Core Resources
Activities
Query Activities
Code samples
# You can also use wget
curl "https://api.hackerone.com/v1/incremental/activities?handle=string" \
-X GET \
-u "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=" \
-H 'Accept: application/json'
import requests
headers = {
'Accept': 'application/json'
}
r = requests.get(
'https://api.hackerone.com/v1/incremental/activities',
auth=('api_example_company', 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ='),
params={
'handle': 'string'
},
headers = headers
)
print(r.json())
require 'rest-client'
require 'json'
headers = {
'Accept' => 'application/json'
}
result = RestClient::Request.execute(
method: :get,
url: 'https://api.hackerone.com/v1/incremental/activities',
password: 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=',
user: 'api_example_company',
headers: headers
)
p JSON.parse(result)
URL obj = new URL("https://api.hackerone.com/v1/incremental/activities?handle=string");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
String userCredentials = "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);
con.setRequestMethod("GET");
try(BufferedReader br = new BufferedReader(
new InputStreamReader(con.getInputStream(), "utf-8"))) {
StringBuilder response = new StringBuilder();
String responseLine = null;
while ((responseLine = br.readLine()) != null) {
response.append(responseLine.trim());
}
System.out.println(response.toString());
}
let user = 'api_example_company';
let password = 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
headers.set('Accept', 'application/json');
fetch('https://api.hackerone.com/v1/incremental/activities?handle=string',
{
method: 'GET',
headers: headers
})
.then(function(res) {
return res.json();
}).then(function(body) {
console.log(body);
});
package main
import (
"io/ioutil"
"log"
"net/http"
)
func main() {
headers := map[string][]string{
"Accept": []string{"application/json"},
}
req, err := http.NewRequest("GET", "https://api.hackerone.com/v1/incremental/activities", nil)
req.Header = headers
req.SetBasicAuth("api_example_company", "Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=")
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
body, _ := ioutil.ReadAll(resp.Body)
log.Println(string(body))
}
200 Response
{
"data": [
{
"type": "activity-bug-filed",
"id": "1337",
"attributes": {
"report_id": "99900",
"message": "",
"created_at": "2016-02-02T04:05:06.000Z",
"updated_at": "2017-02-02T04:05:06.000Z",
"internal": false
},
"relationships": {
"actor": {
"data": {
"type": "user",
"id": "7331",
"attributes": {
"username": "api-example",
"name": "API Example",
"disabled": false,
"created_at": "2016-02-02T04:05:06.000Z",
"profile_picture": {
"62x62": "/assets/avatars/default.png",
"82x82": "/assets/avatars/default.png",
"110x110": "/assets/avatars/default.png",
"260x260": "/assets/avatars/default.png"
}
}
}
}
}
}
],
"meta": {
"max_updated_at": "2017-02-02T04:05:06.000Z"
},
"links": {
"self": "https://api.hackerone.com/v1/incremental/activities?handle=acme&page%5Bsize%5D=1",
"next": "https://api.hackerone.com/v1/incremental/activities?handle=acme&page%5Bsize%5D=1&page%5Bnumber%5D=2",
"last": "https://api.hackerone.com/v1/incremental/activities?handle=acme&page%5Bsize%5D=1&page%5Bnumber%5D=20"
}
}
GET /incremental/activities
This endpoint allows you to fetch all activities of your program incrementally by time.
This feature has multiple usages:
- Detecting a new report or a new activity on a report using a single endpoint.
- Being able to take actions on reports based on user activity. For example, automatically assigning a report after triaging.
- Monitoring activities on program.
The next section will give an overview of what an Activity object looks like. The sections after that will show the endpoints that have been implemented for this resource.
Note, the request URL path is /incremental/activities. When the request is successful, the API will respond with paginated activity objects ordered by updated date.
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| handle | query | string | true | The HackerOne handle of the program whose activities you wish to retrieve. |
| updated_at_after | query | string | false | A datetime encoded as a string. Used to indicate what cut-off date to use when retrieving activities. When not provided, no filtering is applied and all activities will be retrieved. |
| page[number] | query | any | false | The page to retrieve. |
| page[size] | query | any | false | The number of objects per page; currently limited from 1 to 100. |
Programs
Get Your Programs
Code samples
# You can also use wget
curl "https://api.hackerone.com/v1/me/programs" \
-X GET \
-u "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=" \
-H 'Accept: application/json'
import requests
headers = {
'Accept': 'application/json'
}
r = requests.get(
'https://api.hackerone.com/v1/me/programs',
auth=('api_example_company', 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ='),
headers = headers
)
print(r.json())
require 'rest-client'
require 'json'
headers = {
'Accept' => 'application/json'
}
result = RestClient::Request.execute(
method: :get,
url: 'https://api.hackerone.com/v1/me/programs',
password: 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=',
user: 'api_example_company',
headers: headers
)
p JSON.parse(result)
URL obj = new URL("https://api.hackerone.com/v1/me/programs");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
String userCredentials = "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);
con.setRequestMethod("GET");
try(BufferedReader br = new BufferedReader(
new InputStreamReader(con.getInputStream(), "utf-8"))) {
StringBuilder response = new StringBuilder();
String responseLine = null;
while ((responseLine = br.readLine()) != null) {
response.append(responseLine.trim());
}
System.out.println(response.toString());
}
let user = 'api_example_company';
let password = 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
headers.set('Accept', 'application/json');
fetch('https://api.hackerone.com/v1/me/programs',
{
method: 'GET',
headers: headers
})
.then(function(res) {
return res.json();
}).then(function(body) {
console.log(body);
});
package main
import (
"io/ioutil"
"log"
"net/http"
)
func main() {
headers := map[string][]string{
"Accept": []string{"application/json"},
}
req, err := http.NewRequest("GET", "https://api.hackerone.com/v1/me/programs", nil)
req.Header = headers
req.SetBasicAuth("api_example_company", "Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=")
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
body, _ := ioutil.ReadAll(resp.Body)
log.Println(string(body))
}
200 Response
{
"data": [
{
"id": "1",
"type": "program",
"attributes": {
"handle": "security",
"created_at": "2017-01-01T08:00:00.000Z",
"updated_at": "2017-02-17T04:34:15.910Z"
}
}
],
"links": {}
}
GET /me/programs
This API endpoint allows you to query the program objects that you
are a member of.
The groups and members relationships are not included in the response.
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| page[number] | query | any | false | The page to retrieve. |
| page[size] | query | any | false | The number of objects per page; currently limited from 1 to 100. |
Get Audit Log
Code samples
# You can also use wget
curl "https://api.hackerone.com/v1/programs/{id}/audit_log" \
-X GET \
-u "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=" \
-H 'Accept: application/json'
import requests
headers = {
'Accept': 'application/json'
}
r = requests.get(
'https://api.hackerone.com/v1/programs/{id}/audit_log',
auth=('api_example_company', 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ='),
headers = headers
)
print(r.json())
require 'rest-client'
require 'json'
headers = {
'Accept' => 'application/json'
}
result = RestClient::Request.execute(
method: :get,
url: 'https://api.hackerone.com/v1/programs/{id}/audit_log',
password: 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=',
user: 'api_example_company',
headers: headers
)
p JSON.parse(result)
URL obj = new URL("https://api.hackerone.com/v1/programs/{id}/audit_log");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
String userCredentials = "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);
con.setRequestMethod("GET");
try(BufferedReader br = new BufferedReader(
new InputStreamReader(con.getInputStream(), "utf-8"))) {
StringBuilder response = new StringBuilder();
String responseLine = null;
while ((responseLine = br.readLine()) != null) {
response.append(responseLine.trim());
}
System.out.println(response.toString());
}
let user = 'api_example_company';
let password = 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
headers.set('Accept', 'application/json');
fetch('https://api.hackerone.com/v1/programs/{id}/audit_log',
{
method: 'GET',
headers: headers
})
.then(function(res) {
return res.json();
}).then(function(body) {
console.log(body);
});
package main
import (
"io/ioutil"
"log"
"net/http"
)
func main() {
headers := map[string][]string{
"Accept": []string{"application/json"},
}
req, err := http.NewRequest("GET", "https://api.hackerone.com/v1/programs/{id}/audit_log", nil)
req.Header = headers
req.SetBasicAuth("api_example_company", "Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=")
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
body, _ := ioutil.ReadAll(resp.Body)
log.Println(string(body))
}
200 Response
{
"data": {
"id": "1",
"type": "audit-log-item",
"attributes": {
"log": "\"@member\" invited \"someone@example.com\".",
"event": "invitations.team_members.create",
"source": "User#1",
"subject": "Invitation#1",
"user_agent": "Chrome/11.0",
"country": "US",
"parameters": "{\"identifier\":\"jobert\"}",
"created_at": "2019-05-15T04:05:06.000Z"
}
}
}
GET /programs/{id}/audit_log
Returns a paginated list of the audit log items of the provided program.
This API endpoint allows a user to consume all audit log items that have been created for
a particular program.
Required permission: Program Management for consuming the audit log items. You can
manage the permissions of your API users through your program's settings. Insufficient
permissions will result in a 403 Forbidden response.
Note: this feature is currently in beta and has not been enabled for all programs.
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| id | path | integer | true | The ID of the program. |
| page[number] | query | any | false | The page to retrieve. |
| page[size] | query | any | false | The number of objects per page; currently limited from 1 to 100. |
Get Your Programs Balance
Code samples
# You can also use wget
curl "https://api.hackerone.com/v1/programs/{id}/billing/balance" \
-X GET \
-u "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=" \
-H 'Accept: application/json'
import requests
headers = {
'Accept': 'application/json'
}
r = requests.get(
'https://api.hackerone.com/v1/programs/{id}/billing/balance',
auth=('api_example_company', 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ='),
headers = headers
)
print(r.json())
require 'rest-client'
require 'json'
headers = {
'Accept' => 'application/json'
}
result = RestClient::Request.execute(
method: :get,
url: 'https://api.hackerone.com/v1/programs/{id}/billing/balance',
password: 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=',
user: 'api_example_company',
headers: headers
)
p JSON.parse(result)
URL obj = new URL("https://api.hackerone.com/v1/programs/{id}/billing/balance");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
String userCredentials = "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);
con.setRequestMethod("GET");
try(BufferedReader br = new BufferedReader(
new InputStreamReader(con.getInputStream(), "utf-8"))) {
StringBuilder response = new StringBuilder();
String responseLine = null;
while ((responseLine = br.readLine()) != null) {
response.append(responseLine.trim());
}
System.out.println(response.toString());
}
let user = 'api_example_company';
let password = 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
headers.set('Accept', 'application/json');
fetch('https://api.hackerone.com/v1/programs/{id}/billing/balance',
{
method: 'GET',
headers: headers
})
.then(function(res) {
return res.json();
}).then(function(body) {
console.log(body);
});
package main
import (
"io/ioutil"
"log"
"net/http"
)
func main() {
headers := map[string][]string{
"Accept": []string{"application/json"},
}
req, err := http.NewRequest("GET", "https://api.hackerone.com/v1/programs/{id}/billing/balance", nil)
req.Header = headers
req.SetBasicAuth("api_example_company", "Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=")
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
body, _ := ioutil.ReadAll(resp.Body)
log.Println(string(body))
}
200 Response
{
"data": {
"id": "1337",
"type": "program-balance",
"attributes": {
"balance": "1500.00"
}
}
}
GET /programs/{id}/billing/balance
This API endpoint allows a user to retrieve the current balance for a particular program.
Required permission: Program Management. You can manage the permissions of your API users through your program's settings. Insufficient permissions will result in a 403 Forbidden response.
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| id | path | integer | true | The ID of the program. |
Get Payment Transactions
Code samples
# You can also use wget
curl "https://api.hackerone.com/v1/programs/{id}/billing/transactions" \
-X GET \
-u "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=" \
-H 'Accept: application/json'
import requests
headers = {
'Accept': 'application/json'
}
r = requests.get(
'https://api.hackerone.com/v1/programs/{id}/billing/transactions',
auth=('api_example_company', 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ='),
headers = headers
)
print(r.json())
require 'rest-client'
require 'json'
headers = {
'Accept' => 'application/json'
}
result = RestClient::Request.execute(
method: :get,
url: 'https://api.hackerone.com/v1/programs/{id}/billing/transactions',
password: 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=',
user: 'api_example_company',
headers: headers
)
p JSON.parse(result)
URL obj = new URL("https://api.hackerone.com/v1/programs/{id}/billing/transactions");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
String userCredentials = "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);
con.setRequestMethod("GET");
try(BufferedReader br = new BufferedReader(
new InputStreamReader(con.getInputStream(), "utf-8"))) {
StringBuilder response = new StringBuilder();
String responseLine = null;
while ((responseLine = br.readLine()) != null) {
response.append(responseLine.trim());
}
System.out.println(response.toString());
}
let user = 'api_example_company';
let password = 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
headers.set('Accept', 'application/json');
fetch('https://api.hackerone.com/v1/programs/{id}/billing/transactions',
{
method: 'GET',
headers: headers
})
.then(function(res) {
return res.json();
}).then(function(body) {
console.log(body);
});
package main
import (
"io/ioutil"
"log"
"net/http"
)
func main() {
headers := map[string][]string{
"Accept": []string{"application/json"},
}
req, err := http.NewRequest("GET", "https://api.hackerone.com/v1/programs/{id}/billing/transactions", nil)
req.Header = headers
req.SetBasicAuth("api_example_company", "Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=")
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
body, _ := ioutil.ReadAll(resp.Body)
log.Println(string(body))
}
200 Response
{
"id": 10,
"bounty_award": "1000.00",
"bounty_fee": "200.00",
"activity_date": "2019-09-25T04:22:42.686Z",
"activity_description": "Bounty for report #9",
"report_id": 9,
"report_url": "http://hackerone.com/reports/9",
"debit_or_credit_amount": "-1200.00",
"balance": "-1200.00"
}
GET /programs/{id}/billing/transactions
This API endpoint allows a user to retrieve a list of program's payment transactions for
the selected period. When the request is successful, the API will respond with paginated
payment transaction objects of the provided program.
Required permission: Program Management. You can manage the permissions of your API users through your program's settings. Insufficient permissions will result in a 403 Forbidden response.
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| id | path | integer | true | The ID of the program. |
| month | query | integer | false | The month of the transaction period. Default: the current month |
| year | query | integer | false | The year of the transaction period. Default: the current year |
Award Bounty
Code samples
# You can also use wget
curl "https://api.hackerone.com/v1/programs/{id}/bounties" \
-X POST \
-u "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=" \
-H 'Content-Type: application/json' \
-H 'Accept: application/json' \
-d @- <<EOD
{
"data": {
"type": "bounty",
"attributes": {
"recipient": "string",
"amount": 0,
"reference": "string",
"title": "string",
"currency": "USD",
"severity_rating": "none"
}
}
}
EOD
import requests
headers = {
'Content-Type': 'application/json',
'Accept': 'application/json'
}
data = {
"data": {
"type": "bounty",
"attributes": {
"recipient": "string",
"amount": 0,
"reference": "string",
"title": "string",
"currency": "USD",
"severity_rating": "none"
}
}
}
r = requests.post(
'https://api.hackerone.com/v1/programs/{id}/bounties',
auth=('api_example_company', 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ='),
json = data,
headers = headers
)
print(r.json())
require 'rest-client'
require 'json'
headers = {
'Content-Type' => 'application/json',
'Accept' => 'application/json'
}
data = {
"data": {
"type": "bounty",
"attributes": {
"recipient": "string",
"amount": 0,
"reference": "string",
"title": "string",
"currency": "USD",
"severity_rating": "none"
}
}
}
result = RestClient::Request.execute(
method: :post,
url: 'https://api.hackerone.com/v1/programs/{id}/bounties',
password: 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=',
user: 'api_example_company',
payload: data,
headers: headers
)
p JSON.parse(result)
URL obj = new URL("https://api.hackerone.com/v1/programs/{id}/bounties");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
String userCredentials = "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);
con.setRequestMethod("POST");
con.setRequestProperty("Content-Type", "application/json; utf-8");
con.setRequestProperty("Accept", "application/json");
con.setDoOutput(true);
String jsonInputString = "{\n \"data\": {\n \"type\": \"bounty\",\n \"attributes\": {\n \"recipient\": \"string\",\n \"amount\": 0,\n \"reference\": \"string\",\n \"title\": \"string\",\n \"currency\": \"USD\",\n \"severity_rating\": \"none\"\n }\n }\n}";
try(OutputStream os = con.getOutputStream()) {
byte[] input = jsonInputString.getBytes("utf-8");
os.write(input, 0, input.length);
}
try(BufferedReader br = new BufferedReader(
new InputStreamReader(con.getInputStream(), "utf-8"))) {
StringBuilder response = new StringBuilder();
String responseLine = null;
while ((responseLine = br.readLine()) != null) {
response.append(responseLine.trim());
}
System.out.println(response.toString());
}
let inputBody = "{\n \"data\": {\n \"type\": \"bounty\",\n \"attributes\": {\n \"recipient\": \"string\",\n \"amount\": 0,\n \"reference\": \"string\",\n \"title\": \"string\",\n \"currency\": \"USD\",\n \"severity_rating\": \"none\"\n }\n }\n}";
let user = 'api_example_company';
let password = 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
headers.set('Content-Type', 'application/json'); headers.set('Accept', 'application/json');
fetch('https://api.hackerone.com/v1/programs/{id}/bounties',
{
method: 'POST',
body: inputBody,
headers: headers
})
.then(function(res) {
return res.json();
}).then(function(body) {
console.log(body);
});
package main
import (
"bytes"
"io/ioutil"
"log"
"net/http"
)
func main() {
headers := map[string][]string{
"Content-Type": []string{"application/json"},
"Accept": []string{"application/json"},
}
data := bytes.NewBuffer([]byte(`"{\n \"data\": {\n \"type\": \"bounty\",\n \"attributes\": {\n \"recipient\": \"string\",\n \"amount\": 0,\n \"reference\": \"string\",\n \"title\": \"string\",\n \"currency\": \"USD\",\n \"severity_rating\": \"none\"\n }\n }\n}"`))
req, err := http.NewRequest("POST", "https://api.hackerone.com/v1/programs/{id}/bounties", data)
req.Header = headers
req.SetBasicAuth("api_example_company", "Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=")
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
body, _ := ioutil.ReadAll(resp.Body)
log.Println(string(body))
}
201 Response
{
"data": {
"id": "1",
"type": "bounty",
"attributes": {
"amount": "100.00",
"bonus_amount": "0.00",
"awarded_amount": "100.00",
"awarded_bonus_amount": "0.00",
"awarded_currency": "USD",
"created_at": "2017-02-14T23:07:24.252Z",
"invitations": [
{
"id": "10",
"recipient": "hacker@hackerone.com",
"claim_url": "https://hackerone.com/invitations/3fe0a8badea0023c2fcca5c860d5899e"
}
]
}
}
}
POST /programs/{id}/bounties
To award a bounty, this API endpoint can be used. When the API call is successful,
a bounty object will be returned.
Required permission: Reward Management You can manage the permissions of your API users through your program's settings. Insufficient permissions will result in a 403 Forbidden response.
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| id | path | integer | true | The ID of the program. |
| data | body | object | true | This object contains the information required to create a bounty. |
| » type | body | string | true | none |
| » attributes | body | object | true | none |
| »» recipient | body | string | false | The email address of the recipient. When the email address is provided, |
| »» amount | body | number | true | The amount that should be awarded. |
| »» reference | body | string | true | An internal reference attached to the report that makes searching or filtering in the future easy. |
| »» title | body | string | true | The title of the security vulnerability that was reported to you. |
| »» currency | body | string | true | none |
| »» severity_rating | body | severity-ratings | false | none |
Detailed descriptions
»» recipient: The email address of the recipient. When the email address is provided, an email will be sent to the recipient to claim the bounty. When the email address is not provided, you can use the claim URL in the response to notify the recipient yourself. When the user does not have an account yet with HackerOne, it'll be onboarded before it can claim the reward. Users that already have an account, will benefit from collecting the payout easily through HackerOne and get additional reputation points to showcase on their HackerOne profile.
Enumerated Values
| Parameter | Value |
|---|---|
| » type | bounty |
| »» currency | USD |
| »» severity_rating | none |
| »» severity_rating | low |
| »» severity_rating | medium |
| »» severity_rating | high |
| »» severity_rating | critical |
Get Common Responses
Code samples
# You can also use wget
curl "https://api.hackerone.com/v1/programs/{id}/common_responses" \
-X GET \
-u "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=" \
-H 'Accept: application/json'
import requests
headers = {
'Accept': 'application/json'
}
r = requests.get(
'https://api.hackerone.com/v1/programs/{id}/common_responses',
auth=('api_example_company', 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ='),
headers = headers
)
print(r.json())
require 'rest-client'
require 'json'
headers = {
'Accept' => 'application/json'
}
result = RestClient::Request.execute(
method: :get,
url: 'https://api.hackerone.com/v1/programs/{id}/common_responses',
password: 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=',
user: 'api_example_company',
headers: headers
)
p JSON.parse(result)
URL obj = new URL("https://api.hackerone.com/v1/programs/{id}/common_responses");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
String userCredentials = "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);
con.setRequestMethod("GET");
try(BufferedReader br = new BufferedReader(
new InputStreamReader(con.getInputStream(), "utf-8"))) {
StringBuilder response = new StringBuilder();
String responseLine = null;
while ((responseLine = br.readLine()) != null) {
response.append(responseLine.trim());
}
System.out.println(response.toString());
}
let user = 'api_example_company';
let password = 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
headers.set('Accept', 'application/json');
fetch('https://api.hackerone.com/v1/programs/{id}/common_responses',
{
method: 'GET',
headers: headers
})
.then(function(res) {
return res.json();
}).then(function(body) {
console.log(body);
});
package main
import (
"io/ioutil"
"log"
"net/http"
)
func main() {
headers := map[string][]string{
"Accept": []string{"application/json"},
}
req, err := http.NewRequest("GET", "https://api.hackerone.com/v1/programs/{id}/common_responses", nil)
req.Header = headers
req.SetBasicAuth("api_example_company", "Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=")
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
body, _ := ioutil.ReadAll(resp.Body)
log.Println(string(body))
}
200 Response
{
"data": [
{
"id": "108878",
"attributes": {
"title": "Vulnerability Scanner False Positive",
"message": "Automated vulnerability scanners commonly have low priority issues and/or false positives. Before submitting the results from a scanner, please take a moment to confirm that the reported issues are actually valid and exploitable. Please reply if you have a working proof-of-concept or reason to believe that this issue is exploitable.\n"
}
},
{
"id": "108886",
"attributes": {
"title": "X-XSS-Protection",
"message": "Automated vulnerability scanners commonly have low priority issues and/or false positives. Before submitting the results from a scanner, please take a moment to confirm that the reported issues are actually valid and exploitable. In this specific case, we believe that the default state of the `X-XSS-Protection` header is sufficient for our purposes. Please reply if you have a working proof-of-concept that could be mitigated by an adjustment to our header.\n"
}
},
{
"id": "108891",
"attributes": {
"title": "Video Without Content",
"message": "Using a video to demonstrate a potential issue should only be necessary in rare situations and should always be accompanied with a text description of the issue as well. Please update this report with step-by-step instructions to reproduce the core components of the issue. If you don't speak English, feel free to leave your report in your own language, and we'll try our best to find someone who can help translate.\n"
}
}
],
"links": {}
}
GET /programs/{id}/common_responses
Common responses can be fetched by sending a GET request to the common responses endpoint. When the request is successful, the API will respond with paginated common responses.
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| id | path | integer | true | The ID of the program. |
| page[number] | query | any | false | The page to retrieve. |
| page[size] | query | any | false | The number of objects per page; currently limited from 1 to 100. |
Upload Policy Attachments
Code samples
# You can also use wget
curl "https://api.hackerone.com/v1/programs/{id}/policy_attachments" \
-X POST \
-u "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=" \
-H 'Accept: application/json'
import requests
headers = {
'Accept': 'application/json'
}
r = requests.post(
'https://api.hackerone.com/v1/programs/{id}/policy_attachments',
auth=('api_example_company', 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ='),
headers = headers
)
print(r.json())
require 'rest-client'
require 'json'
headers = {
'Accept' => 'application/json'
}
result = RestClient::Request.execute(
method: :post,
url: 'https://api.hackerone.com/v1/programs/{id}/policy_attachments',
password: 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=',
user: 'api_example_company',
headers: headers
)
p JSON.parse(result)
URL obj = new URL("https://api.hackerone.com/v1/programs/{id}/policy_attachments");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
String userCredentials = "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);
con.setRequestMethod("POST");
try(BufferedReader br = new BufferedReader(
new InputStreamReader(con.getInputStream(), "utf-8"))) {
StringBuilder response = new StringBuilder();
String responseLine = null;
while ((responseLine = br.readLine()) != null) {
response.append(responseLine.trim());
}
System.out.println(response.toString());
}
let user = 'api_example_company';
let password = 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
headers.set('Accept', 'application/json');
fetch('https://api.hackerone.com/v1/programs/{id}/policy_attachments',
{
method: 'POST',
headers: headers
})
.then(function(res) {
return res.json();
}).then(function(body) {
console.log(body);
});
package main
import (
"io/ioutil"
"log"
"net/http"
)
func main() {
headers := map[string][]string{
"Accept": []string{"application/json"},
}
req, err := http.NewRequest("POST", "https://api.hackerone.com/v1/programs/{id}/policy_attachments", nil)
req.Header = headers
req.SetBasicAuth("api_example_company", "Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=")
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
body, _ := ioutil.ReadAll(resp.Body)
log.Println(string(body))
}
200 Response
{
"id": "1337",
"type": "attachment",
"attributes": {
"expiring_url": "/system/attachments/files/000/001/337/original/root.rb?1454385906",
"created_at": "2016-02-02T04:05:06.000Z",
"file_name": "root.rb",
"content_type": "text/x-ruby",
"file_size": 2871
}
}
POST /programs/{id}/policy_attachments
Policy attachments can be uploaded by sending a POST request to the program policy
attachments endpoint. When the API call is successful, an attachment object will be
returned.
You can use the attachment ID to display the attachment on your policy page. For example,
if the attachment ID is 1337, then include {F1337} in your policy to display the
attachment.
Required permission: Program Management for uploading policy attachments. You can manage the permissions of your API users through your program's settings. Insufficient permissions will result in a 404 Not Found response.
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| id | path | integer | true | The ID of the program. |
Update Policy
Code samples
# You can also use wget
curl "https://api.hackerone.com/v1/programs/{id}/policy" \
-X PUT \
-u "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=" \
-H 'Content-Type: application/json' \
-H 'Accept: application/json' \
-d @- <<EOD
{
"data": {
"type": "program-policy",
"attributes": {
"policy": "string"
}
}
}
EOD
import requests
headers = {
'Content-Type': 'application/json',
'Accept': 'application/json'
}
data = {
"data": {
"type": "program-policy",
"attributes": {
"policy": "string"
}
}
}
r = requests.put(
'https://api.hackerone.com/v1/programs/{id}/policy',
auth=('api_example_company', 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ='),
json = data,
headers = headers
)
print(r.json())
require 'rest-client'
require 'json'
headers = {
'Content-Type' => 'application/json',
'Accept' => 'application/json'
}
data = {
"data": {
"type": "program-policy",
"attributes": {
"policy": "string"
}
}
}
result = RestClient::Request.execute(
method: :put,
url: 'https://api.hackerone.com/v1/programs/{id}/policy',
password: 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=',
user: 'api_example_company',
payload: data,
headers: headers
)
p JSON.parse(result)
URL obj = new URL("https://api.hackerone.com/v1/programs/{id}/policy");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
String userCredentials = "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);
con.setRequestMethod("PUT");
con.setRequestProperty("Content-Type", "application/json; utf-8");
con.setRequestProperty("Accept", "application/json");
con.setDoOutput(true);
String jsonInputString = "{\n \"data\": {\n \"type\": \"program-policy\",\n \"attributes\": {\n \"policy\": \"string\"\n }\n }\n}";
try(OutputStream os = con.getOutputStream()) {
byte[] input = jsonInputString.getBytes("utf-8");
os.write(input, 0, input.length);
}
try(BufferedReader br = new BufferedReader(
new InputStreamReader(con.getInputStream(), "utf-8"))) {
StringBuilder response = new StringBuilder();
String responseLine = null;
while ((responseLine = br.readLine()) != null) {
response.append(responseLine.trim());
}
System.out.println(response.toString());
}
let inputBody = "{\n \"data\": {\n \"type\": \"program-policy\",\n \"attributes\": {\n \"policy\": \"string\"\n }\n }\n}";
let user = 'api_example_company';
let password = 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
headers.set('Content-Type', 'application/json'); headers.set('Accept', 'application/json');
fetch('https://api.hackerone.com/v1/programs/{id}/policy',
{
method: 'PUT',
body: inputBody,
headers: headers
})
.then(function(res) {
return res.json();
}).then(function(body) {
console.log(body);
});
package main
import (
"bytes"
"io/ioutil"
"log"
"net/http"
)
func main() {
headers := map[string][]string{
"Content-Type": []string{"application/json"},
"Accept": []string{"application/json"},
}
data := bytes.NewBuffer([]byte(`"{\n \"data\": {\n \"type\": \"program-policy\",\n \"attributes\": {\n \"policy\": \"string\"\n }\n }\n}"`))
req, err := http.NewRequest("PUT", "https://api.hackerone.com/v1/programs/{id}/policy", data)
req.Header = headers
req.SetBasicAuth("api_example_company", "Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=")
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
body, _ := ioutil.ReadAll(resp.Body)
log.Println(string(body))
}
200 Response
{
"data": {
"id": "12",
"type": "program",
"attributes": {
"handle": "security",
"policy": "...",
"created_at": "2013-01-01T00:00:00.000Z",
"updated_at": "2019-08-26T13:53:24.807Z"
}
}
}
PUT /programs/{id}/policy
Managing the policy of a program through the HackerOne API can be useful to programmatically batch update programs in HackerOne. You can use this endpoint to update the policy of your program.
Required permission: Program Management. You can manage the permissions of your API users through your program's settings. Insufficient permissions will result in a 404 Not Found response.
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| id | path | integer | true | The ID of the program. |
| data | body | object | true | This object contains the information to update the policy of a program. |
| » type | body | string | true | none |
| » attributes | body | object | true | none |
| »» policy | body | string | true | The new policy that will be set on the program. |
Enumerated Values
| Parameter | Value |
|---|---|
| » type | program-policy |
Get Reporters
Code samples
# You can also use wget
curl "https://api.hackerone.com/v1/programs/{id}/reporters" \
-X GET \
-u "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=" \
-H 'Accept: application/json'
import requests
headers = {
'Accept': 'application/json'
}
r = requests.get(
'https://api.hackerone.com/v1/programs/{id}/reporters',
auth=('api_example_company', 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ='),
headers = headers
)
print(r.json())
require 'rest-client'
require 'json'
headers = {
'Accept' => 'application/json'
}
result = RestClient::Request.execute(
method: :get,
url: 'https://api.hackerone.com/v1/programs/{id}/reporters',
password: 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=',
user: 'api_example_company',
headers: headers
)
p JSON.parse(result)
URL obj = new URL("https://api.hackerone.com/v1/programs/{id}/reporters");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
String userCredentials = "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);
con.setRequestMethod("GET");
try(BufferedReader br = new BufferedReader(
new InputStreamReader(con.getInputStream(), "utf-8"))) {
StringBuilder response = new StringBuilder();
String responseLine = null;
while ((responseLine = br.readLine()) != null) {
response.append(responseLine.trim());
}
System.out.println(response.toString());
}
let user = 'api_example_company';
let password = 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
headers.set('Accept', 'application/json');
fetch('https://api.hackerone.com/v1/programs/{id}/reporters',
{
method: 'GET',
headers: headers
})
.then(function(res) {
return res.json();
}).then(function(body) {
console.log(body);
});
package main
import (
"io/ioutil"
"log"
"net/http"
)
func main() {
headers := map[string][]string{
"Accept": []string{"application/json"},
}
req, err := http.NewRequest("GET", "https://api.hackerone.com/v1/programs/{id}/reporters", nil)
req.Header = headers
req.SetBasicAuth("api_example_company", "Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=")
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
body, _ := ioutil.ReadAll(resp.Body)
log.Println(string(body))
}
200 Response
{
"data": [
{
"id": "1337",
"type": "user",
"attributes": {
"username": "awesome-hacker",
"name": "Awesome Hacker",
"disabled": false,
"created_at": "2016-02-02T04:05:06.000Z",
"profile_picture": {
"62x62": "/assets/avatars/default.png",
"82x82": "/assets/avatars/default.png",
"110x110": "/assets/avatars/default.png",
"260x260": "/assets/avatars/default.png"
}
}
}
],
"links": {}
}
GET /programs/{id}/reporters
This resource allows you to retrieve a list of all users that ever
submitted a report to the program.
Multiple user objects can be queried by sending a GET request to the reporters endpoint. When the request is successful, the API will respond with paginated user objects.
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| id | path | integer | true | The ID of the program. |
| page[number] | query | any | false | The page to retrieve. |
| page[size] | query | any | false | The number of objects per page; currently limited from 1 to 100. |
Get Structured Scopes
Code samples
# You can also use wget
curl "https://api.hackerone.com/v1/programs/{id}/structured_scopes" \
-X GET \
-u "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=" \
-H 'Accept: application/json'
import requests
headers = {
'Accept': 'application/json'
}
r = requests.get(
'https://api.hackerone.com/v1/programs/{id}/structured_scopes',
auth=('api_example_company', 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ='),
headers = headers
)
print(r.json())
require 'rest-client'
require 'json'
headers = {
'Accept' => 'application/json'
}
result = RestClient::Request.execute(
method: :get,
url: 'https://api.hackerone.com/v1/programs/{id}/structured_scopes',
password: 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=',
user: 'api_example_company',
headers: headers
)
p JSON.parse(result)
URL obj = new URL("https://api.hackerone.com/v1/programs/{id}/structured_scopes");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
String userCredentials = "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);
con.setRequestMethod("GET");
try(BufferedReader br = new BufferedReader(
new InputStreamReader(con.getInputStream(), "utf-8"))) {
StringBuilder response = new StringBuilder();
String responseLine = null;
while ((responseLine = br.readLine()) != null) {
response.append(responseLine.trim());
}
System.out.println(response.toString());
}
let user = 'api_example_company';
let password = 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
headers.set('Accept', 'application/json');
fetch('https://api.hackerone.com/v1/programs/{id}/structured_scopes',
{
method: 'GET',
headers: headers
})
.then(function(res) {
return res.json();
}).then(function(body) {
console.log(body);
});
package main
import (
"io/ioutil"
"log"
"net/http"
)
func main() {
headers := map[string][]string{
"Accept": []string{"application/json"},
}
req, err := http.NewRequest("GET", "https://api.hackerone.com/v1/programs/{id}/structured_scopes", nil)
req.Header = headers
req.SetBasicAuth("api_example_company", "Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=")
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
body, _ := ioutil.ReadAll(resp.Body)
log.Println(string(body))
}
200 Response
{
"data": [
{
"id": "57",
"type": "structured-scope",
"attributes": {
"asset_identifier": "api.example.com",
"asset_type": "URL",
"confidentiality_requirement": "high",
"integrity_requirement": "high",
"availability_requirement": "high",
"max_severity": "critical",
"created_at": "2015-02-02T04:05:06.000Z",
"updated_at": "2016-05-02T04:05:06.000Z",
"instruction": null,
"eligible_for_bounty": true,
"eligible_for_submission": true,
"reference": "H001001"
}
},
{
"id": "58",
"type": "structured-scope",
"attributes": {
"asset_identifier": "www.example.com",
"asset_type": "URL",
"confidentiality_requirement": "low",
"integrity_requirement": "high",
"availability_requirement": "high",
"max_severity": "critical",
"created_at": "2017-02-03T04:05:10.000Z",
"updated_at": "2018-05-02T04:05:10.000Z",
"instruction": "Instruction text",
"eligible_for_bounty": true,
"eligible_for_submission": true,
"reference": "H001002"
}
}
],
"links": {}
}
GET /programs/{id}/structured_scopes
Structured scopes can be fetched by sending a GET request to the structured scopes endpoint. When the request is successful, the API will respond with paginated structured scope objects.
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| id | path | integer | true | The ID of the program. You can find the program ID by fetching your programs. |
| page[number] | query | any | false | The page to retrieve. |
| page[size] | query | any | false | The number of objects per page; currently limited from 1 to 100. |
Add Structured Scope
Code samples
# You can also use wget
curl "https://api.hackerone.com/v1/programs/{id}/structured_scopes" \
-X POST \
-u "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=" \
-H 'Content-Type: application/json' \
-H 'Accept: application/json' \
-d @- <<EOD
{
"data": {
"type": "structured-scope",
"attributes": {
"asset_identifier": "string",
"asset_type": "CIDR",
"eligible_for_bounty": true,
"eligible_for_submission": true,
"instruction": "string",
"confidentiality_requirement": "none",
"integrity_requirement": "none",
"availability_requirement": "none",
"max_severity": "none",
"reference": "string"
}
}
}
EOD
import requests
headers = {
'Content-Type': 'application/json',
'Accept': 'application/json'
}
data = {
"data": {
"type": "structured-scope",
"attributes": {
"asset_identifier": "string",
"asset_type": "CIDR",
"eligible_for_bounty": true,
"eligible_for_submission": true,
"instruction": "string",
"confidentiality_requirement": "none",
"integrity_requirement": "none",
"availability_requirement": "none",
"max_severity": "none",
"reference": "string"
}
}
}
r = requests.post(
'https://api.hackerone.com/v1/programs/{id}/structured_scopes',
auth=('api_example_company', 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ='),
json = data,
headers = headers
)
print(r.json())
require 'rest-client'
require 'json'
headers = {
'Content-Type' => 'application/json',
'Accept' => 'application/json'
}
data = {
"data": {
"type": "structured-scope",
"attributes": {
"asset_identifier": "string",
"asset_type": "CIDR",
"eligible_for_bounty": true,
"eligible_for_submission": true,
"instruction": "string",
"confidentiality_requirement": "none",
"integrity_requirement": "none",
"availability_requirement": "none",
"max_severity": "none",
"reference": "string"
}
}
}
result = RestClient::Request.execute(
method: :post,
url: 'https://api.hackerone.com/v1/programs/{id}/structured_scopes',
password: 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=',
user: 'api_example_company',
payload: data,
headers: headers
)
p JSON.parse(result)
URL obj = new URL("https://api.hackerone.com/v1/programs/{id}/structured_scopes");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
String userCredentials = "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);
con.setRequestMethod("POST");
con.setRequestProperty("Content-Type", "application/json; utf-8");
con.setRequestProperty("Accept", "application/json");
con.setDoOutput(true);
String jsonInputString = "{\n \"data\": {\n \"type\": \"structured-scope\",\n \"attributes\": {\n \"asset_identifier\": \"string\",\n \"asset_type\": \"CIDR\",\n \"eligible_for_bounty\": true,\n \"eligible_for_submission\": true,\n \"instruction\": \"string\",\n \"confidentiality_requirement\": \"none\",\n \"integrity_requirement\": \"none\",\n \"availability_requirement\": \"none\",\n \"max_severity\": \"none\",\n \"reference\": \"string\"\n }\n }\n}";
try(OutputStream os = con.getOutputStream()) {
byte[] input = jsonInputString.getBytes("utf-8");
os.write(input, 0, input.length);
}
try(BufferedReader br = new BufferedReader(
new InputStreamReader(con.getInputStream(), "utf-8"))) {
StringBuilder response = new StringBuilder();
String responseLine = null;
while ((responseLine = br.readLine()) != null) {
response.append(responseLine.trim());
}
System.out.println(response.toString());
}
let inputBody = "{\n \"data\": {\n \"type\": \"structured-scope\",\n \"attributes\": {\n \"asset_identifier\": \"string\",\n \"asset_type\": \"CIDR\",\n \"eligible_for_bounty\": true,\n \"eligible_for_submission\": true,\n \"instruction\": \"string\",\n \"confidentiality_requirement\": \"none\",\n \"integrity_requirement\": \"none\",\n \"availability_requirement\": \"none\",\n \"max_severity\": \"none\",\n \"reference\": \"string\"\n }\n }\n}";
let user = 'api_example_company';
let password = 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
headers.set('Content-Type', 'application/json'); headers.set('Accept', 'application/json');
fetch('https://api.hackerone.com/v1/programs/{id}/structured_scopes',
{
method: 'POST',
body: inputBody,
headers: headers
})
.then(function(res) {
return res.json();
}).then(function(body) {
console.log(body);
});
package main
import (
"bytes"
"io/ioutil"
"log"
"net/http"
)
func main() {
headers := map[string][]string{
"Content-Type": []string{"application/json"},
"Accept": []string{"application/json"},
}
data := bytes.NewBuffer([]byte(`"{\n \"data\": {\n \"type\": \"structured-scope\",\n \"attributes\": {\n \"asset_identifier\": \"string\",\n \"asset_type\": \"CIDR\",\n \"eligible_for_bounty\": true,\n \"eligible_for_submission\": true,\n \"instruction\": \"string\",\n \"confidentiality_requirement\": \"none\",\n \"integrity_requirement\": \"none\",\n \"availability_requirement\": \"none\",\n \"max_severity\": \"none\",\n \"reference\": \"string\"\n }\n }\n}"`))
req, err := http.NewRequest("POST", "https://api.hackerone.com/v1/programs/{id}/structured_scopes", data)
req.Header = headers
req.SetBasicAuth("api_example_company", "Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=")
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
body, _ := ioutil.ReadAll(resp.Body)
log.Println(string(body))
}
201 Response
{
"id": "57",
"type": "structured-scope",
"attributes": {
"asset_identifier": "api.example.com",
"asset_type": "URL",
"confidentiality_requirement": "high",
"integrity_requirement": "high",
"availability_requirement": "high",
"max_severity": "critical",
"created_at": "2015-02-02T04:05:06.000Z",
"updated_at": "2016-05-02T04:05:06.000Z",
"instruction": null,
"eligible_for_bounty": true,
"eligible_for_submission": true,
"reference": "H001001"
}
}
POST /programs/{id}/structured_scopes
This API endpoint can be used to add an asset to a program. When the API request is successful, a structured scope object will be returned. Please refer to our platform documentation to get more information on the different asset types.
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| id | path | integer | true | The ID of the program. You can find the program ID by fetching your programs. |
| data | body | object | true | This object contains the information to create a structured scope. |
| » type | body | string | true | none |
| » attributes | body | object | true | none |
| »» asset_identifier | body | string | true | The identifier of the asset. |
| »» asset_type | body | string | true | The type of the asset. |
| »» eligible_for_bounty | body | boolean | false | If the asset is eligible for bounty. |
| »» eligible_for_submission | body | boolean | false | If the asset is eligible for submission. |
| »» instruction | body | string | false | The raw instruction of the asset provided by the program. Markdown is not parsed. |
| »» confidentiality_requirement | body | string | false | A CVSS environmental modifier that reweights Confidentiality Impact of a vulnerability on this asset. |
| »» integrity_requirement | body | string | false | A CVSS environmental modifier that reweights Integrity Impact of a vulnerability on this asset. |
| »» availability_requirement | body | string | false | A CVSS environmental modifier that reweights Availability Impact of a vulnerability on this asset. |
| »» max_severity | body | severity-ratings | false | none |
| »» reference | body | string | false | The customer defined reference identifier or tag of the asset. |
Enumerated Values
| Parameter | Value |
|---|---|
| » type | structured-scope |
| »» asset_type | CIDR |
| »» asset_type | URL |
| »» asset_type | APPLE_STORE_APP_ID |
| »» asset_type | TESTFLIGHT |
| »» asset_type | OTHER_IPA |
| »» asset_type | GOOGLE_PLAY_APP_ID |
| »» asset_type | OTHER_APK |
| »» asset_type | WINDOWS_APP_STORE_APP_ID |
| »» asset_type | SOURCE_CODE |
| »» asset_type | DOWNLOADABLE_EXECUTABLES |
| »» asset_type | HARDWARE |
| »» asset_type | OTHER |
| »» confidentiality_requirement | none |
| »» confidentiality_requirement | low |
| »» confidentiality_requirement | medium |
| »» confidentiality_requirement | high |
| »» integrity_requirement | none |
| »» integrity_requirement | low |
| »» integrity_requirement | medium |
| »» integrity_requirement | high |
| »» availability_requirement | none |
| »» availability_requirement | low |
| »» availability_requirement | medium |
| »» availability_requirement | high |
| »» max_severity | none |
| »» max_severity | low |
| »» max_severity | medium |
| »» max_severity | high |
| »» max_severity | critical |
Update Structured Scope
Code samples
# You can also use wget
curl "https://api.hackerone.com/v1/programs/{program_id}/structured_scopes/{id}" \
-X PUT \
-u "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=" \
-H 'Content-Type: application/json' \
-H 'Accept: application/json' \
-d @- <<EOD
{
"data": {
"type": "structured-scope",
"attributes": {
"asset_identifier": "string",
"eligible_for_bounty": true,
"eligible_for_submission": true,
"instruction": "string",
"confidentiality_requirement": "none",
"integrity_requirement": "none",
"availability_requirement": "none",
"max_severity": "none",
"reference": "string"
}
}
}
EOD
import requests
headers = {
'Content-Type': 'application/json',
'Accept': 'application/json'
}
data = {
"data": {
"type": "structured-scope",
"attributes": {
"asset_identifier": "string",
"eligible_for_bounty": true,
"eligible_for_submission": true,
"instruction": "string",
"confidentiality_requirement": "none",
"integrity_requirement": "none",
"availability_requirement": "none",
"max_severity": "none",
"reference": "string"
}
}
}
r = requests.put(
'https://api.hackerone.com/v1/programs/{program_id}/structured_scopes/{id}',
auth=('api_example_company', 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ='),
json = data,
headers = headers
)
print(r.json())
require 'rest-client'
require 'json'
headers = {
'Content-Type' => 'application/json',
'Accept' => 'application/json'
}
data = {
"data": {
"type": "structured-scope",
"attributes": {
"asset_identifier": "string",
"eligible_for_bounty": true,
"eligible_for_submission": true,
"instruction": "string",
"confidentiality_requirement": "none",
"integrity_requirement": "none",
"availability_requirement": "none",
"max_severity": "none",
"reference": "string"
}
}
}
result = RestClient::Request.execute(
method: :put,
url: 'https://api.hackerone.com/v1/programs/{program_id}/structured_scopes/{id}',
password: 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=',
user: 'api_example_company',
payload: data,
headers: headers
)
p JSON.parse(result)
URL obj = new URL("https://api.hackerone.com/v1/programs/{program_id}/structured_scopes/{id}");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
String userCredentials = "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);
con.setRequestMethod("PUT");
con.setRequestProperty("Content-Type", "application/json; utf-8");
con.setRequestProperty("Accept", "application/json");
con.setDoOutput(true);
String jsonInputString = "{\n \"data\": {\n \"type\": \"structured-scope\",\n \"attributes\": {\n \"asset_identifier\": \"string\",\n \"eligible_for_bounty\": true,\n \"eligible_for_submission\": true,\n \"instruction\": \"string\",\n \"confidentiality_requirement\": \"none\",\n \"integrity_requirement\": \"none\",\n \"availability_requirement\": \"none\",\n \"max_severity\": \"none\",\n \"reference\": \"string\"\n }\n }\n}";
try(OutputStream os = con.getOutputStream()) {
byte[] input = jsonInputString.getBytes("utf-8");
os.write(input, 0, input.length);
}
try(BufferedReader br = new BufferedReader(
new InputStreamReader(con.getInputStream(), "utf-8"))) {
StringBuilder response = new StringBuilder();
String responseLine = null;
while ((responseLine = br.readLine()) != null) {
response.append(responseLine.trim());
}
System.out.println(response.toString());
}
let inputBody = "{\n \"data\": {\n \"type\": \"structured-scope\",\n \"attributes\": {\n \"asset_identifier\": \"string\",\n \"eligible_for_bounty\": true,\n \"eligible_for_submission\": true,\n \"instruction\": \"string\",\n \"confidentiality_requirement\": \"none\",\n \"integrity_requirement\": \"none\",\n \"availability_requirement\": \"none\",\n \"max_severity\": \"none\",\n \"reference\": \"string\"\n }\n }\n}";
let user = 'api_example_company';
let password = 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
headers.set('Content-Type', 'application/json'); headers.set('Accept', 'application/json');
fetch('https://api.hackerone.com/v1/programs/{program_id}/structured_scopes/{id}',
{
method: 'PUT',
body: inputBody,
headers: headers
})
.then(function(res) {
return res.json();
}).then(function(body) {
console.log(body);
});
package main
import (
"bytes"
"io/ioutil"
"log"
"net/http"
)
func main() {
headers := map[string][]string{
"Content-Type": []string{"application/json"},
"Accept": []string{"application/json"},
}
data := bytes.NewBuffer([]byte(`"{\n \"data\": {\n \"type\": \"structured-scope\",\n \"attributes\": {\n \"asset_identifier\": \"string\",\n \"eligible_for_bounty\": true,\n \"eligible_for_submission\": true,\n \"instruction\": \"string\",\n \"confidentiality_requirement\": \"none\",\n \"integrity_requirement\": \"none\",\n \"availability_requirement\": \"none\",\n \"max_severity\": \"none\",\n \"reference\": \"string\"\n }\n }\n}"`))
req, err := http.NewRequest("PUT", "https://api.hackerone.com/v1/programs/{program_id}/structured_scopes/{id}", data)
req.Header = headers
req.SetBasicAuth("api_example_company", "Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=")
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
body, _ := ioutil.ReadAll(resp.Body)
log.Println(string(body))
}
200 Response
{
"id": "57",
"type": "structured-scope",
"attributes": {
"asset_identifier": "api.example.com",
"asset_type": "URL",
"confidentiality_requirement": "high",
"integrity_requirement": "high",
"availability_requirement": "high",
"max_severity": "critical",
"created_at": "2015-02-02T04:05:06.000Z",
"updated_at": "2016-05-02T04:05:06.000Z",
"instruction": null,
"eligible_for_bounty": true,
"eligible_for_submission": true,
"reference": "H001001"
}
}
PUT /programs/{program_id}/structured_scopes/{id}
This API endpoint can be used to update an asset of a program. When the API request is successful, a structured scope object will be returned.
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| program_id | path | integer | true | The ID of the program. You can find the program ID by fetching your programs. |
| id | path | integer | true | The ID of the structured scope. |
| data | body | object | true | This object contains the information to update a structured scope. |
| » type | body | string | true | none |
| » attributes | body | object | true | none |
| »» asset_identifier | body | string | true | The identifier of the asset. |
| »» eligible_for_bounty | body | boolean | false | If the asset is eligible for bounty. |
| »» eligible_for_submission | body | boolean | false | If the asset is eligible for submission. |
| »» instruction | body | string | false | The raw instruction of the asset provided by the program. Markdown is not parsed. |
| »» confidentiality_requirement | body | string | false | A CVSS environmental modifier that reweights Confidentiality Impact of a vulnerability on this asset. |
| »» integrity_requirement | body | string | false | A CVSS environmental modifier that reweights Integrity Impact of a vulnerability on this asset. |
| »» availability_requirement | body | string | false | A CVSS environmental modifier that reweights Availability Impact of a vulnerability on this asset. |
| »» max_severity | body | severity-ratings | false | none |
| »» reference | body | string | false | The customer defined reference identifier or tag of the asset. |
Enumerated Values
| Parameter | Value |
|---|---|
| » type | structured-scope |
| »» confidentiality_requirement | none |
| »» confidentiality_requirement | low |
| »» confidentiality_requirement | medium |
| »» confidentiality_requirement | high |
| »» integrity_requirement | none |
| »» integrity_requirement | low |
| »» integrity_requirement | medium |
| »» integrity_requirement | high |
| »» availability_requirement | none |
| »» availability_requirement | low |
| »» availability_requirement | medium |
| »» availability_requirement | high |
| »» max_severity | none |
| »» max_severity | low |
| »» max_severity | medium |
| »» max_severity | high |
| »» max_severity | critical |
Archive Structured Scope
Code samples
# You can also use wget
curl "https://api.hackerone.com/v1/programs/{program_id}/structured_scopes/{id}" \
-X DELETE \
-u "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=" \
-H 'Accept: application/json'
import requests
headers = {
'Accept': 'application/json'
}
r = requests.delete(
'https://api.hackerone.com/v1/programs/{program_id}/structured_scopes/{id}',
auth=('api_example_company', 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ='),
headers = headers
)
print(r.json())
require 'rest-client'
require 'json'
headers = {
'Accept' => 'application/json'
}
result = RestClient::Request.execute(
method: :delete,
url: 'https://api.hackerone.com/v1/programs/{program_id}/structured_scopes/{id}',
password: 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=',
user: 'api_example_company',
headers: headers
)
p JSON.parse(result)
URL obj = new URL("https://api.hackerone.com/v1/programs/{program_id}/structured_scopes/{id}");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
String userCredentials = "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);
con.setRequestMethod("DELETE");
try(BufferedReader br = new BufferedReader(
new InputStreamReader(con.getInputStream(), "utf-8"))) {
StringBuilder response = new StringBuilder();
String responseLine = null;
while ((responseLine = br.readLine()) != null) {
response.append(responseLine.trim());
}
System.out.println(response.toString());
}
let user = 'api_example_company';
let password = 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
headers.set('Accept', 'application/json');
fetch('https://api.hackerone.com/v1/programs/{program_id}/structured_scopes/{id}',
{
method: 'DELETE',
headers: headers
})
.then(function(res) {
return res.json();
}).then(function(body) {
console.log(body);
});
package main
import (
"io/ioutil"
"log"
"net/http"
)
func main() {
headers := map[string][]string{
"Accept": []string{"application/json"},
}
req, err := http.NewRequest("DELETE", "https://api.hackerone.com/v1/programs/{program_id}/structured_scopes/{id}", nil)
req.Header = headers
req.SetBasicAuth("api_example_company", "Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=")
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
body, _ := ioutil.ReadAll(resp.Body)
log.Println(string(body))
}
200 Response
{
"id": "57",
"type": "structured-scope",
"attributes": {
"asset_identifier": "api.example.com",
"asset_type": "URL",
"confidentiality_requirement": "high",
"integrity_requirement": "high",
"availability_requirement": "high",
"max_severity": "critical",
"created_at": "2015-02-02T04:05:06.000Z",
"updated_at": "2016-05-02T04:05:06.000Z",
"instruction": null,
"eligible_for_bounty": true,
"eligible_for_submission": true,
"reference": "H001001"
}
}
DELETE /programs/{program_id}/structured_scopes/{id}
This API endpoint can be used to archive an asset of a program. When the API request is successful, a structured scope object will be returned.
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| program_id | path | integer | true | The ID of the program. You can find the program ID by fetching your programs. |
| id | path | integer | true | The ID of the structured scope. |
Get Awarded Swag
Code samples
# You can also use wget
curl "https://api.hackerone.com/v1/programs/{id}/swag" \
-X GET \
-u "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=" \
-H 'Accept: application/json'
import requests
headers = {
'Accept': 'application/json'
}
r = requests.get(
'https://api.hackerone.com/v1/programs/{id}/swag',
auth=('api_example_company', 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ='),
headers = headers
)
print(r.json())
require 'rest-client'
require 'json'
headers = {
'Accept' => 'application/json'
}
result = RestClient::Request.execute(
method: :get,
url: 'https://api.hackerone.com/v1/programs/{id}/swag',
password: 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=',
user: 'api_example_company',
headers: headers
)
p JSON.parse(result)
URL obj = new URL("https://api.hackerone.com/v1/programs/{id}/swag");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
String userCredentials = "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);
con.setRequestMethod("GET");
try(BufferedReader br = new BufferedReader(
new InputStreamReader(con.getInputStream(), "utf-8"))) {
StringBuilder response = new StringBuilder();
String responseLine = null;
while ((responseLine = br.readLine()) != null) {
response.append(responseLine.trim());
}
System.out.println(response.toString());
}
let user = 'api_example_company';
let password = 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
headers.set('Accept', 'application/json');
fetch('https://api.hackerone.com/v1/programs/{id}/swag',
{
method: 'GET',
headers: headers
})
.then(function(res) {
return res.json();
}).then(function(body) {
console.log(body);
});
package main
import (
"io/ioutil"
"log"
"net/http"
)
func main() {
headers := map[string][]string{
"Accept": []string{"application/json"},
}
req, err := http.NewRequest("GET", "https://api.hackerone.com/v1/programs/{id}/swag", nil)
req.Header = headers
req.SetBasicAuth("api_example_company", "Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=")
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
body, _ := ioutil.ReadAll(resp.Body)
log.Println(string(body))
}
200 Response
{
"data": [
{
"id": "8",
"type": "swag",
"attributes": {
"sent": true,
"created_at": "2019-08-30T08:33:42.147Z"
},
"relationships": {
"user": {
"data": {
"id": "1337",
"type": "user",
"attributes": {
"username": "api-example",
"name": "API Example",
"disabled": false,
"created_at": "2016-02-02T04:05:06.000Z",
"profile_picture": {
"62x62": "/assets/avatars/default.png",
"82x82": "/assets/avatars/default.png",
"110x110": "/assets/avatars/default.png",
"260x260": "/assets/avatars/default.png"
}
}
}
},
"address": {
"data": {
"id": "1337",
"type": "address",
"attributes": {
"name": "Jane Doe",
"street": "535 Mission Street",
"city": "San Francisco",
"postal_code": "94105",
"state": "CA",
"country": "United States of America",
"created_at": "2016-02-02T04:05:06.000Z",
"tshirt_size": "M_Large",
"phone_number": "+1-510-000-0000"
}
}
}
}
},
{
"id": "7",
"type": "swag",
"attributes": {
"sent": false,
"created_at": "2019-08-20T03:47:04.163Z"
},
"relationships": {
"user": {
"data": {
"id": "1338",
"type": "user",
"attributes": {
"username": "johndoe",
"name": "John Doe",
"disabled": false,
"created_at": "2017-02-02T04:05:06.000Z",
"profile_picture": {
"62x62": "/assets/avatars/default.png",
"82x82": "/assets/avatars/default.png",
"110x110": "/assets/avatars/default.png",
"260x260": "/assets/avatars/default.png"
}
}
}
},
"address": {
"data": {
"id": "1337",
"type": "address",
"attributes": {
"name": "John Smith",
"street": "535 Mission Street",
"city": "New York",
"postal_code": "10001",
"state": "NY",
"country": "United States of America",
"created_at": "2017-01-03T07:08:09.000Z",
"tshirt_size": "M_Large",
"phone_number": "+1-212-000-0000"
}
}
}
}
}
],
"links": {}
}
GET /programs/{id}/swag
Awarded swag can be fetched by sending a GET request to the swag endpoint. When the request
is successful, the API will respond with paginated swag objects.
Required permission: Program Management. You can manage the permissions of your API users through your program's settings. Insufficient permissions will result in a 403 Forbidden response.
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| id | path | integer | true | The ID of the program. |
| page[number] | query | any | false | The page to retrieve. |
| page[size] | query | any | false | The number of objects per page; currently limited from 1 to 100. |
Mark Swag as Sent
Code samples
# You can also use wget
curl "https://api.hackerone.com/v1/programs/{program_id}/swag/{id}" \
-X PUT \
-u "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=" \
-H 'Content-Type: application/json' \
-H 'Accept: application/json' \
-d @- <<EOD
{
"data": {
"type": "swag",
"attributes": {
"sent": true
}
}
}
EOD
import requests
headers = {
'Content-Type': 'application/json',
'Accept': 'application/json'
}
data = {
"data": {
"type": "swag",
"attributes": {
"sent": true
}
}
}
r = requests.put(
'https://api.hackerone.com/v1/programs/{program_id}/swag/{id}',
auth=('api_example_company', 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ='),
json = data,
headers = headers
)
print(r.json())
require 'rest-client'
require 'json'
headers = {
'Content-Type' => 'application/json',
'Accept' => 'application/json'
}
data = {
"data": {
"type": "swag",
"attributes": {
"sent": true
}
}
}
result = RestClient::Request.execute(
method: :put,
url: 'https://api.hackerone.com/v1/programs/{program_id}/swag/{id}',
password: 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=',
user: 'api_example_company',
payload: data,
headers: headers
)
p JSON.parse(result)
URL obj = new URL("https://api.hackerone.com/v1/programs/{program_id}/swag/{id}");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
String userCredentials = "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);
con.setRequestMethod("PUT");
con.setRequestProperty("Content-Type", "application/json; utf-8");
con.setRequestProperty("Accept", "application/json");
con.setDoOutput(true);
String jsonInputString = "{\n \"data\": {\n \"type\": \"swag\",\n \"attributes\": {\n \"sent\": true\n }\n }\n}";
try(OutputStream os = con.getOutputStream()) {
byte[] input = jsonInputString.getBytes("utf-8");
os.write(input, 0, input.length);
}
try(BufferedReader br = new BufferedReader(
new InputStreamReader(con.getInputStream(), "utf-8"))) {
StringBuilder response = new StringBuilder();
String responseLine = null;
while ((responseLine = br.readLine()) != null) {
response.append(responseLine.trim());
}
System.out.println(response.toString());
}
let inputBody = "{\n \"data\": {\n \"type\": \"swag\",\n \"attributes\": {\n \"sent\": true\n }\n }\n}";
let user = 'api_example_company';
let password = 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
headers.set('Content-Type', 'application/json'); headers.set('Accept', 'application/json');
fetch('https://api.hackerone.com/v1/programs/{program_id}/swag/{id}',
{
method: 'PUT',
body: inputBody,
headers: headers
})
.then(function(res) {
return res.json();
}).then(function(body) {
console.log(body);
});
package main
import (
"bytes"
"io/ioutil"
"log"
"net/http"
)
func main() {
headers := map[string][]string{
"Content-Type": []string{"application/json"},
"Accept": []string{"application/json"},
}
data := bytes.NewBuffer([]byte(`"{\n \"data\": {\n \"type\": \"swag\",\n \"attributes\": {\n \"sent\": true\n }\n }\n}"`))
req, err := http.NewRequest("PUT", "https://api.hackerone.com/v1/programs/{program_id}/swag/{id}", data)
req.Header = headers
req.SetBasicAuth("api_example_company", "Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=")
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
body, _ := ioutil.ReadAll(resp.Body)
log.Println(string(body))
}
200 Response
{
"data": {
"id": "8",
"type": "swag",
"attributes": {
"sent": true,
"created_at": "2019-08-30T08:33:42.147Z"
},
"relationships": {
"user": {
"data": {
"id": "1337",
"type": "user",
"attributes": {
"username": "api-example",
"name": "API Example",
"disabled": false,
"created_at": "2016-02-02T04:05:06.000Z",
"profile_picture": {
"62x62": "/assets/avatars/default.png",
"82x82": "/assets/avatars/default.png",
"110x110": "/assets/avatars/default.png",
"260x260": "/assets/avatars/default.png"
}
}
}
},
"address": {
"data": {
"id": "1337",
"type": "address",
"attributes": {
"name": "Jane Doe",
"street": "535 Mission Street",
"city": "San Francisco",
"postal_code": "94105",
"state": "CA",
"country": "United States of America",
"created_at": "2016-02-02T04:05:06.000Z",
"tshirt_size": "M_Large",
"phone_number": "+1-510-000-0000"
}
}
}
}
}
}
PUT /programs/{program_id}/swag/{id}
The status of swag can be updated to "sent" through this endpoint. When the request is
successful, the API will respond with a swag object.
Required permission: Program Management. You can manage the permissions of your API users through your program's settings. Insufficient permissions will result in a 403 Forbidden response.
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| program_id | path | integer | true | The ID of the program. |
| id | path | integer | true | The ID of the swag. |
| data | body | object | true | This object contains the information to change the status of swag. |
| » type | body | string | true | The public message posted on the report. Always required. |
| » attributes | body | object | true | none |
| »» sent | body | boolean | true | none |
Enumerated Values
| Parameter | Value |
|---|---|
| » type | swag |
| »» sent | true |
Get Thanks to Hackers
Code samples
# You can also use wget
curl "https://api.hackerone.com/v1/programs/{id}/thanks" \
-X GET \
-u "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=" \
-H 'Accept: application/json'
import requests
headers = {
'Accept': 'application/json'
}
r = requests.get(
'https://api.hackerone.com/v1/programs/{id}/thanks',
auth=('api_example_company', 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ='),
headers = headers
)
print(r.json())
require 'rest-client'
require 'json'
headers = {
'Accept' => 'application/json'
}
result = RestClient::Request.execute(
method: :get,
url: 'https://api.hackerone.com/v1/programs/{id}/thanks',
password: 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=',
user: 'api_example_company',
headers: headers
)
p JSON.parse(result)
URL obj = new URL("https://api.hackerone.com/v1/programs/{id}/thanks");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
String userCredentials = "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);
con.setRequestMethod("GET");
try(BufferedReader br = new BufferedReader(
new InputStreamReader(con.getInputStream(), "utf-8"))) {
StringBuilder response = new StringBuilder();
String responseLine = null;
while ((responseLine = br.readLine()) != null) {
response.append(responseLine.trim());
}
System.out.println(response.toString());
}
let user = 'api_example_company';
let password = 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
headers.set('Accept', 'application/json');
fetch('https://api.hackerone.com/v1/programs/{id}/thanks',
{
method: 'GET',
headers: headers
})
.then(function(res) {
return res.json();
}).then(function(body) {
console.log(body);
});
package main
import (
"io/ioutil"
"log"
"net/http"
)
func main() {
headers := map[string][]string{
"Accept": []string{"application/json"},
}
req, err := http.NewRequest("GET", "https://api.hackerone.com/v1/programs/{id}/thanks", nil)
req.Header = headers
req.SetBasicAuth("api_example_company", "Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=")
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
body, _ := ioutil.ReadAll(resp.Body)
log.Println(string(body))
}
200 Response
{
"data": [
{
"type": "thanks-item",
"attributes": {
"total_report_count": 1,
"reputation": 7,
"recognized_report_count": 1,
"username": "lorem",
"user_id": "55"
}
},
{
"type": "thanks-item",
"attributes": {
"total_report_count": 1,
"reputation": 22,
"recognized_report_count": 1,
"username": "ipsum",
"user_id": "56"
}
},
{
"type": "thanks-item",
"attributes": {
"total_report_count": 5,
"reputation": 38,
"recognized_report_count": 3,
"username": "adam",
"user_id": "57"
}
}
],
"links": {}
}
GET /programs/{id}/thanks
This resource allows you to view customer's thanks to hackers.
Customers thanks items can be fetched by sending a GET request to the thanks endpoint. When the request is successful, the API will respond with paginated thanks items objects.
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| id | path | integer | true | The ID of the program. |
| page[number] | query | any | false | The page to retrieve. |
| page[size] | query | any | false | The number of objects per page; currently limited from 1 to 100. |
Get Weaknesses
Code samples
# You can also use wget
curl "https://api.hackerone.com/v1/programs/{id}/weaknesses" \
-X GET \
-u "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=" \
-H 'Accept: application/json'
import requests
headers = {
'Accept': 'application/json'
}
r = requests.get(
'https://api.hackerone.com/v1/programs/{id}/weaknesses',
auth=('api_example_company', 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ='),
headers = headers
)
print(r.json())
require 'rest-client'
require 'json'
headers = {
'Accept' => 'application/json'
}
result = RestClient::Request.execute(
method: :get,
url: 'https://api.hackerone.com/v1/programs/{id}/weaknesses',
password: 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=',
user: 'api_example_company',
headers: headers
)
p JSON.parse(result)
URL obj = new URL("https://api.hackerone.com/v1/programs/{id}/weaknesses");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
String userCredentials = "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);
con.setRequestMethod("GET");
try(BufferedReader br = new BufferedReader(
new InputStreamReader(con.getInputStream(), "utf-8"))) {
StringBuilder response = new StringBuilder();
String responseLine = null;
while ((responseLine = br.readLine()) != null) {
response.append(responseLine.trim());
}
System.out.println(response.toString());
}
let user = 'api_example_company';
let password = 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
headers.set('Accept', 'application/json');
fetch('https://api.hackerone.com/v1/programs/{id}/weaknesses',
{
method: 'GET',
headers: headers
})
.then(function(res) {
return res.json();
}).then(function(body) {
console.log(body);
});
package main
import (
"io/ioutil"
"log"
"net/http"
)
func main() {
headers := map[string][]string{
"Accept": []string{"application/json"},
}
req, err := http.NewRequest("GET", "https://api.hackerone.com/v1/programs/{id}/weaknesses", nil)
req.Header = headers
req.SetBasicAuth("api_example_company", "Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=")
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
body, _ := ioutil.ReadAll(resp.Body)
log.Println(string(body))
}
200 Response
{
"data": [
{
"id": "1337",
"type": "weakness",
"attributes": {
"name": "Cross-Site Request Forgery (CSRF)",
"description": "The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.",
"created_at": "2016-02-02T04:05:06.000Z",
"external_id": "cwe-352"
}
},
{
"id": "1338",
"type": "weakness",
"attributes": {
"name": "SQL Injection",
"description": "The software constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component.",
"created_at": "2016-03-02T04:05:06.000Z",
"external_id": "cwe-89"
}
}
],
"links": {}
}
GET /programs/{id}/weaknesses
This resource allows you to retrieve a list of all weaknesses of the program.
Weaknesses can be fetched by sending a GET request to the weaknesses endpoint. When the request is successful, the API will respond with paginated weakness objects.
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| id | path | integer | true | The ID of the program. |
| page[number] | query | any | false | The page to retrieve. |
| page[size] | query | any | false | The number of objects per page; currently limited from 1 to 100. |
Get Program
Code samples
# You can also use wget
curl "https://api.hackerone.com/v1/programs/{id}" \
-X GET \
-u "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=" \
-H 'Accept: application/json'
import requests
headers = {
'Accept': 'application/json'
}
r = requests.get(
'https://api.hackerone.com/v1/programs/{id}',
auth=('api_example_company', 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ='),
headers = headers
)
print(r.json())
require 'rest-client'
require 'json'
headers = {
'Accept' => 'application/json'
}
result = RestClient::Request.execute(
method: :get,
url: 'https://api.hackerone.com/v1/programs/{id}',
password: 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=',
user: 'api_example_company',
headers: headers
)
p JSON.parse(result)
URL obj = new URL("https://api.hackerone.com/v1/programs/{id}");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
String userCredentials = "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);
con.setRequestMethod("GET");
try(BufferedReader br = new BufferedReader(
new InputStreamReader(con.getInputStream(), "utf-8"))) {
StringBuilder response = new StringBuilder();
String responseLine = null;
while ((responseLine = br.readLine()) != null) {
response.append(responseLine.trim());
}
System.out.println(response.toString());
}
let user = 'api_example_company';
let password = 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
headers.set('Accept', 'application/json');
fetch('https://api.hackerone.com/v1/programs/{id}',
{
method: 'GET',
headers: headers
})
.then(function(res) {
return res.json();
}).then(function(body) {
console.log(body);
});
package main
import (
"io/ioutil"
"log"
"net/http"
)
func main() {
headers := map[string][]string{
"Accept": []string{"application/json"},
}
req, err := http.NewRequest("GET", "https://api.hackerone.com/v1/programs/{id}", nil)
req.Header = headers
req.SetBasicAuth("api_example_company", "Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=")
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
body, _ := ioutil.ReadAll(resp.Body)
log.Println(string(body))
}
200 Response
{
"data": {
"id": "1337",
"type": "program",
"attributes": {
"handle": "security",
"created_at": "2016-02-02T04:05:06.000Z",
"updated_at": "2016-02-02T04:05:06.000Z"
},
"relationships": {
"groups": {
"data": [
{
"id": "2557",
"type": "group",
"attributes": {
"name": "Standard",
"created_at": "2016-02-02T04:05:06.000Z",
"permissions": [
"report_management",
"reward_management"
]
}
},
{
"id": "2558",
"type": "group",
"attributes": {
"name": "Admin",
"created_at": "2016-02-02T04:05:06.000Z",
"permissions": [
"user_management",
"program_management"
]
}
}
]
},
"members": {
"data": [
{
"id": "1339",
"type": "member",
"attributes": {
"created_at": "2016-02-02T04:05:06.000Z",
"permissions": [
"program_management",
"report_management",
"reward_management",
"user_management"
]
},
"relationships": {
"user": {
"data": {
"id": "1337",
"type": "user",
"attributes": {
"username": "api-example",
"name": "API Example",
"disabled": false,
"created_at": "2016-02-02T04:05:06.000Z",
"profile_picture": {
"62x62": "/assets/avatars/default.png",
"82x82": "/assets/avatars/default.png",
"110x110": "/assets/avatars/default.png",
"260x260": "/assets/avatars/default.png"
}
}
}
}
}
}
]
}
}
}
}
GET /programs/{id}
A program object can be fetched by sending a GET request
to a unique program object. When the request is successful, the API
will respond with a program object.
The following program relationships are included: groups, members, custom field attributes and policy attachments.
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| id | path | integer | true | The ID of the program. You can find the program ID by fetching your programs |
Reports
Create Comment
Code samples
# You can also use wget
curl "https://api.hackerone.com/v1/reports/{id}/activities" \
-X POST \
-u "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=" \
-H 'Content-Type: application/json' \
-H 'Accept: application/json' \
-d @- <<EOD
{
"data": {
"type": "activity-comment",
"attributes": {
"message": "string",
"internal": true
}
}
}
EOD
import requests
headers = {
'Content-Type': 'application/json',
'Accept': 'application/json'
}
data = {
"data": {
"type": "activity-comment",
"attributes": {
"message": "string",
"internal": true
}
}
}
r = requests.post(
'https://api.hackerone.com/v1/reports/{id}/activities',
auth=('api_example_company', 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ='),
json = data,
headers = headers
)
print(r.json())
require 'rest-client'
require 'json'
headers = {
'Content-Type' => 'application/json',
'Accept' => 'application/json'
}
data = {
"data": {
"type": "activity-comment",
"attributes": {
"message": "string",
"internal": true
}
}
}
result = RestClient::Request.execute(
method: :post,
url: 'https://api.hackerone.com/v1/reports/{id}/activities',
password: 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=',
user: 'api_example_company',
payload: data,
headers: headers
)
p JSON.parse(result)
URL obj = new URL("https://api.hackerone.com/v1/reports/{id}/activities");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
String userCredentials = "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);
con.setRequestMethod("POST");
con.setRequestProperty("Content-Type", "application/json; utf-8");
con.setRequestProperty("Accept", "application/json");
con.setDoOutput(true);
String jsonInputString = "{\n \"data\": {\n \"type\": \"activity-comment\",\n \"attributes\": {\n \"message\": \"string\",\n \"internal\": true\n }\n }\n}";
try(OutputStream os = con.getOutputStream()) {
byte[] input = jsonInputString.getBytes("utf-8");
os.write(input, 0, input.length);
}
try(BufferedReader br = new BufferedReader(
new InputStreamReader(con.getInputStream(), "utf-8"))) {
StringBuilder response = new StringBuilder();
String responseLine = null;
while ((responseLine = br.readLine()) != null) {
response.append(responseLine.trim());
}
System.out.println(response.toString());
}
let inputBody = "{\n \"data\": {\n \"type\": \"activity-comment\",\n \"attributes\": {\n \"message\": \"string\",\n \"internal\": true\n }\n }\n}";
let user = 'api_example_company';
let password = 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
headers.set('Content-Type', 'application/json'); headers.set('Accept', 'application/json');
fetch('https://api.hackerone.com/v1/reports/{id}/activities',
{
method: 'POST',
body: inputBody,
headers: headers
})
.then(function(res) {
return res.json();
}).then(function(body) {
console.log(body);
});
package main
import (
"bytes"
"io/ioutil"
"log"
"net/http"
)
func main() {
headers := map[string][]string{
"Content-Type": []string{"application/json"},
"Accept": []string{"application/json"},
}
data := bytes.NewBuffer([]byte(`"{\n \"data\": {\n \"type\": \"activity-comment\",\n \"attributes\": {\n \"message\": \"string\",\n \"internal\": true\n }\n }\n}"`))
req, err := http.NewRequest("POST", "https://api.hackerone.com/v1/reports/{id}/activities", data)
req.Header = headers
req.SetBasicAuth("api_example_company", "Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=")
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
body, _ := ioutil.ReadAll(resp.Body)
log.Println(string(body))
}
201 Response
{
"data": {
"id": "1337",
"type": "activity-comment",
"attributes": {
"message": "A fix has been deployed. Can you retest, please?",
"created_at": "2016-02-02T04:05:06.000Z",
"updated_at": "2016-02-02T04:05:06.000Z",
"internal": false
},
"relationships": {
"actor": {
"data": {
"id": "1337",
"type": "user",
"attributes": {
"username": "api-example",
"name": "API Example",
"disabled": false,
"created_at": "2016-02-02T04:05:06.000Z",
"profile_picture": {
"62x62": "/assets/avatars/default.png",
"82x82": "/assets/avatars/default.png",
"110x110": "/assets/avatars/default.png",
"260x260": "/assets/avatars/default.png"
}
}
}
}
}
}
}
POST /reports/{id}/activities
Both public and internal comments can be posted with this endpoint.
Comments require a message before they will be posted. If a public comment is
posted, any user that is subscribed to the report will receive a notification
of the created comment. For internal comments, only people that are managing
the program who are subscribed the report will receive a notification.
Required permission: Report Management for posting public comments. Posting internal comments do not require any additional permissions. You can manage the permissions of your API users through your program's settings. Insufficient permissions will result in a 403 Forbidden response.
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| id | path | integer | true | The ID of the report. |
| data | body | object | true | This object contains the information to create a comment object for the report. |
| » type | body | string | true | Type of activity. |
| » attributes | body | object | true | none |
| »» message | body | string | true | The message that will be posted. |
| »» internal | body | boolean | true | A boolean that indicates whether the comment should |
Detailed descriptions
»» internal: A boolean that indicates whether the comment should be internal or public. Internal comments are only viewable by the users that manage the program. Public comments are viewable by everyone, including the person that submitted the report.
Enumerated Values
| Parameter | Value |
|---|---|
| » type | activity-comment |
Update Assignee
Code samples
# You can also use wget
curl "https://api.hackerone.com/v1/reports/{id}/assignee" \
-X PUT \
-u "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=" \
-H 'Content-Type: application/json' \
-H 'Accept: application/json' \
-d @- <<EOD
{
"data": {
"id": 0,
"type": "user",
"attributes": {
"message": "string"
}
}
}
EOD
import requests
headers = {
'Content-Type': 'application/json',
'Accept': 'application/json'
}
data = {
"data": {
"id": 0,
"type": "user",
"attributes": {
"message": "string"
}
}
}
r = requests.put(
'https://api.hackerone.com/v1/reports/{id}/assignee',
auth=('api_example_company', 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ='),
json = data,
headers = headers
)
print(r.json())
require 'rest-client'
require 'json'
headers = {
'Content-Type' => 'application/json',
'Accept' => 'application/json'
}
data = {
"data": {
"id": 0,
"type": "user",
"attributes": {
"message": "string"
}
}
}
result = RestClient::Request.execute(
method: :put,
url: 'https://api.hackerone.com/v1/reports/{id}/assignee',
password: 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=',
user: 'api_example_company',
payload: data,
headers: headers
)
p JSON.parse(result)
URL obj = new URL("https://api.hackerone.com/v1/reports/{id}/assignee");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
String userCredentials = "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);
con.setRequestMethod("PUT");
con.setRequestProperty("Content-Type", "application/json; utf-8");
con.setRequestProperty("Accept", "application/json");
con.setDoOutput(true);
String jsonInputString = "{\n \"data\": {\n \"id\": 0,\n \"type\": \"user\",\n \"attributes\": {\n \"message\": \"string\"\n }\n }\n}";
try(OutputStream os = con.getOutputStream()) {
byte[] input = jsonInputString.getBytes("utf-8");
os.write(input, 0, input.length);
}
try(BufferedReader br = new BufferedReader(
new InputStreamReader(con.getInputStream(), "utf-8"))) {
StringBuilder response = new StringBuilder();
String responseLine = null;
while ((responseLine = br.readLine()) != null) {
response.append(responseLine.trim());
}
System.out.println(response.toString());
}
let inputBody = "{\n \"data\": {\n \"id\": 0,\n \"type\": \"user\",\n \"attributes\": {\n \"message\": \"string\"\n }\n }\n}";
let user = 'api_example_company';
let password = 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
headers.set('Content-Type', 'application/json'); headers.set('Accept', 'application/json');
fetch('https://api.hackerone.com/v1/reports/{id}/assignee',
{
method: 'PUT',
body: inputBody,
headers: headers
})
.then(function(res) {
return res.json();
}).then(function(body) {
console.log(body);
});
package main
import (
"bytes"
"io/ioutil"
"log"
"net/http"
)
func main() {
headers := map[string][]string{
"Content-Type": []string{"application/json"},
"Accept": []string{"application/json"},
}
data := bytes.NewBuffer([]byte(`"{\n \"data\": {\n \"id\": 0,\n \"type\": \"user\",\n \"attributes\": {\n \"message\": \"string\"\n }\n }\n}"`))
req, err := http.NewRequest("PUT", "https://api.hackerone.com/v1/reports/{id}/assignee", data)
req.Header = headers
req.SetBasicAuth("api_example_company", "Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=")
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
body, _ := ioutil.ReadAll(resp.Body)
log.Println(string(body))
}
200 Response
{
"id": "1337",
"type": "report",
"attributes": {
"title": "XSS in login form",
"state": "new",
"created_at": "2016-02-02T04:05:06.000Z",
"vulnerability_information": "...",
"triaged_at": null,
"closed_at": null,
"last_reporter_activity_at": null,
"first_program_activity_at": null,
"last_program_activity_at": null,
"bounty_awarded_at": null,
"swag_awarded_at": null,
"disclosed_at": null,
"last_activity_at": null,
"issue_tracker_reference_url": "https://example.com/reference",
"cve_ids": []
},
"relationships": {
"reporter": {
"data": {
"id": "1337",
"type": "user",
"attributes": {
"username": "api-example",
"name": "API Example",
"disabled": false,
"created_at": "2016-02-02T04:05:06.000Z",
"profile_picture": {
"62x62": "/assets/avatars/default.png",
"82x82": "/assets/avatars/default.png",
"110x110": "/assets/avatars/default.png",
"260x260": "/assets/avatars/default.png"
},
"reputation": 7,
"signal": 7,
"impact": 30
}
}
},
"assignee": {
"data": {
"id": "1337",
"type": "user",
"attributes": {
"username": "member",
"name": "Member",
"disabled": false,
"created_at": "2016-02-02T04:05:06.000Z",
"profile_picture": {
"62x62": "/assets/avatars/default.png",
"82x82": "/assets/avatars/default.png",
"110x110": "/assets/avatars/default.png",
"260x260": "/assets/avatars/default.png"
}
}
}
},
"program": {
"data": {
"id": "1337",
"type": "program",
"attributes": {
"handle": "security",
"created_at": "2016-02-02T04:05:06.000Z",
"updated_at": "2016-02-02T04:05:06.000Z"
}
}
},
"swag": {
"data": []
},
"attachments": {
"data": []
},
"weakness": {
"data": {
"id": "1337",
"type": "weakness",
"attributes": {
"name": "Cross-Site Request Forgery (CSRF)",
"description": "The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.",
"external_id": "cwe-352",
"created_at": "2016-02-02T04:05:06.000Z"
}
}
},
"activities": {
"data": [
{
"id": "1337",
"type": "activity-user-assigned-to-bug",
"attributes": {
"message": "@member Please check this out!",
"created_at": "2016-02-02T04:05:06.000Z",
"updated_at": "2016-02-02T04:05:06.000Z",
"internal": true
},
"relationships": {
"actor": {
"data": {
"id": "1338",
"type": "user",
"attributes": {
"username": "api_example_company",
"name": null,
"disabled": false,
"created_at": "2016-02-02T04:05:06.000Z",
"profile_picture": {
"62x62": "/assets/avatars/default.png",
"82x82": "/assets/avatars/default.png",
"110x110": "/assets/avatars/default.png",
"260x260": "/assets/avatars/default.png"
}
}
}
},
"assigned_user": {
"data": {
"id": "1337",
"type": "user",
"attributes": {
"username": "member",
"name": "Member",
"disabled": false,
"created_at": "2016-02-02T04:05:06.000Z",
"profile_picture": {
"62x62": "/assets/avatars/default.png",
"82x82": "/assets/avatars/default.png",
"110x110": "/assets/avatars/default.png",
"260x260": "/assets/avatars/default.png"
}
}
}
}
}
}
]
},
"bounties": {
"data": []
},
"summaries": {
"data": []
}
}
}
PUT /reports/{id}/assignee
A user or group can be assigned to a report with this endpoint.
An optional message can be specified, which will be posted as internal
comment to the report subscribers. Only users and groups that are part
of the program can be assigned. It is not possible to assign API users
to a report.
When assigning a single user to a report, that user will be automatically
subscribed to the report. In case a group is assigned to a report, all
users that are part of that group are subscribed to the report. Subscribers
will receive a notification that the report was assigned.
In case the request was successful, the API will respond with the updated
report object.
Required permission: Report Management. You can manage the permissions of your API users through your program's settings. Insufficient permissions will result in a 403 Forbidden response.
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| id | path | integer | true | The ID of the report. |
| data | body | object | true | This object contains the information to assign a user or group object to the report, or to clear the assignee of a report. |
| » id | body | integer | false | The ID of the user or group. Required unless the type is 'nobody' |
| » type | body | string | true | Specifies whether a user or group should be assigned, or if the assignee should be cleared. |
| » attributes | body | object | false | none |
| »» message | body | string | false | The message that will be posted to the assigned user or group. |
Enumerated Values
| Parameter | Value |
|---|---|
| » type | user |
| » type | group |
| » type | nobody |
Award Bounty
Code samples
# You can also use wget
curl "https://api.hackerone.com/v1/reports/{id}/bounties" \
-X POST \
-u "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=" \
-H 'Content-Type: application/json' \
-H 'Accept: application/json' \
-d @- <<EOD
{
"data": {
"message": "string",
"amount": 0,
"bonus_amount": 0
}
}
EOD
import requests
headers = {
'Content-Type': 'application/json',
'Accept': 'application/json'
}
data = {
"data": {
"message": "string",
"amount": 0,
"bonus_amount": 0
}
}
r = requests.post(
'https://api.hackerone.com/v1/reports/{id}/bounties',
auth=('api_example_company', 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ='),
json = data,
headers = headers
)
print(r.json())
require 'rest-client'
require 'json'
headers = {
'Content-Type' => 'application/json',
'Accept' => 'application/json'
}
data = {
"data": {
"message": "string",
"amount": 0,
"bonus_amount": 0
}
}
result = RestClient::Request.execute(
method: :post,
url: 'https://api.hackerone.com/v1/reports/{id}/bounties',
password: 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=',
user: 'api_example_company',
payload: data,
headers: headers
)
p JSON.parse(result)
URL obj = new URL("https://api.hackerone.com/v1/reports/{id}/bounties");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
String userCredentials = "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);
con.setRequestMethod("POST");
con.setRequestProperty("Content-Type", "application/json; utf-8");
con.setRequestProperty("Accept", "application/json");
con.setDoOutput(true);
String jsonInputString = "{\n \"data\": {\n \"message\": \"string\",\n \"amount\": 0,\n \"bonus_amount\": 0\n }\n}";
try(OutputStream os = con.getOutputStream()) {
byte[] input = jsonInputString.getBytes("utf-8");
os.write(input, 0, input.length);
}
try(BufferedReader br = new BufferedReader(
new InputStreamReader(con.getInputStream(), "utf-8"))) {
StringBuilder response = new StringBuilder();
String responseLine = null;
while ((responseLine = br.readLine()) != null) {
response.append(responseLine.trim());
}
System.out.println(response.toString());
}
let inputBody = "{\n \"data\": {\n \"message\": \"string\",\n \"amount\": 0,\n \"bonus_amount\": 0\n }\n}";
let user = 'api_example_company';
let password = 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
headers.set('Content-Type', 'application/json'); headers.set('Accept', 'application/json');
fetch('https://api.hackerone.com/v1/reports/{id}/bounties',
{
method: 'POST',
body: inputBody,
headers: headers
})
.then(function(res) {
return res.json();
}).then(function(body) {
console.log(body);
});
package main
import (
"bytes"
"io/ioutil"
"log"
"net/http"
)
func main() {
headers := map[string][]string{
"Content-Type": []string{"application/json"},
"Accept": []string{"application/json"},
}
data := bytes.NewBuffer([]byte(`"{\n \"data\": {\n \"message\": \"string\",\n \"amount\": 0,\n \"bonus_amount\": 0\n }\n}"`))
req, err := http.NewRequest("POST", "https://api.hackerone.com/v1/reports/{id}/bounties", data)
req.Header = headers
req.SetBasicAuth("api_example_company", "Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=")
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
body, _ := ioutil.ReadAll(resp.Body)
log.Println(string(body))
}
201 Response
{
"id": "1337",
"type": "bounty",
"attributes": {
"amount": "500.00",
"bonus_amount": "50.00",
"created_at": "2016-02-02T04:05:06.000Z"
}
}
POST /reports/{id}/bounties
You can use this endpoint to award bounties to the reporter
of the provided report.
Required permission: Reward Management You can manage the
permissions of your API users through your program's settings.
Insufficient permissions will result in a 404 Not Found response.
In addition, your program needs to be able to award bounties and the report needs to be eligible for bounties. If either case is false, the call will result in a 403 Forbidden response.
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| id | path | integer | true | The ID of the report. |
| data | body | object | true | This object contains the information required to create a bounty. |
| » message | body | string | true | The public message posted on the report. Always required. |
| » amount | body | number | false | The bounty award to award to the reporter. Only one of amount or bonus amount is required. Must be a positive number and, when provided, must be equal to or greater than your minimum bounty. |
| » bonus_amount | body | number | false | The bonus amount to award to the reporter. Only one of amount or bonus amount is required. Must be a positive number. |
Mark as Ineligible for Bounty
Code samples
# You can also use wget
curl "https://api.hackerone.com/v1/reports/{id}/ineligible_for_bounty" \
-X PUT \
-u "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=" \
-H 'Content-Type: application/json' \
-H 'Accept: application/json' \
-d @- <<EOD
{
"data": {
"type": "report-ineligible-for-bounty"
}
}
EOD
import requests
headers = {
'Content-Type': 'application/json',
'Accept': 'application/json'
}
data = {
"data": {
"type": "report-ineligible-for-bounty"
}
}
r = requests.put(
'https://api.hackerone.com/v1/reports/{id}/ineligible_for_bounty',
auth=('api_example_company', 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ='),
json = data,
headers = headers
)
print(r.json())
require 'rest-client'
require 'json'
headers = {
'Content-Type' => 'application/json',
'Accept' => 'application/json'
}
data = {
"data": {
"type": "report-ineligible-for-bounty"
}
}
result = RestClient::Request.execute(
method: :put,
url: 'https://api.hackerone.com/v1/reports/{id}/ineligible_for_bounty',
password: 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=',
user: 'api_example_company',
payload: data,
headers: headers
)
p JSON.parse(result)
URL obj = new URL("https://api.hackerone.com/v1/reports/{id}/ineligible_for_bounty");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
String userCredentials = "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);
con.setRequestMethod("PUT");
con.setRequestProperty("Content-Type", "application/json; utf-8");
con.setRequestProperty("Accept", "application/json");
con.setDoOutput(true);
String jsonInputString = "{\n \"data\": {\n \"type\": \"report-ineligible-for-bounty\"\n }\n}";
try(OutputStream os = con.getOutputStream()) {
byte[] input = jsonInputString.getBytes("utf-8");
os.write(input, 0, input.length);
}
try(BufferedReader br = new BufferedReader(
new InputStreamReader(con.getInputStream(), "utf-8"))) {
StringBuilder response = new StringBuilder();
String responseLine = null;
while ((responseLine = br.readLine()) != null) {
response.append(responseLine.trim());
}
System.out.println(response.toString());
}
let inputBody = "{\n \"data\": {\n \"type\": \"report-ineligible-for-bounty\"\n }\n}";
let user = 'api_example_company';
let password = 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
headers.set('Content-Type', 'application/json'); headers.set('Accept', 'application/json');
fetch('https://api.hackerone.com/v1/reports/{id}/ineligible_for_bounty',
{
method: 'PUT',
body: inputBody,
headers: headers
})
.then(function(res) {
return res.json();
}).then(function(body) {
console.log(body);
});
package main
import (
"bytes"
"io/ioutil"
"log"
"net/http"
)
func main() {
headers := map[string][]string{
"Content-Type": []string{"application/json"},
"Accept": []string{"application/json"},
}
data := bytes.NewBuffer([]byte(`"{\n \"data\": {\n \"type\": \"report-ineligible-for-bounty\"\n }\n}"`))
req, err := http.NewRequest("PUT", "https://api.hackerone.com/v1/reports/{id}/ineligible_for_bounty", data)
req.Header = headers
req.SetBasicAuth("api_example_company", "Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=")
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
body, _ := ioutil.ReadAll(resp.Body)
log.Println(string(body))
}
200 Response
{
"id": "1337",
"type": "report",
"attributes": {
"title": "XSS in login form",
"state": "new",
"created_at": "2016-02-02T04:05:06.000Z",
"vulnerability_information": "...",
"triaged_at": null,
"closed_at": null,
"last_reporter_activity_at": null,
"first_program_activity_at": null,
"last_program_activity_at": null,
"bounty_awarded_at": null,
"swag_awarded_at": null,
"disclosed_at": null,
"last_public_activity_at": null,
"last_activity_at": null,
"issue_tracker_reference_url": "https://example.com/reference",
"cve_ids": [],
"source": null,
"reporter_agreed_on_going_public_at": null
},
"relationships": {
"reporter": {
"data": {
"id": "1337",
"type": "user",
"attributes": {
"username": "api-example",
"name": "API Example",
"disabled": false,
"created_at": "2016-02-02T04:05:06.000Z",
"profile_picture": {
"62x62": "/assets/avatars/default.png",
"82x82": "/assets/avatars/default.png",
"110x110": "/assets/avatars/default.png",
"260x260": "/assets/avatars/default.png"
},
"reputation": 7,
"signal": 7,
"impact": 30
}
}
},
"program": {
"data": {
"id": "1337",
"type": "program",
"attributes": {
"handle": "security",
"created_at": "2016-02-02T04:05:06.000Z",
"updated_at": "2016-02-02T04:05:06.000Z"
}
}
},
"swag": {
"data": []
},
"attachments": {
"data": []
},
"weakness": {
"data": {
"id": "1337",
"type": "weakness",
"attributes": {
"name": "Cross-Site Request Forgery (CSRF)",
"description": "The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.",
"external_id": "cwe-352",
"created_at": "2016-02-02T04:05:06.000Z"
}
}
},
"structured_scope": {
"data": {
"id": "287",
"type": "structured-scope",
"attributes": {
"asset_type": "URL",
"asset_identifier": "www.hackerone.com",
"eligible_for_bounty": true,
"eligible_for_submission": true,
"instruction": "This asset does not contain any highly confidential information.",
"max_severity": "critical",
"created_at": "2016-02-02T04:05:06.000Z",
"updated_at": "2016-02-02T04:05:06.000Z",
"reference": "T12345",
"confidentiality_requirement": "medium",
"integrity_requirement": "high",
"availability_requirement": "medium"
}
}
},
"activities": {
"data": []
},
"bounties": {
"data": []
},
"summaries": {
"data": []
}
}
}
PUT /reports/{id}/ineligible_for_bounty
Marking a report as ineligible for bounty through the HackerOne API can be useful to
programmatically batch update received reports in HackerOne.
Marking a report as ineligible for bounty can be done through this endpoint. This API
endpoint cannot be used for reports that have been reported outside of the HackerOne platform.
Required permission: Report Management You can manage the permissions of your API users through your program's settings. Insufficient permissions will result in a 403 Forbidden response.
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| id | path | integer | true | The ID of the report. |
| data | body | object | true | This object contains the information to mark a report as ineligible for bounty. |
| » type | body | string | true | none |
Enumerated Values
| Parameter | Value |
|---|---|
| » type | report-ineligible-for-bounty |
List bounty suggestions
Code samples
# You can also use wget
curl "https://api.hackerone.com/v1/reports/{id}/bounty_suggestions" \
-X GET \
-u "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=" \
-H 'Accept: application/json'
import requests
headers = {
'Accept': 'application/json'
}
r = requests.get(
'https://api.hackerone.com/v1/reports/{id}/bounty_suggestions',
auth=('api_example_company', 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ='),
headers = headers
)
print(r.json())
require 'rest-client'
require 'json'
headers = {
'Accept' => 'application/json'
}
result = RestClient::Request.execute(
method: :get,
url: 'https://api.hackerone.com/v1/reports/{id}/bounty_suggestions',
password: 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=',
user: 'api_example_company',
headers: headers
)
p JSON.parse(result)
URL obj = new URL("https://api.hackerone.com/v1/reports/{id}/bounty_suggestions");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
String userCredentials = "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);
con.setRequestMethod("GET");
try(BufferedReader br = new BufferedReader(
new InputStreamReader(con.getInputStream(), "utf-8"))) {
StringBuilder response = new StringBuilder();
String responseLine = null;
while ((responseLine = br.readLine()) != null) {
response.append(responseLine.trim());
}
System.out.println(response.toString());
}
let user = 'api_example_company';
let password = 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
headers.set('Accept', 'application/json');
fetch('https://api.hackerone.com/v1/reports/{id}/bounty_suggestions',
{
method: 'GET',
headers: headers
})
.then(function(res) {
return res.json();
}).then(function(body) {
console.log(body);
});
package main
import (
"io/ioutil"
"log"
"net/http"
)
func main() {
headers := map[string][]string{
"Accept": []string{"application/json"},
}
req, err := http.NewRequest("GET", "https://api.hackerone.com/v1/reports/{id}/bounty_suggestions", nil)
req.Header = headers
req.SetBasicAuth("api_example_company", "Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=")
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
body, _ := ioutil.ReadAll(resp.Body)
log.Println(string(body))
}
200 Response
{
"id": "1337",
"type": "bounty",
"attributes": {
"amount": "500.00",
"bonus_amount": "50.00",
"created_at": "2016-02-02T04:05:06.000Z"
}
}
GET /reports/{id}/bounty_suggestions
This API endpoint allows a user to retrieve a list of report's bounty suggestions.
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| id | path | integer | true | The ID of the report. |
Create bounty suggestion
Code samples
# You can also use wget
curl "https://api.hackerone.com/v1/reports/{id}/bounty_suggestions" \
-X POST \
-u "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=" \
-H 'Content-Type: application/json' \
-H 'Accept: application/json' \
-d @- <<EOD
{
"data": {
"message": "string",
"amount": 0,
"bonus_amount": 0
}
}
EOD
import requests
headers = {
'Content-Type': 'application/json',
'Accept': 'application/json'
}
data = {
"data": {
"message": "string",
"amount": 0,
"bonus_amount": 0
}
}
r = requests.post(
'https://api.hackerone.com/v1/reports/{id}/bounty_suggestions',
auth=('api_example_company', 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ='),
json = data,
headers = headers
)
print(r.json())
require 'rest-client'
require 'json'
headers = {
'Content-Type' => 'application/json',
'Accept' => 'application/json'
}
data = {
"data": {
"message": "string",
"amount": 0,
"bonus_amount": 0
}
}
result = RestClient::Request.execute(
method: :post,
url: 'https://api.hackerone.com/v1/reports/{id}/bounty_suggestions',
password: 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=',
user: 'api_example_company',
payload: data,
headers: headers
)
p JSON.parse(result)
URL obj = new URL("https://api.hackerone.com/v1/reports/{id}/bounty_suggestions");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
String userCredentials = "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);
con.setRequestMethod("POST");
con.setRequestProperty("Content-Type", "application/json; utf-8");
con.setRequestProperty("Accept", "application/json");
con.setDoOutput(true);
String jsonInputString = "{\n \"data\": {\n \"message\": \"string\",\n \"amount\": 0,\n \"bonus_amount\": 0\n }\n}";
try(OutputStream os = con.getOutputStream()) {
byte[] input = jsonInputString.getBytes("utf-8");
os.write(input, 0, input.length);
}
try(BufferedReader br = new BufferedReader(
new InputStreamReader(con.getInputStream(), "utf-8"))) {
StringBuilder response = new StringBuilder();
String responseLine = null;
while ((responseLine = br.readLine()) != null) {
response.append(responseLine.trim());
}
System.out.println(response.toString());
}
let inputBody = "{\n \"data\": {\n \"message\": \"string\",\n \"amount\": 0,\n \"bonus_amount\": 0\n }\n}";
let user = 'api_example_company';
let password = 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
headers.set('Content-Type', 'application/json'); headers.set('Accept', 'application/json');
fetch('https://api.hackerone.com/v1/reports/{id}/bounty_suggestions',
{
method: 'POST',
body: inputBody,
headers: headers
})
.then(function(res) {
return res.json();
}).then(function(body) {
console.log(body);
});
package main
import (
"bytes"
"io/ioutil"
"log"
"net/http"
)
func main() {
headers := map[string][]string{
"Content-Type": []string{"application/json"},
"Accept": []string{"application/json"},
}
data := bytes.NewBuffer([]byte(`"{\n \"data\": {\n \"message\": \"string\",\n \"amount\": 0,\n \"bonus_amount\": 0\n }\n}"`))
req, err := http.NewRequest("POST", "https://api.hackerone.com/v1/reports/{id}/bounty_suggestions", data)
req.Header = headers
req.SetBasicAuth("api_example_company", "Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=")
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
body, _ := ioutil.ReadAll(resp.Body)
log.Println(string(body))
}
201 Response
{
"id": "1337",
"type": "activity-bounty-suggested",
"attributes": {
"message": "Bounty Suggested!",
"created_at": "2016-02-02T04:05:06.000Z",
"updated_at": "2016-02-02T04:05:06.000Z",
"internal": true,
"bounty_amount": "500",
"bonus_amount": "50"
},
"relationships": {
"actor": {
"data": {
"id": "1337",
"type": "user",
"attributes": {
"username": "api-example",
"name": "API Example",
"disabled": false,
"created_at": "2016-02-02T04:05:06.000Z",
"profile_picture": {
"62x62": "/assets/avatars/default.png",
"82x82": "/assets/avatars/default.png",
"110x110": "/assets/avatars/default.png",
"260x260": "/assets/avatars/default.png"
}
}
}
}
}
}
POST /reports/{id}/bounty_suggestions
You can use this endpoint to suggest bounties to the provided report.
Required permission: Reward Management OR Report Management. You can manage the permissions of your API users through your program's settings. Insufficient permissions will result in a 404 Not Found response.
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| id | path | integer | true | The ID of the report. |
| data | body | object | true | none |
| » message | body | string | true | The internal message posted on the report. Always required. Only readable by team members |
| » amount | body | integer | false | The suggested bounty award to award to the reporter. Only one of amount or bonus amount is required. Must be a positive number, and, when provided, must be equal to or greater than your minimum |
| » bonus_amount | body | integer | false | The suggested bonus amount to award to the reporter. Only one of amount or bonus amount is required. Must be a positive number. |
Close Comments
Code samples
# You can also use wget
curl "https://api.hackerone.com/v1/reports/{id}/close_comments" \
-X PUT \
-u "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=" \
-H 'Content-Type: application/json' \
-H 'Accept: application/json' \
-d @- <<EOD
{
"data": {
"type": "activity-comments-closed"
}
}
EOD
import requests
headers = {
'Content-Type': 'application/json',
'Accept': 'application/json'
}
data = {
"data": {
"type": "activity-comments-closed"
}
}
r = requests.put(
'https://api.hackerone.com/v1/reports/{id}/close_comments',
auth=('api_example_company', 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ='),
json = data,
headers = headers
)
print(r.json())
require 'rest-client'
require 'json'
headers = {
'Content-Type' => 'application/json',
'Accept' => 'application/json'
}
data = {
"data": {
"type": "activity-comments-closed"
}
}
result = RestClient::Request.execute(
method: :put,
url: 'https://api.hackerone.com/v1/reports/{id}/close_comments',
password: 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=',
user: 'api_example_company',
payload: data,
headers: headers
)
p JSON.parse(result)
URL obj = new URL("https://api.hackerone.com/v1/reports/{id}/close_comments");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
String userCredentials = "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);
con.setRequestMethod("PUT");
con.setRequestProperty("Content-Type", "application/json; utf-8");
con.setRequestProperty("Accept", "application/json");
con.setDoOutput(true);
String jsonInputString = "{\n \"data\": {\n \"type\": \"activity-comments-closed\"\n }\n}";
try(OutputStream os = con.getOutputStream()) {
byte[] input = jsonInputString.getBytes("utf-8");
os.write(input, 0, input.length);
}
try(BufferedReader br = new BufferedReader(
new InputStreamReader(con.getInputStream(), "utf-8"))) {
StringBuilder response = new StringBuilder();
String responseLine = null;
while ((responseLine = br.readLine()) != null) {
response.append(responseLine.trim());
}
System.out.println(response.toString());
}
let inputBody = "{\n \"data\": {\n \"type\": \"activity-comments-closed\"\n }\n}";
let user = 'api_example_company';
let password = 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
headers.set('Content-Type', 'application/json'); headers.set('Accept', 'application/json');
fetch('https://api.hackerone.com/v1/reports/{id}/close_comments',
{
method: 'PUT',
body: inputBody,
headers: headers
})
.then(function(res) {
return res.json();
}).then(function(body) {
console.log(body);
});
package main
import (
"bytes"
"io/ioutil"
"log"
"net/http"
)
func main() {
headers := map[string][]string{
"Content-Type": []string{"application/json"},
"Accept": []string{"application/json"},
}
data := bytes.NewBuffer([]byte(`"{\n \"data\": {\n \"type\": \"activity-comments-closed\"\n }\n}"`))
req, err := http.NewRequest("PUT", "https://api.hackerone.com/v1/reports/{id}/close_comments", data)
req.Header = headers
req.SetBasicAuth("api_example_company", "Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=")
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
body, _ := ioutil.ReadAll(resp.Body)
log.Println(string(body))
}
200 Response
{
"id": "1337",
"type": "activity-comments-closed",
"attributes": {
"message": "Comments Closed!",
"created_at": "2016-02-02T04:05:06.000Z",
"updated_at": "2016-02-02T04:05:06.000Z",
"internal": false
},
"relationships": {
"actor": {
"data": {
"id": "1337",
"type": "user",
"attributes": {
"username": "api-example",
"name": "API Example",
"disabled": false,
"created_at": "2016-02-02T04:05:06.000Z",
"profile_picture": {
"62x62": "/assets/avatars/default.png",
"82x82": "/assets/avatars/default.png",
"110x110": "/assets/avatars/default.png",
"260x260": "/assets/avatars/default.png"
}
}
}
}
}
}
PUT /reports/{id}/close_comments
A report can only be locked once. This API endpoint
cannot be used for reports that have been reported outside of the
HackerOne platform or reported to other teams.
Required permission: Report Management You can manage the permissions of your API users through your program's settings. Insufficient permissions will result in a 403 Forbidden response.
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| id | path | integer | true | The ID of the report. |
| data | body | object | true | This object contains the information to lock the report. |
| » type | body | string | true | none |
Enumerated Values
| Parameter | Value |
|---|---|
| » type | activity-comments-closed |
Manage Custom Field Values
Code samples
# You can also use wget
curl "https://api.hackerone.com/v1/reports/{id}/custom_field_values" \
-X POST \
-u "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=" \
-H 'Content-Type: application/json' \
-H 'Accept: application/json' \
-d @- <<EOD
{
"data": {
"attributes": {
"custom_field_attribute_id": 0,
"value": "string"
}
}
}
EOD
import requests
headers = {
'Content-Type': 'application/json',
'Accept': 'application/json'
}
data = {
"data": {
"attributes": {
"custom_field_attribute_id": 0,
"value": "string"
}
}
}
r = requests.post(
'https://api.hackerone.com/v1/reports/{id}/custom_field_values',
auth=('api_example_company', 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ='),
json = data,
headers = headers
)
print(r.json())
require 'rest-client'
require 'json'
headers = {
'Content-Type' => 'application/json',
'Accept' => 'application/json'
}
data = {
"data": {
"attributes": {
"custom_field_attribute_id": 0,
"value": "string"
}
}
}
result = RestClient::Request.execute(
method: :post,
url: 'https://api.hackerone.com/v1/reports/{id}/custom_field_values',
password: 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=',
user: 'api_example_company',
payload: data,
headers: headers
)
p JSON.parse(result)
URL obj = new URL("https://api.hackerone.com/v1/reports/{id}/custom_field_values");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
String userCredentials = "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);
con.setRequestMethod("POST");
con.setRequestProperty("Content-Type", "application/json; utf-8");
con.setRequestProperty("Accept", "application/json");
con.setDoOutput(true);
String jsonInputString = "{\n \"data\": {\n \"attributes\": {\n \"custom_field_attribute_id\": 0,\n \"value\": \"string\"\n }\n }\n}";
try(OutputStream os = con.getOutputStream()) {
byte[] input = jsonInputString.getBytes("utf-8");
os.write(input, 0, input.length);
}
try(BufferedReader br = new BufferedReader(
new InputStreamReader(con.getInputStream(), "utf-8"))) {
StringBuilder response = new StringBuilder();
String responseLine = null;
while ((responseLine = br.readLine()) != null) {
response.append(responseLine.trim());
}
System.out.println(response.toString());
}
let inputBody = "{\n \"data\": {\n \"attributes\": {\n \"custom_field_attribute_id\": 0,\n \"value\": \"string\"\n }\n }\n}";
let user = 'api_example_company';
let password = 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
headers.set('Content-Type', 'application/json'); headers.set('Accept', 'application/json');
fetch('https://api.hackerone.com/v1/reports/{id}/custom_field_values',
{
method: 'POST',
body: inputBody,
headers: headers
})
.then(function(res) {
return res.json();
}).then(function(body) {
console.log(body);
});
package main
import (
"bytes"
"io/ioutil"
"log"
"net/http"
)
func main() {
headers := map[string][]string{
"Content-Type": []string{"application/json"},
"Accept": []string{"application/json"},
}
data := bytes.NewBuffer([]byte(`"{\n \"data\": {\n \"attributes\": {\n \"custom_field_attribute_id\": 0,\n \"value\": \"string\"\n }\n }\n}"`))
req, err := http.NewRequest("POST", "https://api.hackerone.com/v1/reports/{id}/custom_field_values", data)
req.Header = headers
req.SetBasicAuth("api_example_company", "Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=")
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
body, _ := ioutil.ReadAll(resp.Body)
log.Println(string(body))
}
200 Response
{
"id": "1337",
"type": "custom-field-value",
"attributes": {
"value": "Infrastructure",
"created_at": "2016-02-02T04:05:06.000Z",
"updated_at": "2016-02-02T04:05:06.000Z"
},
"relationships": {
"custom_field_attribute": {
"data": {
"id": "287",
"type": "custom-field-attribute",
"attributes": {
"label": "Product Squad",
"configuration": null,
"created_at": "2013-01-01T00:00:00.000Z",
"updated_at": "2013-01-01T00:00:00.000Z",
"archived_at": null
}
}
}
}
}
POST /reports/{id}/custom_field_values
You can use this endpoint to create / update the Custom
Field Values of the provided report. If the report already has a
value for the provided Custom Field Attribute ID, the value will
be replaced. To get a list of existing Custom Field Attributes,
see program. This feature is only available to select programs
at this time.
Required permission: Report Management You can manage the permissions of your API users through your program's settings. Insufficient permissions will result in a 403 Forbidden response.
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| id | path | integer | true | The ID of the report. |
| data | body | object | true | This object contains the information required to create a Custom Field Value. |
| » attributes | body | object | true | none |
| »» custom_field_attribute_id | body | integer | true | The Custom Field Attribute ID for which a value needs to be set. A complete list of available Custom Field Attribute IDs is exposed on the Program object. |
| »» value | body | string | false | The value that needs to be set for the given Custom Field Attribute. Leave empty to remove a Custom Field Attribute from a Report. |
Update Disclosure Request
Code samples
# You can also use wget
curl "https://api.hackerone.com/v1/reports/{id}/disclosure_requests" \
-X POST \
-u "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=" \
-H 'Content-Type: application/json' \
-H 'Accept: application/json' \
-d @- <<EOD
{
"data": {
"attributes": {
"substate": "full",
"message": "string"
}
}
}
EOD
import requests
headers = {
'Content-Type': 'application/json',
'Accept': 'application/json'
}
data = {
"data": {
"attributes": {
"substate": "full",
"message": "string"
}
}
}
r = requests.post(
'https://api.hackerone.com/v1/reports/{id}/disclosure_requests',
auth=('api_example_company', 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ='),
json = data,
headers = headers
)
print(r.json())
require 'rest-client'
require 'json'
headers = {
'Content-Type' => 'application/json',
'Accept' => 'application/json'
}
data = {
"data": {
"attributes": {
"substate": "full",
"message": "string"
}
}
}
result = RestClient::Request.execute(
method: :post,
url: 'https://api.hackerone.com/v1/reports/{id}/disclosure_requests',
password: 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=',
user: 'api_example_company',
payload: data,
headers: headers
)
p JSON.parse(result)
URL obj = new URL("https://api.hackerone.com/v1/reports/{id}/disclosure_requests");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
String userCredentials = "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);
con.setRequestMethod("POST");
con.setRequestProperty("Content-Type", "application/json; utf-8");
con.setRequestProperty("Accept", "application/json");
con.setDoOutput(true);
String jsonInputString = "{\n \"data\": {\n \"attributes\": {\n \"substate\": \"full\",\n \"message\": \"string\"\n }\n }\n}";
try(OutputStream os = con.getOutputStream()) {
byte[] input = jsonInputString.getBytes("utf-8");
os.write(input, 0, input.length);
}
try(BufferedReader br = new BufferedReader(
new InputStreamReader(con.getInputStream(), "utf-8"))) {
StringBuilder response = new StringBuilder();
String responseLine = null;
while ((responseLine = br.readLine()) != null) {
response.append(responseLine.trim());
}
System.out.println(response.toString());
}
let inputBody = "{\n \"data\": {\n \"attributes\": {\n \"substate\": \"full\",\n \"message\": \"string\"\n }\n }\n}";
let user = 'api_example_company';
let password = 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
headers.set('Content-Type', 'application/json'); headers.set('Accept', 'application/json');
fetch('https://api.hackerone.com/v1/reports/{id}/disclosure_requests',
{
method: 'POST',
body: inputBody,
headers: headers
})
.then(function(res) {
return res.json();
}).then(function(body) {
console.log(body);
});
package main
import (
"bytes"
"io/ioutil"
"log"
"net/http"
)
func main() {
headers := map[string][]string{
"Content-Type": []string{"application/json"},
"Accept": []string{"application/json"},
}
data := bytes.NewBuffer([]byte(`"{\n \"data\": {\n \"attributes\": {\n \"substate\": \"full\",\n \"message\": \"string\"\n }\n }\n}"`))
req, err := http.NewRequest("POST", "https://api.hackerone.com/v1/reports/{id}/disclosure_requests", data)
req.Header = headers
req.SetBasicAuth("api_example_company", "Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=")
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
body, _ := ioutil.ReadAll(resp.Body)
log.Println(string(body))
}
200 Response
{
"id": "1337",
"type": "activity-agreed-on-going-public",
"attributes": {
"message": "Agreed On Going Public!",
"created_at": "2016-02-02T04:05:06.000Z",
"updated_at": "2016-02-02T04:05:06.000Z",
"internal": false
},
"relationships": {
"actor": {
"data": {
"id": "1337",
"type": "user",
"attributes": {
"username": "api-example",
"name": "API Example",
"disabled": false,
"created_at": "2016-02-02T04:05:06.000Z",
"profile_picture": {
"62x62": "/assets/avatars/default.png",
"82x82": "/assets/avatars/default.png",
"110x110": "/assets/avatars/default.png",
"260x260": "/assets/avatars/default.png"
}
}
}
}
}
}
POST /reports/{id}/disclosure_requests
The program can request disclosure for any closed report.
You can use this endpoint to create the disclosure request for the report which will result in:
The agreement to disclose the report if the reporter has already requested the disclosure. The contents of the report will be made public instantly. The time when the report was disclosed will be returned in the 'disclosed_at' attribute.
The disclosure request if the reporter hasn't requested the disclosure yet. If the reporter doesn't either approve or deny disclosure request from the program, the contents of the report will be auto-disclosed within 30 days. The 'allow_singular_disclosure_at' attribute value will show when the report will be disclosed.
Required permission: Report Management You can manage the permissions of your API users through your program's settings. Insufficient permissions will result in a 403 Forbidden response.
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| id | path | integer | true | The ID of the report. |
| data | body | object | true | This object contains the information about disclosure request. |
| » attributes | body | object | true | none |
| »» substate | body | string | true | Select whether you want to disclose the full report ("full") or a |
| »» message | body | string | false | Additional information |
Detailed descriptions
»» substate: Select whether you want to disclose the full report ("full") or a limited version ("no-content").
Possible values: - full - no-content
Enumerated Values
| Parameter | Value |
|---|---|
| »» substate | full |
| »» substate | no-content |
Cancel Disclosure Request
Code samples
# You can also use wget
curl "https://api.hackerone.com/v1/reports/{id}/disclosure_requests" \
-X DELETE \
-u "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=" \
-H 'Content-Type: application/json' \
-H 'Accept: application/json' \
-d @- <<EOD
{
"data": {}
}
EOD
import requests
headers = {
'Content-Type': 'application/json',
'Accept': 'application/json'
}
data = {
"data": {}
}
r = requests.delete(
'https://api.hackerone.com/v1/reports/{id}/disclosure_requests',
auth=('api_example_company', 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ='),
json = data,
headers = headers
)
print(r.json())
require 'rest-client'
require 'json'
headers = {
'Content-Type' => 'application/json',
'Accept' => 'application/json'
}
data = {
"data": {}
}
result = RestClient::Request.execute(
method: :delete,
url: 'https://api.hackerone.com/v1/reports/{id}/disclosure_requests',
password: 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=',
user: 'api_example_company',
payload: data,
headers: headers
)
p JSON.parse(result)
URL obj = new URL("https://api.hackerone.com/v1/reports/{id}/disclosure_requests");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
String userCredentials = "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);
con.setRequestMethod("DELETE");
con.setRequestProperty("Content-Type", "application/json; utf-8");
con.setRequestProperty("Accept", "application/json");
con.setDoOutput(true);
String jsonInputString = "{\n \"data\": {}\n}";
try(OutputStream os = con.getOutputStream()) {
byte[] input = jsonInputString.getBytes("utf-8");
os.write(input, 0, input.length);
}
try(BufferedReader br = new BufferedReader(
new InputStreamReader(con.getInputStream(), "utf-8"))) {
StringBuilder response = new StringBuilder();
String responseLine = null;
while ((responseLine = br.readLine()) != null) {
response.append(responseLine.trim());
}
System.out.println(response.toString());
}
let inputBody = "{\n \"data\": {}\n}";
let user = 'api_example_company';
let password = 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
headers.set('Content-Type', 'application/json'); headers.set('Accept', 'application/json');
fetch('https://api.hackerone.com/v1/reports/{id}/disclosure_requests',
{
method: 'DELETE',
body: inputBody,
headers: headers
})
.then(function(res) {
return res.json();
}).then(function(body) {
console.log(body);
});
package main
import (
"bytes"
"io/ioutil"
"log"
"net/http"
)
func main() {
headers := map[string][]string{
"Content-Type": []string{"application/json"},
"Accept": []string{"application/json"},
}
data := bytes.NewBuffer([]byte(`"{\n \"data\": {}\n}"`))
req, err := http.NewRequest("DELETE", "https://api.hackerone.com/v1/reports/{id}/disclosure_requests", data)
req.Header = headers
req.SetBasicAuth("api_example_company", "Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=")
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
body, _ := ioutil.ReadAll(resp.Body)
log.Println(string(body))
}
200 Response
{
"id": "1337",
"type": "activity-cancelled-disclosure-request",
"attributes": {
"message": "Cancel disclosure 1",
"created_at": "2019-10-23T13:35:35.616Z",
"updated_at": "2019-10-23T13:35:35.616Z",
"internal": false
},
"relationships": {
"actor": {
"data": {
"id": "1337",
"type": "user",
"attributes": {
"username": "api_user",
"name": null,
"disabled": false,
"created_at": "2019-10-14T13:59:49.563Z",
"profile_picture": {
"62x62": "/assets/avatars/default.png",
"82x82": "/assets/avatars/default.png",
"110x110": "/assets/avatars/default.png",
"260x260": "/assets/avatars/default.png"
},
"signal": null,
"impact": null,
"reputation": null,
"bio": null,
"website": null,
"location": null,
"hackerone_triager": false
}
}
}
}
}
DELETE /reports/{id}/disclosure_requests
The program can cancel the disclosure request for the provided report.
Required permission: Report Management You can manage the permissions of your API users through your program's settings. Insufficient permissions will result in a 403 Forbidden response.
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| id | path | integer | true | The ID of the report. |
| data | body | object | true | none |
Redact report
Code samples
# You can also use wget
curl "https://api.hackerone.com/v1/reports/{id}/redact" \
-X PUT \
-u "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=" \
-H 'Content-Type: application/json' \
-H 'Accept: application/json' \
-d @- <<EOD
{
"data": {
"type": "report-redact",
"attributes": {
"string_to_redact": "string"
}
}
}
EOD
import requests
headers = {
'Content-Type': 'application/json',
'Accept': 'application/json'
}
data = {
"data": {
"type": "report-redact",
"attributes": {
"string_to_redact": "string"
}
}
}
r = requests.put(
'https://api.hackerone.com/v1/reports/{id}/redact',
auth=('api_example_company', 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ='),
json = data,
headers = headers
)
print(r.json())
require 'rest-client'
require 'json'
headers = {
'Content-Type' => 'application/json',
'Accept' => 'application/json'
}
data = {
"data": {
"type": "report-redact",
"attributes": {
"string_to_redact": "string"
}
}
}
result = RestClient::Request.execute(
method: :put,
url: 'https://api.hackerone.com/v1/reports/{id}/redact',
password: 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=',
user: 'api_example_company',
payload: data,
headers: headers
)
p JSON.parse(result)
URL obj = new URL("https://api.hackerone.com/v1/reports/{id}/redact");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
String userCredentials = "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);
con.setRequestMethod("PUT");
con.setRequestProperty("Content-Type", "application/json; utf-8");
con.setRequestProperty("Accept", "application/json");
con.setDoOutput(true);
String jsonInputString = "{\n \"data\": {\n \"type\": \"report-redact\",\n \"attributes\": {\n \"string_to_redact\": \"string\"\n }\n }\n}";
try(OutputStream os = con.getOutputStream()) {
byte[] input = jsonInputString.getBytes("utf-8");
os.write(input, 0, input.length);
}
try(BufferedReader br = new BufferedReader(
new InputStreamReader(con.getInputStream(), "utf-8"))) {
StringBuilder response = new StringBuilder();
String responseLine = null;
while ((responseLine = br.readLine()) != null) {
response.append(responseLine.trim());
}
System.out.println(response.toString());
}
let inputBody = "{\n \"data\": {\n \"type\": \"report-redact\",\n \"attributes\": {\n \"string_to_redact\": \"string\"\n }\n }\n}";
let user = 'api_example_company';
let password = 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
headers.set('Content-Type', 'application/json'); headers.set('Accept', 'application/json');
fetch('https://api.hackerone.com/v1/reports/{id}/redact',
{
method: 'PUT',
body: inputBody,
headers: headers
})
.then(function(res) {
return res.json();
}).then(function(body) {
console.log(body);
});
package main
import (
"bytes"
"io/ioutil"
"log"
"net/http"
)
func main() {
headers := map[string][]string{
"Content-Type": []string{"application/json"},
"Accept": []string{"application/json"},
}
data := bytes.NewBuffer([]byte(`"{\n \"data\": {\n \"type\": \"report-redact\",\n \"attributes\": {\n \"string_to_redact\": \"string\"\n }\n }\n}"`))
req, err := http.NewRequest("PUT", "https://api.hackerone.com/v1/reports/{id}/redact", data)
req.Header = headers
req.SetBasicAuth("api_example_company", "Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=")
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
body, _ := ioutil.ReadAll(resp.Body)
log.Println(string(body))
}
200 Response
{
"id": "1337",
"type": "report",
"attributes": {
"title": "XSS in login form",
"state": "new",
"created_at": "2016-02-02T04:05:06.000Z",
"vulnerability_information": "...",
"triaged_at": null,
"closed_at": null,
"last_reporter_activity_at": null,
"first_program_activity_at": null,
"last_program_activity_at": null,
"bounty_awarded_at": null,
"swag_awarded_at": null,
"disclosed_at": null,
"last_public_activity_at": null,
"last_activity_at": null,
"issue_tracker_reference_url": "https://example.com/reference",
"cve_ids": [],
"source": null,
"reporter_agreed_on_going_public_at": null
},
"relationships": {
"reporter": {
"data": {
"id": "1337",
"type": "user",
"attributes": {
"username": "api-example",
"name": "API Example",
"disabled": false,
"created_at": "2016-02-02T04:05:06.000Z",
"profile_picture": {
"62x62": "/assets/avatars/default.png",
"82x82": "/assets/avatars/default.png",
"110x110": "/assets/avatars/default.png",
"260x260": "/assets/avatars/default.png"
},
"reputation": 7,
"signal": 7,
"impact": 30
}
}
},
"program": {
"data": {
"id": "1337",
"type": "program",
"attributes": {
"handle": "security",
"created_at": "2016-02-02T04:05:06.000Z",
"updated_at": "2016-02-02T04:05:06.000Z"
}
}
},
"swag": {
"data": []
},
"attachments": {
"data": []
},
"weakness": {
"data": {
"id": "1337",
"type": "weakness",
"attributes": {
"name": "Cross-Site Request Forgery (CSRF)",
"description": "The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.",
"external_id": "cwe-352",
"created_at": "2016-02-02T04:05:06.000Z"
}
}
},
"structured_scope": {
"data": {
"id": "287",
"type": "structured-scope",
"attributes": {
"asset_type": "URL",
"asset_identifier": "www.hackerone.com",
"eligible_for_bounty": true,
"eligible_for_submission": true,
"instruction": "This asset does not contain any highly confidential information.",
"max_severity": "critical",
"created_at": "2016-02-02T04:05:06.000Z",
"updated_at": "2016-02-02T04:05:06.000Z",
"reference": "T12345",
"confidentiality_requirement": "medium",
"integrity_requirement": "high",
"availability_requirement": "medium"
}
}
},
"activities": {
"data": []
},
"bounties": {
"data": []
},
"summaries": {
"data": []
}
}
}
PUT /reports/{id}/redact
Reports can be redacted through this endpoint. It can be useful to programmatically batch
update received reports in HackerOne. This API endpoint cannot be used for reports that
have been reported outside of the HackerOne platform.
Required permission: Report Management. You can manage the permissions of your API users through your program's settings. Insufficient permissions will result in a 403 Forbidden response.
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| id | path | integer | true | The ID of the report. |
| data | body | object | true | This object contains the information to redact a report. |
| » type | body | string | true | none |
| » attributes | body | object | true | none |
| »» string_to_redact | body | string | true | The content of the to be created report summary. |
Enumerated Values
| Parameter | Value |
|---|---|
| » type | report-redact |
Update Severity
Code samples
# You can also use wget
curl "https://api.hackerone.com/v1/reports/{id}/severities" \
-X POST \
-u "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=" \
-H 'Content-Type: application/json' \
-H 'Accept: application/json' \
-d @- <<EOD
{
"data": {
"id": "57",
"type": "severity",
"attributes": {
"rating": "high",
"author_type": "User",
"user_id": 1337,
"created_at": "2016-02-02T04:05:06.000Z",
"score": 8.7,
"attack_complexity": "low",
"attack_vector": "adjacent",
"availability": "high",
"confidentiality": "low",
"integrity": "high",
"privileges_required": "low",
"user_interaction": "required",
"scope": "changed"
}
}
}
EOD
import requests
headers = {
'Content-Type': 'application/json',
'Accept': 'application/json'
}
data = {
"data": {
"id": "57",
"type": "severity",
"attributes": {
"rating": "high",
"author_type": "User",
"user_id": 1337,
"created_at": "2016-02-02T04:05:06.000Z",
"score": 8.7,
"attack_complexity": "low",
"attack_vector": "adjacent",
"availability": "high",
"confidentiality": "low",
"integrity": "high",
"privileges_required": "low",
"user_interaction": "required",
"scope": "changed"
}
}
}
r = requests.post(
'https://api.hackerone.com/v1/reports/{id}/severities',
auth=('api_example_company', 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ='),
json = data,
headers = headers
)
print(r.json())
require 'rest-client'
require 'json'
headers = {
'Content-Type' => 'application/json',
'Accept' => 'application/json'
}
data = {
"data": {
"id": "57",
"type": "severity",
"attributes": {
"rating": "high",
"author_type": "User",
"user_id": 1337,
"created_at": "2016-02-02T04:05:06.000Z",
"score": 8.7,
"attack_complexity": "low",
"attack_vector": "adjacent",
"availability": "high",
"confidentiality": "low",
"integrity": "high",
"privileges_required": "low",
"user_interaction": "required",
"scope": "changed"
}
}
}
result = RestClient::Request.execute(
method: :post,
url: 'https://api.hackerone.com/v1/reports/{id}/severities',
password: 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=',
user: 'api_example_company',
payload: data,
headers: headers
)
p JSON.parse(result)
URL obj = new URL("https://api.hackerone.com/v1/reports/{id}/severities");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
String userCredentials = "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);
con.setRequestMethod("POST");
con.setRequestProperty("Content-Type", "application/json; utf-8");
con.setRequestProperty("Accept", "application/json");
con.setDoOutput(true);
String jsonInputString = "{\n \"data\": {\n \"id\": \"57\",\n \"type\": \"severity\",\n \"attributes\": {\n \"rating\": \"high\",\n \"author_type\": \"User\",\n \"user_id\": 1337,\n \"created_at\": \"2016-02-02T04:05:06.000Z\",\n \"score\": 8.7,\n \"attack_complexity\": \"low\",\n \"attack_vector\": \"adjacent\",\n \"availability\": \"high\",\n \"confidentiality\": \"low\",\n \"integrity\": \"high\",\n \"privileges_required\": \"low\",\n \"user_interaction\": \"required\",\n \"scope\": \"changed\"\n }\n }\n}";
try(OutputStream os = con.getOutputStream()) {
byte[] input = jsonInputString.getBytes("utf-8");
os.write(input, 0, input.length);
}
try(BufferedReader br = new BufferedReader(
new InputStreamReader(con.getInputStream(), "utf-8"))) {
StringBuilder response = new StringBuilder();
String responseLine = null;
while ((responseLine = br.readLine()) != null) {
response.append(responseLine.trim());
}
System.out.println(response.toString());
}
let inputBody = "{\n \"data\": {\n \"id\": \"57\",\n \"type\": \"severity\",\n \"attributes\": {\n \"rating\": \"high\",\n \"author_type\": \"User\",\n \"user_id\": 1337,\n \"created_at\": \"2016-02-02T04:05:06.000Z\",\n \"score\": 8.7,\n \"attack_complexity\": \"low\",\n \"attack_vector\": \"adjacent\",\n \"availability\": \"high\",\n \"confidentiality\": \"low\",\n \"integrity\": \"high\",\n \"privileges_required\": \"low\",\n \"user_interaction\": \"required\",\n \"scope\": \"changed\"\n }\n }\n}";
let user = 'api_example_company';
let password = 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
headers.set('Content-Type', 'application/json'); headers.set('Accept', 'application/json');
fetch('https://api.hackerone.com/v1/reports/{id}/severities',
{
method: 'POST',
body: inputBody,
headers: headers
})
.then(function(res) {
return res.json();
}).then(function(body) {
console.log(body);
});
package main
import (
"bytes"
"io/ioutil"
"log"
"net/http"
)
func main() {
headers := map[string][]string{
"Content-Type": []string{"application/json"},
"Accept": []string{"application/json"},
}
data := bytes.NewBuffer([]byte(`"{\n \"data\": {\n \"id\": \"57\",\n \"type\": \"severity\",\n \"attributes\": {\n \"rating\": \"high\",\n \"author_type\": \"User\",\n \"user_id\": 1337,\n \"created_at\": \"2016-02-02T04:05:06.000Z\",\n \"score\": 8.7,\n \"attack_complexity\": \"low\",\n \"attack_vector\": \"adjacent\",\n \"availability\": \"high\",\n \"confidentiality\": \"low\",\n \"integrity\": \"high\",\n \"privileges_required\": \"low\",\n \"user_interaction\": \"required\",\n \"scope\": \"changed\"\n }\n }\n}"`))
req, err := http.NewRequest("POST", "https://api.hackerone.com/v1/reports/{id}/severities", data)
req.Header = headers
req.SetBasicAuth("api_example_company", "Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=")
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
body, _ := ioutil.ReadAll(resp.Body)
log.Println(string(body))
}
200 Response
{
"id": "57",
"type": "severity",
"attributes": {
"rating": "high",
"author_type": "User",
"user_id": 1337,
"created_at": "2016-02-02T04:05:06.000Z",
"score": 8.7,
"attack_complexity": "low",
"attack_vector": "adjacent",
"availability": "high",
"confidentiality": "low",
"integrity": "high",
"privileges_required": "low",
"user_interaction": "required",
"scope": "changed"
}
}
POST /reports/{id}/severities
You can use this endpoint to create / update the severity of
the provided report. If the report already has a severity, a new one
will be created and used as the current severity.
Required permission: Report Management You can manage the permissions of your API users through your program's settings. Insufficient permissions will result in a 404 Not Found response.
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| id | path | integer | true | The ID of the report. |
| data | body | severity | true | A severity object represents the severity of a report, if provided by the reporter or |
| » id | body | string | true | The unique ID of the severity. |
| » type | body | string | true | none |
| » attributes | body | object | true | none |
| »» rating | body | severity-ratings | true | none |
| »» author_type | body | string | true | The involved party that provided the severity. |
| »» user_id | body | integer | true | The unique id of the user who created the object. |
| »» score | body | number¦null | false | The vulnerability score calculated from the Common Vulnerability Scoring System (CVSS). |
| »» attack_vector | body | string¦null | false | A CVSS metric that reflects the context by which vulnerability exploritation |
| »» attack_complexity | body | string | false | A CVSS metric that describes the conditions beyond the attacker's control that must exist |
| »» privileges_required | body | string | false | A CVSS metric that describes the level of privileges an attacker must possess before |
| »» user_interaction | body | string | false | A CVSS metric that captures the requirement for a user, other than the attacker, to |
| »» scope | body | string¦null | false | A CVSS metric that determines if a successful attack impacts a component other than the |
| »» confidentiality | body | string | false | A CVSS metric that measures the impact to the confidentiality of the information resources |
| »» integrity | body | string | false | A CVSS metric that measures the impact to the integrity of a successfully exploited |
| »» availability | body | string | false | A CVSS metric that measures the availability of the impacted component resulting from a |
| »» created_at | body | string(date-time) | true | The date and time the object was created. Formatted according to ISO 8601. |
Detailed descriptions
data: A severity object represents the severity of a report, if provided by the reporter or a team member.
»» score: The vulnerability score calculated from the Common Vulnerability Scoring System (CVSS). Only present if CVSS metrics were provided.
»» attack_vector: A CVSS metric that reflects the context by which vulnerability exploritation is possible.
»» attack_complexity: A CVSS metric that describes the conditions beyond the attacker's control that must exist in order to exploit the vulnerability.
»» privileges_required: A CVSS metric that describes the level of privileges an attacker must possess before successfully exploiting the vulnerability.
»» user_interaction: A CVSS metric that captures the requirement for a user, other than the attacker, to participate in the successful compromise of the vulnerability component.
»» scope: A CVSS metric that determines if a successful attack impacts a component other than the vulnerable component.
»» confidentiality: A CVSS metric that measures the impact to the confidentiality of the information resources managed by a software component due to a successfully exploited vulnerability.
»» integrity: A CVSS metric that measures the impact to the integrity of a successfully exploited vulnerability.
»» availability: A CVSS metric that measures the availability of the impacted component resulting from a successfully exploited vulnerability.
Enumerated Values
| Parameter | Value |
|---|---|
| » type | severity |
| »» rating | none |
| »» rating | low |
| »» rating | medium |
| »» rating | high |
| »» rating | critical |
| »» author_type | User |
| »» author_type | Team |
| »» attack_vector | network |
| »» attack_vector | adjacent |
| »» attack_vector | local |
| »» attack_vector | physical |
| »» attack_complexity | low |
| »» attack_complexity | high |
| »» privileges_required | none |
| »» privileges_required | low |
| »» privileges_required | high |
| »» user_interaction | none |
| »» user_interaction | required |
| »» scope | unchanged |
| »» scope | changed |
| »» confidentiality | none |
| »» confidentiality | low |
| »» confidentiality | high |
| »» integrity | none |
| »» integrity | low |
| »» integrity | high |
| »» availability | none |
| »» availability | low |
| »» availability | high |
Change State
Code samples
# You can also use wget
curl "https://api.hackerone.com/v1/reports/{id}/state_changes" \
-X POST \
-u "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=" \
-H 'Content-Type: application/json' \
-H 'Accept: application/json' \
-d @- <<EOD
{
"data": {
"type": "state-change",
"attributes": {
"message": "string",
"state": "new",
"original_report_id": 0
}
}
}
EOD
import requests
headers = {
'Content-Type': 'application/json',
'Accept': 'application/json'
}
data = {
"data": {
"type": "state-change",
"attributes": {
"message": "string",
"state": "new",
"original_report_id": 0
}
}
}
r = requests.post(
'https://api.hackerone.com/v1/reports/{id}/state_changes',
auth=('api_example_company', 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ='),
json = data,
headers = headers
)
print(r.json())
require 'rest-client'
require 'json'
headers = {
'Content-Type' => 'application/json',
'Accept' => 'application/json'
}
data = {
"data": {
"type": "state-change",
"attributes": {
"message": "string",
"state": "new",
"original_report_id": 0
}
}
}
result = RestClient::Request.execute(
method: :post,
url: 'https://api.hackerone.com/v1/reports/{id}/state_changes',
password: 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=',
user: 'api_example_company',
payload: data,
headers: headers
)
p JSON.parse(result)
URL obj = new URL("https://api.hackerone.com/v1/reports/{id}/state_changes");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
String userCredentials = "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);
con.setRequestMethod("POST");
con.setRequestProperty("Content-Type", "application/json; utf-8");
con.setRequestProperty("Accept", "application/json");
con.setDoOutput(true);
String jsonInputString = "{\n \"data\": {\n \"type\": \"state-change\",\n \"attributes\": {\n \"message\": \"string\",\n \"state\": \"new\",\n \"original_report_id\": 0\n }\n }\n}";
try(OutputStream os = con.getOutputStream()) {
byte[] input = jsonInputString.getBytes("utf-8");
os.write(input, 0, input.length);
}
try(BufferedReader br = new BufferedReader(
new InputStreamReader(con.getInputStream(), "utf-8"))) {
StringBuilder response = new StringBuilder();
String responseLine = null;
while ((responseLine = br.readLine()) != null) {
response.append(responseLine.trim());
}
System.out.println(response.toString());
}
let inputBody = "{\n \"data\": {\n \"type\": \"state-change\",\n \"attributes\": {\n \"message\": \"string\",\n \"state\": \"new\",\n \"original_report_id\": 0\n }\n }\n}";
let user = 'api_example_company';
let password = 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
headers.set('Content-Type', 'application/json'); headers.set('Accept', 'application/json');
fetch('https://api.hackerone.com/v1/reports/{id}/state_changes',
{
method: 'POST',
body: inputBody,
headers: headers
})
.then(function(res) {
return res.json();
}).then(function(body) {
console.log(body);
});
package main
import (
"bytes"
"io/ioutil"
"log"
"net/http"
)
func main() {
headers := map[string][]string{
"Content-Type": []string{"application/json"},
"Accept": []string{"application/json"},
}
data := bytes.NewBuffer([]byte(`"{\n \"data\": {\n \"type\": \"state-change\",\n \"attributes\": {\n \"message\": \"string\",\n \"state\": \"new\",\n \"original_report_id\": 0\n }\n }\n}"`))
req, err := http.NewRequest("POST", "https://api.hackerone.com/v1/reports/{id}/state_changes", data)
req.Header = headers
req.SetBasicAuth("api_example_company", "Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=")
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
body, _ := ioutil.ReadAll(resp.Body)
log.Println(string(body))
}
201 Response
{
"id": "1337",
"type": "report",
"attributes": {
"title": "XSS in login form",
"state": "new",
"created_at": "2016-02-02T04:05:06.000Z",
"vulnerability_information": "...",
"triaged_at": null,
"closed_at": null,
"last_reporter_activity_at": null,
"first_program_activity_at": null,
"last_program_activity_at": null,
"bounty_awarded_at": null,
"swag_awarded_at": null,
"disclosed_at": null,
"last_public_activity_at": null,
"last_activity_at": null,
"issue_tracker_reference_url": "https://example.com/reference",
"cve_ids": [],
"source": null,
"reporter_agreed_on_going_public_at": null
},
"relationships": {
"reporter": {
"data": {
"id": "1337",
"type": "user",
"attributes": {
"username": "api-example",
"name": "API Example",
"disabled": false,
"created_at": "2016-02-02T04:05:06.000Z",
"profile_picture": {
"62x62": "/assets/avatars/default.png",
"82x82": "/assets/avatars/default.png",
"110x110": "/assets/avatars/default.png",
"260x260": "/assets/avatars/default.png"
},
"reputation": 7,
"signal": 7,
"impact": 30
}
}
},
"program": {
"data": {
"id": "1337",
"type": "program",
"attributes": {
"handle": "security",
"created_at": "2016-02-02T04:05:06.000Z",
"updated_at": "2016-02-02T04:05:06.000Z"
}
}
},
"swag": {
"data": []
},
"attachments": {
"data": []
},
"weakness": {
"data": {
"id": "1337",
"type": "weakness",
"attributes": {
"name": "Cross-Site Request Forgery (CSRF)",
"description": "The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.",
"external_id": "cwe-352",
"created_at": "2016-02-02T04:05:06.000Z"
}
}
},
"structured_scope": {
"data": {
"id": "287",
"type": "structured-scope",
"attributes": {
"asset_type": "URL",
"asset_identifier": "www.hackerone.com",
"eligible_for_bounty": true,
"eligible_for_submission": true,
"instruction": "This asset does not contain any highly confidential information.",
"max_severity": "critical",
"created_at": "2016-02-02T04:05:06.000Z",
"updated_at": "2016-02-02T04:05:06.000Z",
"reference": "T12345",
"confidentiality_requirement": "medium",
"integrity_requirement": "high",
"availability_requirement": "medium"
}
}
},
"activities": {
"data": []
},
"bounties": {
"data": []
},
"summaries": {
"data": []
}
}
}
POST /reports/{id}/state_changes
Changing the state of a report can be done through this endpoint. Closing a report as
resolved will automatically recognize the finder in the program's hall of fame and
reputation will be given. If a report is closed as N/A, informative, or spam, reputation
will be deducted from the finder's track record.
There is currently one feature missing in the state change API: the ability to invite the
finder of the duplicate to the original report. This feature will be implemented in a future
version of the API.
Required permission: Report Management. You can manage the permissions of your API users through your program's settings. Insufficient permissions will result in a 403 Forbidden response.
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| id | path | integer | true | The ID of the report. |
| data | body | object | true | This object contains the information to change the state of a report. |
| » type | body | string | true | none |
| » attributes | body | object | true | none |
| »» message | body | string | true | The message that will be posted. Required when the new state is needs-more-info, informative, or duplicate. |
| »» state | body | report-states | true | none |
| »» original_report_id | body | integer | false | The ID of the report to use as the original report. Only available when closing the report as duplicate. |
Enumerated Values
| Parameter | Value |
|---|---|
| » type | state-change |
| »» state | new |
| »» state | triaged |
| »» state | needs-more-info |
| »» state | resolved |
| »» state | not-applicable |
| »» state | informative |
| »» state | duplicate |
| »» state | spam |
Update Structured Scope
Code samples
# You can also use wget
curl "https://api.hackerone.com/v1/reports/{id}/structured_scope" \
-X PUT \
-u "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=" \
-H 'Content-Type: application/json' \
-H 'Accept: application/json' \
-d @- <<EOD
{
"data": {
"type": "report-structured-scope",
"attributes": {
"structured_scope_id": 0
}
}
}
EOD
import requests
headers = {
'Content-Type': 'application/json',
'Accept': 'application/json'
}
data = {
"data": {
"type": "report-structured-scope",
"attributes": {
"structured_scope_id": 0
}
}
}
r = requests.put(
'https://api.hackerone.com/v1/reports/{id}/structured_scope',
auth=('api_example_company', 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ='),
json = data,
headers = headers
)
print(r.json())
require 'rest-client'
require 'json'
headers = {
'Content-Type' => 'application/json',
'Accept' => 'application/json'
}
data = {
"data": {
"type": "report-structured-scope",
"attributes": {
"structured_scope_id": 0
}
}
}
result = RestClient::Request.execute(
method: :put,
url: 'https://api.hackerone.com/v1/reports/{id}/structured_scope',
password: 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=',
user: 'api_example_company',
payload: data,
headers: headers
)
p JSON.parse(result)
URL obj = new URL("https://api.hackerone.com/v1/reports/{id}/structured_scope");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
String userCredentials = "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);
con.setRequestMethod("PUT");
con.setRequestProperty("Content-Type", "application/json; utf-8");
con.setRequestProperty("Accept", "application/json");
con.setDoOutput(true);
String jsonInputString = "{\n \"data\": {\n \"type\": \"report-structured-scope\",\n \"attributes\": {\n \"structured_scope_id\": 0\n }\n }\n}";
try(OutputStream os = con.getOutputStream()) {
byte[] input = jsonInputString.getBytes("utf-8");
os.write(input, 0, input.length);
}
try(BufferedReader br = new BufferedReader(
new InputStreamReader(con.getInputStream(), "utf-8"))) {
StringBuilder response = new StringBuilder();
String responseLine = null;
while ((responseLine = br.readLine()) != null) {
response.append(responseLine.trim());
}
System.out.println(response.toString());
}
let inputBody = "{\n \"data\": {\n \"type\": \"report-structured-scope\",\n \"attributes\": {\n \"structured_scope_id\": 0\n }\n }\n}";
let user = 'api_example_company';
let password = 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
headers.set('Content-Type', 'application/json'); headers.set('Accept', 'application/json');
fetch('https://api.hackerone.com/v1/reports/{id}/structured_scope',
{
method: 'PUT',
body: inputBody,
headers: headers
})
.then(function(res) {
return res.json();
}).then(function(body) {
console.log(body);
});
package main
import (
"bytes"
"io/ioutil"
"log"
"net/http"
)
func main() {
headers := map[string][]string{
"Content-Type": []string{"application/json"},
"Accept": []string{"application/json"},
}
data := bytes.NewBuffer([]byte(`"{\n \"data\": {\n \"type\": \"report-structured-scope\",\n \"attributes\": {\n \"structured_scope_id\": 0\n }\n }\n}"`))
req, err := http.NewRequest("PUT", "https://api.hackerone.com/v1/reports/{id}/structured_scope", data)
req.Header = headers
req.SetBasicAuth("api_example_company", "Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=")
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
body, _ := ioutil.ReadAll(resp.Body)
log.Println(string(body))
}
200 Response
{
"id": "1337",
"type": "report",
"attributes": {
"title": "XSS in login form",
"state": "new",
"created_at": "2016-02-02T04:05:06.000Z",
"vulnerability_information": "...",
"triaged_at": null,
"closed_at": null,
"last_reporter_activity_at": null,
"first_program_activity_at": null,
"last_program_activity_at": null,
"bounty_awarded_at": null,
"swag_awarded_at": null,
"disclosed_at": null,
"last_public_activity_at": null,
"last_activity_at": null,
"issue_tracker_reference_url": "https://example.com/reference",
"cve_ids": [],
"source": null,
"reporter_agreed_on_going_public_at": null
},
"relationships": {
"reporter": {
"data": {
"id": "1337",
"type": "user",
"attributes": {
"username": "api-example",
"name": "API Example",
"disabled": false,
"created_at": "2016-02-02T04:05:06.000Z",
"profile_picture": {
"62x62": "/assets/avatars/default.png",
"82x82": "/assets/avatars/default.png",
"110x110": "/assets/avatars/default.png",
"260x260": "/assets/avatars/default.png"
},
"reputation": 7,
"signal": 7,
"impact": 30
}
}
},
"program": {
"data": {
"id": "1337",
"type": "program",
"attributes": {
"handle": "security",
"created_at": "2016-02-02T04:05:06.000Z",
"updated_at": "2016-02-02T04:05:06.000Z"
}
}
},
"swag": {
"data": []
},
"attachments": {
"data": []
},
"weakness": {
"data": {
"id": "1337",
"type": "weakness",
"attributes": {
"name": "Cross-Site Request Forgery (CSRF)",
"description": "The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.",
"external_id": "cwe-352",
"created_at": "2016-02-02T04:05:06.000Z"
}
}
},
"structured_scope": {
"data": {
"id": "287",
"type": "structured-scope",
"attributes": {
"asset_type": "URL",
"asset_identifier": "www.hackerone.com",
"eligible_for_bounty": true,
"eligible_for_submission": true,
"instruction": "This asset does not contain any highly confidential information.",
"max_severity": "critical",
"created_at": "2016-02-02T04:05:06.000Z",
"updated_at": "2016-02-02T04:05:06.000Z",
"reference": "T12345",
"confidentiality_requirement": "medium",
"integrity_requirement": "high",
"availability_requirement": "medium"
}
}
},
"activities": {
"data": []
},
"bounties": {
"data": []
},
"summaries": {
"data": []
}
}
}
PUT /reports/{id}/structured_scope
Changing the structured scope of a report can be done through this endpoint. This API
endpoint cannot be used for reports that have been reported outside of the HackerOne
platform.
Required permission: Report Management. You can manage the permissions of your API users through your program's settings. Insufficient permissions will result in a 404 Not Found response.
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| id | path | integer | true | The ID of the report. |
| data | body | object | true | This object contains the information to change the structured scope of a report. |
| » type | body | string | true | none |
| » attributes | body | object | true | none |
| »» structured_scope_id | body | integer | true | The new structured scope that will be set on the report. |
Enumerated Values
| Parameter | Value |
|---|---|
| » type | report-structured-scope |
Add Summary
Code samples
# You can also use wget
curl "https://api.hackerone.com/v1/reports/{id}/summaries" \
-X POST \
-u "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=" \
-H 'Content-Type: application/json' \
-H 'Accept: application/json' \
-d @- <<EOD
{
"data": {
"type": "report-summary",
"attributes": {
"content": "string"
}
}
}
EOD
import requests
headers = {
'Content-Type': 'application/json',
'Accept': 'application/json'
}
data = {
"data": {
"type": "report-summary",
"attributes": {
"content": "string"
}
}
}
r = requests.post(
'https://api.hackerone.com/v1/reports/{id}/summaries',
auth=('api_example_company', 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ='),
json = data,
headers = headers
)
print(r.json())
require 'rest-client'
require 'json'
headers = {
'Content-Type' => 'application/json',
'Accept' => 'application/json'
}
data = {
"data": {
"type": "report-summary",
"attributes": {
"content": "string"
}
}
}
result = RestClient::Request.execute(
method: :post,
url: 'https://api.hackerone.com/v1/reports/{id}/summaries',
password: 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=',
user: 'api_example_company',
payload: data,
headers: headers
)
p JSON.parse(result)
URL obj = new URL("https://api.hackerone.com/v1/reports/{id}/summaries");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
String userCredentials = "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);
con.setRequestMethod("POST");
con.setRequestProperty("Content-Type", "application/json; utf-8");
con.setRequestProperty("Accept", "application/json");
con.setDoOutput(true);
String jsonInputString = "{\n \"data\": {\n \"type\": \"report-summary\",\n \"attributes\": {\n \"content\": \"string\"\n }\n }\n}";
try(OutputStream os = con.getOutputStream()) {
byte[] input = jsonInputString.getBytes("utf-8");
os.write(input, 0, input.length);
}
try(BufferedReader br = new BufferedReader(
new InputStreamReader(con.getInputStream(), "utf-8"))) {
StringBuilder response = new StringBuilder();
String responseLine = null;
while ((responseLine = br.readLine()) != null) {
response.append(responseLine.trim());
}
System.out.println(response.toString());
}
let inputBody = "{\n \"data\": {\n \"type\": \"report-summary\",\n \"attributes\": {\n \"content\": \"string\"\n }\n }\n}";
let user = 'api_example_company';
let password = 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
headers.set('Content-Type', 'application/json'); headers.set('Accept', 'application/json');
fetch('https://api.hackerone.com/v1/reports/{id}/summaries',
{
method: 'POST',
body: inputBody,
headers: headers
})
.then(function(res) {
return res.json();
}).then(function(body) {
console.log(body);
});
package main
import (
"bytes"
"io/ioutil"
"log"
"net/http"
)
func main() {
headers := map[string][]string{
"Content-Type": []string{"application/json"},
"Accept": []string{"application/json"},
}
data := bytes.NewBuffer([]byte(`"{\n \"data\": {\n \"type\": \"report-summary\",\n \"attributes\": {\n \"content\": \"string\"\n }\n }\n}"`))
req, err := http.NewRequest("POST", "https://api.hackerone.com/v1/reports/{id}/summaries", data)
req.Header = headers
req.SetBasicAuth("api_example_company", "Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=")
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
body, _ := ioutil.ReadAll(resp.Body)
log.Println(string(body))
}
200 Response
{
"id": "1337",
"type": "report-summary",
"attributes": {
"content": "There was a cross-site scripting vulnerability in our login form.",
"category": "team",
"created_at": "2016-02-02T04:05:06.000Z",
"updated_at": "2016-02-02T04:05:06.000Z"
},
"relationships": {
"user": {
"data": {
"id": "1337",
"type": "user",
"attributes": {
"username": "api-example",
"name": "API Example",
"disabled": false,
"created_at": "2016-02-02T04:05:06.000Z",
"profile_picture": {
"62x62": "/assets/avatars/default.png",
"82x82": "/assets/avatars/default.png",
"110x110": "/assets/avatars/default.png",
"260x260": "/assets/avatars/default.png"
}
}
}
}
}
}
POST /reports/{id}/summaries
This API endpoint allows the user to create a report summary
for reports that are received by teams that the user is part of.
A team can only include a single report summary. This API endpoint
cannot be used for reports that have been reported outside of the HackerOne
platform or reported to other teams.
Required permission: Report Management You can manage the permissions of your API users through your program's settings. Insufficient permissions will result in a 403 Forbidden response.
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| id | path | integer | true | The ID of the report. |
| data | body | object | true | This object contains the information necessary to create a report summary. |
| » type | body | string | true | none |
| » attributes | body | object | true | none |
| »» content | body | string | true | The content of the to be created report summary. |
Enumerated Values
| Parameter | Value |
|---|---|
| » type | report-summary |
Award Swag
Code samples
# You can also use wget
curl "https://api.hackerone.com/v1/reports/{id}/swags" \
-X POST \
-u "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=" \
-H 'Content-Type: application/json' \
-H 'Accept: application/json' \
-d @- <<EOD
{
"data": {
"message": "string"
}
}
EOD
import requests
headers = {
'Content-Type': 'application/json',
'Accept': 'application/json'
}
data = {
"data": {
"message": "string"
}
}
r = requests.post(
'https://api.hackerone.com/v1/reports/{id}/swags',
auth=('api_example_company', 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ='),
json = data,
headers = headers
)
print(r.json())
require 'rest-client'
require 'json'
headers = {
'Content-Type' => 'application/json',
'Accept' => 'application/json'
}
data = {
"data": {
"message": "string"
}
}
result = RestClient::Request.execute(
method: :post,
url: 'https://api.hackerone.com/v1/reports/{id}/swags',
password: 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=',
user: 'api_example_company',
payload: data,
headers: headers
)
p JSON.parse(result)
URL obj = new URL("https://api.hackerone.com/v1/reports/{id}/swags");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
String userCredentials = "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);
con.setRequestMethod("POST");
con.setRequestProperty("Content-Type", "application/json; utf-8");
con.setRequestProperty("Accept", "application/json");
con.setDoOutput(true);
String jsonInputString = "{\n \"data\": {\n \"message\": \"string\"\n }\n}";
try(OutputStream os = con.getOutputStream()) {
byte[] input = jsonInputString.getBytes("utf-8");
os.write(input, 0, input.length);
}
try(BufferedReader br = new BufferedReader(
new InputStreamReader(con.getInputStream(), "utf-8"))) {
StringBuilder response = new StringBuilder();
String responseLine = null;
while ((responseLine = br.readLine()) != null) {
response.append(responseLine.trim());
}
System.out.println(response.toString());
}
let inputBody = "{\n \"data\": {\n \"message\": \"string\"\n }\n}";
let user = 'api_example_company';
let password = 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
headers.set('Content-Type', 'application/json'); headers.set('Accept', 'application/json');
fetch('https://api.hackerone.com/v1/reports/{id}/swags',
{
method: 'POST',
body: inputBody,
headers: headers
})
.then(function(res) {
return res.json();
}).then(function(body) {
console.log(body);
});
package main
import (
"bytes"
"io/ioutil"
"log"
"net/http"
)
func main() {
headers := map[string][]string{
"Content-Type": []string{"application/json"},
"Accept": []string{"application/json"},
}
data := bytes.NewBuffer([]byte(`"{\n \"data\": {\n \"message\": \"string\"\n }\n}"`))
req, err := http.NewRequest("POST", "https://api.hackerone.com/v1/reports/{id}/swags", data)
req.Header = headers
req.SetBasicAuth("api_example_company", "Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=")
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
body, _ := ioutil.ReadAll(resp.Body)
log.Println(string(body))
}
200 Response
{
"id": "1337",
"type": "swag",
"attributes": {
"sent": false,
"created_at": "2016-02-02T04:05:06.000Z"
},
"relationships": {
"user": {
"data": {
"id": "1337",
"type": "user",
"attributes": {
"username": "api-example",
"name": "API Example",
"disabled": false,
"created_at": "2016-02-02T04:05:06.000Z",
"profile_picture": {
"62x62": "/assets/avatars/default.png",
"82x82": "/assets/avatars/default.png",
"110x110": "/assets/avatars/default.png",
"260x260": "/assets/avatars/default.png"
}
}
}
},
"address": {
"data": {
"id": "1337",
"type": "address",
"attributes": {
"name": "Jane Doe",
"street": "535 Mission Street",
"city": "San Francisco",
"postal_code": "94105",
"state": "CA",
"country": "United States of America",
"created_at": "2016-02-02T04:05:06.000Z",
"tshirt_size": "W_Large",
"phone_number": "+1-510-000-0000"
}
}
}
}
}
POST /reports/{id}/swags
You can use this endpoint to award swag to the reporter
of the provided report.
Required permission: Reward Management You can manage the permissions of your API users through your program's settings. Insufficient permissions will result in a 404 Not Found response.
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| id | path | integer | true | The ID of the report. |
| data | body | object | true | This object contains the information required to award swag. |
| » message | body | string | true | The public message posted on the report. Always required. |
Update Title
Code samples
# You can also use wget
curl "https://api.hackerone.com/v1/reports/{id}/title" \
-X PUT \
-u "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=" \
-H 'Content-Type: application/json' \
-H 'Accept: application/json' \
-d @- <<EOD
{
"data": {
"type": "report-title",
"attributes": {
"title": "string"
}
}
}
EOD
import requests
headers = {
'Content-Type': 'application/json',
'Accept': 'application/json'
}
data = {
"data": {
"type": "report-title",
"attributes": {
"title": "string"
}
}
}
r = requests.put(
'https://api.hackerone.com/v1/reports/{id}/title',
auth=('api_example_company', 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ='),
json = data,
headers = headers
)
print(r.json())
require 'rest-client'
require 'json'
headers = {
'Content-Type' => 'application/json',
'Accept' => 'application/json'
}
data = {
"data": {
"type": "report-title",
"attributes": {
"title": "string"
}
}
}
result = RestClient::Request.execute(
method: :put,
url: 'https://api.hackerone.com/v1/reports/{id}/title',
password: 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=',
user: 'api_example_company',
payload: data,
headers: headers
)
p JSON.parse(result)
URL obj = new URL("https://api.hackerone.com/v1/reports/{id}/title");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
String userCredentials = "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);
con.setRequestMethod("PUT");
con.setRequestProperty("Content-Type", "application/json; utf-8");
con.setRequestProperty("Accept", "application/json");
con.setDoOutput(true);
String jsonInputString = "{\n \"data\": {\n \"type\": \"report-title\",\n \"attributes\": {\n \"title\": \"string\"\n }\n }\n}";
try(OutputStream os = con.getOutputStream()) {
byte[] input = jsonInputString.getBytes("utf-8");
os.write(input, 0, input.length);
}
try(BufferedReader br = new BufferedReader(
new InputStreamReader(con.getInputStream(), "utf-8"))) {
StringBuilder response = new StringBuilder();
String responseLine = null;
while ((responseLine = br.readLine()) != null) {
response.append(responseLine.trim());
}
System.out.println(response.toString());
}
let inputBody = "{\n \"data\": {\n \"type\": \"report-title\",\n \"attributes\": {\n \"title\": \"string\"\n }\n }\n}";
let user = 'api_example_company';
let password = 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
headers.set('Content-Type', 'application/json'); headers.set('Accept', 'application/json');
fetch('https://api.hackerone.com/v1/reports/{id}/title',
{
method: 'PUT',
body: inputBody,
headers: headers
})
.then(function(res) {
return res.json();
}).then(function(body) {
console.log(body);
});
package main
import (
"bytes"
"io/ioutil"
"log"
"net/http"
)
func main() {
headers := map[string][]string{
"Content-Type": []string{"application/json"},
"Accept": []string{"application/json"},
}
data := bytes.NewBuffer([]byte(`"{\n \"data\": {\n \"type\": \"report-title\",\n \"attributes\": {\n \"title\": \"string\"\n }\n }\n}"`))
req, err := http.NewRequest("PUT", "https://api.hackerone.com/v1/reports/{id}/title", data)
req.Header = headers
req.SetBasicAuth("api_example_company", "Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=")
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
body, _ := ioutil.ReadAll(resp.Body)
log.Println(string(body))
}
200 Response
{
"data": {
"id": "1337",
"type": "report",
"attributes": {
"title": "XSS in login form",
"state": "new",
"created_at": "2016-02-02T04:05:06.000Z",
"vulnerability_information": "...",
"triaged_at": null,
"closed_at": null,
"last_reporter_activity_at": null,
"first_program_activity_at": null,
"last_program_activity_at": null,
"bounty_awarded_at": null,
"swag_awarded_at": null,
"disclosed_at": null,
"source": null
},
"relationships": {
"reporter": {
"data": {
"id": "1337",
"type": "user",
"attributes": {
"username": "api-example",
"name": "API Example",
"disabled": false,
"created_at": "2016-02-02T04:05:06.000Z",
"profile_picture": {
"62x62": "/assets/avatars/default.png",
"82x82": "/assets/avatars/default.png",
"110x110": "/assets/avatars/default.png",
"260x260": "/assets/avatars/default.png"
}
}
}
},
"assignee": {
"data": {
"id": "1337",
"type": "user",
"attributes": {
"username": "member",
"name": "Member",
"disabled": false,
"created_at": "2016-02-02T04:05:06.000Z",
"profile_picture": {
"62x62": "/assets/avatars/default.png",
"82x82": "/assets/avatars/default.png",
"110x110": "/assets/avatars/default.png",
"260x260": "/assets/avatars/default.png"
}
}
}
},
"program": {
"data": {
"id": "1337",
"type": "program",
"attributes": {
"handle": "security",
"created_at": "2016-02-02T04:05:06.000Z",
"updated_at": "2016-02-02T04:05:06.000Z"
}
}
},
"severity": {
"data": {
"id": "57",
"type": "severity",
"attributes": {
"rating": "high",
"author_type": "User",
"user_id": 1337,
"created_at": "2016-02-02T04:05:06.000Z",
"score": 8.7,
"attack_complexity": "low",
"attack_vector": "adjacent",
"availability": "high",
"confidentiality": "low",
"integrity": "high",
"privileges_required": "low",
"user_interaction": "required",
"scope": "changed"
}
}
},
"swag": {
"data": []
},
"attachments": {
"data": []
},
"weakness": {
"data": {
"id": "1337",
"type": "weakness",
"attributes": {
"name": "Cross-Site Request Forgery (CSRF)",
"description": "The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.",
"external_id": "cwe-352",
"created_at": "2016-02-02T04:05:06.000Z"
}
}
},
"structured_scope": {
"data": {
"id": "57",
"type": "structured-scope",
"attributes": {
"asset_identifier": "api.example.com",
"asset_type": "url",
"confidentiality_requirement": "high",
"integrity_requirement": "high",
"availability_requirement": "high",
"max_severity": "critical",
"created_at": "2015-02-02T04:05:06.000Z",
"updated_at": "2016-05-02T04:05:06.000Z",
"instruction": null,
"eligible_for_bounty": true,
"eligible_for_submission": true,
"reference": "H001001"
}
}
},
"activities": {
"data": [
{
"type": "activity-comment",
"id": "445",
"attributes": {
"message": "Comment!",
"created_at": "2016-02-02T04:05:06.000Z",
"updated_at": "2016-02-02T04:05:06.000Z",
"internal": false
},
"relationships": {
"actor": {
"data": {
"id": "1337",
"type": "user",
"attributes": {
"username": "api-example",
"name": "API Example",
"disabled": false,
"created_at": "2016-02-02T04:05:06.000Z",
"profile_picture": {
"62x62": "/assets/avatars/default.png",
"82x82": "/assets/avatars/default.png",
"110x110": "/assets/avatars/default.png",
"260x260": "/assets/avatars/default.png"
},
"signal": null,
"impact": null,
"reputation": null,
"bio": null,
"website": null,
"location": null,
"hackerone_triager": false
}
}
},
"attachments": {
"data": [
{
"id": "1337",
"type": "attachment",
"attributes": {
"expiring_url": "/system/attachments/files/000/001/337/original/root.rb?1454385906",
"created_at": "2016-02-02T04:05:06.000Z",
"file_name": "root.rb",
"content_type": "text/x-ruby",
"file_size": 2871
}
}
]
}
}
},
{
"id": "1337",
"type": "activity-bug-resolved",
"attributes": {
"message": "Bug Resolved!",
"created_at": "2016-02-02T04:05:06.000Z",
"updated_at": "2016-02-02T04:05:06.000Z",
"internal": false
},
"relationships": {
"actor": {
"data": {
"id": "1337",
"type": "user",
"attributes": {
"username": "api-example",
"name": "API Example",
"disabled": false,
"created_at": "2016-02-02T04:05:06.000Z",
"profile_picture": {
"62x62": "/assets/avatars/default.png",
"82x82": "/assets/avatars/default.png",
"110x110": "/assets/avatars/default.png",
"260x260": "/assets/avatars/default.png"
}
}
}
}
}
}
]
},
"bounties": {
"data": []
},
"summaries": {
"data": []
},
"triggered_pre_submission_trigger": {
"data": {
"id": "1337",
"type": "trigger",
"attributes": {
"title": "Example Trigger"
}
}
},
"custom_field_values": {
"data": []
}
}
}
}
PUT /reports/{id}/title
Changing the title of a report through the HackerOne API can be useful to
programmatically batch update received reports in HackerOne. This API endpoint
cannot be used for reports that have been reported outside of the HackerOne
platform.
Required permission: Report Management. You can manage the permissions of your API users through your program's settings. Insufficient permissions will result in a 403 Forbidden response.
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| id | path | integer | true | The ID of the report. |
| data | body | object | true | This object contains the information to change the title of a report. |
| » type | body | string | true | none |
| » attributes | body | object | false | none |
| »» title | body | string | true | The new title that will be set on the report. |
Enumerated Values
| Parameter | Value |
|---|---|
| » type | report-title |
Update Report Team
Code samples
# You can also use wget
curl "https://api.hackerone.com/v1/reports/{id}/transfer" \
-X PUT \
-u "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=" \
-H 'Content-Type: application/json' \
-H 'Accept: application/json' \
-d @- <<EOD
{
"data": {
"type": null,
"attributes": {
"target_team_id": "string"
}
}
}
EOD
import requests
headers = {
'Content-Type': 'application/json',
'Accept': 'application/json'
}
data = {
"data": {
"type": null,
"attributes": {
"target_team_id": "string"
}
}
}
r = requests.put(
'https://api.hackerone.com/v1/reports/{id}/transfer',
auth=('api_example_company', 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ='),
json = data,
headers = headers
)
print(r.json())
require 'rest-client'
require 'json'
headers = {
'Content-Type' => 'application/json',
'Accept' => 'application/json'
}
data = {
"data": {
"type": null,
"attributes": {
"target_team_id": "string"
}
}
}
result = RestClient::Request.execute(
method: :put,
url: 'https://api.hackerone.com/v1/reports/{id}/transfer',
password: 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=',
user: 'api_example_company',
payload: data,
headers: headers
)
p JSON.parse(result)
URL obj = new URL("https://api.hackerone.com/v1/reports/{id}/transfer");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
String userCredentials = "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);
con.setRequestMethod("PUT");
con.setRequestProperty("Content-Type", "application/json; utf-8");
con.setRequestProperty("Accept", "application/json");
con.setDoOutput(true);
String jsonInputString = "{\n \"data\": {\n \"type\": null,\n \"attributes\": {\n \"target_team_id\": \"string\"\n }\n }\n}";
try(OutputStream os = con.getOutputStream()) {
byte[] input = jsonInputString.getBytes("utf-8");
os.write(input, 0, input.length);
}
try(BufferedReader br = new BufferedReader(
new InputStreamReader(con.getInputStream(), "utf-8"))) {
StringBuilder response = new StringBuilder();
String responseLine = null;
while ((responseLine = br.readLine()) != null) {
response.append(responseLine.trim());
}
System.out.println(response.toString());
}
let inputBody = "{\n \"data\": {\n \"type\": null,\n \"attributes\": {\n \"target_team_id\": \"string\"\n }\n }\n}";
let user = 'api_example_company';
let password = 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
headers.set('Content-Type', 'application/json'); headers.set('Accept', 'application/json');
fetch('https://api.hackerone.com/v1/reports/{id}/transfer',
{
method: 'PUT',
body: inputBody,
headers: headers
})
.then(function(res) {
return res.json();
}).then(function(body) {
console.log(body);
});
package main
import (
"bytes"
"io/ioutil"
"log"
"net/http"
)
func main() {
headers := map[string][]string{
"Content-Type": []string{"application/json"},
"Accept": []string{"application/json"},
}
data := bytes.NewBuffer([]byte(`"{\n \"data\": {\n \"type\": null,\n \"attributes\": {\n \"target_team_id\": \"string\"\n }\n }\n}"`))
req, err := http.NewRequest("PUT", "https://api.hackerone.com/v1/reports/{id}/transfer", data)
req.Header = headers
req.SetBasicAuth("api_example_company", "Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=")
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
body, _ := ioutil.ReadAll(resp.Body)
log.Println(string(body))
}
200 Response
{
"was_successful": true
}
PUT /reports/{id}/transfer
The program can transfer reports between parent and child programs.
You can use this endpoint to transfer the reports between parent and child programs.
Required permission: Report Management You can manage the permissions of your API users through your program's settings. Insufficient permissions will result in a 403 Forbidden response.
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| id | path | integer | true | The ID of the report. |
| data | body | object | true | This object contains the information about disclosure request. |
| » type | body | [object Object] | false | The type of the action |
| » attributes | body | object | true | none |
| »» target_team_id | body | string | true | The handle of the target team the reports should be transferred to. |
Update Weakness
Code samples
# You can also use wget
curl "https://api.hackerone.com/v1/reports/{id}/weakness" \
-X PUT \
-u "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=" \
-H 'Content-Type: application/json' \
-H 'Accept: application/json' \
-d @- <<EOD
{
"data": {
"type": "report-weakness",
"attributes": {
"weakness_id": 0
}
}
}
EOD
import requests
headers = {
'Content-Type': 'application/json',
'Accept': 'application/json'
}
data = {
"data": {
"type": "report-weakness",
"attributes": {
"weakness_id": 0
}
}
}
r = requests.put(
'https://api.hackerone.com/v1/reports/{id}/weakness',
auth=('api_example_company', 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ='),
json = data,
headers = headers
)
print(r.json())
require 'rest-client'
require 'json'
headers = {
'Content-Type' => 'application/json',
'Accept' => 'application/json'
}
data = {
"data": {
"type": "report-weakness",
"attributes": {
"weakness_id": 0
}
}
}
result = RestClient::Request.execute(
method: :put,
url: 'https://api.hackerone.com/v1/reports/{id}/weakness',
password: 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=',
user: 'api_example_company',
payload: data,
headers: headers
)
p JSON.parse(result)
URL obj = new URL("https://api.hackerone.com/v1/reports/{id}/weakness");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
String userCredentials = "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);
con.setRequestMethod("PUT");
con.setRequestProperty("Content-Type", "application/json; utf-8");
con.setRequestProperty("Accept", "application/json");
con.setDoOutput(true);
String jsonInputString = "{\n \"data\": {\n \"type\": \"report-weakness\",\n \"attributes\": {\n \"weakness_id\": 0\n }\n }\n}";
try(OutputStream os = con.getOutputStream()) {
byte[] input = jsonInputString.getBytes("utf-8");
os.write(input, 0, input.length);
}
try(BufferedReader br = new BufferedReader(
new InputStreamReader(con.getInputStream(), "utf-8"))) {
StringBuilder response = new StringBuilder();
String responseLine = null;
while ((responseLine = br.readLine()) != null) {
response.append(responseLine.trim());
}
System.out.println(response.toString());
}
let inputBody = "{\n \"data\": {\n \"type\": \"report-weakness\",\n \"attributes\": {\n \"weakness_id\": 0\n }\n }\n}";
let user = 'api_example_company';
let password = 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
headers.set('Content-Type', 'application/json'); headers.set('Accept', 'application/json');
fetch('https://api.hackerone.com/v1/reports/{id}/weakness',
{
method: 'PUT',
body: inputBody,
headers: headers
})
.then(function(res) {
return res.json();
}).then(function(body) {
console.log(body);
});
package main
import (
"bytes"
"io/ioutil"
"log"
"net/http"
)
func main() {
headers := map[string][]string{
"Content-Type": []string{"application/json"},
"Accept": []string{"application/json"},
}
data := bytes.NewBuffer([]byte(`"{\n \"data\": {\n \"type\": \"report-weakness\",\n \"attributes\": {\n \"weakness_id\": 0\n }\n }\n}"`))
req, err := http.NewRequest("PUT", "https://api.hackerone.com/v1/reports/{id}/weakness", data)
req.Header = headers
req.SetBasicAuth("api_example_company", "Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=")
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
body, _ := ioutil.ReadAll(resp.Body)
log.Println(string(body))
}
200 Response
{
"id": "77",
"type": "report",
"attributes": {
"title": "XSS in login form",
"state": "new",
"created_at": "2019-08-20T14:26:19.286Z",
"vulnerability_information": "...",
"triaged_at": null,
"closed_at": null,
"last_reporter_activity_at": "2019-08-20T14:26:20.531Z",
"first_program_activity_at": "2019-08-20T14:26:20.531Z",
"last_program_activity_at": "2019-08-20T15:25:56.627Z",
"bounty_awarded_at": null,
"swag_awarded_at": null,
"disclosed_at": null,
"last_public_activity_at": "2019-08-20T15:25:56.627Z",
"last_activity_at": "2019-08-20T15:25:56.627Z",
"cve_ids": []
},
"relationships": {
"weakness": {
"data": {
"id": "77",
"type": "weakness",
"attributes": {
"name": "Reliance on Reverse DNS Resolution for a Security-Critical Action",
"description": "The software performs reverse DNS resolution on an IP address to obtain the hostname and make a security decision, but it does not properly ensure that the IP address is truly associated with the hostname.",
"external_id": "cwe-350",
"created_at": "2019-07-12T08:36:13.646Z"
}
}
}
}
}
PUT /reports/{id}/weakness
Changing the weakness of a report can be done through this endpoint.
This API endpoint cannot be used for reports that have been reported
outside of the HackerOne platform.
Required permission: Report Management. You can manage the permissions of your API users through your program's settings. Insufficient permissions will result in a 404 Not Found response.
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| id | path | integer | true | The ID of the report. |
| data | body | object | true | This object contains the information to change the weakness of a report. |
| » type | body | string | true | none |
| » attributes | body | object | true | none |
| »» weakness_id | body | integer | true | The new weakness that will be set on the report. |
Enumerated Values
| Parameter | Value |
|---|---|
| » type | report-weakness |
Get All Reports
Code samples
# You can also use wget
curl "https://api.hackerone.com/v1/reports?filter%5Bprogram%5D%5B%5D=string" \
-X GET \
-u "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=" \
-H 'Accept: application/json'
import requests
headers = {
'Accept': 'application/json'
}
r = requests.get(
'https://api.hackerone.com/v1/reports',
auth=('api_example_company', 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ='),
params={
'filter[program][]': [
"string"
]
},
headers = headers
)
print(r.json())
require 'rest-client'
require 'json'
headers = {
'Accept' => 'application/json'
}
result = RestClient::Request.execute(
method: :get,
url: 'https://api.hackerone.com/v1/reports',
password: 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=',
user: 'api_example_company',
headers: headers
)
p JSON.parse(result)
URL obj = new URL("https://api.hackerone.com/v1/reports?filter%5Bprogram%5D%5B%5D=string");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
String userCredentials = "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);
con.setRequestMethod("GET");
try(BufferedReader br = new BufferedReader(
new InputStreamReader(con.getInputStream(), "utf-8"))) {
StringBuilder response = new StringBuilder();
String responseLine = null;
while ((responseLine = br.readLine()) != null) {
response.append(responseLine.trim());
}
System.out.println(response.toString());
}
let user = 'api_example_company';
let password = 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
headers.set('Accept', 'application/json');
fetch('https://api.hackerone.com/v1/reports?filter%5Bprogram%5D%5B%5D=string',
{
method: 'GET',
headers: headers
})
.then(function(res) {
return res.json();
}).then(function(body) {
console.log(body);
});
package main
import (
"io/ioutil"
"log"
"net/http"
)
func main() {
headers := map[string][]string{
"Accept": []string{"application/json"},
}
req, err := http.NewRequest("GET", "https://api.hackerone.com/v1/reports", nil)
req.Header = headers
req.SetBasicAuth("api_example_company", "Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=")
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
body, _ := ioutil.ReadAll(resp.Body)
log.Println(string(body))
}
200 Response
{
"data": [
{
"id": "1337",
"type": "report",
"attributes": {
"title": "XSS in login form",
"state": "new",
"created_at": "2016-02-02T04:05:06.000Z",
"vulnerability_information": "...",
"triaged_at": null,
"closed_at": null,
"last_reporter_activity_at": null,
"first_program_activity_at": null,
"last_program_activity_at": null,
"bounty_awarded_at": null,
"last_activity_at": null,
"last_public_activity_at": null,
"swag_awarded_at": null,
"disclosed_at": null
},
"relationships": {
"reporter": {
"data": {
"id": "1337",
"type": "user",
"attributes": {
"username": "api-example",
"name": "API Example",
"disabled": false,
"created_at": "2016-02-02T04:05:06.000Z",
"profile_picture": {
"62x62": "/assets/avatars/default.png",
"82x82": "/assets/avatars/default.png",
"110x110": "/assets/avatars/default.png",
"260x260": "/assets/avatars/default.png"
}
}
}
},
"program": {
"data": {
"id": "1337",
"type": "program",
"attributes": {
"handle": "security",
"created_at": "2016-02-02T04:05:06.000Z",
"updated_at": "2016-02-02T04:05:06.000Z"
}
}
},
"weakness": {
"data": {
"id": "1337",
"type": "weakness",
"attributes": {
"name": "Cross-Site Request Forgery (CSRF)",
"description": "The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.",
"external_id": "cwe-352",
"created_at": "2016-02-02T04:05:06.000Z"
}
}
},
"bounties": {
"data": []
}
}
},
{
"id": "1338",
"type": "report",
"attributes": {
"title": "CSRF in admin panel",
"state": "triaged",
"created_at": "2016-02-02T04:05:06.000Z",
"vulnerability_information": "...",
"triaged_at": "2016-02-03T03:01:36.000Z",
"closed_at": null,
"last_reporter_activity_at": null,
"first_program_activity_at": null,
"last_program_activity_at": null,
"bounty_awarded_at": null,
"swag_awarded_at": null,
"disclosed_at": null,
"issue_tracker_reference_id": "T554",
"issue_tracker_reference_url": "https://phabricator.tld/T554",
"cve_ids": []
},
"relationships": {
"reporter": {
"data": {
"id": "1337",
"type": "user",
"attributes": {
"username": "api-example",
"name": "API Example",
"disabled": false,
"created_at": "2016-02-02T04:05:06.000Z",
"profile_picture": {
"62x62": "/assets/avatars/default.png",
"82x82": "/assets/avatars/default.png",
"110x110": "/assets/avatars/default.png",
"260x260": "/assets/avatars/default.png"
}
}
}
},
"program": {
"data": {
"id": "1337",
"type": "program",
"attributes": {
"handle": "security",
"created_at": "2016-02-02T04:05:06.000Z",
"updated_at": "2016-02-02T04:05:06.000Z"
}
}
},
"weakness": {
"data": {
"id": "1337",
"type": "weakness",
"attributes": {
"name": "Cross-Site Request Forgery (CSRF)",
"description": "The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.",
"external_id": "cwe-352",
"created_at": "2016-02-02T04:05:06.000Z"
}
}
},
"bounties": {
"data": []
}
}
},
"..."
],
"links": {
"self": "https://api.hackerone.com/v1/reports?filter%5Bprogram%5D%5B%5D=security&page%5Bnumber%5D=1",
"next": "https://api.hackerone.com/v1/reports?filter%5Bprogram%5D%5B%5D=security&page%5Bnumber%5D=2",
"last": "https://api.hackerone.com/v1/reports?filter%5Bprogram%5D%5B%5D=security&page%5Bnumber%5D=5"
}
}
GET /reports
Multiple report objects can be queried that meet certain filtering criteria by sending a GET request to the reports endpoint. When the request is successful, the API will respond with paginated report objects.
The following report relationships are included: reporter, assignee (a user or group), weakness, program, severity, structured scope, bounties, and custom field values.
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| filter[program][] | query | array[string] | true | The program handles you want to fetch the reports for. |
| filter[reporter][] | query | array[string] | false | The user usernames you want to fetch the reports for. |
| filter[assignee][] | query | array[string] | false | The assigned user usernames, emails or group names you want to fetch the reports for. |
| filter[state][] | query | array[string] | false | Allows to filter by current report state. |
| filter[id][] | query | array[integer] | false | Allows to filter by report ID. |
| filter[weakness_id][] | query | array[integer] | false | Allows to filter by weaknesses. |
| filter[severity][] | query | array[string] | false | The severity ratings you want to fetch the reports for. |
| filter[hacker_published] | query | boolean | false | Allows to filter by reports that are published by hackers, depending on the value of this parameter. |
| filter[created_at__gt] | query | any(date-time) | false | Allows to filter by reports that were created after the date specified in this parameter. |
| filter[created_at__lt] | query | any(date-time) | false | Allows to filter by reports that were created before the date specified in this parameter. |
| filter[triaged_at__gt] | query | any(date-time) | false | Allows to filter by reports that were triaged after the date specified in this parameter. |
| filter[triaged_at__lt] | query | any(date-time) | false | Allows to filter by reports that were triaged before the date specified in this parameter. |
| filter[triaged_at__null] | query | boolean | false | Allows to filter by reports that are triaged or not, depending on the value of this parameter. |
| filter[closed_at__gt] | query | any(date-time) | false | Allows to filter by reports that were closed after the date specified in this parameter. |
| filter[closed_at__lt] | query | any(date-time) | false | Allows to filter by reports that were closed before the date specified in this parameter. |
| filter[closed_at__null] | query | boolean | false | Allows to filter by reports that are closed or not, depending on the value of this parameter. |
| filter[disclosed_at__gt] | query | any(date-time) | false | Allows to filter by reports that were disclosed after the date specified in this parameter. |
| filter[disclosed_at__lt] | query | any(date-time) | false | Allows to filter by reports that were disclosed before the date specified in this parameter. |
| filter[disclosed_at__null] | query | boolean | false | Allows to filter by reports that are disclosed or not, depending on the value of this parameter. |
| filter[reporter_agreed_on_going_public] | query | boolean | false | Allows to filter by reports that have or don't have the hacker disclosure request or not, depending on the value of this parameter. |
| filter[bounty_awarded_at__gt] | query | any(date-time) | false | Allows to filter by reports that have a bounty awarded after the date specified in this parameter. |
| filter[bounty_awarded_at__lt] | query | any(date-time) | false | Allows to filter by reports that have a bounty awarded before the date specified in this parameter. |
| filter[bounty_awarded_at__null] | query | boolean | false | Allows to filter by reports that have a bounty awarded or not, depending on the value of this parameter. |
| filter[swag_awarded_at__gt] | query | any(date-time) | false | Allows to filter by reports that have swag awarded after the date specified in this parameter. |
| filter[swag_awarded_at__lt] | query | any(date-time) | false | Allows to filter by reports that have swag awarded before the date specified in this parameter. |
| filter[swag_awarded_at__null] | query | boolean | false | Allows to filter by reports that have swag awarded or not, depending on the value of this parameter. |
| filter[last_reporter_activity_at__gt] | query | any(date-time) | false | Allows to filter by reports that received an update from the reporter after the date specified in this parameter. |
| filter[last_reporter_activity_at__lt] | query | any(date-time) | false | Allows to filter by reports that received an update from the reporter before the date specified in this parameter. |
| filter[first_program_activity_at__gt] | query | any(date-time) | false | Allows to filter by reports that received the first update from the program after the date specified in this parameter. |
| filter[first_program_activity_at__lt] | query | any(date-time) | false | Allows to filter by reports that received the first update from the program before the date specified in this parameter. |
| filter[first_program_activity_at__null] | query | boolean | false | Allows to filter by reports where the reporter received an update from the program or not, depending on the value of this parameter. |
| filter[last_program_activity_at__gt] | query | any(date-time) | false | Allows to filter by reports that received an update from the program after the date specified in this parameter. |
| filter[last_program_activity_at__lt] | query | any(date-time) | false | Allows to filter by reports that received an update from the program before the date specified in this parameter. |
| filter[last_activity_at__gt] | query | any(date-time) | false | Allows to filter by reports that received an update after the date specified in this parameter. |
| filter[last_activity_at__lt] | query | any(date-time) | false | Allows to filter by reports that received an update before the date specified in this parameter. |
| filter[last_public_activity_at__gt] | query | any(date-time) | false | Allows to filter by reports that received a public update after the date specified in this parameter. |
| filter[last_public_activity_at__lt] | query | any(date-time) | false | Allows to filter by reports that received a public update after the date specified in this parameter. |
| filter[keyword] | query | string | false | Allows to filter reports by title and details keyword. |
| filter[custom_fields][] | query | array[object] | false | Allows to filter by reports by a Custom Field Label and Value. |
| sort | query | any | false | The attributes and order to sort the reports on. This parameter may contain |
| page[number] | query | any | false | The page to retrieve. |
| page[size] | query | any | false | The number of objects per page; currently limited from 1 to 100. |
Detailed descriptions
sort: The attributes and order to sort the reports on. This parameter may contain multiple attributes that the reports should be sorted on. Sorting is applied in the specified order of attributes. If an attribute should be sorted descending, prepend a hyphen (-).
The following attributes can be used for sorting: reports.swag_awarded_at, reports.bounty_awarded_at, reports.last_reporter_activity_at, reports.first_program_activity_at, reports.last_program_activity_at, reports.triaged_at, reports.created_at, reports.closed_at, reports.last_public_activity_at, reports.last_activity_at, and reports.disclosed_at.
Enumerated Values
| Parameter | Value |
|---|---|
| filter[state][] | new |
| filter[state][] | triaged |
| filter[state][] | needs-more-info |
| filter[state][] | resolved |
| filter[state][] | not-applicable |
| filter[state][] | informative |
| filter[state][] | duplicate |
| filter[state][] | spam |
| filter[severity][] | none |
| filter[severity][] | low |
| filter[severity][] | medium |
| filter[severity][] | high |
| filter[severity][] | critical |
Create Report
Code samples
# You can also use wget
curl "https://api.hackerone.com/v1/reports" \
-X POST \
-u "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=" \
-H 'Content-Type: application/json' \
-H 'Accept: application/json' \
-d @- <<EOD
{
"data": {
"type": "report",
"attributes": {
"team_handle": "string",
"title": "string",
"vulnerability_information": "string",
"impact": "string",
"severity_rating": "none",
"weakness_id": 0,
"structured_scope_id": 0,
"source": "string"
}
}
}
EOD
import requests
headers = {
'Content-Type': 'application/json',
'Accept': 'application/json'
}
data = {
"data": {
"type": "report",
"attributes": {
"team_handle": "string",
"title": "string",
"vulnerability_information": "string",
"impact": "string",
"severity_rating": "none",
"weakness_id": 0,
"structured_scope_id": 0,
"source": "string"
}
}
}
r = requests.post(
'https://api.hackerone.com/v1/reports',
auth=('api_example_company', 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ='),
json = data,
headers = headers
)
print(r.json())
require 'rest-client'
require 'json'
headers = {
'Content-Type' => 'application/json',
'Accept' => 'application/json'
}
data = {
"data": {
"type": "report",
"attributes": {
"team_handle": "string",
"title": "string",
"vulnerability_information": "string",
"impact": "string",
"severity_rating": "none",
"weakness_id": 0,
"structured_scope_id": 0,
"source": "string"
}
}
}
result = RestClient::Request.execute(
method: :post,
url: 'https://api.hackerone.com/v1/reports',
password: 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=',
user: 'api_example_company',
payload: data,
headers: headers
)
p JSON.parse(result)
URL obj = new URL("https://api.hackerone.com/v1/reports");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
String userCredentials = "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);
con.setRequestMethod("POST");
con.setRequestProperty("Content-Type", "application/json; utf-8");
con.setRequestProperty("Accept", "application/json");
con.setDoOutput(true);
String jsonInputString = "{\n \"data\": {\n \"type\": \"report\",\n \"attributes\": {\n \"team_handle\": \"string\",\n \"title\": \"string\",\n \"vulnerability_information\": \"string\",\n \"impact\": \"string\",\n \"severity_rating\": \"none\",\n \"weakness_id\": 0,\n \"structured_scope_id\": 0,\n \"source\": \"string\"\n }\n }\n}";
try(OutputStream os = con.getOutputStream()) {
byte[] input = jsonInputString.getBytes("utf-8");
os.write(input, 0, input.length);
}
try(BufferedReader br = new BufferedReader(
new InputStreamReader(con.getInputStream(), "utf-8"))) {
StringBuilder response = new StringBuilder();
String responseLine = null;
while ((responseLine = br.readLine()) != null) {
response.append(responseLine.trim());
}
System.out.println(response.toString());
}
let inputBody = "{\n \"data\": {\n \"type\": \"report\",\n \"attributes\": {\n \"team_handle\": \"string\",\n \"title\": \"string\",\n \"vulnerability_information\": \"string\",\n \"impact\": \"string\",\n \"severity_rating\": \"none\",\n \"weakness_id\": 0,\n \"structured_scope_id\": 0,\n \"source\": \"string\"\n }\n }\n}";
let user = 'api_example_company';
let password = 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
headers.set('Content-Type', 'application/json'); headers.set('Accept', 'application/json');
fetch('https://api.hackerone.com/v1/reports',
{
method: 'POST',
body: inputBody,
headers: headers
})
.then(function(res) {
return res.json();
}).then(function(body) {
console.log(body);
});
package main
import (
"bytes"
"io/ioutil"
"log"
"net/http"
)
func main() {
headers := map[string][]string{
"Content-Type": []string{"application/json"},
"Accept": []string{"application/json"},
}
data := bytes.NewBuffer([]byte(`"{\n \"data\": {\n \"type\": \"report\",\n \"attributes\": {\n \"team_handle\": \"string\",\n \"title\": \"string\",\n \"vulnerability_information\": \"string\",\n \"impact\": \"string\",\n \"severity_rating\": \"none\",\n \"weakness_id\": 0,\n \"structured_scope_id\": 0,\n \"source\": \"string\"\n }\n }\n}"`))
req, err := http.NewRequest("POST", "https://api.hackerone.com/v1/reports", data)
req.Header = headers
req.SetBasicAuth("api_example_company", "Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=")
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
body, _ := ioutil.ReadAll(resp.Body)
log.Println(string(body))
}
201 Response
{
"id": "1337",
"type": "report",
"attributes": {
"title": "XSS in login form",
"state": "new",
"created_at": "2016-02-02T04:05:06.000Z",
"vulnerability_information": "...",
"triaged_at": null,
"closed_at": null,
"last_reporter_activity_at": null,
"first_program_activity_at": null,
"last_program_activity_at": null,
"bounty_awarded_at": null,
"swag_awarded_at": null,
"disclosed_at": null,
"last_public_activity_at": null,
"last_activity_at": null,
"issue_tracker_reference_url": "https://example.com/reference",
"cve_ids": [],
"source": null,
"reporter_agreed_on_going_public_at": null
},
"relationships": {
"reporter": {
"data": {
"id": "1337",
"type": "user",
"attributes": {
"username": "api-example",
"name": "API Example",
"disabled": false,
"created_at": "2016-02-02T04:05:06.000Z",
"profile_picture": {
"62x62": "/assets/avatars/default.png",
"82x82": "/assets/avatars/default.png",
"110x110": "/assets/avatars/default.png",
"260x260": "/assets/avatars/default.png"
},
"reputation": 7,
"signal": 7,
"impact": 30
}
}
},
"program": {
"data": {
"id": "1337",
"type": "program",
"attributes": {
"handle": "security",
"created_at": "2016-02-02T04:05:06.000Z",
"updated_at": "2016-02-02T04:05:06.000Z"
}
}
},
"swag": {
"data": []
},
"attachments": {
"data": []
},
"weakness": {
"data": {
"id": "1337",
"type": "weakness",
"attributes": {
"name": "Cross-Site Request Forgery (CSRF)",
"description": "The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.",
"external_id": "cwe-352",
"created_at": "2016-02-02T04:05:06.000Z"
}
}
},
"structured_scope": {
"data": {
"id": "287",
"type": "structured-scope",
"attributes": {
"asset_type": "URL",
"asset_identifier": "www.hackerone.com",
"eligible_for_bounty": true,
"eligible_for_submission": true,
"instruction": "This asset does not contain any highly confidential information.",
"max_severity": "critical",
"created_at": "2016-02-02T04:05:06.000Z",
"updated_at": "2016-02-02T04:05:06.000Z",
"reference": "T12345",
"confidentiality_requirement": "medium",
"integrity_requirement": "high",
"availability_requirement": "medium"
}
}
},
"activities": {
"data": []
},
"bounties": {
"data": []
},
"summaries": {
"data": []
}
}
}
POST /reports
This API endpoint can be used to import (known) vulnerabilities into the
HackerOne platform, to use these for duplicate detection or central
vulnerability management. When the API call is successful,
a report object will be returned.
Required permission: Report Management. You can manage the permissions of your API users through your program's settings. Insufficient permissions will result in a 403 Forbidden response.
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| data | body | object | true | This object contains the information to create a report. |
| » type | body | string | true | none |
| » attributes | body | object | true | none |
| »» team_handle | body | string | true | The handle of the team that the report is being submitted to. |
| »» title | body | string | true | The title of the report. |
| »» vulnerability_information | body | string | true | Detailed information about the vulnerability including the steps to reproduce and supporting material/references. |
| »» impact | body | string | true | The security impact that an attacker could achieve. |
| »» severity_rating | body | severity-ratings | false | none |
| »» weakness_id | body | integer | false | The ID of the Weakness object that describes the type of the potential issue. |
| »» structured_scope_id | body | integer | false | The ID of the StructuredScope object that describes the attack surface. |
| »» source | body | string | true | A free-form string defining the source of the report for tracking purposes. For example, "detectify", "rapid7" or "jira". |
Enumerated Values
| Parameter | Value |
|---|---|
| » type | report |
| »» severity_rating | none |
| »» severity_rating | low |
| »» severity_rating | medium |
| »» severity_rating | high |
| »» severity_rating | critical |
Get Report
Code samples
# You can also use wget
curl "https://api.hackerone.com/v1/reports/{id}" \
-X GET \
-u "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=" \
-H 'Accept: application/json'
import requests
headers = {
'Accept': 'application/json'
}
r =