016-02-02T04:05:06.000Z",
                  "profile_picture": {
                    "62x62": "/assets/avatars/default.png",
                    "82x82": "/assets/avatars/default.png",
                    "110x110": "/assets/avatars/default.png",
                    "260x260": "/assets/avatars/default.png"
                  }
                }
              }
            }
          }
        }
      ]
    },
    "bounties": {
      "data": [

      ]
    },
    "summaries": {
      "data": [

      ]
    }
  }
}

Description: A user or group can be assigned to a report with this endpoint. An optional message can be specified, which will be posted as an internal comment to the report subscribers. Only users and groups that are part of the program can be assigned. It is not possible to assign API users to a report.

When assigning a single user to a report, that user will be automatically subscribed to the report. In case a group is assigned to a report, all users that are part of that group are subscribed to the report. Subscribers will receive a notification that the report was assigned.

In case the request was successful, the API will respond with the updated report object.

Required permission: Report Management. You can manage the permissions of your API users through your program's settings. Insufficient permissions will result in a 403 Forbidden response.

HTTP Request

PUT https://api.hackerone.com/v1/reports/{id}/assignee

URI Parameters

Name Description Required Type
id The ID of the report. Yes Integer

Request Body

| Name | Description | Required | Type |
| --- | --- | --- | --- |
| data | This object contains the information to assign a user or group object to the report, or to clear the assignee of a report. | Yes | Object |
| data/id | The ID of the user or group. Required unless the type is 'nobody'. | No | Integer |
| data/type | Specifies whether a user or group should be assigned, or if the assignee should be cleared. Possible values: user, group, nobody. | Yes | String |
| data/attributes | | No | Object |
| data/attributes/message | The message that will be posted to the assigned user or group. | No | String |

Change State

Mark a report as resolved

curl "https://api.hackerone.com/v1/reports/129329/state_changes" \
  -X POST \
  -u "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=" \
  -H "Content-Type: application/json" \
  -d @- <<EOD
    {
      "data": {
        "type": "state-change",
        "attributes": {
          "message": "This vulnerability has been resolved. Thanks!",
          "state": "resolved"
        }
      }
    }
EOD

Description: Changing the state of a report can be done through this endpoint. Closing a report as resolved will automatically recognize the finder in the program's hall of fame and reputation will be given. If a report is closed as N/A, informative, or spam, reputation will be deducted from the finder's track record.

There is currently one feature missing from the state change API: the ability to invite the finder of the duplicate to the original report. This feature will be implemented in a future version of the API.

Required permission: Report Management. You can manage the permissions of your API users through your program's settings. Insufficient permissions will result in a 403 Forbidden response.

HTTP Request

POST https://api.hackerone.com/v1/reports/{id}/state_changes

URI Parameters

Name Description Required Type
id The ID of the report. Yes Integer

Request Body

| Name | Description | Possible Values | Required | Type |
| --- | --- | --- | --- | --- |
| data | This object contains the information to change the state of a report. | | Yes | Object |
| data/type | | state-change | Yes | String |
| data/attributes | | | Yes | Object |
| data/attributes/message | The message that will be posted. Required when the new state is needs-more-info, informative, or duplicate. | | No | String |
| data/attributes/state | The state the report needs to be moved to. | new, triaged, needs-more-info, resolved, not-applicable, informative, duplicate, spam | Yes | String |
| data/attributes/original_report_id | The ID of the report to use as the original report. Only available when closing the report as duplicate. | | No | Integer |
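Because a state change can add or deduct reputation, automation that calls this endpoint benefits from checking the request body rules locally before anything is sent. The following is an added example, not HackerOne's own code: the function names are hypothetical, and it only builds the request (HTTP Basic credentials, as `curl -u` sends them) without sending it.

```python
import base64
import json
import urllib.request

API_ROOT = "https://api.hackerone.com/v1"

# States listed in the request body table for data/attributes/state.
ALLOWED_STATES = {
    "new", "triaged", "needs-more-info", "resolved",
    "not-applicable", "informative", "duplicate", "spam",
}
# States for which the table marks the message as required.
MESSAGE_REQUIRED = {"needs-more-info", "informative", "duplicate"}


def is_positive_int(value):
    """True for ints > 0; bools and strings such as '12/../x' are rejected."""
    return isinstance(value, int) and not isinstance(value, bool) and value > 0


def build_state_change(state, message=None, original_report_id=None):
    """Return the request body as a dict, or raise ValueError on a rule violation."""
    if state not in ALLOWED_STATES:
        raise ValueError(f"unknown state: {state!r}")
    if state in MESSAGE_REQUIRED and not (message and message.strip()):
        raise ValueError(f"a message is required when moving to {state!r}")
    if original_report_id is not None:
        if state != "duplicate":
            raise ValueError("original_report_id is only available for 'duplicate'")
        if not is_positive_int(original_report_id):
            raise ValueError("original_report_id must be a positive integer")

    attributes = {"state": state}
    if message:
        attributes["message"] = message
    if original_report_id is not None:
        attributes["original_report_id"] = original_report_id
    return {"data": {"type": "state-change", "attributes": attributes}}


def prepare_request(report_id, body, identifier, token):
    """Build, but do not send, the POST that the curl example issues.

    The report id is interpolated into the URL path, so it must be a real
    integer; this keeps ids taken from tickets or webhooks from altering
    the path. identifier/token are the API user's credentials and should
    come from a secret store, not from source code.
    """
    if not is_positive_int(report_id):
        raise ValueError("report id must be a positive integer")
    credentials = base64.b64encode(f"{identifier}:{token}".encode()).decode()
    return urllib.request.Request(
        f"{API_ROOT}/reports/{report_id}/state_changes",
        data=json.dumps(body).encode(),
        method="POST",
        headers={
            "Content-Type": "application/json",
            "Authorization": f"Basic {credentials}",
        },
    )


if __name__ == "__main__":
    # Constructed sample values; the token is a placeholder, not a real credential.
    body = build_state_change("resolved", "This vulnerability has been resolved. Thanks!")
    request = prepare_request(129329, body, "api_example_company", "PLACEHOLDER_TOKEN")
    print(request.get_method(), request.full_url)
    print(json.dumps(body, indent=2))
```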

Create Comment

Post a public comment

curl "https://api.hackerone.com/v1/reports/129329/activities" \
  -X POST \
  -u "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=" \
  -H "Content-Type: application/json" \
  -d @- <<EOD
    {
      "data": {
        "type": "activity-comment",
        "attributes": {
          "message": "A fix has been deployed. Can you retest, please?",
          "internal": false
        }
      }
    }
EOD

Example response (200 OK)

{
  "data": {
    "id": "1337",
    "type": "activity-comment",
    "attributes": {
      "message": "A fix has been deployed. Can you retest, please?",
      "created_at": "2016-02-02T04:05:06.000Z",
      "updated_at": "2016-02-02T04:05:06.000Z",
      "internal": false
    },
    "relationships": {
      "actor": {
        "data": {
          "id": "1337",
          "type": "user",
          "attributes": {
            "username": "api-example",
            "name": "API Example",
            "disabled": false,
            "created_at": "2016-02-02T04:05:06.000Z",
            "profile_picture": {
              "62x62": "/assets/avatars/default.png",
              "82x82": "/assets/avatars/default.png",
              "110x110": "/assets/avatars/default.png",
              "260x260": "/assets/avatars/default.png"
            }
          }
        }
      }
    }
  }
}

Description: Both public and internal comments can be posted with this endpoint. Comments require a message before they will be posted. If a public comment is posted, any user that is subscribed to the report will receive a notification of the created comment. For internal comments, only people who manage the program and are subscribed to the report will receive a notification.

Required permission: Report Management for posting public comments. Posting internal comments does not require any additional permissions. You can manage the permissions of your API users through your program's settings. Insufficient permissions will result in a 403 Forbidden response.

HTTP Request

POST https://api.hackerone.com/v1/reports/{id}/activities

URI Parameters

Name Description Required Type
id The ID of the report. Yes Integer

Request Body

Name Description Possible Values Required Type
data This object contains the information to create a comment object for the report. Yes Object
data/type Type of activity. activity-comment Yes String
data/attributes Yes Object
data/attributes/message The message that will be posted. Yes String
data/attributes/internal A boolean that indicates whether the comment should be internal or public. Internal comments are only viewable by the users that manage the program. Public comments are viewable by everyone, including the person that submitted the report. Yes Boolean

Close Comments

Lock a report

curl "https://api.hackerone.com/v1/reports/129329/close_comments" \
  -X PUT \
  -u "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=" \
  -H "Content-Type: application/json" \
  -d @- <<EOD
    {
      "data": {
        "type": "activity-comments-closed"
      }
    }
EOD

Example response (200 OK)

{
  "id": "1337",
  "type": "activity-comments-closed",
  "attributes": {
    "message": "Comments Closed!",
    "created_at": "2016-02-02T04:05:06.000Z",
    "updated_at": "2016-02-02T04:05:06.000Z",
    "internal": false
  },
  "relationships": {
    "actor": {
      "data": {
        "id": "1337",
        "type": "user",
        "attributes": {
          "username": "api-example",
          "name": "API Example",
          "disabled": false,
          "created_at": "2016-02-02T04:05:06.000Z",
          "profile_picture": {
            "62x62": "/assets/avatars/default.png",
            "82x82": "/assets/avatars/default.png",
            "110x110": "/assets/avatars/default.png",
            "260x260": "/assets/avatars/default.png"
          }
        }
      }
    }
  }
}

Description: A report can only be locked once. This API endpoint cannot be used for reports that have been reported outside of the HackerOne platform or reported to other teams.

Required permission: Report Management. You can manage the permissions of your API users through your program's settings. Insufficient permissions will result in a 403 Forbidden response.

HTTP Request

PUT https://api.hackerone.com/v1/reports/{id}/close_comments

URI Parameters

Name Description Required Type
id The ID of the report. Yes Integer

Request Body

Name Description Possible Values Required Type
data This object contains the information to lock the report. Yes Object
data/type activity-comments-closed Yes String

Add Summary

This API endpoint allows the user to create a report summary for reports that are received by teams that the user is part of.

Create report summary

curl "https://api.hackerone.com/v1/reports/129329/summaries" \
  -X POST \
  -u "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=" \
  -H "Content-Type: application/json" \
  -d @- <<EOD
    {
      "data": {
        "type": "report-summary",
        "attributes": {
          "content": "There was a cross-site scripting vulnerability in our login form."
        }
      }
    }
EOD

Example response (200 OK)

{
  "id": "1337",
  "type": "report-summary",
  "attributes": {
    "content": "There was a cross-site scripting vulnerability in our login form.",
    "category": "team",
    "created_at": "2016-02-02T04:05:06.000Z",
    "updated_at": "2016-02-02T04:05:06.000Z"
  },
  "relationships": {
    "user": {
      "data": {
        "id": "1337",
        "type": "user",
        "attributes": {
          "username": "api-example",
          "name": "API Example",
          "disabled": false,
          "created_at": "2016-02-02T04:05:06.000Z",
          "profile_picture": {
            "62x62": "/assets/avatars/default.png",
            "82x82": "/assets/avatars/default.png",
            "110x110": "/assets/avatars/default.png",
            "260x260": "/assets/avatars/default.png"
          }
        }
      }
    }
  }
}

Description: A team can only include a single report summary. This API endpoint cannot be used for reports that have been reported outside of the HackerOne platform or reported to other teams.

Required permission: Report Management. You can manage the permissions of your API users through your program's settings. Insufficient permissions will result in a 403 Forbidden response.

HTTP Request

POST https://api.hackerone.com/v1/reports/{id}/summaries

URI Parameters

Name Description Required Type
id The ID of the report. Yes Integer

Request Body

Name Description Possible Values Required Type
data This object contains the information necessary to create a report summary. Yes Object
data/type report-summary Yes String
data/attributes Yes Object
data/attributes/content The content of the report summary to be created. Yes String

Award Bounty

Create a bounty

curl "https://api.hackerone.com/v1/reports/172932/bounties" \
  -X POST \
  -u "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=" \
  -H "Content-Type: application/json" \
  -d @- <<EOD
    {
      "data": {
        "message": "Thanks for the great report. Here's your bounty!",
        "amount": "500",
        "bonus_amount": "250"
      }
    }
EOD

Example response (200 OK)

{
  "data": {
    "id": "58549",
    "type": "bounty",
    "attributes": {
      "amount": "1330.00",
      "bonus_amount": "7.00",
      "awarded_amount": "1330.00",
      "awarded_bonus_amount": "7.00",
      "awarded_currency": "USD",
      "created_at": "2017-08-22T15:03:46.183Z"
    }
  }
}

Description: You can use this endpoint to award bounties to the reporter of the provided report.

Required permission: Reward Management. You can manage the permissions of your API users through your program's settings. Insufficient permissions will result in a 404 Not Found response.

In addition, your program needs to be able to award bounties and the report needs to be eligible for bounties. If either case is false, the call will result in a 403 Forbidden response.

HTTP Request

POST https://api.hackerone.com/v1/reports/{id}/bounties

URI Parameters

Name Located in Description Required Type
id path The ID of the report. Yes

Request Body

Name Description Required Type
data This object contains the information required to create a bounty. Yes Object
data/message The public message posted on the report. Always required. Yes String
data/amount The bounty amount to award to the reporter. Only one of amount or bonus amount is required. Must be a positive number, and, when provided, must be equal to or greater than your minimum bounty. No Number
data/bonus_amount The bonus amount to award to the reporter. Only one of amount or bonus amount is required. Must be a positive number. No Number
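Since this endpoint pays out money, scripts that call it should enforce the request body rules, and a local spending limit, before the request is sent. The following is an added example, not HackerOne's own code: the function names are hypothetical, `minimum_bounty` is assumed to be your program's configured minimum, and `ceiling` is a local guard-rail that is not part of the API.

```python
from decimal import Decimal, InvalidOperation


def parse_amount(label, value):
    """Parse a money value exactly; reject NaN, infinities, zero and negatives."""
    try:
        amount = Decimal(str(value))
    except InvalidOperation:
        raise ValueError(f"{label} is not a number: {value!r}") from None
    # is_finite() is checked first because ordering comparisons on NaN raise.
    if not amount.is_finite() or amount <= 0:
        raise ValueError(f"{label} must be a positive number")
    return amount


def build_bounty(message, amount=None, bonus_amount=None,
                 minimum_bounty="0", ceiling=None):
    """Return the request body for POST /v1/reports/{id}/bounties.

    Rules taken from the request body table:
      * message is always required
      * at least one of amount / bonus_amount must be given
      * both must be positive; amount must also reach the minimum bounty
    Local assumption (not an API rule): when ceiling is set, amount plus
    bonus_amount may not exceed it, so a bug in calling code cannot award
    an arbitrarily large sum.
    """
    if not (message and message.strip()):
        raise ValueError("message is always required")
    if amount is None and bonus_amount is None:
        raise ValueError("provide amount, bonus_amount, or both")

    data = {"message": message}
    total = Decimal("0")

    if amount is not None:
        parsed = parse_amount("amount", amount)
        if parsed < Decimal(str(minimum_bounty)):
            raise ValueError("amount is below the program's minimum bounty")
        # Plain decimal notation as a string, matching the curl example.
        data["amount"] = format(parsed, "f")
        total += parsed

    if bonus_amount is not None:
        parsed = parse_amount("bonus_amount", bonus_amount)
        data["bonus_amount"] = format(parsed, "f")
        total += parsed

    if ceiling is not None and total > Decimal(str(ceiling)):
        raise ValueError("total award exceeds the locally configured ceiling")
    return {"data": data}


if __name__ == "__main__":
    # Constructed sample values mirroring the curl example above.
    print(build_bounty("Thanks for the great report. Here's your bounty!",
                       amount="500", bonus_amount="250",
                       minimum_bounty="100", ceiling="1000"))
```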

Get Bounty Suggestions

Query bounty suggestions for a report

curl "https://api.hackerone.com/api/v1/reports/79/bounty_suggestions" \
  -u "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ="

Example response (200 OK)

{
  "data": [
    {
      "type": "activity-bounty-suggested",
      "id": "1946481",
      "attributes": {
        "message": "This report is great, I think we should award a high bounty.",
        "created_at": "2019-09-22T15:10:02.699Z",
        "updated_at": "2019-09-22T15:10:02.699Z",
        "internal": true,
        "bounty_amount": "300.00",
        "bonus_amount": "0.00"
      },
      "relationships": {
        "actor": {
          "data": {
            "type": "user",
            "id": "193855",
            "attributes": {
              "username": "sjors",
              "name": null,
              "disabled": false,
              "created_at": "2019-09-22T13:18:29.084Z",
              "profile_picture": {
                "62x62": "/assets/avatars/default-71a302d706457f3d3a31eb30fa3e73e6cf0b1d677b8fa218eaeaffd67ae97918.png",
                "82x82": "/assets/avatars/default-71a302d706457f3d3a31eb30fa3e73e6cf0b1d677b8fa218eaeaffd67ae97918.png",
                "110x110": "/assets/avatars/default-71a302d706457f3d3a31eb30fa3e73e6cf0b1d677b8fa218eaeaffd67ae97918.png",
                "260x260": "/assets/avatars/default-71a302d706457f3d3a31eb30fa3e73e6cf0b1d677b8fa218eaeaffd67ae97918.png"
              }
            }
          }
        }
      }
    }
  ]
}

This API endpoint allows a user to retrieve a list of a report's bounty suggestions.

HTTP Request

GET https://api.hackerone.com/api/v1/reports/{id}/bounty_suggestions

URI Parameters

Name Description Required Type
id The ID of the report. Yes Integer

Add Bounty Suggestion

Create a bounty suggestion

curl "https://api.hackerone.com/v1/reports/172932/bounty_suggestions" \
  -X POST \
  -u "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=" \
  -H "Content-Type: application/json" \
  -d @- <<EOD
    {
      "data": {
        "message": "This report is great, I think we should award a high bounty",
        "amount": "5000",
        "bonus_amount": "2500"
      }
    }
EOD

Example response (200 OK)

{
  "data": {
    "type": "activity-bounty-suggested",
    "id": "1946481",
    "attributes": {
      "message": "This report is great, I think we should award a high bounty.",
      "created_at": "2017-08-22T15:10:02.699Z",
      "updated_at": "2017-08-22T15:10:02.699Z",
      "internal": true,
      "bounty_amount": "5,000",
      "bonus_amount": "2,500"
    },
    "relationships": {
      "actor": {
        "data": {
          "type": "user",
          "id": "193855",
          "attributes": {
            "username": "sjors",
            "name": null,
            "disabled": false,
            "created_at": "2017-08-22T13:18:29.084Z",
            "profile_picture": {
              "62x62": "/assets/avatars/default-71a302d706457f3d3a31eb30fa3e73e6cf0b1d677b8fa218eaeaffd67ae97918.png",
              "82x82": "/assets/avatars/default-71a302d706457f3d3a31eb30fa3e73e6cf0b1d677b8fa218eaeaffd67ae97918.png",
              "110x110": "/assets/avatars/default-71a302d706457f3d3a31eb30fa3e73e6cf0b1d677b8fa218eaeaffd67ae97918.png",
              "260x260": "/assets/avatars/default-71a302d706457f3d3a31eb30fa3e73e6cf0b1d677b8fa218eaeaffd67ae97918.png"
            }
          }
        }
      }
    }
  }
}

Description: You can use this endpoint to suggest bounties for the provided report.

Required permission: Reward Management OR Report Management. You can manage the permissions of your API users through your program's settings. Insufficient permissions will result in a 404 Not Found response.

HTTP Request

POST https://api.hackerone.com/v1/reports/{id}/bounty_suggestions

URI Parameters

Name Description Required Type
id The ID of the report. Yes Integer

Request Body

Name Description Required Type
data This object contains the information required to create a bounty suggestion. Yes Object
data/message The internal message posted on the report. Always required. Only readable by team members. Yes String
data/amount The suggested bounty amount to award to the reporter. Only one of amount or bonus amount is required. Must be a positive number, and, when provided, must be equal to or greater than your minimum bounty. No Number
data/bonus_amount The suggested bonus amount to award to the reporter. Only one of amount or bonus amount is required. Must be a positive number. No Number

Award Swag

Award swag

curl "https://api.hackerone.com/v1/reports/172932/swags" \
  -X POST \
  -u "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=" \
  -H "Content-Type: application/json" \
  -d @- <<EOD
    {
      "data": {
        "message": "This is the 5th report we received from you. We'd like to send you a shirt and some stickers as a small thank-you!"
      }
    }
EOD

Example response (200 OK)

{
  "data": {
    "id": "2057",
    "type": "swag",
    "attributes": {
      "sent": false,
      "created_at": "2017-08-22T15:09:44.176Z"
    },
    "relationships": {
      "user": {
        "data": {
          "id": "1337",
          "type": "user",
          "attributes": {
            "username": "api-example",
            "name": "API Example",
            "disabled": false,
            "created_at": "2016-02-02T04:05:06.000Z",
            "profile_picture": {
              "62x62": "/assets/avatars/default.png",
              "82x82": "/assets/avatars/default.png",
              "110x110": "/assets/avatars/default.png",
              "260x260": "/assets/avatars/default.png"
            }
          }          
        }
      },
      "address": {
        "data": {
          "id": "1337",
          "type": "address",
          "attributes": {
            "name": "Jane Doe",
            "street": "535 Mission Street",
            "city": "San Francisco",
            "postal_code": "94105",
            "state": "CA",
            "country": "United States of America",
            "created_at": "2016-02-02T04:05:06.000Z",
            "tshirt_size": "W_Large",
            "phone_number": "+1-510-000-0000"
          }
        }
      }   
    }
  }
}

Description: You can use this endpoint to award swag to the reporter of the provided report.

Required permission: Reward Management. You can manage the permissions of your API users through your program's settings. Insufficient permissions will result in a 404 Not Found response.

HTTP Request

POST https://api.hackerone.com/v1/reports/{id}/swags

URI Parameters

Name Description Required Type
id The ID of the report. Yes Integer

Request Body

Name Description Required Type
data This object contains the information required to award swag. Yes Object
data/message The public message posted on the report. Always required. Yes String

Mark as Ineligible for Bounty

Mark a report as ineligible for bounty.

curl "https://api.hackerone.com/v1/reports/2/ineligible_for_bounty" \
  -X PUT \
  -u "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=" \
  -H "Content-Type: application/json" \
  -d @- <<EOD
    {
      "data": {
        "type": "report-ineligible-for-bounty",
        "attributes": {}
      }
    }
EOD

Example response (200 OK)

{
  "id": "77",
  "type": "report",
  "attributes": {
    "title": "XSS in login form",
    "state": "new",
    "created_at": "2019-08-20T14:26:19.286Z",
    "vulnerability_information": "...",
    "triaged_at": null,
    "closed_at": null,
    "last_reporter_activity_at": "2019-08-20T14:26:20.531Z",
    "first_program_activity_at": "2019-08-20T14:26:20.531Z",
    "last_program_activity_at": "2019-08-20T15:25:56.627Z",
    "bounty_awarded_at": null,
    "swag_awarded_at": null,
    "disclosed_at": null,
    "last_public_activity_at": "2019-08-20T15:25:56.627Z",
    "last_activity_at": "2019-08-20T15:25:56.627Z",
    "cve_ids": [],
    "source": null
  },
  "relationships": {
    "weakness": {
      "data": {
        "id": "77",
        "type": "weakness",
        "attributes": {
          "name": "Reliance on Reverse DNS Resolution for a Security-Critical Action",
          "description": "The software performs reverse DNS resolution on an IP address to obtain the hostname and make a security decision, but it does not properly ensure that the IP address is truly associated with the hostname.",
          "external_id": "cwe-350",
          "created_at": "2019-07-12T08:36:13.646Z"
        }
      }
    }
  }
}

Marking a report as ineligible for bounty through the HackerOne API can be useful to programmatically batch update received reports in HackerOne.

Description: Marking a report as ineligible for bounty can be done through this endpoint. This API endpoint cannot be used for reports that have been reported outside of the HackerOne platform.

Required permission: Report Management. You can manage the permissions of your API users through your program's settings. Insufficient permissions will result in a 403 Forbidden response.

URI Parameters

Name Description Required Type
id The ID of the report. Yes Integer

Request Body

Name Description Possible Values Required Type
data This object contains the information to mark a report as ineligible for bounty. Yes Object
data/type report-ineligible-for-bounty Yes String

Manage Custom Field Values

Create Custom Field Value

curl "https://api.hackerone.com/v1/reports/172932/custom_field_values" \
  -X POST \
  -u "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=" \
  -H "Content-Type: application/json" \
  -d @- <<EOD
    {
      "data": {
        "attributes": {
          "custom_field_attribute_id": "1",
          "value": "Dark Matter"
        }
      }
    }
EOD

Example response (200 OK)

{
  "data": [
    {
      "id": "1",
      "type": "custom-field-value",
      "attributes": {
        "value": "Dark Matter",
        "created_at": "2019-04-24T22:21:50.328Z",
        "updated_at": "2019-04-24T22:21:50.328Z"
      },
      "relationships": {
        "custom_field_attribute": {
          "data": {
            "id": "1",
            "type": "custom-field-attribute",
            "attributes": {
              "label": "Product Squad",
              "configuration": null,
              "created_at": "2013-01-01T00:00:00.000Z",
              "updated_at": "2013-01-01T00:00:00.000Z",
              "archived_at": null
            }
          }
        }
      }
    }
  ]
}

Description: You can use this endpoint to create / update the Custom Field Values of the provided report. If the report already has a value for the provided Custom Field Attribute ID, the value will be replaced. To get a list of existing Custom Field Attributes, see program. This feature is only available to select programs at this time.

Required permission: Report Management. You can manage the permissions of your API users through your program's settings. Insufficient permissions will result in a 403 Forbidden response.

HTTP Request

POST https://api.hackerone.com/v1/reports/{id}/custom_field_values

URI Parameters

Name Description Required Type
id The ID of the report. Yes Integer

Request Body

Name Description Required Type
data This object contains the information required to create a Custom Field Value. Yes Object
data/attributes/custom_field_attribute_id The Custom Field Attribute ID for which a value needs to be set. A complete list of available Custom Field Attribute IDs is exposed on the Program object. Yes Integer
data/attributes/value The value that needs to be set for the given Custom Field Attribute. Leave empty to remove a Custom Field Attribute from a Report. No String

Manage Disclosure

Create disclosure request for the closed report

curl "https://api.hackerone.com/v1/reports/172932/disclosure_requests" \
  -X POST \
  -u "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=" \
  -H "Content-Type: application/json" \
  -d @- <<EOD
    {
      "data": {
        "attributes": {
          "substate": "full",
          "message": "Go public"
        }
      }
    }
EOD

Example response (200 OK)

{
  "data": {
    "id": "1337",
    "type": "activity-agreed-on-going-public",
    "attributes": {
      "message": "Agreed On Going Public!",
      "created_at": "2019-02-02T04:05:06.000Z",
      "updated_at": "2019-02-02T04:05:06.000Z",
      "internal": false,
      "disclosed_at": "2019-02-02T15:26:47.000Z"
    },
    "relationships": {
      "actor": {
        "data": {
          "id": "1337",
          "type": "user",
          "attributes": {
            "username": "api-example",
            "name": "API Example",
            "disabled": false,
            "created_at": "2019-02-02T04:05:06.000Z",
            "profile_picture": {
              "62x62": "/assets/avatars/default.png",
              "82x82": "/assets/avatars/default.png",
              "110x110": "/assets/avatars/default.png",
              "260x260": "/assets/avatars/default.png"
            }
          }
        }
      }
    }
  }
}

The program can request disclosure for any closed report.

You can use this endpoint to create the disclosure request for the report which will result in:

Required permission: Report Management. You can manage the permissions of your API users through your program's settings. Insufficient permissions will result in a 403 Forbidden response.

HTTP Request

POST https://api.hackerone.com/v1/reports/{id}/disclosure_requests

URI Parameters

Name Description Required Type
id The ID of the report. Yes Integer
substate Select whether you want to disclose the full report ("full") or a limited version ("no-content"). Possible values: full, no-content Yes String
message Additional information No String

Request Body

Name Description Possible Values Required Type
data This object contains the information about disclosure request. Yes Object
data/type activity-agreed-on-going-public Yes String
data/id The ID of the activity. Yes Integer

Activities

This endpoint allows you to fetch all activities of your program incrementally by time.

This feature has multiple usages:

The next section will give an overview of what an Activity object looks like. The sections after that will show the endpoints that have been implemented for this resource.

Query Activities

Read the activities of a team

curl "https://api.hackerone.com/v1/incremental/activities?handle=acme&page[size]=1" \
  -u "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ="

Example response (200 OK)

{
  "data": [
    {
      "type": "activity-bug-filed",
      "id": "1337",
      "attributes": {
        "report_id": "99900",
        "message": "",
        "created_at": "2016-02-02T04:05:06.000Z",
        "updated_at": "2017-02-02T04:05:06.000Z",
        "internal": false
      },
      "relationships": {
        "actor": {
          "data": {
            "type": "user",
            "id": "7331",
            "attributes": {
              "username": "api-example",
              "name": "API Example",
              "disabled": false,
              "created_at": "2016-02-02T04:05:06.000Z",
              "profile_picture": {
                "62x62": "/assets/avatars/default.png",
                "82x82": "/assets/avatars/default.png",
                "110x110": "/assets/avatars/default.png",
                "260x260": "/assets/avatars/default.png"
              }
            }
          }
        }
      }
    }
  ],
  "meta": {
    "max_updated_at": "2017-02-02T04:05:06.000Z"
  },
  "links": {
    "self": "https://api.hackerone.com/v1/incremental/activities?handle=acme&page%5Bsize%5D=1",
    "next": "https://api.hackerone.com/v1/incremental/activities?handle=acme&page%5Bsize%5D=1&page%5Bnumber%5D=2",
    "last": "https://api.hackerone.com/v1/incremental/activities?handle=acme&page%5Bsize%5D=1&page%5Bnumber%5D=20"
  }
}

Description: Note, the request URL path is /incremental/activities. When the request is successful, the API will respond with paginated activity objects ordered by updated date.

HTTP Request

GET /incremental/activities/

Query Parameters

Name Description Required Type
handle The HackerOne handle of the program whose activities you wish to retrieve. Yes String
updated_at_after A datetime encoded as a string. Used to indicate what cut-off date to use when retrieving activities. When not provided, no filtering is applied and all activities will be retrieved. No DateTime
page This parameter can be used to specify the page number and size the client wants to query. No Object
page[number] The page to retrieve. No Integer
page[size] The number of objects per page; currently limited from 1 to 100. Default: 25 No Integer
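
A polling client for this endpoint, as an added example rather than HackerOne's own code: it keeps meta.max_updated_at as the cursor for the next run, walks links.next, and follows a link only when it points back to this HTTPS endpoint. The fetch callable, the constructed SAMPLE_PAGES, and the use of updated_at_after as a resumable cursor are assumptions.

```python
from datetime import datetime
from urllib.parse import urlencode, urlsplit

API_HOST = "api.hackerone.com"
API_PATH = "/v1/incremental/activities"
TIMESTAMP = "%Y-%m-%dT%H:%M:%S.%fZ"  # shape of the timestamps in the sample responses


def first_url(handle, cursor=None, page_size=100):
    """First request of a run; cursor is the max_updated_at saved by the previous run."""
    if not 1 <= page_size <= 100:
        raise ValueError("page[size] is limited from 1 to 100")
    params = {"handle": handle, "page[size]": page_size}
    if cursor:
        params["updated_at_after"] = cursor
    return "https://" + API_HOST + API_PATH + "?" + urlencode(params)


def same_endpoint(url):
    """True only for HTTPS links back to this endpoint, so the Basic-auth
    credentials are never sent to a host named by response data."""
    parts = urlsplit(url)
    return (parts.scheme, parts.netloc, parts.path.rstrip("/")) == ("https", API_HOST, API_PATH)


def sync(fetch, handle, cursor=None, page_size=100, max_pages=1000):
    """Collect activities updated after cursor; fetch(url) returns parsed JSON.

    Returns (activities, new_cursor). Rows are de-duplicated on (id, updated_at):
    a row repeated across pages is dropped, a later revision of the same
    activity is kept (assumption: edits show up as a newer updated_at).
    """
    newest = datetime.strptime(cursor, TIMESTAMP) if cursor else None
    new_cursor, seen, found = cursor, set(), []
    url = first_url(handle, cursor, page_size)
    for _ in range(max_pages):
        doc = fetch(url)
        for activity in doc.get("data", []):
            key = (activity["id"], activity["attributes"]["updated_at"])
            if key not in seen:
                seen.add(key)
                found.append(activity)
        page_max = (doc.get("meta") or {}).get("max_updated_at")
        if page_max:
            stamp = datetime.strptime(page_max, TIMESTAMP)
            if newest is None or stamp > newest:
                newest, new_cursor = stamp, page_max
        next_link = (doc.get("links") or {}).get("next")
        if not next_link:
            return found, new_cursor
        if not same_endpoint(next_link):
            raise ValueError("refusing to follow links.next outside the API: " + next_link)
        url = next_link
    raise RuntimeError("pagination did not end after %d pages" % max_pages)


def activity(activity_id, kind, updated_at):
    """Build one constructed activity row with the fields sync() reads."""
    return {"type": kind, "id": activity_id,
            "attributes": {"report_id": "99900", "updated_at": updated_at, "internal": False}}


# Constructed sample pages (not real program data); page 2 repeats one row of page 1.
PAGE_1 = first_url("acme", page_size=2)
PAGE_2 = PAGE_1 + "&page%5Bnumber%5D=2"
SAMPLE_PAGES = {
    PAGE_1: {"data": [activity("1336", "activity-bug-filed", "2017-02-01T10:00:00.000Z"),
                      activity("1337", "activity-bug-filed", "2017-02-02T04:05:06.000Z")],
             "meta": {"max_updated_at": "2017-02-02T04:05:06.000Z"},
             "links": {"self": PAGE_1, "next": PAGE_2}},
    PAGE_2: {"data": [activity("1337", "activity-bug-filed", "2017-02-02T04:05:06.000Z"),
                      activity("1338", "activity-agreed-on-going-public",
                               "2017-02-03T09:00:00.000Z")],
             "meta": {"max_updated_at": "2017-02-03T09:00:00.000Z"},
             "links": {"self": PAGE_2}},
}

if __name__ == "__main__":
    rows, saved = sync(SAMPLE_PAGES.__getitem__, "acme", page_size=2)
    print([row["id"] for row in rows], saved)
    print(first_url("acme", cursor=saved))
```

Persist the returned cursor only after the collected activities have been stored, so a crash mid-run repeats work instead of skipping it.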

Programs

The next section will give an overview of what a Program object looks like. The sections after that will show the endpoints that have been implemented for this resource.

Get Program

Read a program

curl "https://api.hackerone.com/v1/programs/1337" \
  -u "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ="

Example response (200 OK)

{
  "data": {
    "id": "1337",
    "type": "program",
    "attributes": {
      "handle": "security",
      "policy": "Policy definition",
      "created_at": "2016-02-02T04:05:06.000Z",
      "updated_at": "2016-02-02T04:05:06.000Z"
    },
    "relationships": {
      "groups": {
        "data": [
          {
            "id": "2557",
            "type": "group",
            "attributes": {
              "name": "Standard",
              "created_at": "2016-02-02T04:05:06.000Z",
              "permissions": [
                "report_management",
                "reward_management"
              ]
            }
          },
          {
            "id": "2558",
            "type": "group",
            "attributes": {
              "name": "Admin",
              "created_at": "2016-02-02T04:05:06.000Z",
              "permissions": [
                "user_management",
                "program_management"
              ]
            }
          }
        ]
      },
      "members": {
        "data": [
          {
            "id": "1339",
            "type": "member",
            "attributes": {
              "created_at": "2016-02-02T04:05:06.000Z",
              "permissions": [
                "program_management",
                "report_management",
                "reward_management",
                "user_management"
              ]
            },
            "relationships": {
              "user": {
                "data": {
                  "id": "1337",
                  "type": "user",
                  "attributes": {
                    "username": "api-example",
                    "name": "API Example",
                    "disabled": false,
                    "created_at": "2016-02-02T04:05:06.000Z",
                    "profile_picture": {
                      "62x62": "/assets/avatars/default.png",
                      "82x82": "/assets/avatars/default.png",
                      "110x110": "/assets/avatars/default.png",
                      "260x260": "/assets/avatars/default.png"
                    }
                  }
                }
              }
            }
          }
        ]
      },
      "policy_attachments": {
        "data": [
          {
            "id": "<id>",
            "type": "attachment",
            "attributes": {
              "expiring_url": "<url>",
              "created_at": "<date>",
              "file_name": "logo.png",
              "content_type": "image/png",
              "file_size": 3650
            }
          }
        ]
      }
    }
  }
}

Description: A program object can be fetched by sending a GET request to a unique program object. When the request is successful, the API will respond with a program object.

The following program relationships are included: groups, members and policy attachments.

HTTP Request

GET https://api.hackerone.com/v1/programs/{id}

URI Parameters

Name Description Required Type
id The ID of the program. Yes Integer
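
The members relationship of a Program object is enough to review which accounts hold the permissions the endpoints in this reference ask for. The following is an added example, not HackerOne code: the baseline of intended permissions, the members other than api-example, and the mapping of the prose names ("Report Management") to the JSON strings ("report_management") are assumptions.

```python
# Permission each operation documented in this part of the reference asks for.
# Assumption: the prose name "Report Management" is "report_management" in JSON.
ENDPOINT_PERMISSION = {
    "Create Custom Field Value": "report_management",
    "Create Disclosure Request": "report_management",
    "Update Policy": "program_management",
    "Mark Swag as Sent": "program_management",
}


def members(program_doc):
    """Yield (username, disabled, permissions) for every member of a Program object."""
    relationships = program_doc["data"].get("relationships", {})
    for member in relationships.get("members", {}).get("data", []):
        user = member["relationships"]["user"]["data"]["attributes"]
        permissions = set(member["attributes"].get("permissions", []))
        yield user["username"], bool(user.get("disabled")), permissions


def audit(program_doc, intended):
    """Compare granted permissions with a reviewed baseline.

    intended maps username -> set of permissions that account is meant to hold.
    Returns a list of (username, finding, details) tuples.
    """
    findings = []
    for username, disabled, granted in members(program_doc):
        if disabled and granted:
            findings.append((username, "disabled-but-privileged", sorted(granted)))
        if username not in intended:
            findings.append((username, "not-in-baseline", sorted(granted)))
            continue
        extra = granted - intended[username]
        if extra:
            findings.append((username, "excess-permission", sorted(extra)))
        missing = intended[username] - granted
        if missing:
            # These calls would be answered with 403 Forbidden.
            blocked = sorted(op for op, need in ENDPOINT_PERMISSION.items() if need in missing)
            findings.append((username, "will-get-403", blocked))
    return findings


def member(username, permissions, disabled=False):
    """Build one constructed member entry with the fields audit() reads."""
    return {"type": "member", "attributes": {"permissions": permissions},
            "relationships": {"user": {"data": {"type": "user", "attributes": {
                "username": username, "disabled": disabled}}}}}


# Constructed Program object: api-example mirrors the sample response above,
# the other two members are made up for the example.
SAMPLE_PROGRAM = {"data": {"id": "1337", "type": "program", "relationships": {
    "members": {"data": [
        member("api-example", ["program_management", "report_management",
                               "reward_management", "user_management"]),
        member("triage-bot", ["reward_management"]),
        member("old-contractor", ["program_management"], disabled=True),
    ]}}}}

# Hypothetical baseline: both integrations should only manage reports.
BASELINE = {"api-example": {"report_management"}, "triage-bot": {"report_management"}}

if __name__ == "__main__":
    for finding in audit(SAMPLE_PROGRAM, BASELINE):
        print(finding)
```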

Update Policy

Update the policy of a program

curl "https://api.hackerone.com/v1/programs/3774/policy" \
  -X PUT \
  -u "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=" \
  -H "Content-Type: application/json" \
  -d @- <<EOD
    {
      "data": {
        "type": "program-policy",
        "attributes": {
          "policy": "..."
        }
      }
    }
EOD

Example response (200 OK)

{
  "data": {
    "id": "3774",
    "type": "program",
    "attributes": {
      "handle": "acme",
      "policy": "...",
      "created_at": "2013-01-01T00:00:00.000Z",
      "updated_at": "2019-08-26T13:53:24.807Z"
    }
  }
}

Description: Managing the policy of a program through the HackerOne API can be useful to programmatically batch update programs in HackerOne. You can use this endpoint to update the policy of your program.

Required permission: Program Management. You can manage the permissions of your API users through your program's settings. Insufficient permissions will result in a 403 Forbidden response.

HTTP Request

PUT https://api.hackerone.com/v1/programs/{id}/policy

URI Parameters

Name Description Required Type
id The ID of the program. Yes Integer

Request Body

Name Description Possible Values Required Type
data This object contains the information to update the policy of a program. Yes Object
data/type program-policy Yes String
data/attributes Yes Object
data/attributes/policy The new policy that will be set on the program. Yes String

Award Bounty

Create a bounty for a program

curl "https://api.hackerone.com/v1/programs/1337/bounties" \
  -X POST \
  -u "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=" \
  -H "Content-Type: application/json" \
  -d @- <<EOD
    {
      "data": {
        "type": "bounty",
        "attributes": {
          "amount": 100,
          "reference": "JIRA1239",
          "title": "Reflected XSS on marketing.example.com",
          "recipient": "hacker@hackerone.com",
          "currency": "USD",
          "severity_rating": "high"
        }
      }
    }
EOD

Example response (200 OK)

{
  "data": {
    "id": "1",
    "type": "bounty",
    "attributes": {
      "amount": "100.00",
      "bonus_amount": "0.00",
      "awarded_amount": "100.00",
      "awarded_bonus_amount": "0.00",
      "awarded_currency": "USD",
      "created_at": "2017-02-14T23:07:24.252Z",
      "invitations": [
        {
          "id": "10",
          "recipient": "hacker@hackerone.com",
          "claim_url": "https://hackerone.com/invitations/3fe0a8badea0023c2fcca5c860d5899e"
        }
      ]
    }
  }
}

Description: To award a bounty, this API endpoint can be used. When the API call is successful, a bounty object will be returned.

HTTP Request

POST https://api.hackerone.com/v1/programs/{id}/bounties

URI Parameters

Name Description Required Type
id The ID of the program. Yes

Request Body

Get Awarded Swag

Query swag of the program

curl "https://api.hackerone.com/v1/programs/16789/swag?page%5Bnumber%5D=1&page%5Bsize%5D=100" \
  -u "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ="

Example response (200 OK)

{
  "data": [
    {
      "id": "8",
      "type": "swag",
      "attributes": {
        "sent": true,
        "created_at": "2019-08-30T08:33:42.147Z"
      },
      "relationships": {
        "user": {
          "data": {
            "id": "1337",
            "type": "user",
            "attributes": {
              "username": "api-example",
              "name": "API Example",
              "disabled": false,
              "created_at": "2016-02-02T04:05:06.000Z",
              "profile_picture": {
                "62x62": "/assets/avatars/default.png",
                "82x82": "/assets/avatars/default.png",
                "110x110": "/assets/avatars/default.png",
                "260x260": "/assets/avatars/default.png"
              }
            }
          }
        },
        "address": {
          "data": {
            "id": "1337",
            "type": "address",
            "attributes": {
              "name": "Jane Doe",
              "street": "535 Mission Street",
              "city": "San Francisco",
              "postal_code": "94105",
              "state": "CA",
              "country": "United States of America",
              "created_at": "2016-02-02T04:05:06.000Z",
              "tshirt_size": "M_Large",
              "phone_number": "+1-510-000-0000"
            }
          }
        }
      }    
    },
    {
      "id": "7",
      "type": "swag",
      "attributes": {
        "sent": false,
        "created_at": "2019-08-20T03:47:04.163Z"
      },
      "relationships": {
        "user": {
          "data": {
            "id": "1338",
            "type": "user",
            "attributes": {
              "username": "johndoe",
              "name": "John Doe",
              "disabled": false,
              "created_at": "2017-02-02T04:05:06.000Z",
              "profile_picture": {
                "62x62": "/assets/avatars/default.png",
                "82x82": "/assets/avatars/default.png",
                "110x110": "/assets/avatars/default.png",
                "260x260": "/assets/avatars/default.png"
              }
            }
          }
        },
        "address": {
          "data": {
            "id": "1337",
            "type": "address",
            "attributes": {
              "name": "John Smith",
              "street": "535 Mission Street",
              "city": "New York",
              "postal_code": "10001",
              "state": "NY",
              "country": "United States of America",
              "created_at": "2017-01-03T07:08:09.000Z",
              "tshirt_size": "M_Large",
              "phone_number": "+1-212-000-0000"
            }
          }
        }
      }
    }
  ],
  "links": {
  }
}

Awarded swag can be fetched by sending a GET request to the swag endpoint. When the request is successful, the API will respond with paginated swag objects.

HTTP Request

GET https://api.hackerone.com/v1/programs/{id}/swag

URI Parameters

Name Located in Description Required Type
id path The ID of the program. Yes Integer

Query Parameters

Name Description Required Type
page This parameter can be used to specify the page number and size the client wants to query. No Object
page[number] The page to retrieve. No Integer
page[size] The number of objects per page; currently limited from 1 to 100. Default: 25 No Integer

Mark Swag as Sent

Mark swag as sent

curl "https://api.hackerone.com/v1/programs/12/swag/8" \
  -X PUT \
  -u "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=" \
  -H "Content-Type: application/json" \
  -d @- <<EOD
    {
      "data": {
        "type": "swag",
        "attributes": {
          "sent": true
        }
      }
    }
EOD

Example response (200 OK)

{
  "data": {
    "id": "8",
    "type": "swag",
    "attributes": {
      "sent": true,
      "created_at": "2019-08-30T08:33:42.147Z"
    },
    "relationships": {
      "user": {
        "data": {
          "id": "1337",
          "type": "user",
          "attributes": {
            "username": "api-example",
            "name": "API Example",
            "disabled": false,
            "created_at": "2016-02-02T04:05:06.000Z",
            "profile_picture": {
              "62x62": "/assets/avatars/default.png",
              "82x82": "/assets/avatars/default.png",
              "110x110": "/assets/avatars/default.png",
              "260x260": "/assets/avatars/default.png"
            }
          }
        }
      },
      "address": {
        "data": {
          "id": "1337",
          "type": "address",
          "attributes": {
            "name": "Jane Doe",
            "street": "535 Mission Street",
            "city": "San Francisco",
            "postal_code": "94105",
            "state": "CA",
            "country": "United States of America",
            "created_at": "2016-02-02T04:05:06.000Z",
            "tshirt_size": "M_Large",
            "phone_number": "+1-510-000-0000"
          }
        }
      }
    }
  }
}

The status of swag can be updated to "sent" through this endpoint. When the request is successful, the API will respond with a swag object.

Required permission: Program Management. You can manage the permissions of your API users through your program's settings. Insufficient permissions will result in a 403 Forbidden response.

HTTP Request

PUT https://api.hackerone.com/v1/programs/{program_id}/swag/{id}

URI Parameters

Name Description Required Type
program_id The ID of the program. Yes Integer
id The ID of the swag. Yes Integer

Request Body

Name Description Required Type
data This object contains the information to change the status of swag. Yes Object
data/type Possible values: swag Yes String
data/attributes Yes Object
data/attributes/sent Possible values: true Yes Boolean

Get Reporters

Query reporters for a program

curl "https://api.hackerone.com/v1/programs/11000/reporters" \
    -u "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ="

Example response (200 OK)

{
  "data": [
    {
      "id": "1337",
      "type": "user",
      "attributes": {
        "username": "awesome-hacker",
        "name": "Awesome Hacker",
        "disabled": false,
        "created_at": "2016-02-02T04:05:06.000Z",
        "profile_picture": {
          "62x62": "/assets/avatars/default.png",
          "82x82": "/assets/avatars/default.png",
          "110x110": "/assets/avatars/default.png",
          "260x260": "/assets/avatars/default.png"
        }
      }
    }
  ],
  "links": {

  }
}

This resource allows you to retrieve a list of all users that ever submitted a report to the program.

Description: Multiple user objects can be queried by sending a GET request to the reporters endpoint. When the request is successful, the API will respond with paginated user objects.

HTTP Request

GET https://api.hackerone.com/v1/programs/{id}/reporters

URI Parameters

Name Description Required Type
id The ID of the program. Yes Integer

Query Parameters

Name Description Required Type
page This parameter can be used to specify the page number and size the client wants to query. No Object
page[number] The page to retrieve. No Integer
page[size] The number of objects per page; currently limited from 1 to 100. Default: 25 No Integer

Manage Structured Scopes

This resource allows you to retrieve a list of all assets of the program. You can create, update and archive your existing structured scopes.




Query Structured Scopes

Query structured scopes for a program

curl "https://api.hackerone.com/v1/programs/16789/structured_scopes?page%5Bnumber%5D=1&page%5Bsize%5D=100" \
  -u "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ="

Example response (200 OK)

{
  "data": [
    {
      "id": "57",
      "type": "structured-scope",
      "attributes": {
        "asset_identifier": "api.example.com",
        "asset_type": "url",
        "confidentiality_requirement": "high",
        "integrity_requirement": "high",
        "availability_requirement": "high",
        "max_severity": "critical",
        "created_at": "2015-02-02T04:05:06.000Z",
        "updated_at": "2016-05-02T04:05:06.000Z",
        "instruction": null,
        "eligible_for_bounty": true,
        "eligible_for_submission": true,
        "reference": "H001001"
      }
    },
    {
      "id": "58",
      "type": "structured-scope",
      "attributes": {
        "asset_identifier": "www.example.com",
        "asset_type": "url",
        "confidentiality_requirement": "low",
        "integrity_requirement": "high",
        "availability_requirement": "high",
        "max_severity": "critical",
        "created_at": "2017-02-03T04:05:10.000Z",
        "updated_at": "2018-05-02T04:05:10.000Z",
        "instruction": "Instruction text",
        "eligible_for_bounty": true,
        "eligible_for_submission": true,
        "reference": "H001002"
      }
    }
  ],
  "links": {
  }
}

Description: Structured scopes can be fetched by sending a GET request to the structured scopes endpoint. When the request is successful, the API will respond with paginated structured scopes.

HTTP Request

GET https://api.hackerone.com/v1/programs/{id}/structured_scopes

URI Parameters

Name Located in Description Required Type
id path The ID of the program. Yes Integer

Query Parameters

Name Description Required Type
page This parameter can be used to specify the page number and size the client wants to query. No Object
page[number] The page to retrieve. No Integer
page[size] The number of objects per page; currently limited from 1 to 100. Default: 25 No Integer




Add Structured Scope

Create a structured scope for a program

curl "https://api.hackerone.com/v1/programs/1557/structured_scopes" \
  -X POST \
  -u "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=" \
  -H "Content-Type: application/json" \
  -d @- <<EOD
    {
      "data": {
        "type": "structured-scope",
        "attributes": {
          "asset_identifier": "api.example.com",
          "asset_type": "url",
          "confidentiality_requirement": "high",
          "integrity_requirement": "high",
          "availability_requirement": "high",
          "max_severity": "critical",
          "created_at": "2015-02-02T04:05:06.000Z",
          "updated_at": "2016-05-02T04:05:06.000Z",
          "eligible_for_bounty": true,
          "eligible_for_submission": true,
          "reference": "H001001"
        }
      }
    }
EOD

Example response (200 OK)

{
  "id": "57",
  "type": "structured-scope",
  "attributes": {
    "asset_identifier": "api.example.com",
    "asset_type": "url",
    "confidentiality_requirement": "high",
    "integrity_requirement": "high",
    "availability_requirement": "high",
    "max_severity": "critical",
    "created_at": "2015-02-02T04:05:06.000Z",
    "updated_at": "2016-05-02T04:05:06.000Z",
    "instruction": null,
    "eligible_for_bounty": true,
    "eligible_for_submission": true,
    "reference": "H001001"
  }
}

Description: This API endpoint can be used to add an asset to a program. When the API request is successful, a structured-scope object will be returned.

HTTP Request

POST https://api.hackerone.com/v1/programs/{id}/structured_scopes

URI Parameters

Name Description Required Type
id The ID of the program. Yes Integer

Request Body

Name Description Possible Values Required Type
data This object contains the information to create a structured scope. Yes Object
data/type structured-scope Yes String
data/attributes Yes Object
data/attributes/asset_identifier The identifier of the asset. Yes String
data/attributes/asset_type The type of the asset. CIDR, URL, APPLE_STORE_APP_ID, TESTFLIGHT, OTHER_IPA, GOOGLE_PLAY_APP_ID, OTHER_APK, WINDOWS_APP_STORE_APP_ID, SOURCE_CODE, DOWNLOADABLE_EXECUTABLES, HARDWARE, OTHER Yes String
data/attributes/eligible_for_bounty If the asset is eligible for bounty. No Boolean
data/attributes/eligible_for_submission If the asset is eligible for submission. No Boolean
data/attributes/instruction The raw instruction of the asset provided by the program. Markdown is not parsed. No String
data/attributes/confidentiality_requirement A CVSS environmental modifier that reweights Confidentiality Impact of a vulnerability on this asset. none, low, medium, high No String
data/attributes/integrity_requirement A CVSS environmental modifier that reweights Integrity Impact of a vulnerability on this asset. none, low, medium, high No String
data/attributes/availability_requirement A CVSS environmental modifier that reweights Availability Impact of a vulnerability on this asset. none, low, medium, high No String
data/attributes/max_severity The qualitative rating of the maximum severity allowed on this asset. Its value is calculated from the combination of all three of the environmental requirements (CR, IR, and AR). none, low, medium, high, critical No String
data/attributes/reference The customer-defined reference identifier or tag of the asset. No String




Update Structured Scope

Update a structured scope of a program

curl "https://api.hackerone.com/v1/programs/1557/structured_scopes/84" \
  -X PATCH \
  -u "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=" \
  -H "Content-Type: application/json" \
  -d @- <<EOD
    {
      "data": {
        "type": "structured-scope",
        "attributes": {
          "asset_identifier": "api.example.com",
          "asset_type": "url",
          "confidentiality_requirement": "high",
          "integrity_requirement": "high",
          "availability_requirement": "high",
          "max_severity": "critical",
          "created_at": "2015-02-02T04:05:06.000Z",
          "updated_at": "2016-05-02T04:05:06.000Z",
          "eligible_for_bounty": true,
          "eligible_for_submission": true,
          "reference": "H001001"
        }
      }
    }
EOD

Example response (200 OK)

{
  "id": "57",
  "type": "structured-scope",
  "attributes": {
    "asset_identifier": "api.example.com",
    "asset_type": "url",
    "confidentiality_requirement": "high",
    "integrity_requirement": "high",
    "availability_requirement": "high",
    "max_severity": "critical",
    "created_at": "2015-02-02T04:05:06.000Z",
    "updated_at": "2016-05-02T04:05:06.000Z",
    "instruction": null,
    "eligible_for_bounty": true,
    "eligible_for_submission": true,
    "reference": "H001001"
  }
}

Description: This API endpoint can be used to update an asset of a program. When the API request is successful, a structured-scope object will be returned.

HTTP Request

PATCH https://api.hackerone.com/v1/programs/{id}/structured_scopes

URI Parameters

Name Description Required Type
id The ID of the program. Yes Integer

Request Body

Name Description Possible Values Required Type
data This object contains the information to update a structured scope. Yes Object
data/type structured-scope Yes String
data/attributes Yes Object
data/attributes/asset_identifier The identifier of the asset. Yes String
data/attributes/eligible_for_bounty If the asset is eligible for bounty. No Boolean
data/attributes/eligible_for_submission If the asset is eligible for submission. No Boolean
data/attributes/instruction The raw instruction of the asset provided by the program. Markdown is not parsed. No String
data/attributes/confidentiality_requirement A CVSS environmental modifier that reweights Confidentiality Impact of a vulnerability on this asset. none, low, medium, high No String
data/attributes/integrity_requirement A CVSS environmental modifier that reweights Integrity Impact of a vulnerability on this asset. none, low, medium, high No String
data/attributes/availability_requirement A CVSS environmental modifier that reweights Availability Impact of a vulnerability on this asset. none, low, medium, high No String
data/attributes/max_severity The qualitative rating of the maximum severity allowed on this asset. Its value is calculated from the combination of all three of the environmental requirements (CR, IR, and AR). none, low, medium, high, critical No String
data/attributes/reference The customer-defined reference identifier or tag of the asset. No String




Archive Structured Scope

Archive a structured scope of a program

curl "https://api.hackerone.com/v1/programs/1557/structured_scopes/84" \
  -X DELETE \
  -u "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ="

Example response (200 OK)

{
  "id": "57",
  "type": "structured-scope",
  "attributes": {
    "asset_identifier": "api.example.com",
    "asset_type": "url",
    "confidentiality_requirement": "high",
    "integrity_requirement": "high",
    "availability_requirement": "high",
    "max_severity": "critical",
    "created_at": "2015-02-02T04:05:06.000Z",
    "updated_at": "2016-05-02T04:05:06.000Z",
    "instruction": null,
    "eligible_for_bounty": true,
    "eligible_for_submission": true,
    "reference": "H001001"
  }
}

Description: This API endpoint can be used to archive an asset of a program. When the API request is successful, a structured-scope object will be returned.

HTTP Request

DELETE https://api.hackerone.com/v1/programs/{id}/structured_scopes

URI Parameters

Name Description Required Type
id The ID of the program. Yes Integer
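
The query, add, update and archive endpoints above can be combined into a dry run that shows every scope change before anything is sent. This is an added example, not HackerOne code: the desired-state list is constructed, assets are matched on type plus identifier (an assumption), and the per-scope path follows the curl examples (.../structured_scopes/84).

```python
ASSET_TYPES = {"CIDR", "URL", "APPLE_STORE_APP_ID", "TESTFLIGHT", "OTHER_IPA",
               "GOOGLE_PLAY_APP_ID", "OTHER_APK", "WINDOWS_APP_STORE_APP_ID",
               "SOURCE_CODE", "DOWNLOADABLE_EXECUTABLES", "HARDWARE", "OTHER"}
REQUIREMENT = ("none", "low", "medium", "high")
ENUMS = {
    "confidentiality_requirement": REQUIREMENT,
    "integrity_requirement": REQUIREMENT,
    "availability_requirement": REQUIREMENT,
    "max_severity": REQUIREMENT + ("critical",),
}
FLAGS = ("eligible_for_bounty", "eligible_for_submission")
UPDATABLE = FLAGS + ("instruction", "reference") + tuple(ENUMS)
DOCUMENTED = {"asset_identifier", "asset_type", *UPDATABLE}


def validate(attrs):
    """Check attributes against the Request Body tables; return a list of problems."""
    problems = []
    if not attrs.get("asset_identifier"):
        problems.append("asset_identifier is required")
    # The table lists upper-case types while the sample request sends "url",
    # so the comparison ignores case (assumption).
    if str(attrs.get("asset_type", "")).upper() not in ASSET_TYPES:
        problems.append("asset_type %r is not a documented value" % attrs.get("asset_type"))
    for field, allowed in ENUMS.items():
        if field in attrs and attrs[field] not in allowed:
            problems.append("%s must be one of %s" % (field, ", ".join(allowed)))
    for flag in FLAGS:
        if flag in attrs and not isinstance(attrs[flag], bool):
            problems.append(flag + " must be a boolean")
    for name in sorted(set(attrs) - DOCUMENTED):
        problems.append(name + " is not in the Request Body table")
    return problems


def scope_key(attrs):
    return (str(attrs["asset_type"]).lower(), attrs["asset_identifier"])


def body(attrs):
    return {"data": {"type": "structured-scope", "attributes": dict(attrs)}}


def plan(program_id, live_scopes, desired):
    """Return [(method, path, json_body)] that would turn live_scopes into desired.

    live_scopes is the "data" list of the query response; desired is a list of
    attribute dicts. Nothing is sent: the plan is meant to be reviewed first.
    """
    base = "/v1/programs/%s/structured_scopes" % program_id
    for attrs in desired:
        problems = validate(attrs)
        if problems:
            raise ValueError("%s: %s" % (attrs.get("asset_identifier"), "; ".join(problems)))
    live = {scope_key(scope["attributes"]): scope for scope in live_scopes}
    want = {scope_key(attrs): attrs for attrs in desired}
    steps = []
    for key, attrs in want.items():
        if key not in live:
            steps.append(("POST", base, body(attrs)))
            continue
        have = live[key]["attributes"]
        changed = {f: attrs[f] for f in UPDATABLE if f in attrs and attrs[f] != have.get(f)}
        if changed:
            changed["asset_identifier"] = attrs["asset_identifier"]  # required on update
            steps.append(("PATCH", base + "/" + live[key]["id"], body(changed)))
    for key, scope in live.items():
        if key not in want:  # still in scope on the platform, gone from the inventory
            steps.append(("DELETE", base + "/" + scope["id"], None))
    return steps


# Abridged from the query response above.
LIVE = [
    {"id": "57", "type": "structured-scope", "attributes": {
        "asset_identifier": "api.example.com", "asset_type": "url", "max_severity": "critical",
        "eligible_for_bounty": True, "eligible_for_submission": True, "reference": "H001001"}},
    {"id": "58", "type": "structured-scope", "attributes": {
        "asset_identifier": "www.example.com", "asset_type": "url", "max_severity": "critical",
        "eligible_for_bounty": True, "eligible_for_submission": True, "reference": "H001002"}},
]
# Constructed desired state (hypothetical inventory export).
DESIRED = [
    {"asset_identifier": "api.example.com", "asset_type": "URL",
     "max_severity": "critical", "eligible_for_bounty": False},
    {"asset_identifier": "192.0.2.0/24", "asset_type": "CIDR",
     "max_severity": "medium", "eligible_for_submission": True},
]

if __name__ == "__main__":
    for step in plan("16789", LIVE, DESIRED):
        print(step)
```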

Get Weaknesses

This resource allows you to retrieve a list of all weaknesses of the program.

Query weaknesses for a program

curl "https://api.hackerone.com/v1/programs/16789/weaknesses?page%5Bnumber%5D=1&page%5Bsize%5D=100" \
  -u "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ="

Example response (200 OK)

{
  "data": [
    {
      "id": "1337",
      "type": "weakness",
      "attributes": {
        "name": "Cross-Site Request Forgery (CSRF)",
        "description": "The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.",
        "created_at": "2016-02-02T04:05:06.000Z",
        "external_id": "cwe-352"
      }
    },
    {
      "id": "1338",
      "type": "weakness",
      "attributes": {
        "name": "SQL Injection",
        "description": "The software constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component.",
        "created_at": "2016-03-02T04:05:06.000Z",
        "external_id": "cwe-89"
      }
    }
  ],
  "links": {
  }
}

Description: Weaknesses can be fetched by sending a GET request to the weaknesses endpoint. When the request is successful, the API will respond with paginated weakness objects.

HTTP Request

GET https://api.hackerone.com/v1/programs/{id}/weaknesses

URI Parameters

Name Description Required Type
id The ID of the program. Yes Integer

Query Parameters

Name Description Required Type
page This parameter can be used to specify the page number and size the client wants to query. No Object
page[number] The page to retrieve. No Integer
page[size] The number of objects per page; currently limited from 1 to 100. Default: 25 No Integer

Get Thanks to Hackers

This resource allows you to view the customer's thanks to hackers.

Query thanks for a program

curl "https://api.hackerone.com/v1/programs/16789/thanks?page%5Bnumber%5D=1&page%5Bsize%5D=100" \
  -u "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ="

Example response (200 OK)

{
    "data": [
        {
            "type": "thanks_item",
            "attributes": {
                "total_report_count": 1,
                "reputation": 7,
                "recognized_report_count": 1,
                "username": "lorem",
                "user_id": "55"
            }
        },
        {
            "type": "thanks_item",
            "attributes": {
                "total_report_count": 1,
                "reputation": 22,
                "recognized_report_count": 1,
                "username": "ipsum",
                "user_id": "13"
            }
        },
        {
            "type": "thanks_item",
            "attributes": {
                "total_report_count": 5,
                "reputation": 38,
                "recognized_report_count": 3,
                "username": "hacker",
                "user_id": "24"
            }
        }
    ],
    "links": {}
}

Description: Customer thanks items can be fetched by sending a GET request to the thanks endpoint. When the request is successful, the API will respond with paginated thanks item objects.

HTTP Request

GET https://api.hackerone.com/v1/programs/{id}/thanks

URI Parameters

Name Description Required Type
id The ID of the program. Yes Integer

Query Parameters

Name Description Required Type
page This parameter can be used to specify the page number and size the client wants to query. No Object
page[number] The page to retrieve. No Integer
page[size] The number of objects per page; currently limited from 1 to 100. Default: 25 No Integer

Get Common Responses

Query common responses for a program

curl "https://api.hackerone.com/v1/programs/15567/common_responses?page%5Bnumber%5D=1&page%5Bsize%5D=100" \
  -u "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ="

Example response (200 OK)

{
  "data": [
    {
      "id": "108878",
      "attributes": {
        "title": "Vulnerability Scanner False Positive",
        "message": "Automated vulnerability scanners commonly have low priority issues and/or false positives. Before submitting the results from a scanner, please take a moment to confirm that the reported issues are actually valid and exploitable. Please reply if you have a working proof-of-concept or reason to believe that this issue is exploitable.\n"
      }
    },
    {
      "id": "108886",
      "attributes": {
        "title": "X-XSS-Protection",
        "message": "Automated vulnerability scanners commonly have low priority issues and/or false positives. Before submitting the results from a scanner, please take a moment to confirm that the reported issues are actually valid and exploitable. In this specific case, we believe that the default state of the `X-XSS-Protection` header is sufficient for our purposes. Please reply if you have a working proof-of-concept that could be mitigated by an adjustment to our header.\n"
      }
    },
    {
      "id": "108891",
      "attributes": {
        "title": "Video Without Content",
        "message": "Using a video to demonstrate a potential issue should only be necessary in rare situations and should always be accompanied with a text description of the issue as well. Please update this report with step-by-step instructions to reproduce the core components of the issue. If you don't speak English, feel free to leave your report in your own language, and we'll try our best to find someone who can help translate.\n"
      }
    }
  ],
  "links": {
  }
}

Description: Common responses can be fetched by sending a GET request to the common responses endpoint. When the request is successful, the API will respond with paginated common responses.

HTTP Request

GET https://api.hackerone.com/v1/programs/{id}/common_responses

URI Parameters

Name Description Required Type
id The ID of the program. Yes Integer

Query Parameters

Name Description Required Type
page This parameter can be used to specify the page number and size the client wants to query. No Object
page[number] The page to retrieve. No Integer
page[size] The number of objects per page; currently limited from 1 to 100. Default: 25 No Integer

Get Audit Log

Query audit log for a program

curl "https://api.hackerone.com/v1/programs/15567/audit_log?page%5Bnumber%5D=1&page%5Bsize%5D=100" \
  -u "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ="

Example response (200 OK)

{
  "data": [
    {
      "id": "1",
      "type": "audit-log-item",
      "attributes": {
        "log": "\"@member\" invited \"someone@example.com\".",
        "event": "invitations.team_members.create",
        "source": "User#1",
        "subject": "Invitation#1",
        "created_at": "2019-05-15T04:05:06.000Z"
      }
    }
  ],
  "links": {
  }
}

Returns a paginated list of the audit log items of the provided program.

Description: This API endpoint allows a user to consume all audit log items that have been created for a particular program.

Required permission: Program Management for consuming the audit log items. You can manage the permissions of your API users through your program's settings. Insufficient permissions will result in a 403 Forbidden response.

Note: this feature is currently in beta and has not been enabled for all programs.

HTTP Request

GET https://api.hackerone.com/v1/programs/{id}/audit_log

URI Parameters

Name Description Required Type
id The ID of the program. Yes Integer

Query Parameters

Name Description Required Type
page This parameter can be used to specify the page number and size the client wants to query. No Object
page[number] The page to retrieve. No Integer
page[size] The number of objects per page; currently limited from 1 to 100. Default: 25 No Integer
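
An added example, not HackerOne's own code: it pages through the audit log with page[number] and page[size] and reports team-member invitations sent to addresses outside a set of trusted e-mail domains. The stop-on-short-page rule, the trusted-domain list and the sample pages are assumptions of this example; the event name and the log text format come from the example response above.

```python
import base64
import json
import re
import urllib.error
import urllib.parse
import urllib.request

API_ROOT = "https://api.hackerone.com/v1"
MAX_PAGE_SIZE = 100  # documented upper bound for page[size]
INVITE_EVENT = "invitations.team_members.create"  # event name from the example response

# Log text format taken from the example response:
#   "@member" invited "someone@example.com".
INVITE_LOG = re.compile(r'^"(?P<actor>[^"]+)" invited "(?P<email>[^"@\s]+@[^"@\s]+)"\.?$')


def http_fetch_page(program_id, identifier, token, number, size):
    """Fetch one audit-log page over HTTPS with HTTP Basic auth."""
    query = urllib.parse.urlencode({"page[number]": number, "page[size]": size})
    req = urllib.request.Request(f"{API_ROOT}/programs/{int(program_id)}/audit_log?{query}")
    cred = base64.b64encode(f"{identifier}:{token}".encode()).decode()
    req.add_header("Authorization", f"Basic {cred}")
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as exc:
        if exc.code == 403:
            raise PermissionError("API user lacks the Program Management permission") from exc
        raise


def iter_audit_items(fetch_page, size=MAX_PAGE_SIZE, max_pages=1000):
    """Yield audit-log items page by page.

    fetch_page(number, size) returns the decoded JSON body. Paging stops on an
    empty or short page (an assumption of this example) instead of relying on
    the "links" object, which is empty in the documented response.
    """
    if not 1 <= size <= MAX_PAGE_SIZE:
        raise ValueError("page[size] must be between 1 and 100")
    for number in range(1, max_pages + 1):
        items = fetch_page(number, size).get("data") or []
        yield from items
        if len(items) < size:
            return
    raise RuntimeError("max_pages reached; the audit log may be truncated")


def external_invitations(items, trusted_domains):
    """Return (created_at, actor, email) for invitations outside trusted domains."""
    trusted = {d.lower() for d in trusted_domains}
    findings = []
    for item in items:
        attrs = item.get("attributes", {})
        if attrs.get("event") != INVITE_EVENT:
            continue
        match = INVITE_LOG.match(attrs.get("log", ""))
        if match is None:
            # Unparseable invitation text is surfaced for review, not dropped.
            findings.append((attrs.get("created_at"), None, attrs.get("log")))
            continue
        domain = match["email"].rsplit("@", 1)[1].lower()
        if domain not in trusted:
            findings.append((attrs.get("created_at"), match["actor"], match["email"]))
    return findings


def make_item(item_id, log, event, created_at):
    """Build one constructed audit-log item in the documented shape."""
    return {"id": str(item_id), "type": "audit-log-item",
            "attributes": {"log": log, "event": event, "source": "User#1",
                           "subject": f"Invitation#{item_id}", "created_at": created_at}}


# Constructed sample pages for page[size]=2; not real audit data.
# "constructed.other.event" is a placeholder, not a documented event name.
SAMPLE_PAGES = {
    1: {"data": [
        make_item(1, '"@member" invited "someone@example.com".', INVITE_EVENT,
                  "2019-05-15T04:05:06.000Z"),
        make_item(2, '"@member" invited "contractor@example.net".', INVITE_EVENT,
                  "2019-05-16T04:05:06.000Z"),
    ], "links": {}},
    2: {"data": [
        make_item(3, "constructed non-invitation entry", "constructed.other.event",
                  "2019-05-17T04:05:06.000Z"),
    ], "links": {}},
}


def sample_fetch(number, size):
    """Offline stand-in for http_fetch_page, serving the constructed pages."""
    return SAMPLE_PAGES.get(number, {"data": [], "links": {}})


if __name__ == "__main__":
    entries = list(iter_audit_items(sample_fetch, size=2))
    for finding in external_invitations(entries, {"example.com"}):
        print(finding)
```

Against the live API, pass `lambda n, s: http_fetch_page(program_id, identifier, token, n, s)` as `fetch_page`.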

Get Your Programs

Query your programs

curl "https://api.hackerone.com/v1/me/programs" \
  -u "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ="

Example response (200 OK)

{
  "data": [
    {
      "id": "1",
      "type": "program",
      "attributes": {
        "handle": "security",
        "created_at": "2017-01-01T08:00:00.000Z",
        "updated_at": "2017-02-17T04:34:15.910Z"
      }
    }
  ],
  "links": {}
}

This API endpoint allows you to query the program objects that you are a member of. The groups and members relationships are not included in the response.

Description: Use this API endpoint to query all program objects you are a member of.

HTTP Request

GET https://api.hackerone.com/v1/me/programs

Query Parameters

Name Description Required Type
handle The HackerOne handle of the program whose activities you wish to retrieve. Yes String
updated_at_after A datetime encoded as a string. Used to indicate what cut-off date to use when retrieving activities. When not provided, no filtering is applied and all activities will be retrieved. No DateTime
page This parameter can be used to specify the page number and size the client wants to query. No Object
page[number] The page to retrieve. No Integer
page[size] The number of objects per page; currently limited from 1 to 100. Default: 25 No Integer

Get Balance

Query the current balance for a program

curl "https://api.hackerone.com/api/v1/programs/13/billing/balance" \
  -u "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ="

Example response (200 OK)

{
  "data": {
    "balance": "12000.00"
  }
}

This API endpoint allows a user to retrieve the current balance of the program.

HTTP Request

GET https://api.hackerone.com/api/v1/programs/{id}/billing/balance

URI Parameters

Name Description Required Type
id The ID of the program. Yes Integer

Get Payment Transactions

Query payment transactions for a program

curl "https://api.hackerone.com/api/v1/programs/13/billing/transactions?month=9&year=2019" \
  -u "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ="

Example response (200 OK)

{
  "data": [
    {
      "id": 10,
      "activity_date": "2019-09-25T04:22:42.686Z",
      "activity_description": "Bounty for report #9",
      "bounty_award": "1000.00",
      "bounty_fee": "200.00",
      "debit_or_credit_amount": "-1200.00",
      "balance": "-1200.00",
      "report_id": 9,
      "report_url": "http://hackerone.com/reports/9"
    }
  ]
}

Returns a list of the payment-transaction objects of the provided program.

Description: This API endpoint allows a user to retrieve a list of the program's payment transactions for the selected period.

HTTP Request

GET https://api.hackerone.com/api/v1/programs/{id}/billing/transactions

URI Parameters

Name Description Required Type
id The ID of the program. Yes Integer

Query Parameters

Name Description Required Type
month The month of the transaction period. Default: the current month No Integer
year The year of the transaction period. Default: the current year No Integer

Users

Get User

Read a user

curl "https://api.hackerone.com/v1/users/fransrosen" \
  -u "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ="

Example response (200 OK)

{
  "id": "1634",
  "username": "fransrosen",
  "name": "Frans Rosén",
  "reputation": 1337,
  "disabled": false,
  "signal": 7.0,
  "impact": 30.0,
  "created_at": "2015-13-37T04:05:06.000Z",
  "participating_programs": {
     "data": [{
       "id": "1337",
       "type":"program",
       "attributes": {
         "handle": "security",
         "created_at": "2014-13-37T04:05:06.000Z",
         "updated_at": "2014-13-37T04:05:06.000Z"
       }
      }]
  }
}

Description: A user object can be fetched by providing the username of the given user. When the request is successful, the API will respond with a user object.

HTTP Request

GET https://api.hackerone.com/v1/users/{username}

URI Parameters

Name Description Required Type
username The HackerOne username of the user. Yes String

Objects

The following section contains a complete reference of all the objects that can be returned through the API. Objects that have been explained earlier in this documentation are not included. The objects in this section are never top level resources by themselves and will only be returned as sub resources.

All objects are made up of an id and a type attribute. With those, additional attributes and relationships can be specified. For an example of what the data schema looks like, take a look at the response structure or the response object. Additional reading can be done at jsonapi.org.

User

User object

{
  "id": "1337",
  "type": "user",
  "attributes": {
    "username": "api-example",
    "name": "API Example",
    "disabled": false,
    "created_at": "2016-02-02T04:05:06.000Z",
    "profile_picture": {
      "62x62": "/assets/avatars/default.png",
      "82x82": "/assets/avatars/default.png",
      "110x110": "/assets/avatars/default.png",
      "260x260": "/assets/avatars/default.png"
    }
  }
}

User objects represent accounts on HackerOne. These objects are mostly referenced when someone performed an action using that account. All different actors on the platform, hackers, API users, and program users, have a user account.

Attributes

Name Description Required Type
disabled Indicates if the user is disabled. Yes Boolean
username The username of the user. Usernames are unique and scoped under the same namespace as program handles. Yes String
name The name of the user. A name may be empty and is free-format. Yes String
profile_picture An object that holds URLs to different profile picture sizes. Yes Object
profile_picture/62x62 Yes String
profile_picture/82x82 Yes String
profile_picture/110x110 Yes String
profile_picture/260x260 Yes String
bio The user's biography, as provided by the user. No String
website The user's website, as provided by the user. No String
location The user's location, as provided by the user. No String
reputation The reputation of the user. Read more about how this number is calculated here. This attribute is only included in the reporter relationship of a report object. No Number
signal The signal of the user. This number ranges from -10 to 7. The closer to 7, the higher the average submission quality of the user. This attribute is only included in the reporter relationship of a report object. Learn more about how this number is calculated here. No Number
impact The impact of the user. This number ranges from 0 to 50. The closer to 50, the higher the average severity of the user's reports is. This attribute is only included in the reporter relationship of a report object. Learn more about how this number is calculated here. No Number
hackerone_triager Indicates if the user is a HackerOne triager. No Boolean
created_at The date and time the object was created. Formatted according to ISO 8601. Yes Date

Relationships

Name Description Required Type
participating_programs List of private programs that you manage to which this user is invited. This attribute is only included when making use of the User>Read endpoint. No Object[]

Bounty

Bounty object

{
  "id": "1337",
  "type": "bounty",
  "attributes": {
    "amount": "500.00",
    "bonus_amount": "50.00",
    "created_at": "2016-02-02T04:05:06.000Z"
  }
}

When a program pays a bounty to the hacker, a bounty object is created. A report may contain multiple bounty objects, one for each time a bounty was awarded. The hacker that reported the vulnerability is the user that received the bounty.

Attributes

Name Description Required Type
amount Amount in USD. No String
bonus_amount Bonus amount in USD. No String
awarded_amount Amount in awarded currency. No String
awarded_bonus_amount Bonus amount in awarded currency. No String
awarded_currency The currency used to award the bounty and bonus. No String
created_at The date and time the object was created. Formatted according to ISO 8601. Yes Date

Payment Transaction

Payment transaction object

{
  "id": 10,
  "activity_date": "2019-09-25T04:22:42.686Z",
  "activity_description": "Bounty for report #9",
  "bounty_award": "1000.00",
  "bounty_fee": "200.00",
  "debit_or_credit_amount": "-1200.00",
  "balance": "-1200.00",
  "report_id": 9,
  "report_url": "http://hackerone.com/reports/9"
}

A Transaction object represents the information about the program payment transaction.

Attributes

Name Description Required Type
id The unique ID of the transaction. Yes Integer
activity_date The date and time of the activity. Formatted according to ISO 8601. Yes Date
activity_description The description of the activity. Yes String
bounty_award The amount of awarded bounty. Yes String
bounty_fee The HackerOne bounty fee. Yes String
debit_or_credit_amount The amount that's debited or credited from your balance. No String
balance The program's balance after this transaction. Yes String
report_id The id of the report with the awarded bounty. Yes Integer
report_url The URL of the report with the awarded bounty. Yes String

Weakness

Weakness object

{
  "id": "1337",
  "type": "weakness",
  "attributes": {
    "name": "Cross-Site Request Forgery (CSRF)",
    "description": "The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.",
    "created_at": "2016-02-02T04:05:06.000Z",
    "external_id": "cwe-352"
  }
}

A Weakness object represents the type of weakness the hacker submitted to a program. The weakness was initially provided by the hacker, but may be reviewed and corrected by the program.

Attributes

Name Description Required Type
name The name of the weakness. Yes String
description The raw description of the weakness. Markdown is not parsed. Yes String
external_id The weakness' external reference to CWE or CAPEC. No String
created_at The date and time the object was created. Formatted according to ISO 8601. Yes Date

Structured Scope

StructuredScope object

{
  "id": "57",
  "type": "structured-scope",
  "attributes": {
    "asset_identifier": "api.example.com",
    "asset_type": "url",
    "confidentiality_requirement": "high",
    "integrity_requirement": "high",
    "availability_requirement": "high",
    "max_severity": "critical",
    "created_at": "2015-02-02T04:05:06.000Z",
    "updated_at": "2016-05-02T04:05:06.000Z",
    "instruction": null,
    "eligible_for_bounty": true,
    "eligible_for_submission": true,
    "reference": "H001001"
  }
}

A StructuredScope object represents an asset defined by the program. The scope on a report was initially provided by the hacker, but may be reviewed and corrected by the program.

Name Description Possible Values Required Type
asset_identifier The identifier of the asset. Yes String
asset_type The type of the asset. Yes String
eligible_for_bounty If the asset is eligible for bounty. Yes Boolean
eligible_for_submission If the asset is eligible for submission. Yes Boolean
instruction The raw instruction of the asset provided by the program. Markdown is not parsed. No String
confidentiality_requirement A CVSS environmental modifier that reweights Confidentiality Impact of a vulnerability on this asset. none, low, medium, high No String
integrity_requirement A CVSS environmental modifier that reweights Integrity Impact of a vulnerability on this asset. none, low, medium, high No String
availability_requirement A CVSS environmental modifier that reweights Availability Impact of a vulnerability on this asset. none, low, medium, high No String
max_severity The qualitative rating of the maximum severity allowed on this asset. Its value is calculated from the combination of all three of the environmental requirements (CR, IR, and AR). none, low, medium, high, critical Yes String
created_at The date and time the object was created. Formatted according to ISO 8601. Yes Date
updated_at The date and time the object was updated. Formatted according to ISO 8601. Yes Date
reference The customer defined reference identifier or tag of the asset. No Date

Severity

Severity object

{
  "id": "57",
  "type": "severity",
  "attributes": {
    "rating": "high",
    "author_type": "User",
    "user_id": 1337,
    "created_at": "2016-02-02T04:05:06.000Z",
    "score": 8.7,
    "attack_complexity": "low",
    "attack_vector": "adjacent",
    "availability": "high",
    "confidentiality": "low",
    "integrity": "high",
    "privileges_required": "low",
    "user_interaction": "required",
    "scope": "changed"
  }
}

A severity object represents the severity of a report, if provided by the reporter or a team member.

Attributes

Name Description Possible Values Required Type
rating The qualitative rating of the severity. Provided either directly from the author or mapped from the calculated vulnerability score. none, low, medium, high, critical Yes String
author_type The involved party that provided the severity. User, Team Yes String
user_id The unique id of the user who created the object. Yes Integer
score The vulnerability score calculated from the Common Vulnerability Scoring System (CVSS). Only present if CVSS metrics were provided. No Number
attack_vector A CVSS metric that reflects the context by which vulnerability exploitation is possible. network, adjacent, local, physical No String
attack_complexity A CVSS metric that describes the conditions beyond the attacker's control that must exist in order to exploit the vulnerability. low, high No String
privileges_required A CVSS metric that describes the level of privileges an attacker must possess before successfully exploiting the vulnerability. none, low, high No String
user_interaction A CVSS metric that captures the requirement for a user, other than the attacker, to participate in the successful compromise of the vulnerability component. none, required No String
scope A CVSS metric that determines if a successful attack impacts a component other than the vulnerable component. unchanged, changed No String
confidentiality A CVSS metric that measures the impact to the confidentiality of the information resources managed by a software component due to a successfully exploited vulnerability. none, low, high No String
integrity A CVSS metric that measures the impact to the integrity of a successfully exploited vulnerability. none, low, high No String
availability A CVSS metric that measures the availability of the impacted component resulting from a successfully exploited vulnerability. none, low, high No String
created_at The date and time the object was created. Formatted according to ISO 8601. Yes Date

Attachment

Attachment object

{
  "id": "1337",
  "type": "attachment",
  "attributes": {
    "expiring_url": "/system/attachments/files/000/001/337/original/root.rb?1454385906",
    "created_at": "2016-02-02T04:05:06.000Z",
    "file_name": "root.rb",
    "content_type": "text/x-ruby",
    "file_size": 2871
  }
}

Users can add attachments when they file a report or when they interact with a report. Attachments may contain dangerous proofs of concept and should be handled with caution.

Attributes

Name Description Required Type
file_name The file name of the attachment. Yes String
content_type The content type of the attachment. The content type is derived from the contents and extension of the file. Yes String
file_size The file size of the attachment in bytes. Yes Integer
expiring_url A URL to download the attachment. The URL will automatically expire after 60 minutes. Yes String
created_at The date and time the object was created. Formatted according to ISO 8601. Yes Date
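
An added example, not HackerOne's own code: one way to store a downloaded attachment so that its file_name cannot escape the target directory, the file is never executable, and a size mismatch is rejected. The quarantine directory, the `.quarantine` suffix, the local size limit and the sample attachment are assumptions of this example.

```python
import hashlib
import os
import re

MAX_BYTES = 50 * 1024 * 1024  # assumed local limit, not an API limit

# Constructed sample: an attachment object whose file_name tries to traverse paths.
SAMPLE_ATTACHMENT = {
    "id": "1337",
    "type": "attachment",
    "attributes": {
        "file_name": "../../.ssh/root.rb",
        "content_type": "text/x-ruby",
        "file_size": 11,
    },
}
SAMPLE_BYTES = b"puts 'poc'\n"  # constructed content, 11 bytes


def safe_name(attachment):
    """Build a storage name from the attachment id and a sanitized file_name."""
    attachment_id = str(attachment["id"])
    if not re.fullmatch(r"[0-9]+", attachment_id):
        raise ValueError("unexpected attachment id")
    raw = attachment["attributes"]["file_name"]
    # Keep only the last path component, for both / and \ separators.
    base = re.split(r"[\\/]", raw)[-1]
    # Replace anything outside a conservative character set; drop leading dots.
    base = re.sub(r"[^A-Za-z0-9._-]", "_", base).lstrip(".")[:100] or "unnamed"
    # The fixed suffix keeps the OS from opening the file by its original extension.
    return f"{attachment_id}_{base}.quarantine"


def quarantine(attachment, content, directory):
    """Write content into directory and return (path, sha256 hex digest).

    content_type is reported by the API but deliberately not used for any
    decision here; the stored bytes are identified by their hash instead.
    """
    declared = attachment["attributes"]["file_size"]
    if len(content) != declared:
        raise ValueError(f"size mismatch: declared {declared}, got {len(content)}")
    if len(content) > MAX_BYTES:
        raise ValueError("attachment exceeds the local size limit")
    os.makedirs(directory, mode=0o700, exist_ok=True)
    path = os.path.join(directory, safe_name(attachment))
    # O_EXCL refuses to overwrite or follow an existing link at this path;
    # mode 0o600 sets no execute bit and no group/other access.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as handle:
        handle.write(content)
    return path, hashlib.sha256(content).hexdigest()


if __name__ == "__main__":
    import tempfile

    with tempfile.TemporaryDirectory() as tmp:
        print(quarantine(SAMPLE_ATTACHMENT, SAMPLE_BYTES, os.path.join(tmp, "quarantine")))
```

Because expiring_url stops working after 60 minutes, record the returned digest alongside the report ID rather than the URL.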

Report Summary

Report Summary object

{
  "id": "1337",
  "type": "report-summary",
  "attributes": {
    "content": "There was a cross-site scripting vulnerability in our login form.",
    "category": "team",
    "created_at": "2016-02-02T04:05:06.000Z",
    "updated_at": "2016-02-02T04:05:06.000Z"
  },
  "relationships": {
    "user": {
      "data": {
        "id": "1337",
        "type": "user",
        "attributes": {
          "username": "api-example",
          "name": "API Example",
          "disabled": false,
          "created_at": "2016-02-02T04:05:06.000Z",
          "profile_picture": {
            "62x62": "/assets/avatars/default.png",
            "82x82": "/assets/avatars/default.png",
            "110x110": "/assets/avatars/default.png",
            "260x260": "/assets/avatars/default.png"
          }
        }
      }
    }
  }
}

Before a report is disclosed, the program and the hacker may add a summary. A report can have only one summary per party. Unlike activities, summaries can be edited through HackerOne indefinitely.

Attributes

Name Description Possible Values Required Type
content The raw summary of the report. Markdown is not parsed. Yes String
category The involved party that wrote the summary. researcher, team Yes String
created_at The date and time the object was created. Formatted according to ISO 8601. Yes Date
updated_at The date and time the object was last updated. Formatted according to ISO 8601. Yes Date

Relationships

Name Description Required Type
user The author that added the summary to the report. Yes user

Group

Group object

{
  "id": "1337",
  "type": "group",
  "attributes": {
    "name": "Admin",
    "created_at": "2016-02-02T04:05:06.000Z",
    "permissions": [
      "user_management",
      "report_management"
    ]
  }
}

A group represents a set of users. A group is used to delegate permissions for the users in it. It can also be assigned to one or multiple reports.

Attributes

Name Description Required Type
name The name of the group. Yes String
permissions The permissions of the group. Possible values are reward_management, program_management, user_management, and report_management. Yes String[]
created_at The date and time the object was created. Formatted according to ISO 8601. Yes Date

Member

A member represents a user that is part of a program. A member is used to delegate permissions for the users attached to it.

Attributes

Name Description Required Type
permissions The permissions of the member. Possible values are reward_management, program_management, user_management, and report_management. Yes String[]
created_at The date and time the object was created. Formatted according to ISO 8601. Yes Date

Relationships

Name Description Required Type
user The user that is part of the program. Yes user

Swag

Swag object

{
  "id": "1337",
  "type": "swag",
  "attributes": {
    "sent": false,
    "created_at": "2016-02-02T04:05:06.000Z"
  },
  "relationships": {
    "user": {
      "data": {
        "id": "1337",
        "type": "user",
        "attributes": {
          "username": "api-example",
          "name": "API Example",
          "disabled": false,
          "created_at": "2016-02-02T04:05:06.000Z",
          "profile_picture": {
            "62x62": "/assets/avatars/default.png",
            "82x82": "/assets/avatars/default.png",
            "110x110": "/assets/avatars/default.png",
            "260x260": "/assets/avatars/default.png"
          }
        }
      }
    },
    "address": {
      "data": {
        "id": "1337",
        "type": "address",
        "attributes": {
          "name": "Jane Doe",
          "street": "535 Mission Street",
          "city": "San Francisco",
          "postal_code": "94105",
          "state": "CA",
          "country": "United States of America",
          "created_at": "2016-02-02T04:05:06.000Z",
          "tshirt_size": "W_Large",
          "phone_number": "+1-510-000-0000"
        }
      }
    }
  }
}

Besides a financial reward, which is called a bounty, programs can award swag. Report objects may contain multiple swag objects, one for each time swag was awarded.

Attributes

Name Description Required Type
sent Indicates whether the swag has been marked as sent. Swag can be marked as sent through the HackerOne interface. Yes Boolean
created_at The date and time the object was created. Formatted according to ISO 8601. Yes Date

Relationships

Name Description Required Type
address The user's address to send the swag to. No Address

Address

Address object

{
  "id": "1337",
  "type": "address",
  "attributes": {
    "name": "Jane Doe",
    "street": "535 Mission Street",
    "city": "San Francisco",
    "postal_code": "94105",
    "state": "CA",
    "country": "United States of America",
    "created_at": "2016-02-02T04:05:06.000Z",
    "tshirt_size": "W_Large",
    "phone_number": "+1-510-000-0000"
  }
}

This object contains the postal address for the delivery of awarded swag.

Attributes

Name Description Possible Values Required Type
name Yes String
street Yes String
city Yes String
postal_code Yes String
state Yes String
country Yes String
tshirt_size No String
phone_number No String
tshirt_size M_Small, M_Medium, M_Large, M_XLarge, M_XXLarge, W_Small, W_Medium, W_Large, W_XLarge, W_XXLarge No String
created_at The date and time the object was created. Formatted according to ISO 8601. Yes Date

Activity

These objects represent an action that was performed on a report. Activities come in many sub types that can have additional attributes.

Attributes

Name Description Required Type
report_id The report associated with the activity. No String
message The comment associated with the activity. May be updated through the HackerOne interface. Markdown is not parsed. Yes String
internal Indicates if this activity can only be read by Program users and external users that were invited to the report. Yes Boolean
created_at The date and time the object was created. Formatted according to ISO 8601. Yes Date
updated_at The date and time the object was last updated. Formatted according to ISO 8601. Yes Date

Relationships

Name Description Required Type
actor The author of the activity. No User / Program
attachments A list of Attachment objects added to the activity. No Attachment

Activity Agreed On Going Public

Inherits attributes and relationships from the Activity object.

Activity Agreed on Going Public object

{
  "id": "1337",
  "type": "activity-agreed-on-going-public",
  "attributes": {
    "message": "Agreed On Going Public!",
    "created_at": "2016-02-02T04:05:06.000Z",
    "updated_at": "2016-02-02T04:05:06.000Z",
    "internal": false,
    "disclosed_at": "2016-02-02T15:26:47.000Z"
  },
  "relationships": {
    "actor": {
      "data": {
        "id": "1337",
        "type": "user",
        "attributes": {
          "username": "api-example",
          "name": "API Example",
          "disabled": false,
          "created_at": "2016-02-02T04:05:06.000Z",
          "profile_picture": {
            "62x62": "/assets/avatars/default.png",
            "82x82": "/assets/avatars/default.png",
            "110x110": "/assets/avatars/default.png",
            "260x260": "/assets/avatars/default.png"
          }
        }
      }
    }
  }
}

Activity Bounty Awarded

Activity Bounty Awarded object

{
  "id": "1337",
  "type": "activity-bounty-awarded",
  "attributes": {
    "message": "Bounty Awarded!",
    "created_at": "2016-02-02T04:05:06.000Z",
    "updated_at": "2016-02-02T04:05:06.000Z",
    "internal": false,
    "bounty_amount": "500",
    "bonus_amount": "50"
  },
  "relationships": {
    "actor": {
      "data": {
        "id": "1337",
        "type": "program",
        "attributes": {
          "handle": "security",
          "created_at": "2016-02-02T04:05:06.000Z",
          "updated_at": "2016-02-02T04:05:06.000Z"
        }
      }
    }
  }
}

Inherits attributes and relationships from the Activity object.

Attributes

Name Description Required Type
bounty_amount No String
bonus_amount No String

Activity Bounty Suggested

Activity Bounty Suggested object

{
  "id": "1337",
  "type": "activity-bounty-suggested",
  "attributes": {
    "message": "Bounty Suggested!",
    "created_at": "2016-02-02T04:05:06.000Z",
    "updated_at": "2016-02-02T04:05:06.000Z",
    "internal": false,
    "bounty_amount": "500",
    "bonus_amount": "50"
  },
  "relationships": {
    "actor": {
      "data": {
        "id": "1337",
        "type": "user",
        "attributes": {
          "username": "api-example",
          "name": "API Example",
          "disabled": false,
          "created_at": "2016-02-02T04:05:06.000Z",
          "profile_picture": {
            "62x62": "/assets/avatars/default.png",
            "82x82": "/assets/avatars/default.png",
            "110x110": "/assets/avatars/default.png",
            "260x260": "/assets/avatars/default.png"
          }
        }
      }
    }
  }
}

Inherits attributes and relationships from the Activity object.

Attributes

| Name | Description | Required | Type |
| --- | --- | --- | --- |
| bounty_amount | | No | String |
| bonus_amount | | No | String |

Activity Bug Cloned

Activity Bug Cloned object

{
  "id": "1337",
  "type": "activity-bug-cloned",
  "attributes": {
    "message": "Bug Cloned!",
    "created_at": "2016-02-02T04:05:06.000Z",
    "updated_at": "2016-02-02T04:05:06.000Z",
    "internal": true,
    "original_report_id": 1336
  },
  "relationships": {
    "actor": {
      "data": {
        "id": "1337",
        "type": "user",
        "attributes": {
          "username": "api-example",
          "name": "API Example",
          "disabled": false,
          "created_at": "2016-02-02T04:05:06.000Z",
          "profile_picture": {
            "62x62": "/assets/avatars/default.png",
            "82x82": "/assets/avatars/default.png",
            "110x110": "/assets/avatars/default.png",
            "260x260": "/assets/avatars/default.png"
          }
        }
      }
    }
  }
}

Inherits attributes and relationships from the Activity object.

Attributes

| Name | Description | Required | Type |
| --- | --- | --- | --- |
| original_report_id | | Yes | Integer |

Activity Bug Duplicate

Activity Bug Duplicate object

{
  "id": "1337",
  "type": "activity-bug-duplicate",
  "attributes": {
    "message": "Bug Duplicate!",
    "created_at": "2016-02-02T04:05:06.000Z",
    "updated_at": "2016-02-02T04:05:06.000Z",
    "internal": false,
    "original_report_id": 1336
  },
  "relationships": {
    "actor": {
      "data": {
        "id": "1337",
        "type": "user",
        "attributes": {
          "username": "api-example",
          "name": "API Example",
          "disabled": false,
          "created_at": "2016-02-02T04:05:06.000Z",
          "profile_picture": {
            "62x62": "/assets/avatars/default.png",
            "82x82": "/assets/avatars/default.png",
            "110x110": "/assets/avatars/default.png",
            "260x260": "/assets/avatars/default.png"
          }
        }
      }
    }
  }
}

Inherits attributes and relationships from the Activity object.

Attributes

| Name | Description | Required | Type |
| --- | --- | --- | --- |
| original_report_id | | No | Integer |

Activity Bug Informative

Activity Bug Informative object

{
  "id": "1337",
  "type": "activity-bug-informative",
  "attributes": {
    "message": "Bug Informative!",
    "created_at": "2016-02-02T04:05:06.000Z",
    "updated_at": "2016-02-02T04:05:06.000Z",
    "internal": false
  },
  "relationships": {
    "actor": {
      "data": {
        "id": "1337",
        "type": "user",
        "attributes": {
          "username": "api-example",
          "name": "API Example",
          "disabled": false,
          "created_at": "2016-02-02T04:05:06.000Z",
          "profile_picture": {
            "62x62": "/assets/avatars/default.png",
            "82x82": "/assets/avatars/default.png",
            "110x110": "/assets/avatars/default.png",
            "260x260": "/assets/avatars/default.png"
          }
        }
      }
    }
  }
}

Inherits attributes and relationships from the Activity object.

Activity Bug Needs More Info

Activity Bug Needs More Info object

{
  "id": "1337",
  "type": "activity-bug-needs-more-info",
  "attributes": {
    "message": "Bug Needs More Info!",
    "created_at": "2016-02-02T04:05:06.000Z",
    "updated_at": "2016-02-02T04:05:06.000Z",
    "internal": false
  },
  "relationships": {
    "actor": {
      "data": {
        "id": "1337",
        "type": "user",
        "attributes": {
          "username": "api-example",
          "name": "API Example",
          "disabled": false,
          "created_at": "2016-02-02T04:05:06.000Z",
          "profile_picture": {
            "62x62": "/assets/avatars/default.png",
            "82x82": "/assets/avatars/default.png",
            "110x110": "/assets/avatars/default.png",
            "260x260": "/assets/avatars/default.png"
          }
        }
      }
    }
  }
}

Inherits attributes and relationships from the Activity object.

Activity Bug New

Activity Bug New object

{
  "id": "1337",
  "type": "activity-bug-new",
  "attributes": {
    "message": "Bug New!",
    "created_at": "2016-02-02T04:05:06.000Z",
    "updated_at": "2016-02-02T04:05:06.000Z",
    "internal": false
  },
  "relationships": {
    "actor": {
      "data": {
        "id": "1337",
        "type": "user",
        "attributes": {
          "username": "api-example",
          "name": "API Example",
          "disabled": false,
          "created_at": "2016-02-02T04:05:06.000Z",
          "profile_picture": {
            "62x62": "/assets/avatars/default.png",
            "82x82": "/assets/avatars/default.png",
            "110x110": "/assets/avatars/default.png",
            "260x260": "/assets/avatars/default.png"
          }
        }
      }
    }
  }
}

Inherits attributes and relationships from the Activity object.

Activity Bug Not Applicable

Activity Bug Not Applicable object

{
  "id": "1337",
  "type": "activity-bug-not-applicable",
  "attributes": {
    "message": "Bug Not Applicable!",
    "created_at": "2016-02-02T04:05:06.000Z",
    "updated_at": "2016-02-02T04:05:06.000Z",
    "internal": false
  },
  "relationships": {
    "actor": {
      "data": {
        "id": "1337",
        "type": "user",
        "attributes": {
          "username": "api-example",
          "name": "API Example",
          "disabled": false,
          "created_at": "2016-02-02T04:05:06.000Z",
          "profile_picture": {
            "62x62": "/assets/avatars/default.png",
            "82x82": "/assets/avatars/default.png",
            "110x110": "/assets/avatars/default.png",
            "260x260": "/assets/avatars/default.png"
          }
        }
      }
    }
  }
}

Inherits attributes and relationships from the Activity object.

Activity Bug Inactive

Activity Bug Inactive object

{
  "id": "1337",
  "type": "activity-bug-inactive",
  "attributes": {
    "message": "Bug closed automatically due to inactivity in the last 30 days.",
    "created_at": "2016-02-02T04:05:06.000Z",
    "updated_at": "2016-02-02T04:05:06.000Z",
    "internal": false
  },
  "relationships": {
    "actor": {
      "data": null
    }
  }
}

Inherits attributes and relationships from the Activity object.

Activity Bug Reopened

Activity Bug Reopened object

{
  "id": "1337",
  "type": "activity-bug-reopened",
  "attributes": {
    "message": "Bug Reopened!",
    "created_at": "2016-02-02T04:05:06.000Z",
    "updated_at": "2016-02-02T04:05:06.000Z",
    "internal": false
  },
  "relationships": {
    "actor": {
      "data": {
        "id": "1337",
        "type": "user",
        "attributes": {
          "username": "api-example",
          "name": "API Example",
          "disabled": false,
          "created_at": "2016-02-02T04:05:06.000Z",
          "profile_picture": {
            "62x62": "/assets/avatars/default.png",
            "82x82": "/assets/avatars/default.png",
            "110x110": "/assets/avatars/default.png",
            "260x260": "/assets/avatars/default.png"
          }
        }
      }
    }
  }
}

Inherits attributes and relationships from the Activity object.

Activity Bug Resolved

Activity Bug Resolved object

{
  "id": "1337",
  "type": "activity-bug-resolved",
  "attributes": {
    "message": "Bug Resolved!",
    "created_at": "2016-02-02T04:05:06.000Z",
    "updated_at": "2016-02-02T04:05:06.000Z",
    "internal": false
  },
  "relationships": {
    "actor": {
      "data": {
        "id": "1337",
        "type": "user",
        "attributes": {
          "username": "api-example",
          "name": "API Example",
          "disabled": false,
          "created_at": "2016-02-02T04:05:06.000Z",
          "profile_picture": {
            "62x62": "/assets/avatars/default.png",
            "82x82": "/assets/avatars/default.png",
            "110x110": "/assets/avatars/default.png",
            "260x260": "/assets/avatars/default.png"
          }
        }
      }
    }
  }
}

Inherits attributes and relationships from the Activity object.

Activity Bug Spam

Activity Bug Spam object

{
  "id": "1337",
  "type": "activity-bug-spam",
  "attributes": {
    "message": "Bug Spam!",
    "created_at": "2016-02-02T04:05:06.000Z",
    "updated_at": "2016-02-02T04:05:06.000Z",
    "internal": false
  },
  "relationships": {
    "actor": {
      "data": {
        "id": "1337",
        "type": "user",
        "attributes": {
          "username": "api-example",
          "name": "API Example",
          "disabled": false,
          "created_at": "2016-02-02T04:05:06.000Z",
          "profile_picture": {
            "62x62": "/assets/avatars/default.png",
            "82x82": "/assets/avatars/default.png",
            "110x110": "/assets/avatars/default.png",
            "260x260": "/assets/avatars/default.png"
          }
        }
      }
    }
  }
}

Inherits attributes and relationships from the Activity object.

Activity Bug Triaged

Activity Bug Triaged object

{
  "id": "1337",
  "type": "activity-bug-triaged",
  "attributes": {
    "message": "Bug Triaged!",
    "created_at": "2016-02-02T04:05:06.000Z",
    "updated_at": "2016-02-02T04:05:06.000Z",
    "internal": false
  },
  "relationships": {
    "actor": {
      "data": {
        "id": "1337",
        "type": "user",
        "attributes": {
          "username": "api-example",
          "name": "API Example",
          "disabled": false,
          "created_at": "2016-02-02T04:05:06.000Z",
          "profile_picture": {
            "62x62": "/assets/avatars/default.png",
            "82x82": "/assets/avatars/default.png",
            "110x110": "/assets/avatars/default.png",
            "260x260": "/assets/avatars/default.png"
          }
        }
      }
    }
  }
}

Inherits attributes and relationships from the Activity object.

Activity Changed Scope

Activity Changed Scope object

{
  "id": "1337",
  "type": "activity-changed-scope",
  "attributes": {
    "message": "A different scope has added",
    "created_at": "2016-02-02T04:05:06.000Z",
    "updated_at": "2016-02-02T04:05:06.000Z",
    "internal": false
  },
  "relationships": {
    "actor": {
      "data": {
        "id": "1337",
        "type": "user",
        "attributes": {
          "username": "api-example",
          "name": "API Example",
          "disabled": false,
          "created_at": "2016-02-02T04:05:06.000Z",
          "profile_picture": {
            "62x62": "/assets/avatars/default.png",
            "82x82": "/assets/avatars/default.png",
            "110x110": "/assets/avatars/default.png",
            "260x260": "/assets/avatars/default.png"
          }
        }
      }
    },
    "old_scope": {
      "data": {
        "id": "1337",
        "type": "structured_scope",
        "attributes": {
          "asset_identifier": "www.example.com",
          "asset_type": "url",
          "confidentiality_requirement": null,
          "integrity_requirement": null,
          "availability_requirement": null,
          "max_severity": "critical",
          "created_at": "2015-02-02T04:05:06.000Z",
          "updated_at": "2016-05-02T04:05:06.000Z",
          "instruction": "not eligible for bounty",
          "eligible_for_bounty": false,
          "eligible_for_submission": true
        }
      }
    },
    "new_scope": {
      "data": {
        "id": "1338",
        "type": "structured_scope",
        "attributes": {
          "asset_identifier": "api.example.com",
          "asset_type": "url",
          "confidentiality_requirement": "high",
          "integrity_requirement": "high",
          "availability_requirement": "high",
          "max_severity": "critical",
          "created_at": "2015-02-02T04:05:06.000Z",
          "updated_at": "2016-05-02T04:05:06.000Z",
          "instruction": null,
          "eligible_for_bounty": true,
          "eligible_for_submission": true
        }
      }
    }
  }
}

Inherits attributes and relationships from the Activity object.

Attributes

| Name | Description | Required | Type |
| --- | --- | --- | --- |
| old_scope | | Yes | Structured Scope |
| new_scope | | Yes | Structured Scope |
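The activity objects above differ in ways a consumer has to handle: `bounty_amount` and `bonus_amount` are strings, the actor can be a user, a program, or `null` (Activity Bug Inactive), and `internal` separates team-only activities from the rest. The following is an added example, not part of the HackerOne documentation or client code: it normalizes activities into flat events and builds a feed that leaves out internal ones. The function names are hypothetical, the sample data is constructed from the objects shown above, and treating `internal: true` as "must not leave the program team" is an assumption.

```python
import json
from decimal import Decimal, InvalidOperation

# Constructed sample data: trimmed copies of the example objects above.
SAMPLE_ACTIVITIES = json.loads("""
[
 {"id": "1", "type": "activity-bounty-awarded",
  "attributes": {"created_at": "2016-02-02T04:05:06.000Z", "internal": false,
                 "bounty_amount": "500", "bonus_amount": "50"},
  "relationships": {"actor": {"data": {"id": "1337", "type": "program",
                                       "attributes": {"handle": "security"}}}}},
 {"id": "2", "type": "activity-bug-inactive",
  "attributes": {"created_at": "2016-02-02T04:05:06.000Z", "internal": false},
  "relationships": {"actor": {"data": null}}},
 {"id": "3", "type": "activity-bug-cloned",
  "attributes": {"created_at": "2016-02-02T04:05:06.000Z", "internal": true,
                 "original_report_id": 1336},
  "relationships": {"actor": {"data": {"id": "1337", "type": "user",
                                       "attributes": {"username": "api-example"}}}}},
 {"id": "4", "type": "activity-changed-scope",
  "attributes": {"created_at": "2016-02-02T04:05:06.000Z", "internal": false},
  "relationships": {
   "actor": {"data": {"id": "1337", "type": "user",
                      "attributes": {"username": "api-example"}}},
   "old_scope": {"data": {"id": "1337", "type": "structured_scope", "attributes": {
     "asset_identifier": "www.example.com", "confidentiality_requirement": null,
     "max_severity": "critical", "eligible_for_bounty": false}}},
   "new_scope": {"data": {"id": "1338", "type": "structured_scope", "attributes": {
     "asset_identifier": "api.example.com", "confidentiality_requirement": "high",
     "max_severity": "critical", "eligible_for_bounty": true}}}}}
]
""")

# Structured Scope attributes as they appear in the Activity Changed Scope object.
SCOPE_FIELDS = (
    "asset_identifier", "asset_type", "confidentiality_requirement",
    "integrity_requirement", "availability_requirement", "max_severity",
    "instruction", "eligible_for_bounty", "eligible_for_submission",
)


def actor_label(activity):
    """Return '<type>:<username or handle>', or 'system' when the actor is null."""
    data = (activity.get("relationships", {}).get("actor") or {}).get("data")
    if not data:
        return "system"
    attrs = data.get("attributes", {})
    name = attrs.get("username") or attrs.get("handle") or data.get("id", "?")
    return f"{data.get('type', 'unknown')}:{name}"


def money(value):
    """Parse an optional amount string exactly; floats would round currency."""
    if value is None or value == "":
        return Decimal("0")
    try:
        return Decimal(value)
    except (InvalidOperation, TypeError):
        raise ValueError(f"unparseable amount: {value!r}")


def scope_changes(activity):
    """Map each scope field that differs to an (old, new) pair."""
    rel = activity.get("relationships", {})
    old = ((rel.get("old_scope") or {}).get("data") or {}).get("attributes", {})
    new = ((rel.get("new_scope") or {}).get("data") or {}).get("attributes", {})
    return {f: (old.get(f), new.get(f))
            for f in SCOPE_FIELDS if old.get(f) != new.get(f)}


def normalize(activity):
    """Flatten one activity object into an event dict keyed for logging."""
    attrs = activity.get("attributes", {})
    event = {
        "id": activity["id"],
        "type": activity["type"],
        "actor": actor_label(activity),
        # Fail closed: an activity without the flag is handled as internal.
        "internal": attrs.get("internal", True),
        "created_at": attrs.get("created_at"),
    }
    if activity["type"] in ("activity-bounty-awarded", "activity-bounty-suggested"):
        event["total"] = (money(attrs.get("bounty_amount"))
                          + money(attrs.get("bonus_amount")))
    elif activity["type"] == "activity-changed-scope":
        event["scope_changes"] = scope_changes(activity)
    return event


def external_feed(activities):
    """Events that may be forwarded outside the team; internal ones are dropped."""
    return [e for e in map(normalize, activities) if e["internal"] is False]


if __name__ == "__main__":
    for event in external_feed(SAMPLE_ACTIVITIES):
        print(event)
```

The scope diff is the part worth alerting on: a change to `eligible_for_bounty` or `max_severity` on a report alters what the program pays for it.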

Activity Comment

Activity Comment object

{
  "id": "1337",
  "type": "activity-comment",
  "attributes": {
    "message": "Comment!",
    "created_at": "2016-02-02T04:05:06.000Z",
    "updated_at": "2016-02-02T04:05:06.000Z",
    "internal": false
  },
  "relationships": {
    "actor": {
      "data": {
        "id": "1337",
        "type": "user",
        "attributes": {
          "username": "api-example",
          "name": "API Example",
          "disabled": false,
          "created_at": "2016-02-02T04:05:06.000Z",
          "profile_picture": {
            "62x62": "/assets/avatars/default.png",
            "82x82": "/assets/avatars/default.png",
            "110x110": "/assets/avatars/default.png",
            "260x260": "/assets/avatars/default.png"
          }
        }
      }
    },
    "attachments": {
      "data": [
        {
          "id": "1337",
          "type": "attachment",
          "attributes": {
            "expiring_url": "/system/attachments/files/000/001/337/original/root.rb?1454385906",
            "created_at": "2016-02-02T04:05:06.000Z",
            "file_name": "root.rb",
            "content_type": "text/x-ruby",
            "file_size": 2871
          }
        }
      ]
    }
  }
}

Inherits attributes and relationships from the Activity object.

Activity Comments Closed

Activity Comments Closed object

{
  "id": "1337",
  "type": "activity-comments-closed",
  "attributes": {
    "message": "Comments Closed!",
    "created_at": "2016-02-02T04:05:06.000Z",
    "updated_at": "2016-02-02T04:05:06.000Z",
    "internal": false
  },
  "relationships": {
    "actor": {
      "data": {
        "id": "1337",
        "type": "user",
        "attributes": {
          "username": "api-example",
          "name": "API Example",
          "disabled": false,
          "created_at": "2016-02-02T04:05:06.000Z",
          "profile_picture": {
            "62x62": "/assets/avatars/default.png",
            "82x82": "/assets/avatars/default.png",
            "110x110": "/assets/avatars/default.png",
            "260x260": "/assets/avatars/default.png"
          }
        }
      }
    }
  }
}

Inherits attributes and relationships from the Activity object.

Activity External User Invitation Cancelled

Activity External User Invitation Cancelled object

{
  "id": "1337",
  "type": "activity-external-user-invitation-cancelled",
  "attributes": {
    "message": "External User Invitation Cancelled!",
    "created_at": "2016-02-02T04:05:06.000Z",
    "updated_at": "2016-02-02T04:05:06.000Z",
    "internal": true,
    "email": "hacker@example.com"
  },
  "relationships": {
    "actor": {
      "data": {
        "id": "1337",
        "type": "user",
        "attributes": {
          "username": "api-example",
          "name": "API Example",
          "disabled": false,
          "created_at": "2016-02-02T04:05:06.000Z",
          "profile_picture": {
            "62x62": "/assets/avatars/default.png",
            "82x82": "/assets/avatars/default.png",
            "110x110": "/assets/avatars/default.png",
            "260x260": "/assets/avatars/default.png"
          }
        }
      }
    }
  }
}

Inherits attributes and relationships from the Activity object.

Attributes

| Name | Description | Required | Type |
| --- | --- | --- | --- |
| email | | No | String |

Activity External User Invited

Activity External User Invited object

{
  "id": "1337",
  "type": "activity-external-user-invited",
  "attributes": {
    "message": "External User Invited!",
    "created_at": "2016-02-02T04:05:06.000Z",
    "updated_at": "2016-02-02T04:05:06.000Z",
    "internal": false,
    "email": "hacker@example.com"
  },
  "relationships": {
    "actor": {
      "data": {
        "id": "1337",
        "type": "user",
        "attributes": {
          "username": "api-example",
          "name": "API Example",
          "disabled": false,
          "created_at": "2016-02-02T04:05:06.000Z",
          "profile_picture": {
            "62x62": "/assets/avatars/default.png",
            "82x82": "/assets/avatars/default.png",
            "110x110": "/assets/avatars/default.png",
            "260x260": "/assets/avatars/default.png"
          }
        }
      }
    }
  }
}

Inherits attributes and relationships from the Activity object.

Attributes

| Name | Description | Required | Type |
| --- | --- | --- | --- |
| email | | No | String |

Activity External User Joined

Activity External User Joined object

{
  "id": "1337",
  "type": "activity-external-user-joined",
  "attributes": {
    "message": "External User Joined!",
    "created_at": "2016-02-02T04:05:06.000Z",
    "updated_at": "2016-02-02T04:05:06.000Z",
    "internal": false,
    "duplicate_report_id": 10
  },
  "relationships": {
    "actor": {
      "data": {
        "id": "1337",
        "type": "user",
        "attributes": {
          "username": "api-example",
          "name": "API Example",
          "disabled": false,
          "created_at": "2016-02-02T04:05:06.000Z",
          "profile_picture": {
            "62x62": "/assets/avatars/default.png",
            "82x82": "/assets/avatars/default.png",
            "110x110": "/assets/avatars/default.png",
            "260x260": "/assets/avatars/default.png"
          }
        }
      }
    }
  }
}

Inherits attributes and relationships from the Activity object.

Attributes

| Name | Description | Required | Type |
| --- | --- | --- | --- |
| duplicate_report_id | | No | Integer |

Activity External User Removed

Activity External User Removed object

{
  "id": "1337",
  "type": "activity-external-user-removed",
  "attributes": {
    "message": "External User Removed!",
    "created_at": "2016-02-02T04:05:06.000Z",
    "updated_at": "2016-02-02T04:05:06.000Z",
    "internal": true
  },
  "relationships": {
    "actor": {
      "data": {
        "id": "1337",
        "type": "user",
        "attributes": {
          "username": "api-example",
          "name": "API Example",
          "disabled": false,
          "created_at": "2016-02-02T04:05:06.000Z",
          "profile_picture": {
            "62x62": "/assets/avatars/default.png",
            "82x82": "/assets/avatars/default.png",
            "110x110": "/assets/avatars/default.png",
            "260x260": "/assets/avatars/default.png"
          }
        }
      }
    },
    "removed_user": {
      "data": {
        "id": "1337",
        "type": "user",
        "attributes": {
          "username": "api-example",
          "name": "API Example",
          "disabled": false,
          "created_at": "2016-02-02T04:05:06.000Z",
          "profile_picture": {
            "62x62": "/assets/avatars/default.png",
            "82x82": "/assets/avatars/default.png",
            "110x110": "/assets/avatars/default.png",
            "260x260": "/assets/avatars/default.png"
          }
        }
      }
    }
  }
}

Inherits attributes and relationships from the Activity object.

Attributes

| Name | Description | Required | Type |
| --- | --- | --- | --- |
| removed_user | | Yes | User |

Activity Group Assigned To Bug

Activity Group Assigned To Bug object

{
  "id": "1337",
  "type": "activity-group-assigned-to-bug",
  "attributes": {
    "message": "Group Assigned To Bug!",
    "created_at": "2016-02-02T04:05:06.000Z",
    "updated_at": "2016-02-02T04:05:06.000Z",
    "internal": true
  },
  "relationships": {
    "actor": {
      "data": {
        "id": "1337",
        "type": "user",
        "attributes": {
          "username": "api-example",
          "name": "API Example",
          "disabled": false,
          "created_at": "2016-02-02T04:05:06.000Z",
          "profile_picture": {
            "62x62": "/assets/avatars/default.png",
            "82x82": "/assets/avatars/default.png",
            "110x110": "/assets/avatars/default.png",
            "260x260": "/assets/avatars/default.png"
          }
        }
      }
    },
    "group": {
      "data": {
        "id": "1337",
        "type": "group",
        "attributes": {
          "name": "Admin",
          "created_at": "2016-02-02T04:05:06.000Z",
          "permissions": [
            "user_management",
            "report_management"
          ]
        }
      }
    }
  }
}

Inherits attributes and relationships from the Activity object.

Attributes

| Name | Description | Required | Type |
| --- | --- | --- | --- |
| group | | Yes | Group |

Activity Hacker Requested Mediation

Activity Hacker Requested Mediation object

{
  "id": "1337",
  "type": "activity-hacker-requested-mediation",
  "attributes": {
    "message": "Hacker Requested Mediation!",
    "created_at": "2016-02-02T04:05:06.000Z",
    "updated_at": "2016-02-02T04:05:06.000Z",
    "internal": false
  },
  "relationships": {
    "actor": {
      "data": {
        "id": "1337",
        "type": "user",
        "attributes": {
          "username": "api-example",
          "name": "API Example",
          "disabled": false,
          "created_at": "2016-02-02T04:05:06.000Z",
          "profile_picture": {
            "62x62": "/assets/avatars/default.png",
            "82x82": "/assets/avatars/default.png",
            "110x110": "/assets/avatars/default.png",
            "260x260": "/assets/avatars/default.png"
          }
        }
      }
    }
  }
}

Inherits attributes and relationships from the Activity object.

Activity Manually Disclosed

Activity Manually Disclosed object

{
  "id": "1337",
  "type": "activity-manually-disclosed",
  "attributes": {
    "message": "Manually Disclosed!",
    "created_at": "2016-02-02T04:05:06.000Z",
    "updated_at": "2016-02-02T04:05:06.000Z",
    "internal": false
  },
  "relationships": {
    "actor": {
      "data": {
        "id": "1337",
        "type": "user",
        "attributes": {
          "username": "api-example",
          "name": "API Example",
          "disabled": false,
          "created_at": "2016-02-02T04:05:06.000Z",
          "profile_picture": {
            "62x62": "/assets/avatars/default.png",
            "82x82": "/assets/avatars/default.png",
            "110x110": "/assets/avatars/default.png",
            "260x260": "/assets/avatars/default.png"
          }
        }
      }
    }
  }
}

Inherits attributes and relationships from the Activity object.

Activity Mediation Requested

Activity Mediation Requested object

{
  "id": "1337",
  "type": "activity-mediation-requested",
  "attributes": {
    "message": "Mediation Requested!",
    "created_at": "2016-02-02T04:05:06.000Z",
    "updated_at": "2016-02-02T04:05:06.000Z",
    "internal": true
  },
  "relationships": {
    "actor": {
      "data": {
        "id": "1337",
        "type": "user",
        "attributes": {
          "username": "api-example",
          "name": "API Example",
          "disabled": false,
          "created_at": "2016-02-02T04:05:06.000Z",
          "profile_picture": {
            "62x62": "/assets/avatars/default.png",
            "82x82": "/assets/avatars/default.png",
            "110x110": "/assets/avatars/default.png",
            "260x260": "/assets/avatars/default.png"
          }
        }
      }
    }
  }
}

Inherits attributes and relationships from the Activity object.

Activity Not Eligible For Bounty

Activity Not Eligible For Bounty object

{
  "id": "1337",
  "type": "activity-not-eligible-for-bounty",
  "attributes": {
    "message": "Not Eligible For Bounty!",
    "created_at": "2016-02-02T04:05:06.000Z",
    "updated_at": "2016-02-02T04:05:06.000Z",
    "internal": false
  },
  "relationships": {
    "actor": {
      "data": {
        "id": "1337",
        "type": "user",
        "attributes": {
          "username": "api-example",
          "name": "API Example",
          "disabled": false,
          "created_at": "2016-02-02T04:05:06.000Z",
          "profile_picture": {
            "62x62": "/assets/avatars/default.png",
            "82x82": "/assets/avatars/default.png",
            "110x110": "/assets/avatars/default.png",
            "260x260": "/assets/avatars/default.png"
          }
        }
      }
    }
  }
}

Inherits attributes and relationships from the Activity object.

Activity Reference Id Added

Activity Reference Id Added object

{
  "id": "1337",
  "type": "activity-reference-id-added",
  "attributes": {
    "message": "Reference Id Added!",
    "created_at": "2016-02-02T04:05:06.000Z",
    "updated_at": "2016-02-02T04:05:06.000Z",
    "internal": true,
    "reference": "reference",
    "reference_url": "https://example.com/reference"
  },
  "relationships": {
    "actor": {
      "data": {
        "id": "1337",
        "type": "user",
        "attributes": {
          "username": "api-example",
          "name": "API Example",
          "disabled": false,
          "created_at": "2016-02-02T04:05:06.000Z",
          "profile_picture": {
            "62x62": "/assets/avatars/default.png",
            "82x82": "/assets/avatars/default.png",
            "110x110": "/assets/avatars/default.png",
            "260x260": "/assets/avatars/default.png"
          }
        }
      }
    }
  }
}

Inherits attributes and relationships from the Activity object.

Attributes

| Name | Description | Required | Type |
| --- | --- | --- | --- |
| reference | | Yes | String |
| reference_url | | Yes | String |

Activity Report Became Public

Activity Report Became Public object

{
  "id": "1337",
  "type": "activity-report-became-public",
  "attributes": {
    "message": "Report Became Public!",
    "created_at": "2016-02-02T04:05:06.000Z",
    "updated_at": "2016-02-02T04:05:06.000Z",
    "internal": false
  },
  "relationships": {
    "actor": {
      "data": {
        "id": "1337",
        "type": "program",
        "attributes": {
          "handle": "security",
          "created_at": "2016-02-02T04:05:06.000Z",
          "updated_at": "2016-02-02T04:05:06.000Z"
        }
      }
    }
  }
}

Inherits attributes and relationships from the Activity object.

Activity Report Title Updated

Activity Report Title Updated object

{
  "id": "1337",
  "type": "activity-report-title-updated",
  "attributes": {
    "message": "Report Title Updated!",
    "created_at": "2016-02-02T04:05:06.000Z",
    "updated_at": "2016-02-02T04:05:06.000Z",
    "internal": false,
    "old_title": "xss",
    "new_title": "XSS in login form"
  },
  "relationships": {
    "actor": {
      "data": {
        "id": "1337",
        "type": "user",
        "attributes": {
          "username": "api-example",
          "name": "API Example",
          "disabled": false,
          "created_at": "2016-02-02T04:05:06.000Z",
          "profile_picture": {
            "62x62": "/assets/avatars/default.png",
            "82x82": "/assets/avatars/default.png",
            "110x110": "/assets/avatars/default.png",
            "260x260": "/assets/avatars/default.png"
          }
        }
      }
    }
  }
}

Inherits attributes and relationships from the Activity object.

Attributes

| Name | Description | Required | Type |
| --- | --- | --- | --- |
| old_title | | Yes | String |
| new_title | | Yes | String |

Activity Report Vulnerability Types Updated

Activity Report Vulnerability Types Updated object

{
  "id": "1337",
  "type": "activity-report-vulnerability-types-updated",
  "attributes": {
    "message": "Report Vulnerability Types Updated!",
    "created_at": "2016-02-02T04:05:06.000Z",
    "updated_at": "2016-02-02T04:05:06.000Z",
    "internal": false
  },
  "relationships": {
    "actor": {
      "data": {
        "id": "1337",
        "type": "user",
        "attributes": {
          "username": "api-example",
          "name": "API Example",
          "disabled": false,
          "created_at": "2016-02-02T04:05:06.000Z",
          "profile_picture": {
            "62x62": "/assets/avatars/default.png",
            "82x82": "/assets/avatars/default.png",
            "110x110": "/assets/avatars/default.png",
            "260x260": "/assets/avatars/default.png"
          }
        }
      }
    },
    "old_weakness": {
      "data": {
        "id": "1337",
        "type": "weakness",
        "attributes": {
          "name": "Cryptographic Issues - Generic",
          "description": "Weaknesses in this category are related to the use of cryptography.",
          "created_at": "2016-02-02T04:05:06.000Z"
        }
      }
    },
    "new_weakness": {
      "data": {
        "id": "1338",
        "type": "weakness",
        "attributes": {
          "name": "Use of Hard-coded Cryptographic Key",
          "description": "The use of a hard-coded cryptographic key significantly increases the possibility that encrypted data may be recovered.",
          "created_at": "2016-02-02T04:05:06.000Z"
        }
      }
    }
  }
}

Inherits attributes and relationships from the Activity object.

Relationships

| Name | Description | Required | Type |
| --- | --- | --- | --- |
| old_weakness | The weakness that was set before the change | Yes | Weakness |
| new_weakness | The weakness that was set after the change | Yes | Weakness |

Activity Report Severity Updated

Activity Report Severity Updated object

{
  "id": "1337",
  "type": "activity-report-severity-updated",
  "attributes": {
    "message": "Report Severity Updated!",
    "created_at": "2016-02-02T04:05:06.000Z",
    "updated_at": "2016-02-02T04:05:06.000Z",
    "internal": false
  },
  "relationships": {
    "actor": {
      "data": {
        "id": "1337",
        "type": "user",
        "attributes": {
          "username": "api-example",
          "name": "API Example",
          "disabled": false,
          "created_at": "2016-02-02T04:05:06.000Z",
          "profile_picture": {
            "62x62": "/assets/avatars/default.png",
            "82x82": "/assets/avatars/default.png",
            "110x110": "/assets/avatars/default.png",
            "260x260": "/assets/avatars/default.png"
          }
        }
      }
    }
  }
}

Inherits attributes and relationships from the Activity object.

Activity Swag Awarded

Activity Swag Awarded object

{
  "id": "1337",
  "type": "activity-swag-awarded",
  "attributes": {
    "message": "Swag Awarded!",
    "created_at": "2016-02-02T04:05:06.000Z",
    "updated_at": "2016-02-02T04:05:06.000Z",
    "internal": false
  },
  "relationships": {
    "actor": {
      "data": {
        "id": "1337",
        "type": "user",
        "attributes": {
          "username": "api-example",
          "name": "API Example",
          "disabled": false,
          "created_at": "2016-02-02T04:05:06.000Z",
          "profile_picture": {
            "62x62": "/assets/avatars/default.png",
            "82x82": "/assets/avatars/default.png",
            "110x110": "/assets/avatars/default.png",
            "260x260": "/assets/avatars/default.png"
          }
        }
      }
    },
    "swag": {
      "data": {
        "id": "1337",
        "type": "swag",
        "attributes": {
          "sent": false,
          "created_at": "2016-02-02T04:05:06.000Z"
        },
        "relationships": {
          "user": {
            "data": {
              "id": "1337",
              "type": "user",
              "attributes": {
                "username": "api-example",
                "name": "API Example",
                "disabled": false,
                "created_at": "2016-02-02T04:05:06.000Z",
                "profile_picture": {
                  "62x62": "/assets/avatars/default.png",
                  "82x82": "/assets/avatars/default.png",
                  "110x110": "/assets/avatars/default.png",
                  "260x260": "/assets/avatars/default.png"
                }
              }
            }
          },
          "address": {
            "data": {
              "id": "1337",
              "type": "address",
              "attributes": {
                "name": "Jane Doe",
                "street": "535 Mission Street",
                "city": "San Francisco",
                "postal_code": "94105",
                "state": "CA",
                "country": "United States of America",
                "created_at": "2016-02-02T04:05:06.000Z",
                "tshirt_size": "M_Large",
                "phone_number": "+1-510-000-0000"
              }
            }
          }
        }
      }
    }
  }
}

Inherits attributes and relationships from the Activity object.

Relationships

| Name | Description | Required | Type |
| --- | --- | --- | --- |
| swag | | Yes | Swag |

Activity User Assigned To Bug

Activity User Assigned To Bug object

{
  "data": {
    "id": "1337",
    "type": "activity-user-assigned-to-bug",
    "attributes": {
      "message": "User Assigned To Bug!",
      "created_at": "2016-02-02T04:05:06.000Z",
      "updated_at": "2016-02-02T04:05:06.000Z",
      "internal": true
    },
    "relationships": {
      "actor": {
        "data": {
          "id": "1337",
          "type": "user",
          "attributes": {
            "username": "api-example",
            "name": "API Example",
            "disabled": false,
            "created_at": "2016-02-02T04:05:06.000Z",
            "profile_picture": {
              "62x62": "/assets/avatars/default.png",
              "82x82": "/assets/avatars/default.png",
              "110x110": "/assets/avatars/default.png",
              "260x260": "/assets/avatars/default.png"
            }
          }
        }
      },
      "assigned_user": {
        "data": {
          "id": "1336",
          "type": "user",
          "attributes": {
            "username": "other_user",
            "name": "Other User",
            "disabled": false,
            "created_at": "2016-02-02T04:05:06.000Z",
            "profile_picture": {
              "62x62": "/assets/avatars/default.png",
              "82x82": "/assets/avatars/default.png",
              "110x110": "/assets/avatars/default.png",
              "260x260": "/assets/avatars/default.png"
            }
          }
        }
      }
    }
  }
}

Inherits attributes and relationships from the Activity object.

Relationships

| Name | Description | Required | Type |
|------|-------------|----------|------|
| assigned_user | | Yes | User |

Activity User Banned From Program

Activity User Banned From Program object

{
  "id": "1337",
  "type": "activity-user-banned-from-program",
  "attributes": {
    "message": "User Banned From Program!",
    "created_at": "2016-02-02T04:05:06.000Z",
    "updated_at": "2016-02-02T04:05:06.000Z",
    "internal": true
  },
  "relationships": {
    "actor": {
      "data": {
        "id": "1337",
        "type": "user",
        "attributes": {
          "username": "api-example",
          "name": "API Example",
          "disabled": false,
          "created_at": "2016-02-02T04:05:06.000Z",
          "profile_picture": {
            "62x62": "/assets/avatars/default.png",
            "82x82": "/assets/avatars/default.png",
            "110x110": "/assets/avatars/default.png",
            "260x260": "/assets/avatars/default.png"
          }
        }
      }
    },
    "removed_user": {
      "data": {
        "id": "1337",
        "type": "user",
        "attributes": {
          "username": "api-example",
          "name": "API Example",
          "disabled": false,
          "created_at": "2016-02-02T04:05:06.000Z",
          "profile_picture": {
            "62x62": "/assets/avatars/default.png",
            "82x82": "/assets/avatars/default.png",
            "110x110": "/assets/avatars/default.png",
            "260x260": "/assets/avatars/default.png"
          }
        }
      }
    }
  }
}

Inherits attributes and relationships from the Activity object.

Relationships

| Name | Description | Required | Type |
|------|-------------|----------|------|
| removed_user | | Yes | User |

Activity Bug Filed

Activity Bug Filed object

{
  "id": "7331",
  "type": "activity-bug-filed",
  "attributes": {
    "message": "",
    "created_at": "2016-02-02T04:05:06.000Z",
    "updated_at": "2016-02-02T04:05:06.000Z",
    "internal": false
  },
  "relationships": {
    "actor": {
      "data": {
        "type": "user",
        "id": "1337",
        "attributes": {
          "username": "api-example",
          "name": "API Example",
          "disabled": false,
          "created_at": "2017-11-09T10:52:25.443Z",
          "profile_picture": {
            "62x62": "/assets/avatars/default.png",
            "82x82": "/assets/avatars/default.png",
            "110x110": "/assets/avatars/default.png",
            "260x260": "/assets/avatars/default.png"
          }
        }
      }
    }
  }
}

Inherits attributes and relationships from the Activity object.

Activity Program Inactive

Activity Program Inactive object

{
  "id": "1337",
  "type": "activity-program-inactive",
  "attributes": {
    "message": "Closed report and changed status to Informative due to inactive state of program.",
    "created_at": "2016-02-02T04:05:06.000Z",
    "updated_at": "2016-02-02T04:05:06.000Z",
    "internal": false
  },
  "relationships": {
    "actor": {
      "data": null
    }
  }
}

Inherits attributes and relationships from the Activity object.

Activity User Completed Retest

Activity User Completed Retest object

{
  "id": "1337",
  "type": "activity-user-completed-retest",
  "attributes": {
    "message": "User Completed Retest!",
    "created_at": "2016-02-02T04:05:06.000Z",
    "updated_at": "2016-02-02T04:05:06.000Z",
    "internal": false
  },
  "relationships": {
    "actor": {
      "data": {
        "id": "1337",
        "type": "user",
        "attributes": {
          "username": "api-example",
          "name": "API Example",
          "disabled": false,
          "created_at": "2016-02-02T04:05:06.000Z",
          "profile_picture": {
            "62x62": "/assets/avatars/default.png",
            "82x82": "/assets/avatars/default.png",
            "110x110": "/assets/avatars/default.png",
            "260x260": "/assets/avatars/default.png"
          }
        }
      }
    }
  }
}

Inherits attributes and relationships from the Activity object.

Audit Log Item

Audit Log Item object

{
  "id": "1",
  "type": "audit-log-item",
  "attributes": {
    "log": "\"@member\" invited \"someone@example.com\".",
    "event": "invitations.team_members.create",
    "source": "User#1",
    "subject": "Invitation#1",
    "user_agent": "Chrome/11.0",
    "country": "US",
    "parameters": "{\"identifier\":\"jobert\"}",
    "created_at": "2019-05-15T04:05:06.000Z"
  }
}

An audit log item contains information to determine who did what in a program.

Attributes

| Name | Description | Required | Type |
|------|-------------|----------|------|
| log | A human-readable log entry describing what happened. | Yes | String |
| event | The event that created the audit log item. | Yes | String |
| source | A unique identifier that indicates the source of the audit log item. | Yes | String |
| subject | A unique identifier that indicates the subject of the audit log item. | Yes | String |
| user_agent | An optional string that contains the user agent specified by the client. | No | String |
| country | An optional ISO 3166 country code. XX means that the country couldn't be found. T1 is a Tor node. | No | String |
| parameters | A serialized JSON object containing the data that was used to construct the audit log. | Yes | Object |
| created_at | The date and time the object was created. Formatted according to ISO 8601. | Yes | Date |
| updated_at | The date and time the object was last updated. Formatted according to ISO 8601. | Yes | Date |
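
The attributes above are enough to triage audit log items offline. The following Python sketch is an added example, not part of the HackerOne documentation: it decodes the serialized `parameters` string and flags the documented `T1` (Tor) and `XX` (country not found) codes. The flag names, the `WATCHED_EVENT_PREFIXES` list, the `placeholder.event` name, and the sample variants are assumptions constructed for illustration.

```python
import json

# Attributes copied from the Audit Log Item example above; variants 2 and 3 are constructed.
BASE = {
    "log": "\"@member\" invited \"someone@example.com\".",
    "event": "invitations.team_members.create",
    "source": "User#1", "subject": "Invitation#1",
    "user_agent": "Chrome/11.0", "country": "US",
    "parameters": "{\"identifier\":\"jobert\"}",
    "created_at": "2019-05-15T04:05:06.000Z",
}
SAMPLE_ITEMS = [
    {"id": "1", "type": "audit-log-item", "attributes": dict(BASE)},
    {"id": "2", "type": "audit-log-item",
     "attributes": {**BASE, "country": "T1", "user_agent": None}},
    {"id": "3", "type": "audit-log-item",
     "attributes": {**BASE, "country": "XX", "event": "placeholder.event",
                    "parameters": "not-json"}},
]
WATCHED_EVENT_PREFIXES = ("invitations.",)  # hypothetical watch list, adjust per program

def decode_parameters(raw):
    """`parameters` is documented as serialized JSON; decode it defensively."""
    if isinstance(raw, dict):
        return raw
    try:
        decoded = json.loads(raw)
    except (TypeError, ValueError):
        return {"_undecoded": raw}
    return decoded if isinstance(decoded, dict) else {"_value": decoded}

def triage(item):
    """Reduce one audit log item to who/what/on/when plus review flags."""
    attrs = item.get("attributes", {})
    flags = []
    country = attrs.get("country")       # optional attribute
    if country == "T1":                  # documented: Tor node
        flags.append("tor")
    elif country == "XX":                # documented: country could not be found
        flags.append("country-unknown")
    if not attrs.get("user_agent"):      # optional attribute, may be absent
        flags.append("no-user-agent")
    params = decode_parameters(attrs.get("parameters"))
    if "_undecoded" in params:
        flags.append("bad-parameters")
    if str(attrs.get("event", "")).startswith(WATCHED_EVENT_PREFIXES):
        flags.append("watched-event")
    return {"id": item.get("id"), "who": attrs.get("source"),
            "what": attrs.get("event"), "on": attrs.get("subject"),
            "when": attrs.get("created_at"), "parameters": params, "flags": flags}
```

Calling `triage` on each element of `SAMPLE_ITEMS` yields one flat record per item, suitable for forwarding to a SIEM or review queue.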

Trigger

Trigger object

{
    "id": "1337",
    "type": "trigger",
    "attributes": {
        "title": "Example Trigger"
    }
}

Triggers are a way to show a pop-up message or to automatically reply to reports based on their title or content.

Attributes

| Name | Description | Required | Type |
|------|-------------|----------|------|
| title | The name of the trigger. | Yes | String |

Custom Field Value

Custom Field Value object

{
  "id": "1337",
  "type": "custom-field-value",
  "attributes": {
    "value": "Infrastructure",
    "created_at": "2016-02-02T04:05:06.000Z",
    "updated_at": "2016-02-02T04:05:06.000Z"
  }
}

A Custom Field Value object contains the value set for a particular Custom Field Attribute.

Attributes

| Name | Description | Required | Type |
|------|-------------|----------|------|
| value | The attribute's value. | Yes | String |
| created_at | The date and time the object was created. Formatted according to ISO 8601. | Yes | Date |
| updated_at | The date and time the object was last updated. Formatted according to ISO 8601. | Yes | Date |

Relationships

| Name | Description | Required | Type |
|------|-------------|----------|------|
| custom_field_attribute | The Custom Field Attribute associated with the Custom Field Value object. | Yes | custom-field-attribute |

Custom Field Attribute

Custom Field Attribute object

{
  "id": "1337",
  "type": "custom-field-attribute",
  "attributes": {
    "label": "Team",
    "configuration": null,
    "created_at": "2016-02-02T04:05:06.000Z",
    "updated_at": "2016-02-02T04:05:06.000Z",
    "archived_at": null
  }
}

A Custom Field Attribute is an object containing the label and configuration of a Custom Field created for a Report or Program.

Attributes

| Name | Description | Required | Type |
|------|-------------|----------|------|
| label | The attribute's label. | Yes | String |
| configuration | An optional configuration for the attribute's type. | No | String |
| created_at | The date and time the object was created. Formatted according to ISO 8601. | Yes | Date |
| updated_at | The date and time the object was last updated. Formatted according to ISO 8601. | Yes | Date |
| archived_at | The date and time the object was archived. Formatted according to ISO 8601. | No | Date |

Custom Field Input

Custom Type input object

{
  "id__eq": "1",
  "value__eq": "Infrastructure"
}

An input for querying Report types by Custom Field IDs and values.

Attributes

| Name | Description | Required | Type |
|------|-------------|----------|------|
| id__eq | The ID of the Custom Field Attribute to filter by. | Yes | String |
| value__eq | The value of the corresponding Custom Field Value object to filter by. Wildcards (% and _) can be used to loosely match on the stored value of the Custom Field. | Yes | String |