Core Resources

Reports

This API is built around reports as its core resource. The report object contains the information that hackers submitted to a program, the interactions the program users had with the report, and all additional meta information like bounties, swag, and internal references.

The next section will give an overview of what a Report object looks like. The sections after that will show the endpoints that have been implemented for this resource.

Get All Reports

To query multiple report objects that match certain filtering criteria, send a GET request to the reports endpoint. When the request is successful, the API responds with paginated report objects.

The following report relationships are included: reporter, assignee (a user or group), weakness, program, severity, structured scope, bounties, and custom field values.

Query reports

curl "https://api.hackerone.com/v1/reports?filter\[program\]\[\]=john_doe_example_company" \
  -u "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ="

Example response (200 OK)

{
  "data": [
    {
      "id": "1337",
      "type": "report",
      "attributes": {
        "title": "XSS in login form",
        "state": "new",
        "created_at": "2016-02-02T04:05:06.000Z",
        "vulnerability_information": "...",
        "triaged_at": null,
        "closed_at": null,
        "last_reporter_activity_at": null,
        "first_program_activity_at": null,
        "last_program_activity_at": null,
        "bounty_awarded_at": null,
        "last_activity_at": null,
        "last_public_activity_at": null,
        "swag_awarded_at": null,
        "disclosed_at": null,
        "source": null,
        "reporter_agreed_on_going_public_at": null
      },
      "relationships": {
        "reporter": {
          "data": {
            "id": "1337",
            "type": "user",
            "attributes": {
              "username": "api-example",
              "name": "API Example",
              "disabled": false,
              "created_at": "2016-02-02T04:05:06.000Z",
              "profile_picture": {
                "62x62": "/assets/avatars/default.png",
                "82x82": "/assets/avatars/default.png",
                "110x110": "/assets/avatars/default.png",
                "260x260": "/assets/avatars/default.png"
              }
            }
          }
        },
        "assignee": {
          "data": {
            "id": "1337",
            "type": "user",
            "attributes": {
              "username": "member",
              "name": "Member",
              "disabled": false,
              "created_at": "2016-02-02T04:05:06.000Z",
              "profile_picture": {
                "62x62": "/assets/avatars/default.png",
                "82x82": "/assets/avatars/default.png",
                "110x110": "/assets/avatars/default.png",
                "260x260": "/assets/avatars/default.png"
              }
            }
          }
        },
        "program": {
          "data": {
            "id": "1337",
            "type": "program",
            "attributes": {
              "handle": "security",
              "created_at": "2016-02-02T04:05:06.000Z",
              "updated_at": "2016-02-02T04:05:06.000Z"
            }
          }
        },
        "severity": {
          "data": {
            "id": "57",
            "type": "severity",
            "attributes": {
              "rating": "high",
              "author_type": "User",
              "user_id": 1337,
              "created_at": "2016-02-02T04:05:06.000Z",
              "score": 8.7,
              "attack_complexity": "low",
              "attack_vector": "adjacent",
              "availability": "high",
              "confidentiality": "low",
              "integrity": "high",
              "privileges_required": "low",
              "user_interaction": "required",
              "scope": "changed"
            }
          }
        },
        "weakness": {
          "data": {
            "id": "1337",
            "type": "weakness",
            "attributes": {
              "name": "Cross-Site Request Forgery (CSRF)",
              "description": "The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.",
              "external_id": "cwe-352",
              "created_at": "2016-02-02T04:05:06.000Z"
            }
          }
        },
        "structured_scope": {
          "data": {
            "id": "57",
            "type": "structured-scope",
            "attributes": {
              "asset_identifier": "api.example.com",
              "asset_type": "url",
              "confidentiality_requirement": "high",
              "integrity_requirement": "high",
              "availability_requirement": "high",
              "max_severity": "critical",
              "created_at": "2015-02-02T04:05:06.000Z",
              "updated_at": "2016-05-02T04:05:06.000Z",
              "instruction": null,
              "eligible_for_bounty": true,
              "eligible_for_submission": true,
              "reference": "H001001"
            }        
          } 
        },
        "bounties": {
          "data": [

          ]
        },
        "custom_field_values": {
          "data": [

          ]
        }
      }
    },
    {
      "id": "1338",
      "type": "report",
      "attributes": {
        "title": "CSRF in admin panel",
        "state": "triaged",
        "created_at": "2016-02-02T04:05:06.000Z",
        "vulnerability_information": "...",
        "triaged_at": "2016-02-03T03:01:36.000Z",
        "closed_at": null,
        "last_reporter_activity_at": null,
        "first_program_activity_at": null,
        "last_program_activity_at": null,
        "bounty_awarded_at": null,
        "swag_awarded_at": null,
        "disclosed_at": null,
        "issue_tracker_reference_id": "T554",
        "issue_tracker_reference_url": "https://phabricator.tld/T554",
        "cve_ids": [],
        "source": null,
        "reporter_agreed_on_going_public_at": null
      },
      "relationships": {
        "reporter": {
          "data": {
            "id": "1337",
            "type": "user",
            "attributes": {
              "username": "api-example",
              "name": "API Example",
              "disabled": false,
              "created_at": "2016-02-02T04:05:06.000Z",
              "profile_picture": {
                "62x62": "/assets/avatars/default.png",
                "82x82": "/assets/avatars/default.png",
                "110x110": "/assets/avatars/default.png",
                "260x260": "/assets/avatars/default.png"
              }
            }
          }
        },
        "assignee": {
          "data": {
            "id": "1337",
            "type": "group",
            "attributes": {
              "name": "Admin",
              "created_at": "2016-02-02T04:05:06.000Z",
              "permissions": [
                "user_management",
                "report_management"
              ]
            }
          }
        },
        "program": {
          "data": {
            "id": "1337",
            "type": "program",
            "attributes": {
              "handle": "security",
              "created_at": "2016-02-02T04:05:06.000Z",
              "updated_at": "2016-02-02T04:05:06.000Z"
            }
          }
        },
        "severity": {
          "data": {
            "id": "64",
            "type": "severity",
            "attributes": {
              "rating": "medium",
              "author_type": "User",
              "user_id": 1337,
              "created_at": "2016-02-02T04:05:06.000Z",
              "score": 6.3,
              "attack_complexity": "low",
              "attack_vector": "adjacent",
              "availability": "medium",
              "confidentiality": "low",
              "integrity": "medium",
              "privileges_required": "low",
              "user_interaction": "required",
              "scope": "changed"
            }
          }
        },
        "weakness": {
          "data": {
            "id": "1337",
            "type": "weakness",
            "attributes": {
              "name": "Cross-Site Request Forgery (CSRF)",
              "description": "The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.",
              "external_id": "cwe-352",
              "created_at": "2016-02-02T04:05:06.000Z"
            }
          }
        },
        "structured_scope": {
          "data": {
            "id": "64",
            "type": "structured-scope",
            "attributes": {
              "asset_identifier": "example.com",
              "asset_type": "url",
              "confidentiality_requirement": "medium",
              "integrity_requirement": "low",
              "availability_requirement": "high",
              "max_severity": "critical",
              "created_at": "2015-03-04T04:05:06.000Z",
              "updated_at": "2017-06-04T04:05:06.000Z",
              "instruction": null,
              "eligible_for_bounty": true,
              "eligible_for_submission": true,
              "reference": "T12345"
            }
          } 
        },
        "bounties": {
          "data": [

          ]
        },
        "custom_field_values": {
          "data": [

          ]
        }
      }
    },
    "..."
  ],
  "links": {
    "self": "https://api.hackerone.com/v1/reports?filter%5Bprogram%5D%5B%5D=security&page%5Bnumber%5D=1",
    "next": "https://api.hackerone.com/v1/reports?filter%5Bprogram%5D%5B%5D=security&page%5Bnumber%5D=2",
    "last": "https://api.hackerone.com/v1/reports?filter%5Bprogram%5D%5B%5D=security&page%5Bnumber%5D=5"
  }
}

HTTP Request

GET https://api.hackerone.com/v1/reports

Parameters

Name Description Required Type
filter Filters that can be used to drill-down reports. Yes object
filter[program] The program handles you want to fetch the reports for. Yes String[]
filter[reporter] The user usernames you want to fetch the reports for. No String[]
filter[assignee] The assigned user usernames, emails or group names you want to fetch the reports for. No String[]
filter[state] Allows to filter by current report state. Default: ["new", "triaged", "needs-more-info", "resolved", "not-applicable", "informative", "duplicate", "spam"]. Possible values: new, triaged, needs-more-info, resolved, not-applicable, informative, duplicate, spam. No String[]
filter[id] Allows to filter by report ID. No Integer[]
filter[weakness_id] Allows to filter by weaknesses. No Integer[]
filter[severity] The severity ratings you want to fetch the reports for. Default: ["none", "low", "medium", "high", "critical"]. Possible values: none, low, medium, high, critical. No String[]
filter[hacker_published] Allows to filter by reports that are published by hackers, depending on the value of this parameter. No Boolean
filter[created_at__gt] Allows to filter by reports that were created after the date specified in this parameter. No Date
filter[created_at__lt] Allows to filter by reports that were created before the date specified in this parameter. No Date
filter[triaged_at__gt] Allows to filter by reports that were triaged after the date specified in this parameter. No Date
filter[triaged_at__lt] Allows to filter by reports that were triaged before the date specified in this parameter. No Date
filter[triaged_at__null] Allows to filter by reports that are triaged or not, depending on the value of this parameter. No Boolean
filter[closed_at__gt] Allows to filter by reports that were closed after the date specified in this parameter. No Date
filter[closed_at__lt] Allows to filter by reports that were closed before the date specified in this parameter. No Date
filter[closed_at__null] Allows to filter by reports that are closed or not, depending on the value of this parameter. No Boolean
filter[disclosed_at__gt] Allows to filter by reports that were disclosed after the date specified in this parameter. No Date
filter[disclosed_at__lt] Allows to filter by reports that were disclosed before the date specified in this parameter. No Date
filter[disclosed_at__null] Allows to filter by reports that are disclosed or not, depending on the value of this parameter. No Boolean
filter[reporter_agreed_on_going_public] Allows to filter by reports that have or don't have the hacker disclosure request, depending on the value of this parameter. No Boolean
filter[bounty_awarded_at__gt] Allows to filter by reports that have a bounty awarded after the date specified in this parameter. No Date
filter[bounty_awarded_at__lt] Allows to filter by reports that have a bounty awarded before the date specified in this parameter. No Date
filter[bounty_awarded_at__null] Allows to filter by reports that have a bounty awarded or not, depending on the value of this parameter. No Boolean
filter[swag_awarded_at__gt] Allows to filter by reports that have swag awarded after the date specified in this parameter. No Date
filter[swag_awarded_at__lt] Allows to filter by reports that have swag awarded before the date specified in this parameter. No Date
filter[swag_awarded_at__null] Allows to filter by reports that have swag awarded or not, depending on the value of this parameter. No Boolean
filter[last_reporter_activity_at__gt] Allows to filter by reports that received an update from the reporter after the date specified in this parameter. No Date
filter[last_reporter_activity_at__lt] Allows to filter by reports that received an update from the reporter before the date specified in this parameter. No Date
filter[first_program_activity_at__gt] Allows to filter by reports that received the first update from the program after the date specified in this parameter. No Date
filter[first_program_activity_at__lt] Allows to filter by reports that received the first update from the program before the date specified in this parameter. No Date
filter[first_program_activity_at__null] Allows to filter by reports where the reporter received an update from the program or not, depending on the value of this parameter. No Boolean
filter[last_program_activity_at__gt] Allows to filter by reports that received an update from the program after the date specified in this parameter. No Date
filter[last_program_activity_at__lt] Allows to filter by reports that received an update from the program before the date specified in this parameter. No Date
filter[last_activity_at__gt] Allows to filter by reports that received an update after the date specified in this parameter. No Date
filter[last_activity_at__lt] Allows to filter by reports that received an update before the date specified in this parameter. No Date
filter[last_public_activity_at__gt] Allows to filter by reports that received a public update after the date specified in this parameter. No Date
filter[last_public_activity_at__lt] Allows to filter by reports that received a public update before the date specified in this parameter. No Date
filter[keyword] Allows to filter reports by title and details keyword. No String
filter[custom_fields] Allows to filter by reports by a Custom Field Label and Value. No Custom-Field-Input[]
page This parameter can be used to specify the page number and size the client wants to query. No object
page[number] The page to retrieve. Default: 1. No Integer
page[size] The number of objects per page; currently limited from 1 to 100. Default: 25. No Integer
sort The attributes and order to sort the reports on. This parameter may contain multiple attributes that the reports should be sorted on. Sorting is applied in the specified order of attributes. If an attribute should be sorted descending, prepend a hyphen (-). The following attributes can be used for sorting: reports.swag_awarded_at, reports.bounty_awarded_at, reports.last_reporter_activity_at, reports.first_program_activity_at, reports.last_program_activity_at, reports.triaged_at, reports.created_at, reports.closed_at, reports.last_activity_at, and reports.disclosed_at. Default: -reports.created_at. No String
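
The following is an added example, not part of the HackerOne documentation: a Python client that builds the filter query from the parameters above, follows links.next across pages, and flattens each report for a triage queue. The environment variable names, the helper names, the [] form for filter[state] and filter[severity], and the two-page sample response are assumptions of this example.

```python
import base64
import json
import os
import urllib.request
from urllib.parse import urlencode, urlsplit

API_URL = "https://api.hackerone.com/v1/reports"
STATES = {"new", "triaged", "needs-more-info", "resolved",
          "not-applicable", "informative", "duplicate", "spam"}
SEVERITIES = {"none", "low", "medium", "high", "critical"}


def build_query(programs, states=(), severities=(), page_size=25,
                sort="-reports.created_at"):
    """Build the GET /v1/reports URL from the parameters documented above."""
    if not programs:
        raise ValueError("filter[program] is required")
    bad = (set(states) - STATES) | (set(severities) - SEVERITIES)
    if bad:
        raise ValueError(f"unsupported filter value(s): {sorted(bad)}")
    if not 1 <= page_size <= 100:
        raise ValueError("page[size] must be between 1 and 100")
    # Array values repeat the key with a trailing [], as the curl example does
    # for filter[program]; using that form for state/severity is an assumption.
    params = [("filter[program][]", p) for p in programs]
    params += [("filter[state][]", s) for s in states]
    params += [("filter[severity][]", s) for s in severities]
    params += [("page[size]", str(page_size)), ("sort", sort)]
    return API_URL + "?" + urlencode(params)


def http_fetch(url):
    """Fetch one page with HTTP Basic auth. Credentials are read from the
    environment; the variable names are an assumption of this example."""
    cred = f"{os.environ['H1_API_USER']}:{os.environ['H1_API_TOKEN']}"
    token = base64.b64encode(cred.encode()).decode()
    req = urllib.request.Request(url, headers={"Authorization": "Basic " + token})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def iter_reports(first_url, fetch=http_fetch, max_pages=1000):
    """Yield report objects page by page, following links.next."""
    url, seen = first_url, set()
    while url and len(seen) < max_pages:
        parts = urlsplit(url)
        # Credentials go out with every request: only follow links to the API host.
        if parts.scheme != "https" or parts.hostname != "api.hackerone.com":
            raise ValueError(f"refusing to follow link to {url!r}")
        if url in seen:
            raise ValueError("pagination loop detected")
        seen.add(url)
        page = fetch(url)
        for item in page.get("data", []):
            if isinstance(item, dict) and item.get("type") == "report":
                yield item
        # Assumption: the last page carries no "next" link.
        url = page.get("links", {}).get("next")


def rel_attr(report, rel, attr):
    """Read relationships.<rel>.data.attributes.<attr>; None when absent."""
    data = (report.get("relationships", {}).get(rel) or {}).get("data")
    return data.get("attributes", {}).get(attr) if isinstance(data, dict) else None


def triage_row(report):
    """Flatten one report object into the fields a triage queue needs."""
    attrs = report["attributes"]
    return {"id": report["id"], "title": attrs["title"], "state": attrs["state"],
            "severity": rel_attr(report, "severity", "rating"),
            "score": rel_attr(report, "severity", "score"),
            "cwe": rel_attr(report, "weakness", "external_id")}


def sample_report(rid, title, state, severity=None):
    """Constructed sample data, trimmed to the fields used in this example."""
    rels = {"weakness": {"data": {"id": "1337", "type": "weakness",
                                  "attributes": {"external_id": "cwe-352"}}}}
    if severity:
        rels["severity"] = {"data": {"id": "57", "type": "severity", "attributes": {
            "rating": severity[0], "score": severity[1]}}}
    return {"id": rid, "type": "report",
            "attributes": {"title": title, "state": state}, "relationships": rels}


FIRST = build_query(["security"], page_size=2)
SECOND = FIRST + "&page%5Bnumber%5D=2"
SAMPLE_PAGES = {  # constructed two-page response keyed by request URL
    FIRST: {"data": [sample_report("1337", "XSS in login form", "new", ("high", 8.7)),
                     sample_report("1338", "CSRF in admin panel", "triaged", ("medium", 6.3))],
            "links": {"self": FIRST, "next": SECOND}},
    SECOND: {"data": [sample_report("1339", "Constructed report without severity", "new")],
             "links": {"self": SECOND}},
}


def demo():
    """Walk both constructed pages without touching the network."""
    return [triage_row(r) for r in iter_reports(FIRST, fetch=SAMPLE_PAGES.__getitem__)]


if __name__ == "__main__":
    for row in demo():
        print(row)
```

Calling iter_reports(build_query([...])) without the fetch argument uses http_fetch against the live API.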

Get Report

Read a report

curl "https://api.hackerone.com/v1/reports/129329" \
  -u "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ="

Example Response (200 OK)

{
  "data": {
    "id": "1337",
    "type": "report",
    "attributes": {
      "title": "XSS in login form",
      "state": "new",
      "created_at": "2016-02-02T04:05:06.000Z",
      "vulnerability_information": "...",
      "triaged_at": null,
      "closed_at": null,
      "last_reporter_activity_at": null,
      "first_program_activity_at": null,
      "last_program_activity_at": null,
      "bounty_awarded_at": null,
      "swag_awarded_at": null,
      "disclosed_at": null,
      "source": null
    },
    "relationships": {
      "reporter": {
        "data": {
          "id": "1337",
          "type": "user",
          "attributes": {
            "username": "api-example",
            "name": "API Example",
            "disabled": false,
            "created_at": "2016-02-02T04:05:06.000Z",
            "profile_picture": {
              "62x62": "/assets/avatars/default.png",
              "82x82": "/assets/avatars/default.png",
              "110x110": "/assets/avatars/default.png",
              "260x260": "/assets/avatars/default.png"
            }
          }
        }
      },
      "assignee": {
        "data": {
          "id": "1337",
          "type": "user",
          "attributes": {
            "username": "member",
            "name": "Member",
            "disabled": false,
            "created_at": "2016-02-02T04:05:06.000Z",
            "profile_picture": {
              "62x62": "/assets/avatars/default.png",
              "82x82": "/assets/avatars/default.png",
              "110x110": "/assets/avatars/default.png",
              "260x260": "/assets/avatars/default.png"
            }
          }
        }
      },
      "program": {
        "data": {
          "id": "1337",
          "type": "program",
          "attributes": {
            "handle": "security",
            "created_at": "2016-02-02T04:05:06.000Z",
            "updated_at": "2016-02-02T04:05:06.000Z"
          }
        }
      },
      "severity": {
        "data": {
          "id": "57",
          "type": "severity",
          "attributes": {
            "rating": "high",
            "author_type": "User",
            "user_id": 1337,
            "created_at": "2016-02-02T04:05:06.000Z",
            "score": 8.7,
            "attack_complexity": "low",
            "attack_vector": "adjacent",
            "availability": "high",
            "confidentiality": "low",
            "integrity": "high",
            "privileges_required": "low",
            "user_interaction": "required",
            "scope": "changed"
          }
        }
      },
      "swag": {
        "data": [

        ]
      },
      "attachments": {
        "data": [

        ]
      },
      "weakness": {
        "data": {
          "id": "1337",
          "type": "weakness",
          "attributes": {
            "name": "Cross-Site Request Forgery (CSRF)",
            "description": "The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.",
            "external_id": "cwe-352",
            "created_at": "2016-02-02T04:05:06.000Z"
          }
        }
      },
      "structured_scope": {
        "data": {
          "id": "57",
          "type": "structured-scope",
          "attributes": {
            "asset_identifier": "api.example.com",
            "asset_type": "url",
            "confidentiality_requirement": "high",
            "integrity_requirement": "high",
            "availability_requirement": "high",
            "max_severity": "critical",
            "created_at": "2015-02-02T04:05:06.000Z",
            "updated_at": "2016-05-02T04:05:06.000Z",
            "instruction": null,
            "eligible_for_bounty": true,
            "eligible_for_submission": true,
            "reference": "H001001"
          }        
        } 
      },
      "activities": {
        "data": [

        ]
      },
      "bounties": {
        "data": [

        ]
      },
      "summaries": {
        "data": [

        ]
      },
      "triggered_pre_submission_trigger": {
        "data": {
          "id": "1337",
          "type": "trigger",
          "attributes": {
            "title": "Example Trigger"
          }
        }
      },
      "custom_field_values": {
        "data": [

        ]
      } 
    }
  }
}

A report object can be fetched by sending a GET request to a unique report object. In case the request was successful, the API will respond with a report object.

The following report relationships are included: reporter, assignee (a user or group), program, weakness, severity, bounties, swag, activities, attachments, structured scope, summaries, triggered pre-submission trigger, and custom field values.

HTTP Request

GET https://api.hackerone.com/v1/reports/{id}

URI Parameters

Name Description Required Type
id The ID of the report. Yes Integer

Create Report

Create a report for a program

curl "https://api.hackerone.com/v1/reports" \
  -X POST \
  -u "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=" \
  -H "Content-Type: application/json" \
  -d @- <<EOD
    {
      "data": {
        "type": "report",
        "attributes": {
          "team_handle": "security",
          "title": "XSS in login form",
          "vulnerability_information": "...",
          "impact": "...",
          "severity_rating": "medium",
          "weakness_id": "1337",
          "structured_scope_id": "287",
          "source": "detectify"
        }
      }
    }
EOD

Example response (200 OK)

{
  "data": {
    "id": "1337",
    "type": "report",
    "attributes": {
      "title": "XSS in login form",
      "state": "new",
      "created_at": "2016-02-02T04:05:06.000Z",
      "vulnerability_information": "...",
      "triaged_at": null,
      "closed_at": null,
      "last_reporter_activity_at": null,
      "first_program_activity_at": null,
      "last_program_activity_at": null,
      "bounty_awarded_at": null,
      "swag_awarded_at": null,
      "disclosed_at": null,
      "source": null
    },
    "relationships": {
      "reporter": {
        "data": {
          "id": "1337",
          "type": "user",
          "attributes": {
            "username": "api-example",
            "name": "API Example",
            "disabled": false,
            "created_at": "2016-02-02T04:05:06.000Z",
            "profile_picture": {
              "62x62": "/assets/avatars/default.png",
              "82x82": "/assets/avatars/default.png",
              "110x110": "/assets/avatars/default.png",
              "260x260": "/assets/avatars/default.png"
            }
          }
        }
      },
      "program": {
        "data": {
          "id": "1337",
          "type": "program",
          "attributes": {
            "handle": "security",
            "created_at": "2016-02-02T04:05:06.000Z",
            "updated_at": "2016-02-02T04:05:06.000Z"
          }
        }
      },
      "swag": {
        "data": [

        ]
      },
      "attachments": {
        "data": [

        ]
      },
      "weakness": {
        "data": {
          "id": "1337",
          "type": "weakness",
          "attributes": {
            "name": "Cross-Site Request Forgery (CSRF)",
            "description": "The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.",
            "external_id": "cwe-352",
            "created_at": "2016-02-02T04:05:06.000Z"
          }
        }
      },
      "activities": {
        "data": [

        ]
      },
      "bounties": {
        "data": [

        ]
      },
      "summaries": {
        "data": [

        ]
      }
    }
  }
}

This API endpoint can be used to import (known) vulnerabilities into the HackerOne platform, to use these for duplicate detection or central vulnerability management. When the API call is successful, a report object will be returned.

Required permission: Report Management. You can manage the permissions of your API users through your program's settings. Insufficient permissions will result in a 403 Forbidden response.

HTTP Request

POST https://api.hackerone.com/v1/reports

Request Body

Name Description Possible Values Required Type
data This object contains the information to create a report. Yes Object
data/type report Yes String
data/attributes Yes Object
data/attributes/team_handle The handle of the team that the report is being submitted to. Yes String
data/attributes/title The title of the report. Yes String
data/attributes/vulnerability_information Detailed information about the vulnerability including the steps to reproduce and supporting material/references. Yes String
data/attributes/impact The security impact that an attacker could achieve. Yes String
data/attributes/severity_rating The severity rating of the security vulnerability. none, low, medium, high, critical No String
data/attributes/weakness_id The ID of the Weakness object that describes the type of the potential issue. No Integer
data/attributes/structured_scope_id The ID of the StructuredScope object that describes the attack surface. No Integer
data/attributes/source A free-form string defining the source of the report for tracking purposes. For example, "detectify", "rapid7" or "jira". Yes String
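
The following is an added example, not part of the HackerOne documentation: when importing findings from another tool, the request body can be checked against the table above before it is sent, so that a malformed import fails locally. The scanner finding layout, the risk-label mapping and the function names are hypothetical; integer IDs are accepted as digit strings because the curl example sends them that way.

```python
SEVERITY_RATINGS = {"none", "low", "medium", "high", "critical"}
REQUIRED = ("team_handle", "title", "vulnerability_information", "impact", "source")
INTEGER_IDS = ("weakness_id", "structured_scope_id")
DOCUMENTED = set(REQUIRED) | set(INTEGER_IDS) | {"severity_rating"}

# Hypothetical scanner risk labels mapped onto the documented ratings.
RISK_TO_RATING = {"info": "none", "low": "low", "medium": "medium",
                  "high": "high", "critical": "critical"}


def is_integer_id(value):
    """True for a non-negative int or a digit-only string (bool excluded)."""
    if isinstance(value, bool) or not isinstance(value, (int, str)):
        return False
    return str(value).isdigit()


def validate_report_body(body):
    """Return a list of problems; an empty list means the body fits the table."""
    data = body.get("data") if isinstance(body, dict) else None
    if not isinstance(data, dict):
        return ["data: required object is missing"]
    errors = []
    if data.get("type") != "report":
        errors.append("data/type: must be 'report'")
    attrs = data.get("attributes")
    if not isinstance(attrs, dict):
        return errors + ["data/attributes: required object is missing"]
    for name in REQUIRED:
        value = attrs.get(name)
        if not isinstance(value, str) or not value.strip():
            errors.append(f"data/attributes/{name}: required non-empty string")
    rating = attrs.get("severity_rating")
    if rating is not None and not (isinstance(rating, str) and rating in SEVERITY_RATINGS):
        errors.append("data/attributes/severity_rating: must be one of "
                      + ", ".join(sorted(SEVERITY_RATINGS)))
    for name in INTEGER_IDS:
        if attrs.get(name) is not None and not is_integer_id(attrs[name]):
            errors.append(f"data/attributes/{name}: must be an integer ID")
    for name in sorted(set(attrs) - DOCUMENTED):
        errors.append(f"data/attributes/{name}: not a documented attribute")
    return errors


def finding_to_body(finding, team_handle, source):
    """Map one scanner finding (hypothetical dict layout) to a request body."""
    attrs = {"team_handle": team_handle, "title": finding["name"],
             "vulnerability_information": finding["details"],
             "impact": finding["impact"], "source": source}
    risk = str(finding.get("risk", "")).lower()
    if risk in RISK_TO_RATING:
        attrs["severity_rating"] = RISK_TO_RATING[risk]
    if finding.get("weakness_id") is not None:
        attrs["weakness_id"] = finding["weakness_id"]
    return {"data": {"type": "report", "attributes": attrs}}


# Constructed sample finding in the hypothetical scanner layout.
SAMPLE_FINDING = {"name": "XSS in login form", "details": "Steps to reproduce ...",
                  "impact": "Session takeover of the affected user.",
                  "risk": "Medium", "weakness_id": "1337"}

if __name__ == "__main__":
    body = finding_to_body(SAMPLE_FINDING, "security", "detectify")
    print(validate_report_body(body) or "body is valid")
```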

Update Title

Changing the title of a report through the HackerOne API can be useful to programmatically batch update received reports in HackerOne.

Update the title of a report

curl "https://api.hackerone.com/v1/reports/129329/title" \
  -X PUT \
  -u "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=" \
  -H "Content-Type: application/json" \
  -d @- <<EOD
    {
      "data": {
        "type": "report-title",
        "attributes": {
          "title": "Report Title Updated!"
        }
      }
    }
EOD

Example response (200 OK)

{
  "id": "1337",
  "type": "activity-report-title-updated",
  "attributes": {
    "message": "Report Title Updated!",
    "created_at": "2016-02-02T04:05:06.000Z",
    "updated_at": "2016-02-02T04:05:06.000Z",
    "internal": false,
    "old_title": "xss",
    "new_title": "XSS in login form"
  },
  "relationships": {
    "actor": {
      "data": {
        "id": "1337",
        "type": "user",
        "attributes": {
          "username": "api-example",
          "name": "API Example",
          "disabled": false,
          "created_at": "2016-02-02T04:05:06.000Z",
          "profile_picture": {
            "62x62": "/assets/avatars/default.png",
            "82x82": "/assets/avatars/default.png",
            "110x110": "/assets/avatars/default.png",
            "260x260": "/assets/avatars/default.png"
          }
        }
      }
    }
  }
}

Changing the title of a report can be done through this endpoint. This API endpoint cannot be used for reports that have been reported outside of the HackerOne platform.

Required permission: Report Management. You can manage the permissions of your API users through your program's settings. Insufficient permissions will result in a 403 Forbidden response.

HTTP Request

PUT https://api.hackerone.com/v1/reports/{id}/title

URI Parameters

Name Description Required Type
id The ID of the report. Yes Integer

Request Body

Name Description Required Type
data This object contains the information to change the title of a report. Yes Object
data/type Possible values: report-title Yes String
data/attributes Yes Object
data/attributes/title The new title that will be set on the report. Yes String

Update Structured Scope

Update the structured scope of a report

curl "https://api.hackerone.com/v1/reports/77/structured_scope" \
  -X PUT \
  -u "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=" \
  -H "Content-Type: application/json" \
  -d @- <<EOD
    {
      "data": {
        "type": "report-structured-scope",
        "attributes": {
          "structured_scope_id": "57"
        }
      }
    }
EOD

Example response (200 OK)

{
  "id": "77",
  "type": "report",
  "attributes": {
    "title": "XSS in login form",
    "state": "new",
    "created_at": "2019-08-20T14:26:19.286Z",
    "vulnerability_information": "...",
    "triaged_at": null,
    "closed_at": null,
    "last_reporter_activity_at": "2019-08-20T14:26:20.531Z",
    "first_program_activity_at": "2019-08-20T14:26:20.531Z",
    "last_program_activity_at": "2019-08-20T15:25:56.627Z",
    "bounty_awarded_at": null,
    "swag_awarded_at": null,
    "disclosed_at": null,
    "last_public_activity_at": "2019-08-20T15:25:56.627Z",
    "last_activity_at": "2019-08-20T15:25:56.627Z",
    "cve_ids": [],
    "source": null
  },
  "relationships": {
    "structured_scope": {
      "data": {
        "id": "57",
        "type": "structured-scope",
        "attributes": {
          "asset_identifier": "api.example.com",
          "asset_type": "url",
          "confidentiality_requirement": "high",
          "integrity_requirement": "high",
          "availability_requirement": "high",
          "max_severity": "critical",
          "created_at": "2015-02-02T04:05:06.000Z",
          "updated_at": "2016-05-02T04:05:06.000Z",
          "instruction": null,
          "eligible_for_bounty": true,
          "eligible_for_submission": true,
          "reference": "H001001"
        }
      }
    }
  }
}

Changing the structured scope of a report can be done through this endpoint. This API endpoint cannot be used for reports that have been reported outside of the HackerOne platform.

Required permission: Report Management. You can manage the permissions of your API users through your program's settings. Insufficient permissions will result in a 403 Forbidden response.

HTTP Request

PUT https://api.hackerone.com/v1/reports/{id}/structured_scope

URI Parameters

Name Description Required Type
id The ID of the report. Yes Integer

Request Body

Name Description Possible Values Required Type
data This object contains the information to change the structured scope of a report. Yes Object
data/type report-structured-scope Yes String
data/attributes Yes Object
data/attributes/structured_scope_id The new structured scope that will be set on the report. Yes Integer

Update Weakness

Update the weakness of a report

curl "https://api.hackerone.com/v1/reports/129329/weakness" \
  -X PUT \
  -u "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=" \
  -H "Content-Type: application/json" \
  -d @- <<EOD
    {
      "data": {
        "type": "report-weakness",
        "attributes": {
          "weakness_id": "123"
        }
      }
    }
EOD

Example response (200 OK)

{
  "id": "77",
  "type": "report",
  "attributes": {
    "title": "XSS in login form",
    "state": "new",
    "created_at": "2019-08-20T14:26:19.286Z",
    "vulnerability_information": "...",
    "triaged_at": null,
    "closed_at": null,
    "last_reporter_activity_at": "2019-08-20T14:26:20.531Z",
    "first_program_activity_at": "2019-08-20T14:26:20.531Z",
    "last_program_activity_at": "2019-08-20T15:25:56.627Z",
    "bounty_awarded_at": null,
    "swag_awarded_at": null,
    "disclosed_at": null,
    "last_public_activity_at": "2019-08-20T15:25:56.627Z",
    "last_activity_at": "2019-08-20T15:25:56.627Z",
    "cve_ids": [],
    "source": null
  },
  "relationships": {
    "weakness": {
      "data": {
        "id": "77",
        "type": "weakness",
        "attributes": {
          "name": "Reliance on Reverse DNS Resolution for a Security-Critical Action",
          "description": "The software performs reverse DNS resolution on an IP address to obtain the hostname and make a security decision, but it does not properly ensure that the IP address is truly associated with the hostname.",
          "external_id": "cwe-350",
          "created_at": "2019-07-12T08:36:13.646Z"
        }
      }
    }
  }
}

Changing the weakness of a report can be done through this endpoint. This API endpoint cannot be used for reports that have been reported outside of the HackerOne platform.

Required permission: Report Management. You can manage the permissions of your API users through your program's settings. Insufficient permissions will result in a 403 Forbidden response.

HTTP Request

PUT https://api.hackerone.com/v1/reports/{id}/weakness

URI Parameters

| Name | Description | Required | Type |
| --- | --- | --- | --- |
| id | The ID of the report. | Yes | Integer |

Request Body

| Name | Description | Possible Values | Required | Type |
| --- | --- | --- | --- | --- |
| data | This object contains the information to change the weakness of a report. |  | Yes | Object |
| data/type |  | report-weakness | Yes | String |
| data/attributes |  |  | Yes | Object |
| data/attributes/weakness_id | The new weakness that will be set on the report. |  | Yes | Integer |

Update Severity

Create severity

curl "https://api.hackerone.com/v1/reports/172932/severities" \
  -X POST \
  -u "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=" \
  -H "Content-Type: application/json" \
  -d @- <<EOD
    {
      "data": {
        "attributes": {
          "rating": "high",
          "attack_complexity": "",
          "attack_vector": "",
          "availability": "",
          "confidentiality": "",
          "integrity": "",
          "privileges_required": "",
          "scope": "",
          "user_interaction": ""
        }
      }
    }
EOD

Example response (200 OK)

{
  "data": {
    "id": "2057",
    "type": "severity",
    "attributes": {
      "rating": "high",
      "created_at": "2017-08-22T15:09:44.176Z"
    }
  }
}

You can use this endpoint to create or update the severity of the provided report. If the report already has a severity, a new one will be created and used as the current severity.

Required permission: Report Management. You can manage the permissions of your API users through your program's settings. Insufficient permissions will result in a 404 Not Found response.

HTTP Request

POST https://api.hackerone.com/v1/reports/{id}/severities

URI Parameters

| Name | Description | Required | Type |
| --- | --- | --- | --- |
| id | The ID of the report. | Yes | Integer |

Request Body

| Name | Description | Possible Values | Required | Type |
| --- | --- | --- | --- | --- |
| data | This object contains the information required to create a severity. |  | Yes | Object |
| data/attributes |  |  | Yes | Object |
| data/attributes/rating | The qualitative rating of the severity. Provided either directly from the author or mapped from the calculated vulnerability score. | none, low, medium, high, critical | No | String |
| data/attributes/score | The vulnerability score calculated from the Common Vulnerability Scoring System (CVSS). Only present if CVSS metrics were provided. |  | No | Number |
| data/attributes/attack_vector | A CVSS metric that reflects the context by which vulnerability exploitation is possible. | network, adjacent, local, physical | No | String |
| data/attributes/attack_complexity | A CVSS metric that describes the conditions beyond the attacker's control that must exist in order to exploit the vulnerability. | low, high | No | String |
| data/attributes/privileges_required | A CVSS metric that describes the level of privileges an attacker must possess before successfully exploiting the vulnerability. | none, low, high | No | String |
| data/attributes/user_interaction | A CVSS metric that captures the requirement for a user, other than the attacker, to participate in the successful compromise of the vulnerability component. | none, required | No | String |
| data/attributes/scope | A CVSS metric that determines if a successful attack impacts a component other than the vulnerable component. | unchanged, changed | No | String |
| data/attributes/confidentiality | A CVSS metric that measures the impact to the confidentiality of the information resources managed by a software component due to a successfully exploited vulnerability. | none, low, high | No | String |
| data/attributes/integrity | A CVSS metric that measures the impact to the integrity of a successfully exploited vulnerability. | none, low, high | No | String |
| data/attributes/availability | A CVSS metric that measures the availability of the impacted component resulting from a successfully exploited vulnerability. | none, low, high | No | String |
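The rating and score attributes are derived from the CVSS metrics, so it helps to know what a set of metrics maps to before submitting it. The Python below is an added example, not part of the HackerOne documentation: it previews the base score and rating locally and builds the request body. It assumes the CVSS v3.1 base-score equations and the scope values unchanged/changed (this page only says "CVSS"); all function names are illustrative.

```python
import math

# Metric weights from the CVSS v3.1 specification, keyed by the value names
# used in the request body table. Assumption: the API scores with CVSS v3.1.
ATTACK_VECTOR = {"network": 0.85, "adjacent": 0.62, "local": 0.55, "physical": 0.2}
ATTACK_COMPLEXITY = {"low": 0.77, "high": 0.44}
USER_INTERACTION = {"none": 0.85, "required": 0.62}
IMPACT = {"none": 0.0, "low": 0.22, "high": 0.56}
# privileges_required is weighted differently when scope changes:
# (weight if scope unchanged, weight if scope changed)
PRIVILEGES_REQUIRED = {"none": (0.85, 0.85), "low": (0.62, 0.68), "high": (0.27, 0.5)}
METRICS = ("attack_vector", "attack_complexity", "privileges_required",
           "user_interaction", "scope", "confidentiality", "integrity",
           "availability")


def roundup(value):
    """CVSS v3.1 Roundup: smallest one-decimal number >= value, float-safe."""
    scaled = round(value * 100000)
    if scaled % 10000 == 0:
        return scaled / 100000.0
    return (math.floor(scaled / 10000) + 1) / 10.0


def base_score(metrics):
    """Return the CVSS v3.1 base score for a dict holding all eight metrics."""
    try:
        changed = {"unchanged": False, "changed": True}[metrics["scope"]]
        av = ATTACK_VECTOR[metrics["attack_vector"]]
        ac = ATTACK_COMPLEXITY[metrics["attack_complexity"]]
        pr = PRIVILEGES_REQUIRED[metrics["privileges_required"]][changed]
        ui = USER_INTERACTION[metrics["user_interaction"]]
        c = IMPACT[metrics["confidentiality"]]
        i = IMPACT[metrics["integrity"]]
        a = IMPACT[metrics["availability"]]
    except KeyError as exc:
        raise ValueError(f"missing metric or invalid value: {exc}") from None

    iss = 1 - (1 - c) * (1 - i) * (1 - a)
    if changed:
        impact = 7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ** 15
    else:
        impact = 6.42 * iss
    if impact <= 0:
        return 0.0
    exploitability = 8.22 * av * ac * pr * ui
    if changed:
        return roundup(min(1.08 * (impact + exploitability), 10))
    return roundup(min(impact + exploitability, 10))


def rating_for(score):
    """Map a base score to the qualitative ratings listed for data/attributes/rating."""
    if score == 0:
        return "none"
    if score < 4.0:
        return "low"
    if score < 7.0:
        return "medium"
    if score < 9.0:
        return "high"
    return "critical"


def severity_body(metrics):
    """Return (request body, predicted score, predicted rating).

    The body carries only the eight metrics; the rating is left for the
    API to map from the score it calculates.
    """
    score = base_score(metrics)
    attributes = {name: metrics[name] for name in METRICS}
    return {"data": {"attributes": attributes}}, score, rating_for(score)


# Constructed sample: a reflected XSS that needs a click and crosses a
# security boundary (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N).
SAMPLE_XSS = {
    "attack_vector": "network", "attack_complexity": "low",
    "privileges_required": "none", "user_interaction": "required",
    "scope": "changed", "confidentiality": "low", "integrity": "low",
    "availability": "none",
}

if __name__ == "__main__":
    body, score, rating = severity_body(SAMPLE_XSS)
    print(score, rating)
```

If the rating predicted here differs from the rating in the API response, treat the response as authoritative and check which CVSS version your program uses.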

Update Assignee

Assign a user

curl "https://api.hackerone.com/v1/reports/129329/assignee" \
  -X PUT \
  -u "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=" \
  -H "Content-Type: application/json" \
  -d @- <<EOD
    {
      "data": {
        "id": 1337,
        "type": "user",
        "attributes": {
          "message": "@member Please check this out!"
        }
      }
    }
EOD

Example response (200 OK)

{
  "id": "1337",
  "type": "report",
  "attributes": {
    "title": "XSS in login form",
    "state": "new",
    "created_at": "2016-02-02T04:05:06.000Z",
    "vulnerability_information": "...",
    "triaged_at": null,
    "closed_at": null,
    "last_reporter_activity_at": null,
    "first_program_activity_at": null,
    "last_program_activity_at": null,
    "bounty_awarded_at": null,
    "swag_awarded_at": null,
    "disclosed_at": null,
    "last_activity_at": null,
    "issue_tracker_reference_url": "https://example.com/reference",
    "cve_ids": [],
    "source": null
  },
  "relationships": {
    "reporter": {
      "data": {
        "id": "1337",
        "type": "user",
        "attributes": {
          "username": "api-example",
          "name": "API Example",
          "disabled": false,
          "created_at": "2016-02-02T04:05:06.000Z",
          "profile_picture": {
            "62x62": "/assets/avatars/default.png",
            "82x82": "/assets/avatars/default.png",
            "110x110": "/assets/avatars/default.png",
            "260x260": "/assets/avatars/default.png"
          },
          "reputation": 7,
          "signal": 7.0,
          "impact": 30.0
        }
      }
    },
    "assignee": {
      "data": {
        "id": "1337",
        "type": "user",
        "attributes": {
          "username": "member",
          "name": "Member",
          "disabled": false,
          "created_at": "2016-02-02T04:05:06.000Z",
          "profile_picture": {
            "62x62": "/assets/avatars/default.png",
            "82x82": "/assets/avatars/default.png",
            "110x110": "/assets/avatars/default.png",
            "260x260": "/assets/avatars/default.png"
          }
        }
      }
    },
    "program": {
      "data": {
        "id": "1337",
        "type": "program",
        "attributes": {
          "handle": "security",
          "created_at": "2016-02-02T04:05:06.000Z",
          "updated_at": "2016-02-02T04:05:06.000Z"
        }
      }
    },
    "swag": {
      "data": [

      ]
    },
    "attachments": {
      "data": [

      ]
    },
    "weakness": {
      "data": {
        "id": "1337",
        "type": "weakness",
        "attributes": {
          "name": "Cross-Site Request Forgery (CSRF)",
          "description": "The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.",
          "external_id": "cwe-352",
          "created_at": "2016-02-02T04:05:06.000Z"
        }
      }
    },
    "activities": {
      "data": [
        {
          "id": "1337",
          "type": "activity-user-assigned-to-bug",
          "attributes": {
            "message": "@member Please check this out!",
            "created_at": "2016-02-02T04:05:06.000Z",
            "updated_at": "2016-02-02T04:05:06.000Z",
            "internal": true
          },
          "relationships": {
            "actor": {
              "data": {
                "id": "1338",
                "type": "user",
                "attributes": {
                  "username": "api_example_company",
                  "name": null,
                  "disabled": false,
                  "created_at": "2016-02-02T04:05:06.000Z",
                  "profile_picture": {
                    "62x62": "/assets/avatars/default.png",
                    "82x82": "/assets/avatars/default.png",
                    "110x110": "/assets/avatars/default.png",
                    "260x260": "/assets/avatars/default.png"
                  }
                }
              }
            },
            "assigned_user": {
              "data": {
                "id": "1337",
                "type": "user",
                "attributes": {
                  "username": "member",
                  "name": "Member",
                  "disabled": false,
                  "created_at": "2016-02-02T04:05:06.000Z",
                  "profile_picture": {
                    "62x62": "/assets/avatars/default.png",
                    "82x82": "/assets/avatars/default.png",
                    "110x110": "/assets/avatars/default.png",
                    "260x260": "/assets/avatars/default.png"
                  }
                }
              }
            }
          }
        }
      ]
    },
    "bounties": {
      "data": [

      ]
    },
    "summaries": {
      "data": [

      ]
    }
  }
}

A user or group can be assigned to a report with this endpoint. An optional message can be specified, which will be posted as an internal comment to the report subscribers. Only users and groups that are part of the program can be assigned. It is not possible to assign API users to a report.

When assigning a single user to a report, that user will be automatically subscribed to the report. In case a group is assigned to a report, all users that are part of that group are subscribed to the report. Subscribers will receive a notification that the report was assigned.

In case the request was successful, the API will respond with the updated report object.

Required permission: Report Management. You can manage the permissions of your API users through your program's settings. Insufficient permissions will result in a 403 Forbidden response.

HTTP Request

PUT https://api.hackerone.com/v1/reports/{id}/assignee

URI Parameters

| Name | Description | Required | Type |
| --- | --- | --- | --- |
| id | The ID of the report. | Yes | Integer |

Request Body

| Name | Description | Required | Type |
| --- | --- | --- | --- |
| data | This object contains the information to assign a user or group object to the report, or to clear the assignee of a report. | Yes | Object |
| data/id | The ID of the user or group. Required unless the type is 'nobody'. | No | Integer |
| data/type | Specifies whether a user or group should be assigned, or if the assignee should be cleared. Possible values: user, group, nobody. | Yes | String |
| data/attributes |  | No | Object |
| data/attributes/message | The message that will be posted to the assigned user or group. | No | String |

Update Reference

Add a reference to a report

curl "https://api.hackerone.com/v1/reports/77/issue_tracker_reference_id" \
  -X POST \
  -u "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=" \
  -H "Content-Type: application/json" \
  -d @- <<EOD
    {
      "data": {
        "type": "issue-tracker-reference-id",
        "attributes": {
          "reference": "T7413",
          "message": "Reference Id Added!"
        }
      }
    }
EOD

Example response (200 OK)

{
  "relationships": {
    "id": "77",
    "type": "report",
    "attributes": {
      "title": "XSS in login form",
      "state": "new",
      "created_at": "2019-08-20T14:26:19.286Z",
      "vulnerability_information": "...",
      "triaged_at": null,
      "closed_at": null,
      "last_reporter_activity_at": "2019-08-20T14:26:20.531Z",
      "first_program_activity_at": "2019-08-20T14:26:20.531Z",
      "last_program_activity_at": "2019-08-20T15:25:56.627Z",
      "bounty_awarded_at": null,
      "swag_awarded_at": null,
      "disclosed_at": null,
      "last_public_activity_at": "2019-08-20T15:25:56.627Z",
      "last_activity_at": "2019-08-20T15:25:56.627Z",
      "cve_ids": [],
      "source": null
    },
    "relationships": {
      "activities": {
        "data": [
          {
            "type": "activity-reference-id-added",
            "id": "<id>",
            "attributes": {
              "message": "Reference Id Added!",
              "created_at": "<date>",
              "updated_at": "<date>",
              "internal": true,
              "reference": "T7413",
              "reference_url": "https://example.com/T7413"
            },
            "relationships": {
              "actor": {
                "data": {
                  "id": "<id>",
                  "type": "user",
                  "attributes": {
                    "username": "api_user",
                    "name": null,
                    "disabled": false,
                    "created_at": "2019-10-14T13:59:49.563Z",
                    "profile_picture": {
                      "62x62": "/assets/avatars/default.png",
                      "82x82": "/assets/avatars/default.png",
                      "110x110": "/assets/avatars/default.png",
                      "260x260": "/assets/avatars/default.png"
                    },
                    "signal": null,
                    "impact": null,
                    "reputation": null,
                    "bio": null,
                    "website": null,
                    "location": null,
                    "hackerone_triager": false
                  }
                }
              }
            }
          }
        ]
      }
    }
  } 
}

This API endpoint allows the user to set a reference to an external issue tracker.

A report can only hold one active reference at the same time. However, a log of previously added references can be found in the activities relationship on a report object. This API endpoint cannot be used for reports that have been reported outside of the HackerOne platform.

To begin setting up the integration with your issue tracker, check out the Integrations tab under your Program settings on HackerOne.com.

Required permission: Report Management. You can manage the permissions of your API users through your program's settings. Insufficient permissions will result in a 403 Forbidden response.

HTTP Request

POST https://api.hackerone.com/v1/reports/{id}/issue_tracker_reference_id

URI Parameters

| Name | Located in | Description | Required | Type |
| --- | --- | --- | --- | --- |
| id | path | The ID of the report. | Yes | Integer |

Request Body

| Name | Description | Required | Type |
| --- | --- | --- | --- |
| data | This object contains the information to update the reference of a report. | Yes | Object |
| data/type | Possible values: issue-tracker-reference-id | Yes | String |
| data/attributes |  | Yes | Object |
| data/attributes/reference | The unique reference in the issue tracker. | Yes | String |
| data/attributes/message | The message that will be posted. | No | String |

Redact

Redact a report

curl "https://api.hackerone.com/v1/reports/129329/redact" \
  -X PUT \
  -u "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=" \
  -H "Content-Type: application/json" \
  -d @- <<EOD
    {
      "data": {
        "type": "report-title",
        "attributes": {
          "string_to_redact": "IP address: 127.0.0.1"
        }
      }
    }
EOD

Example response (200 OK)

{
  "id": "79",
  "type": "report",
  "attributes": {
      "title": "CSRF on ████",
      "state": "resolved",
      "created_at": "2019-09-10T08:06:00.787Z",
      "vulnerability_information": "Vulnerability detected on ██████████ ...",
      "triaged_at": null,
      "closed_at": null,
      "last_reporter_activity_at": null,
      "first_program_activity_at": null,
      "last_program_activity_at": null,
      "bounty_awarded_at": null,
      "swag_awarded_at": null,
      "disclosed_at": null,
      "last_public_activity_at": null,
      "last_activity_at": null,
      "cve_ids": [],
      "source": null
  },
  "relationships": {
      "reporter": {
          "data": {
            "id": "1337",
            "type": "user",
            "attributes": {
              "username": "api-example",
              "name": "API Example",
              "disabled": false,
              "created_at": "2016-02-02T04:05:06.000Z",
              "profile_picture": {
                "62x62": "/assets/avatars/default.png",
                "82x82": "/assets/avatars/default.png",
                "110x110": "/assets/avatars/default.png",
                "260x260": "/assets/avatars/default.png"
              }
            }
          }
      },
      "program": {
          "data": {
              "id": "487",
              "type": "program",
              "attributes": {
                  "handle": "security",
                  "policy": "...",
                  "created_at": "2013-01-01T00:00:00.000Z",
                  "updated_at": "2019-10-16T12:23:48.295Z"
              }
          }
      }
  }
}

Reports can be redacted through this endpoint. It can be useful to programmatically batch update received reports in HackerOne. This API endpoint cannot be used for reports that have been reported outside of the HackerOne platform.

Required permission: Report Management. You can manage the permissions of your API users through your program's settings. Insufficient permissions will result in a 403 Forbidden response.

HTTP Request

PUT https://api.hackerone.com/v1/reports/{id}/redact

URI Parameters

| Name | Description | Required | Type |
| --- | --- | --- | --- |
| id | The ID of the report. | Yes | Integer |

Request Body

| Name | Description | Required | Type |
| --- | --- | --- | --- |
| data | This object contains the information to redact a report. | Yes | Object |
| data/type | Possible values: report-redact | Yes | String |
| data/attributes |  | Yes | Object |
| data/attributes/string_to_redact | The string to redact from the report. | Yes | String |

Change State

Mark a report as resolved

curl "https://api.hackerone.com/v1/reports/129329/state_changes" \
  -X POST \
  -u "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=" \
  -H "Content-Type: application/json" \
  -d @- <<EOD
    {
      "data": {
        "type": "state-change",
        "attributes": {
          "message": "This vulnerability has been resolved. Thanks!",
          "state": "resolved"
        }
      }
    }
EOD

Changing the state of a report can be done through this endpoint. Closing a report as resolved will automatically recognize the finder in the program's hall of fame and reputation will be given. If a report is closed as N/A, informative, or spam, reputation will be deducted from the finder's track record.

There is currently one feature missing in the state change API: the ability to invite the finder of the duplicate to the original report. This feature will be implemented in a future version of the API.

Required permission: Report Management. You can manage the permissions of your API users through your program's settings. Insufficient permissions will result in a 403 Forbidden response.

HTTP Request

POST https://api.hackerone.com/v1/reports/{id}/state_changes

URI Parameters

| Name | Description | Required | Type |
| --- | --- | --- | --- |
| id | The ID of the report. | Yes | Integer |

Request Body

| Name | Description | Possible Values | Required | Type |
| --- | --- | --- | --- | --- |
| data | This object contains the information to change the state of a report. |  | Yes | Object |
| data/type |  | state-change | Yes | String |
| data/attributes |  |  | Yes | Object |
| data/attributes/message | The message that will be posted. Required when the new state is needs-more-info, informative, or duplicate. |  | No | String |
| data/attributes/state | The state the report needs to be moved to. | new, triaged, needs-more-info, resolved, not-applicable, informative, duplicate, spam | Yes | String |
| data/attributes/original_report_id | The ID of the report to use as the original report. Only available when closing the report as duplicate. |  | No | Integer |

Create Comment

Post a public comment

curl "https://api.hackerone.com/v1/reports/129329/activities" \
  -X POST \
  -u "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=" \
  -H "Content-Type: application/json" \
  -d @- <<EOD
    {
      "data": {
        "type": "activity-comment",
        "attributes": {
          "message": "A fix has been deployed. Can you retest, please?",
          "internal": false
        }
      }
    }
EOD

Example response (200 OK)

{
  "data": {
    "id": "1337",
    "type": "activity-comment",
    "attributes": {
      "message": "A fix has been deployed. Can you retest, please?",
      "created_at": "2016-02-02T04:05:06.000Z",
      "updated_at": "2016-02-02T04:05:06.000Z",
      "internal": false
    },
    "relationships": {
      "actor": {
        "data": {
          "id": "1337",
          "type": "user",
          "attributes": {
            "username": "api-example",
            "name": "API Example",
            "disabled": false,
            "created_at": "2016-02-02T04:05:06.000Z",
            "profile_picture": {
              "62x62": "/assets/avatars/default.png",
              "82x82": "/assets/avatars/default.png",
              "110x110": "/assets/avatars/default.png",
              "260x260": "/assets/avatars/default.png"
            }
          }
        }
      }
    }
  }
}

Both public and internal comments can be posted with this endpoint. Comments require a message before they will be posted. If a public comment is posted, any user that is subscribed to the report will receive a notification of the created comment. For internal comments, only people managing the program who are subscribed to the report will receive a notification.

Required permission: Report Management for posting public comments. Posting internal comments does not require any additional permissions. You can manage the permissions of your API users through your program's settings. Insufficient permissions will result in a 403 Forbidden response.

HTTP Request

POST https://api.hackerone.com/v1/reports/{id}/activities

URI Parameters

| Name | Description | Required | Type |
| --- | --- | --- | --- |
| id | The ID of the report. | Yes | Integer |

Request Body

| Name | Description | Possible Values | Required | Type |
| --- | --- | --- | --- | --- |
| data | This object contains the information to create a comment object for the report. |  | Yes | Object |
| data/type | Type of activity. | activity-comment | Yes | String |
| data/attributes |  |  | Yes | Object |
| data/attributes/message | The message that will be posted. |  | Yes | String |
| data/attributes/internal | A boolean that indicates whether the comment should be internal or public. Internal comments are only viewable by the users that manage the program. Public comments are viewable by everyone, including the person that submitted the report. |  | Yes | Boolean |

Close Comments

Lock a report

curl "https://api.hackerone.com/v1/reports/129329/close_comments" \
  -X PUT \
  -u "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=" \
  -H "Content-Type: application/json" \
  -d @- <<EOD
    {
      "data": {
        "type": "activity-comments-closed"
      }
    }
EOD

Example response (200 OK)

{
  "id": "1337",
  "type": "activity-comments-closed",
  "attributes": {
    "message": "Comments Closed!",
    "created_at": "2016-02-02T04:05:06.000Z",
    "updated_at": "2016-02-02T04:05:06.000Z",
    "internal": false
  },
  "relationships": {
    "actor": {
      "data": {
        "id": "1337",
        "type": "user",
        "attributes": {
          "username": "api-example",
          "name": "API Example",
          "disabled": false,
          "created_at": "2016-02-02T04:05:06.000Z",
          "profile_picture": {
            "62x62": "/assets/avatars/default.png",
            "82x82": "/assets/avatars/default.png",
            "110x110": "/assets/avatars/default.png",
            "260x260": "/assets/avatars/default.png"
          }
        }
      }
    }
  }
}

A report can only be locked once. This API endpoint cannot be used for reports that have been reported outside of the HackerOne platform or reported to other teams.

Required permission: Report Management. You can manage the permissions of your API users through your program's settings. Insufficient permissions will result in a 403 Forbidden response.

HTTP Request

PUT https://api.hackerone.com/v1/reports/{id}/close_comments

URI Parameters

| Name | Description | Required | Type |
| --- | --- | --- | --- |
| id | The ID of the report. | Yes | Integer |

Request Body

| Name | Description | Possible Values | Required | Type |
| --- | --- | --- | --- | --- |
| data | This object contains the information to lock the report. |  | Yes | Object |
| data/type |  | activity-comments-closed | Yes | String |

Add Summary

This API endpoint allows the user to create a report summary for reports that are received by teams that the user is part of.

Create report summary

curl "https://api.hackerone.com/v1/reports/129329/summaries" \
  -X POST \
  -u "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=" \
  -H "Content-Type: application/json" \
  -d @- <<EOD
    {
      "data": {
        "type": "report-summary",
        "attributes": {
          "content": "There was a cross-site scripting vulnerability in our login form."
        }
      }
    }
EOD

Example response (200 OK)

{
  "id": "1337",
  "type": "report-summary",
  "attributes": {
    "content": "There was a cross-site scripting vulnerability in our login form.",
    "category": "team",
    "created_at": "2016-02-02T04:05:06.000Z",
    "updated_at": "2016-02-02T04:05:06.000Z"
  },
  "relationships": {
    "user": {
      "data": {
        "id": "1337",
        "type": "user",
        "attributes": {
          "username": "api-example",
          "name": "API Example",
          "disabled": false,
          "created_at": "2016-02-02T04:05:06.000Z",
          "profile_picture": {
            "62x62": "/assets/avatars/default.png",
            "82x82": "/assets/avatars/default.png",
            "110x110": "/assets/avatars/default.png",
            "260x260": "/assets/avatars/default.png"
          }
        }
      }
    }
  }
}

A team can only include a single report summary. This API endpoint cannot be used for reports that have been reported outside of the HackerOne platform or reported to other teams.

Required permission: Report Management. You can manage the permissions of your API users through your program's settings. Insufficient permissions will result in a 403 Forbidden response.

HTTP Request

POST https://api.hackerone.com/v1/reports/{id}/summaries

URI Parameters

| Name | Description | Required | Type |
| --- | --- | --- | --- |
| id | The ID of the report. | Yes | Integer |

Request Body

| Name | Description | Possible Values | Required | Type |
| --- | --- | --- | --- | --- |
| data | This object contains the information necessary to create a report summary. |  | Yes | Object |
| data/type |  | report-summary | Yes | String |
| data/attributes |  |  | Yes | Object |
| data/attributes/content | The content of the report summary to be created. |  | Yes | String |

Award Bounty

Create a bounty

curl "https://api.hackerone.com/v1/reports/172932/bounties" \
  -X POST \
  -u "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=" \
  -H "Content-Type: application/json" \
  -d @- <<EOD
    {
      "data": {
        "message": "Thanks for the great report. Here's your bounty!",
        "amount": "500",
        "bonus_amount": "250"
      }
    }
EOD

Example response (200 OK)

{
  "data": {
    "id": "58549",
    "type": "bounty",
    "attributes": {
      "amount": "1330.00",
      "bonus_amount": "7.00",
      "awarded_amount": "1330.00",
      "awarded_bonus_amount": "7.00",
      "awarded_currency": "USD",
      "created_at": "2017-08-22T15:03:46.183Z"
    }
  }
}

You can use this endpoint to award bounties to the reporter of the provided report.

Required permission: Reward Management. You can manage the permissions of your API users through your program's settings. Insufficient permissions will result in a 404 Not Found response.

In addition, your program needs to be able to award bounties and the report needs to be eligible for bounties. If either case is false, the call will result in a 403 Forbidden response.

HTTP Request

POST https://api.hackerone.com/v1/reports/{id}/bounties

URI Parameters

| Name | Located in | Description | Required | Type |
| --- | --- | --- | --- | --- |
| id | path | The ID of the report. | Yes | Integer |

Request Body

| Name | Description | Required | Type |
| --- | --- | --- | --- |
| data | This object contains the information required to create a bounty. | Yes | Object |
| data/message | The public message posted on the report. Always required. | Yes | String |
| data/amount | The bounty amount to award to the reporter. Only one of amount or bonus amount is required. Must be a positive number, and, when provided, must be equal to or greater than your minimum bounty. | No | Number |
| data/bonus_amount | The bonus amount to award to the reporter. Only one of amount or bonus amount is required. Must be a positive number. | No | Number |

Get Bounty Suggestions

Query bounty suggestions for a report

curl "https://api.hackerone.com/v1/reports/79/bounty_suggestions" \
  -u "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ="

Example response (200 OK)

{
  "data": [
    {
      "type": "activity-bounty-suggested",
      "id": "1946481",
      "attributes": {
        "message": "This report is great, I think we should award a high bounty.",
        "created_at": "2019-09-22T15:10:02.699Z",
        "updated_at": "2019-09-22T15:10:02.699Z",
        "internal": true,
        "bounty_amount": "300.00",
        "bonus_amount": "0.00"
      },
      "relationships": {
        "actor": {
          "data": {
            "type": "user",
            "id": "193855",
            "attributes": {
              "username": "sjors",
              "name": null,
              "disabled": false,
              "created_at": "2019-09-22T13:18:29.084Z",
              "profile_picture": {
                "62x62": "/assets/avatars/default-71a302d706457f3d3a31eb30fa3e73e6cf0b1d677b8fa218eaeaffd67ae97918.png",
                "82x82": "/assets/avatars/default-71a302d706457f3d3a31eb30fa3e73e6cf0b1d677b8fa218eaeaffd67ae97918.png",
                "110x110": "/assets/avatars/default-71a302d706457f3d3a31eb30fa3e73e6cf0b1d677b8fa218eaeaffd67ae97918.png",
                "260x260": "/assets/avatars/default-71a302d706457f3d3a31eb30fa3e73e6cf0b1d677b8fa218eaeaffd67ae97918.png"
              }
            }
          }
        }
      }
    }
  ]
}

This API endpoint allows a user to retrieve a list of a report's bounty suggestions.

HTTP Request

GET https://api.hackerone.com/v1/reports/{id}/bounty_suggestions

URI Parameters

| Name | Description | Required | Type |
| --- | --- | --- | --- |
| id | The ID of the report. | Yes | Integer |

Add Bounty Suggestion

Create a bounty suggestion

curl "https://api.hackerone.com/v1/reports/172932/bounty_suggestions" \
  -X POST \
  -u "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=" \
  -H "Content-Type: application/json" \
  -d @- <<EOD
    {
      "data": {
        "message": "This report is great, I think we should award a high bounty",
        "amount": "5000",
        "bonus_amount": "2500"
      }
    }
EOD

Example response (200 OK)

{
  "data": {
    "type": "activity-bounty-suggested",
    "id": "1946481",
    "attributes": {
      "message": "This report is great, I think we should award a high bounty.",
      "created_at": "2017-08-22T15:10:02.699Z",
      "updated_at": "2017-08-22T15:10:02.699Z",
      "internal": true,
      "bounty_amount": "5,000",
      "bonus_amount": "2,500"
    },
    "relationships": {
      "actor": {
        "data": {
          "type": "user",
          "id": "193855",
          "attributes": {
            "username": "sjors",
            "name": null,
            "disabled": false,
            "created_at": "2017-08-22T13:18:29.084Z",
            "profile_picture": {
              "62x62": "/assets/avatars/default-71a302d706457f3d3a31eb30fa3e73e6cf0b1d677b8fa218eaeaffd67ae97918.png",
              "82x82": "/assets/avatars/default-71a302d706457f3d3a31eb30fa3e73e6cf0b1d677b8fa218eaeaffd67ae97918.png",
              "110x110": "/assets/avatars/default-71a302d706457f3d3a31eb30fa3e73e6cf0b1d677b8fa218eaeaffd67ae97918.png",
              "260x260": "/assets/avatars/default-71a302d706457f3d3a31eb30fa3e73e6cf0b1d677b8fa218eaeaffd67ae97918.png"
            }
          }
        }
      }
    }
  }
}

You can use this endpoint to suggest bounties for the provided report.

Required permission: Reward Management OR Report Management. You can manage the permissions of your API users through your program's settings. Insufficient permissions will result in a 404 Not Found response.

HTTP Request

POST https://api.hackerone.com/v1/reports/{id}/bounty_suggestions

URI Parameters

Name Description Required Type
id The ID of the report. Yes Integer

Request Body

Name Description Required Type
data This object contains the information required to create a bounty suggestion. Yes Object
data/message The internal message posted on the report. Always required. Only readable by team members. Yes String
data/amount The suggested bounty amount to award to the reporter. Only one of amount or bonus amount is required. Must be a positive number, and, when provided, must be equal to or greater than your minimum bounty. No Number
data/bonus_amount The suggested bonus amount to award to the reporter. Only one of amount or bonus amount is required. Must be a positive number. No Number

Award Swag

Award swag

curl "https://api.hackerone.com/v1/reports/172932/swags" \
  -X POST \
  -u "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=" \
  -H "Content-Type: application/json" \
  -d @- <<EOD
    {
      "data": {
        "message": "This is the 5th report we received from you. We'd like to send you a shirt and some stickers as a small thank-you!"
      }
    }
EOD

Example response (200 OK)

{
  "data": {
    "id": "2057",
    "type": "swag",
    "attributes": {
      "sent": false,
      "created_at": "2017-08-22T15:09:44.176Z"
    },
    "relationships": {
      "user": {
        "data": {
          "id": "1337",
          "type": "user",
          "attributes": {
            "username": "api-example",
            "name": "API Example",
            "disabled": false,
            "created_at": "2016-02-02T04:05:06.000Z",
            "profile_picture": {
              "62x62": "/assets/avatars/default.png",
              "82x82": "/assets/avatars/default.png",
              "110x110": "/assets/avatars/default.png",
              "260x260": "/assets/avatars/default.png"
            }
          }          
        }
      },
      "address": {
        "data": {
          "id": "1337",
          "type": "address",
          "attributes": {
            "name": "Jane Doe",
            "street": "535 Mission Street",
            "city": "San Francisco",
            "postal_code": "94105",
            "state": "CA",
            "country": "United States of America",
            "created_at": "2016-02-02T04:05:06.000Z",
            "tshirt_size": "W_Large",
            "phone_number": "+1-510-000-0000"
          }
        }
      }   
    }
  }
}

You can use this endpoint to award swag to the reporter of the provided report.

Required permission: Reward Management. You can manage the permissions of your API users through your program's settings. Insufficient permissions will result in a 404 Not Found response.

HTTP Request

POST https://api.hackerone.com/v1/reports/{id}/swags

URI Parameters

Name Description Required Type
id The ID of the report. Yes Integer

Request Body

Name Description Required Type
data This object contains the information required to award swag. Yes Object
data/message The public message posted on the report. Always required. Yes String

Mark as Ineligible for Bounty

Mark a report as ineligible for bounty.

curl "https://api.hackerone.com/v1/reports/2/ineligible_for_bounty" \
  -X PUT \
  -u "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=" \
  -H "Content-Type: application/json" \
  -d @- <<EOD
    {
      "data": {
        "type": "report-ineligible-for-bounty",
        "attributes": {}
      }
    }
EOD

Example response (200 OK)

{
  "id": "77",
  "type": "report",
  "attributes": {
    "title": "XSS in login form",
    "state": "new",
    "created_at": "2019-08-20T14:26:19.286Z",
    "vulnerability_information": "...",
    "triaged_at": null,
    "closed_at": null,
    "last_reporter_activity_at": "2019-08-20T14:26:20.531Z",
    "first_program_activity_at": "2019-08-20T14:26:20.531Z",
    "last_program_activity_at": "2019-08-20T15:25:56.627Z",
    "bounty_awarded_at": null,
    "swag_awarded_at": null,
    "disclosed_at": null,
    "last_public_activity_at": "2019-08-20T15:25:56.627Z",
    "last_activity_at": "2019-08-20T15:25:56.627Z",
    "cve_ids": [],
    "source": null
  },
  "relationships": {
    "weakness": {
      "data": {
        "id": "77",
        "type": "weakness",
        "attributes": {
          "name": "Reliance on Reverse DNS Resolution for a Security-Critical Action",
          "description": "The software performs reverse DNS resolution on an IP address to obtain the hostname and make a security decision, but it does not properly ensure that the IP address is truly associated with the hostname.",
          "external_id": "cwe-350",
          "created_at": "2019-07-12T08:36:13.646Z"
        }
      }
    }
  }
}

Marking a report as ineligible for bounty through the HackerOne API can be useful to programmatically batch update received reports in HackerOne.

Marking a report as ineligible for bounty can be done through this endpoint. This API endpoint cannot be used for reports that have been reported outside of the HackerOne platform.

Required permission: Report Management. You can manage the permissions of your API users through your program's settings. Insufficient permissions will result in a 403 Forbidden response.

URI Parameters

Name Description Required Type
id The ID of the report. Yes Integer

Request Body

Name Description Possible Values Required Type
data This object contains the information to mark a report as ineligible for bounty. Yes Object
data/type report-ineligible-for-bounty Yes String

Manage Custom Field Values

Create Custom Field Value

curl "https://api.hackerone.com/v1/reports/172932/custom_field_values" \
  -X POST \
  -u "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=" \
  -H "Content-Type: application/json" \
  -d @- <<EOD
    {
      "data": {
        "attributes": {
          "custom_field_attribute_id": "1",
          "value": "Dark Matter"
        }
      }
    }
EOD

Example response (200 OK)

{
  "data": [
    {
      "id": "1",
      "type": "custom-field-value",
      "attributes": {
        "value": "Dark Matter",
        "created_at": "2019-04-24T22:21:50.328Z",
        "updated_at": "2019-04-24T22:21:50.328Z"
      },
      "relationships": {
        "custom_field_attribute": {
          "data": {
            "id": "1",
            "type": "custom-field-attribute",
            "attributes": {
              "label": "Product Squad",
              "configuration": null,
              "created_at": "2013-01-01T00:00:00.000Z",
              "updated_at": "2013-01-01T00:00:00.000Z",
              "archived_at": null
            }
          }
        }
      }
    }
  ]
}

You can use this endpoint to create / update the Custom Field Values of the provided report. If the report already has a value for the provided Custom Field Attribute ID, the value will be replaced. To get a list of existing Custom Field Attributes, see program. This feature is only available to select programs at this time.

Required permission: Report Management. You can manage the permissions of your API users through your program's settings. Insufficient permissions will result in a 403 Forbidden response.

HTTP Request

POST https://api.hackerone.com/v1/reports/{id}/custom_field_values

URI Parameters

Name Description Required Type
id The ID of the report. Yes Integer

Request Body

Name Description Required Type
data This object contains the information required to create a Custom Field Value. Yes Object
data/attributes/custom_field_attribute_id The Custom Field Attribute ID for which a value needs to be set. A complete list of available Custom Field Attribute IDs is exposed on the Program object. Yes Integer
data/attributes/value The value that needs to be set for the given Custom Field Attribute. Leave empty to remove a Custom Field Attribute from a Report. No String

Manage Disclosure Request

This resource allows you to create or cancel the disclosure request for the report.

Required permission: Report Management. You can manage the permissions of your API users through your program's settings. Insufficient permissions will result in a 403 Forbidden response.

Create Disclosure Request

Create a disclosure request for the provided report.

curl "https://api.hackerone.com/v1/reports/172932/disclosure_requests" \
  -X POST \
  -u "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=" \
  -H "Content-Type: application/json" \
  -d @- <<EOD
    {
      "data": {
        "attributes": {
          "substate": "full",
          "message": "Go public"
        }
      }
    }
EOD

Example response (200 OK)

{
  "data": {
    "id": "1337",
    "type": "activity-agreed-on-going-public",
    "attributes": {
      "message": "Agreed On Going Public!",
      "created_at": "2019-02-02T04:05:06.000Z",
      "updated_at": "2019-02-02T04:05:06.000Z",
      "internal": false,
      "disclosed_at": "2019-02-02T15:26:47.000Z"
    },
    "relationships": {
      "actor": {
        "data": {
          "id": "1337",
          "type": "user",
          "attributes": {
            "username": "api-example",
            "name": "API Example",
            "disabled": false,
            "created_at": "2019-02-02T04:05:06.000Z",
            "profile_picture": {
              "62x62": "/assets/avatars/default.png",
              "82x82": "/assets/avatars/default.png",
              "110x110": "/assets/avatars/default.png",
              "260x260": "/assets/avatars/default.png"
            }
          }
        }
      }
    }
  }
}

The program can request disclosure for any closed report.

You can use this endpoint to create the disclosure request for the report which will result in:

HTTP Request

POST https://api.hackerone.com/v1/reports/{id}/disclosure_requests

URI Parameters

Name Description Required Type
id The ID of the report. Yes Integer

Request Body

Name Description Possible Values Required Type
data This object contains the information about the disclosure request. Yes Object
data/attributes Yes Object
data/attributes/substate Select whether you want to disclose the full report ("full") or a limited version ("no-content"). Possible values: full, no-content Yes String
data/attributes/message Additional information No String

Cancel Disclosure Request

Cancel the report's disclosure request.

curl "https://api.hackerone.com/v1/reports/172932/disclosure_requests" \
  -X DELETE \
  -u "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=" \
  -H "Content-Type: application/json" \
  -d @- <<EOD
    {
      "data": {
        "attributes": {
          "message": "Cancel disclosure"
        }
      }
    }
EOD

Example response (200 OK)

{
    "data": {
        "type": "activity-cancelled-disclosure-request",
        "id": "516",
        "attributes": {
            "message": "Cancel disclosure 1",
            "created_at": "2019-10-23T13:35:35.616Z",
            "updated_at": "2019-10-23T13:35:35.616Z",
            "internal": false
        },
        "relationships": {
            "actor": {
                "data": {
                    "id": "106",
                    "type": "user",
                    "attributes": {
                        "username": "api_user",
                        "name": null,
                        "disabled": false,
                        "created_at": "2019-10-14T13:59:49.563Z",
                        "profile_picture": {
                          "62x62": "/assets/avatars/default.png",
                          "82x82": "/assets/avatars/default.png",
                          "110x110": "/assets/avatars/default.png",
                          "260x260": "/assets/avatars/default.png"
                        },
                        "signal": null,
                        "impact": null,
                        "reputation": null,
                        "bio": null,
                        "website": null,
                        "location": null,
                        "hackerone_triager": false
                    }
                }
            }
        }
    }
}

The program can cancel the disclosure request for the provided report.

HTTP Request

DELETE https://api.hackerone.com/v1/reports/{id}/disclosure_requests

URI Parameters

Name Description Required Type
id The ID of the report. Yes Integer

Request Body

Name Description Possible Values Required Type
data This object contains the information about the disclosure request. Yes Object
data/attributes Yes Object
data/attributes/message Additional information No String

Activities

This endpoint allows you to fetch all activities of your program incrementally by time.

This feature has multiple usages:

The next section will give an overview of what an Activity object looks like. The sections after that will show the endpoints that have been implemented for this resource.

Query Activities

Read the activities of a team

curl "https://api.hackerone.com/v1/incremental/activities?handle=acme&page\[size\]=1" \
  -u "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ="

Example response (200 OK)

{
  "data": [
    {
      "type": "activity-bug-filed",
      "id": "1337",
      "attributes": {
        "report_id": "99900",
        "message": "",
        "created_at": "2016-02-02T04:05:06.000Z",
        "updated_at": "2017-02-02T04:05:06.000Z",
        "internal": false
      },
      "relationships": {
        "actor": {
          "data": {
            "type": "user",
            "id": "7331",
            "attributes": {
              "username": "api-example",
              "name": "API Example",
              "disabled": false,
              "created_at": "2016-02-02T04:05:06.000Z",
              "profile_picture": {
                "62x62": "/assets/avatars/default.png",
                "82x82": "/assets/avatars/default.png",
                "110x110": "/assets/avatars/default.png",
                "260x260": "/assets/avatars/default.png"
              }
            }
          }
        }
      }
    }
  ],
  "meta": {
    "max_updated_at": "2017-02-02T04:05:06.000Z"
  },
  "links": {
    "self": "https://api.hackerone.com/v1/incremental/activities?handle=acme&page%5Bsize%5D=1",
    "next": "https://api.hackerone.com/v1/incremental/activities?handle=acme&page%5Bsize%5D=1&page%5Bnumber%5D=2",
    "last": "https://api.hackerone.com/v1/incremental/activities?handle=acme&page%5Bsize%5D=1&page%5Bnumber%5D=20"
  }
}

Note that the request URL path is /incremental/activities. When the request is successful, the API will respond with paginated activity objects ordered by updated date.

HTTP Request

GET /incremental/activities/

Query Parameters

Name Description Required Type
handle The HackerOne handle of the program whose activities you wish to retrieve. Yes String
updated_at_after A datetime encoded as a string. Used to indicate what cut-off date to use when retrieving activities. When not provided, no filtering is applied and all activities will be retrieved. No DateTime
page This parameter can be used to specify the page number and size the client wants to query. No Object
page[number] The page to retrieve. No Integer
page[size] The number of objects per page; currently limited from 1 to 100. Default: 25 No Integer
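The incremental sync described above, as an added Python example (not part of the HackerOne documentation): it follows links.next until it is absent, only follows links that stay on api.hackerone.com over HTTPS, and returns the newest meta.max_updated_at as the updated_at_after value for the next run. The fetch callable, SAMPLE data and fake_fetch are constructed stand-ins, and treating updated_at_after as an exclusive cut-off is an assumption.

```python
from datetime import datetime
from urllib.parse import parse_qs, urlencode, urlsplit

API_HOST = "api.hackerone.com"
TS_FORMAT = "%Y-%m-%dT%H:%M:%S.%fZ"  # timestamp layout used in the responses on this page


def parse_ts(value):
    return datetime.strptime(value, TS_FORMAT)


def sync_activities(fetch, handle, checkpoint=None, page_size=100, max_pages=1000):
    """Return (activities, new_checkpoint) for everything updated after `checkpoint`.

    `fetch` is a caller-supplied function (hypothetical name) that performs the
    authenticated GET and returns the decoded JSON body.
    """
    params = {"handle": handle, "page[size]": page_size}
    if checkpoint:
        params["updated_at_after"] = checkpoint
    url = f"https://{API_HOST}/v1/incremental/activities?{urlencode(params)}"

    activities, seen_ids, visited = [], set(), set()
    newest = checkpoint
    while url:
        # The API credentials travel with every request, so only follow links
        # that stay on the API host over HTTPS.
        parts = urlsplit(url)
        if parts.scheme != "https" or parts.hostname != API_HOST:
            raise ValueError(f"refusing to follow link outside {API_HOST}: {url}")
        if url in visited or len(visited) >= max_pages:
            raise RuntimeError("pagination loop or page budget exceeded")
        visited.add(url)

        page = fetch(url)
        for activity in page.get("data", []):
            # De-duplicate by id in case a record shows up on two pages.
            if activity["id"] not in seen_ids:
                seen_ids.add(activity["id"])
                activities.append(activity)
        page_max = page.get("meta", {}).get("max_updated_at")
        if page_max and (newest is None or parse_ts(page_max) > parse_ts(newest)):
            newest = page_max
        url = page.get("links", {}).get("next")
    return activities, newest


# Constructed sample activities (types and ids reused from this page,
# timestamps made up), ordered by updated_at as the endpoint returns them.
SAMPLE = [
    {"type": "activity-bug-filed", "id": "1337",
     "attributes": {"report_id": "99900", "updated_at": "2017-02-02T04:05:06.000Z"}},
    {"type": "activity-bounty-suggested", "id": "1946481",
     "attributes": {"report_id": "99900", "updated_at": "2017-02-03T10:00:00.000Z"}},
    {"type": "activity-cancelled-disclosure-request", "id": "516",
     "attributes": {"report_id": "99901", "updated_at": "2017-02-04T09:30:00.000Z"}},
]


def fake_fetch(url):
    """Offline stand-in for the API: serves SAMPLE with the paging shape shown above."""
    query = parse_qs(urlsplit(url).query)
    after = query.get("updated_at_after", [None])[0]
    number = int(query.get("page[number]", ["1"])[0])
    size = int(query["page[size]"][0])
    rows = [a for a in SAMPLE
            if after is None or parse_ts(a["attributes"]["updated_at"]) > parse_ts(after)]
    chunk = rows[(number - 1) * size: number * size]
    page = {"data": chunk, "meta": {}, "links": {}}
    if chunk:
        page["meta"]["max_updated_at"] = max(
            (a["attributes"]["updated_at"] for a in chunk), key=parse_ts)
    if number * size < len(rows):
        nxt = {"handle": query["handle"][0], "page[size]": size, "page[number]": number + 1}
        if after:
            nxt["updated_at_after"] = after
        page["links"]["next"] = f"https://{API_HOST}/v1/incremental/activities?{urlencode(nxt)}"
    return page


if __name__ == "__main__":
    first, checkpoint = sync_activities(fake_fetch, "acme", page_size=1)
    print(len(first), "activities, checkpoint", checkpoint)
    later, checkpoint = sync_activities(fake_fetch, "acme", checkpoint=checkpoint, page_size=1)
    print(len(later), "new activities on the second run")
```

Persist the returned checkpoint only after the activities have been stored, so an interrupted run repeats work rather than skipping it.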

Programs

The next section will give an overview of what a Program object looks like. The sections after that will show the endpoints that have been implemented for this resource. To find the ID of your program, you can use the Get Your Programs endpoint.

Get Program

Read a program

curl "https://api.hackerone.com/v1/programs/11000" \
  -u "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ="

Example response (200 OK)

{
  "data": {
    "id": "1337",
    "type": "program",
    "attributes": {
      "handle": "security",
      "policy": "Policy definition",
      "created_at": "2016-02-02T04:05:06.000Z",
      "updated_at": "2016-02-02T04:05:06.000Z"
    },
    "relationships": {
      "groups": {
        "data": [
          {
            "id": "2557",
            "type": "group",
            "attributes": {
              "name": "Standard",
              "created_at": "2016-02-02T04:05:06.000Z",
              "permissions": [
                "report_management",
                "reward_management"
              ]
            }
          },
          {
            "id": "2558",
            "type": "group",
            "attributes": {
              "name": "Admin",
              "created_at": "2016-02-02T04:05:06.000Z",
              "permissions": [
                "user_management",
                "program_management"
              ]
            }
          }
        ]
      },
      "members": {
        "data": [
          {
            "id": "1339",
            "type": "member",
            "attributes": {
              "created_at": "2016-02-02T04:05:06.000Z",
              "permissions": [
                "program_management",
                "report_management",
                "reward_management",
                "user_management"
              ],
              "groups": [
                {
                  "id": "2558",
                  "name": "Admin"
                },
                {
                  "id": "2557",
                  "name": "Standard"
                }
              ]
            },
            "relationships": {
              "user": {
                "data": {
                  "id": "1337",
                  "type": "user",
                  "attributes": {
                    "username": "api-example",
                    "name": "API Example",
                    "disabled": false,
                    "created_at": "2016-02-02T04:05:06.000Z",
                    "profile_picture": {
                      "62x62": "/assets/avatars/default.png",
                      "82x82": "/assets/avatars/default.png",
                      "110x110": "/assets/avatars/default.png",
                      "260x260": "/assets/avatars/default.png"
                    }
                  }
                }
              }
            }
          }
        ]
      },
      "policy_attachments": {
        "data": [
          {
            "id": "<id>",
            "type": "attachment",
            "attributes": {
              "expiring_url": "<url>",
              "created_at": "<date>",
              "file_name": "logo.png",
              "content_type": "image/png",
              "file_size": 3650
            }
          }
        ]
      }
    }
  }
}

A program object can be fetched by sending a GET request to a unique program object. When the request is successful, the API will respond with a program object.

The following program relationships are included: groups, members and policy attachments.

HTTP Request

GET https://api.hackerone.com/v1/programs/{id}

URI Parameters

Name Description Required Type
id The ID of the program. You can find the program ID by fetching your programs. Yes Integer
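A least-privilege check built on the program object above, as an added Python example (not part of the HackerOne documentation): given the endpoints an integration calls, it reports which of a member's permissions are actually needed, which are excess, and which endpoints the member cannot call. The endpoint-to-permission table is transcribed from the "Required permission" lines on this page; PROGRAM is a constructed, trimmed copy of the example response, and the function names and the idea that a member's permissions should be explained by its groups are assumptions.

```python
from itertools import combinations

# Any one of the listed permissions is sufficient for the endpoint.
ENDPOINT_PERMISSIONS = {
    "POST /reports/{id}/bounty_suggestions": {"reward_management", "report_management"},
    "POST /reports/{id}/swags": {"reward_management"},
    "PUT /reports/{id}/ineligible_for_bounty": {"report_management"},
    "POST /reports/{id}/custom_field_values": {"report_management"},
    "POST /reports/{id}/disclosure_requests": {"report_management"},
    "DELETE /reports/{id}/disclosure_requests": {"report_management"},
    "PUT /programs/{id}/policy": {"program_management"},
    "POST /programs/{id}/policy_attachments": {"program_management"},
    "POST /programs/{id}/bounties": {"reward_management"},
    "PUT /programs/{program_id}/swag/{id}": {"program_management"},
}

# Constructed sample: the Get Program example response, trimmed to the fields read here.
PROGRAM = {
    "data": {"id": "1337", "type": "program", "relationships": {
        "groups": {"data": [
            {"id": "2557", "attributes": {
                "name": "Standard",
                "permissions": ["report_management", "reward_management"]}},
            {"id": "2558", "attributes": {
                "name": "Admin",
                "permissions": ["user_management", "program_management"]}},
        ]},
        "members": {"data": [
            {"id": "1339", "attributes": {
                "permissions": ["program_management", "report_management",
                                "reward_management", "user_management"],
                "groups": [{"id": "2558", "name": "Admin"},
                           {"id": "2557", "name": "Standard"}]}},
        ]},
    }}
}


def member_permissions(program, member_id):
    """Return (declared, from_groups) permission sets for one member."""
    rel = program["data"]["relationships"]
    groups = {g["id"]: set(g["attributes"]["permissions"]) for g in rel["groups"]["data"]}
    for member in rel["members"]["data"]:
        if member["id"] == member_id:
            declared = set(member["attributes"]["permissions"])
            from_groups = set()
            for group in member["attributes"]["groups"]:
                from_groups |= groups.get(group["id"], set())
            return declared, from_groups
    raise KeyError(f"member {member_id} not found")


def audit_member(program, member_id, endpoints):
    """Compare what a member holds with what the listed endpoints require."""
    declared, from_groups = member_permissions(program, member_id)
    blocked = [e for e in endpoints if not ENDPOINT_PERMISSIONS[e] & declared]
    needs = [ENDPOINT_PERMISSIONS[e] & declared for e in endpoints if e not in blocked]

    # Smallest subset of the held permissions that still satisfies every
    # reachable endpoint; brute force is fine with four permissions in total.
    held = sorted(declared)
    needed = set(declared)
    for size in range(len(held) + 1):
        hit = next((set(combo) for combo in combinations(held, size)
                    if all(need & set(combo) for need in needs)), None)
        if hit is not None:
            needed = hit
            break
    return {
        "needed": sorted(needed),
        "excess": sorted(declared - needed),
        "blocked": blocked,
        "not_from_groups": sorted(declared - from_groups),
    }


if __name__ == "__main__":
    used = ["POST /reports/{id}/bounty_suggestions", "POST /reports/{id}/custom_field_values"]
    print(audit_member(PROGRAM, "1339", used))
```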

Update Policy

Update the policy of a program

curl "https://api.hackerone.com/v1/programs/3774/policy" \
  -X PUT \
  -u "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=" \
  -H "Content-Type: application/json" \
  -d @- <<EOD
    {
      "data": {
        "type": "program-policy",
        "attributes": {
          "policy": "..."
        }
      }
    }
EOD

Example response (200 OK)

{
  "data": {
    "id": "3774",
    "type": "program",
    "attributes": {
        "handle": "acme",
        "policy": "...",
        "created_at": "2013-01-01T00:00:00.000Z",
        "updated_at": "2019-08-26T13:53:24.807Z"
    }
  }
}

Managing the policy of a program through the HackerOne API can be useful to programmatically batch update programs in HackerOne. You can use this endpoint to update the policy of your program.

Required permission: Program Management. You can manage the permissions of your API users through your program's settings. Insufficient permissions will result in a 403 Forbidden response.

HTTP Request

PUT https://api.hackerone.com/v1/programs/{id}/policy

URI Parameters

Name Description Required Type
id The ID of the program. Yes Integer

Request Body

Name Description Possible Values Required Type
data This object contains the information to update the policy of a program. Yes Object
data/type program-policy Yes String
data/attributes Yes Object
data/attributes/policy The new policy that will be set on the program. Yes String

Upload Policy Attachment

Upload an attachment for program policy

curl "https://api.hackerone.com/v1/programs/3774/policy_attachments" \
  -X POST \
  -u "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=" \
  -F "file=@/tmp/example.png"

Example response (200 OK)

{
  "data": {
    "id": "1337",
    "type": "attachment",
    "attributes": {
      "expiring_url": "https://attachments.s3.amazonaws.com/G74PuDP6qdEdN2rpKNLkVwZF",
      "created_at": "2019-10-30T04:05:06.000Z",
      "file_name": "example.png",
      "content_type": "image/png",
      "file_size": 16115
    }
  }
}

Policy attachments can be uploaded by sending a POST request to the program policy attachments endpoint. When the API call is successful, an attachment object will be returned.

You can use the attachment ID to display the attachment on your policy page. For example, if the attachment ID is 1337, then include {F1337} in your policy to display the attachment.

Required permission: Program Management for uploading policy attachments. You can manage the permissions of your API users through your program's settings. Insufficient permissions will result in a 403 Forbidden response.

HTTP Request

POST https://api.hackerone.com/v1/programs/{id}/policy_attachments

URI Parameters

Name Description Required Type
id The ID of the program. Yes Integer

Query Parameters

Name Description Required Type
file Full path to a local file. Yes File

Award Bounty

Create a bounty for a program

curl "https://api.hackerone.com/v1/programs/11000/bounties" \
  -X POST \
  -u "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=" \
  -H "Content-Type: application/json" \
  -d @- <<EOD
    {
      "data": {
        "type": "bounty",
        "attributes": {
          "amount": 100,
          "reference": "JIRA1239",
          "title": "Reflected XSS on marketing.example.com",
          "recipient": "hacker@hackerone.com",
          "currency": "USD",
          "severity_rating": "high"
        }
      }
    }
EOD

Example response (200 OK)

{
  "data": {
    "id": "1",
    "type": "bounty",
    "attributes": {
      "amount": "100.00",
      "bonus_amount": "0.00",
      "awarded_amount": "100.00",
      "awarded_bonus_amount": "0.00",
      "awarded_currency": "USD",
      "created_at": "2017-02-14T23:07:24.252Z",
      "invitations": [
        {
          "id": "10",
          "recipient": "hacker@hackerone.com",
          "claim_url": "https://hackerone.com/invitations/3fe0a8badea0023c2fcca5c860d5899e"
        }
      ]
    }
  }
}

To award a bounty, this API endpoint can be used. When the API call is successful, a bounty object will be returned.

Required permission: Reward Management. You can manage the permissions of your API users through your program's settings. Insufficient permissions will result in a 403 Forbidden response.

HTTP Request

POST https://api.hackerone.com/v1/programs/{id}/bounties

URI Parameters

Name Description Required Type
id The ID of the program. Yes Integer

Request Body

Name Description Required Type
data This object contains the information required to create a bounty. Yes Object
data/type Possible values: bounty Yes Object
data/attributes/recipient The email address of the recipient. When the email address is provided, an email will be sent to the recipient to claim the bounty. When the email address is not provided, you can use the claim URL in the response to notify the recipient yourself. When the user does not yet have an account with HackerOne, they will be onboarded before they can claim the reward. Users who already have an account will benefit from collecting the payout easily through HackerOne and get additional reputation points to showcase on their HackerOne profile. No String
data/attributes/amount The amount that should be awarded. Yes Number
data/attributes/reference An internal reference attached to the report that makes searching or filtering in the future easy. Yes String
data/attributes/title The title of the security vulnerability that was reported to you. Yes String
data/attributes/currency Possible values: USD Yes String
data/attributes/severity_rating The severity rating of the security vulnerability that was reported to you. Possible values: none, low, medium, high, critical No String

Get Awarded Swag

Query swag of the program

curl "https://api.hackerone.com/v1/programs/16789/swag?page%5Bnumber%5D=1&page%5Bsize%5D=100" \
  -u "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ="

Example response (200 OK)

{
  "data": [
    {
      "id": "8",
      "type": "swag",
      "attributes": {
        "sent": true,
        "created_at": "2019-08-30T08:33:42.147Z"
      },
      "relationships": {
        "user": {
          "data": {
            "id": "1337",
            "type": "user",
            "attributes": {
              "username": "api-example",
              "name": "API Example",
              "disabled": false,
              "created_at": "2016-02-02T04:05:06.000Z",
              "profile_picture": {
                "62x62": "/assets/avatars/default.png",
                "82x82": "/assets/avatars/default.png",
                "110x110": "/assets/avatars/default.png",
                "260x260": "/assets/avatars/default.png"
              }
            }
          }
        },
        "address": {
          "data": {
            "id": "1337",
            "type": "address",
            "attributes": {
              "name": "Jane Doe",
              "street": "535 Mission Street",
              "city": "San Francisco",
              "postal_code": "94105",
              "state": "CA",
              "country": "United States of America",
              "created_at": "2016-02-02T04:05:06.000Z",
              "tshirt_size": "M_Large",
              "phone_number": "+1-510-000-0000"
            }
          }
        }
      }    
    },
    {
      "id": "7",
      "type": "swag",
      "attributes": {
        "sent": false,
        "created_at": "2019-08-20T03:47:04.163Z"
      },
      "relationships": {
        "user": {
          "data": {
            "id": "1338",
            "type": "user",
            "attributes": {
              "username": "johndoe",
              "name": "John Doe",
              "disabled": false,
              "created_at": "2017-02-02T04:05:06.000Z",
              "profile_picture": {
                "62x62": "/assets/avatars/default.png",
                "82x82": "/assets/avatars/default.png",
                "110x110": "/assets/avatars/default.png",
                "260x260": "/assets/avatars/default.png"
              }
            }
          }
        },
        "address": {
          "data": {
            "id": "1337",
            "type": "address",
            "attributes": {
              "name": "John Smith",
              "street": "535 Mission Street",
              "city": "New York",
              "postal_code": "10001",
              "state": "NY",
              "country": "United States of America",
              "created_at": "2017-01-03T07:08:09.000Z",
              "tshirt_size": "M_Large",
              "phone_number": "+1-212-000-0000"
            }
          }
        }
      }
    }
  ],
  "links": {
  }
}

Awarded swag can be fetched by sending a GET request to the swag endpoint. When the request is successful, the API will respond with paginated swag objects.

HTTP Request

GET https://api.hackerone.com/v1/programs/{id}/swag

URI Parameters

Name Located in Description Required Type
id path The ID of the program. Yes Integer

Query Parameters

Name Description Required Type
page This parameter can be used to specify the page number and size the client wants to query. No Object
page[number] The page to retrieve. No Integer
page[size] The number of objects per page; currently limited from 1 to 100. Default: 25 No Integer

Mark Swag as Sent

Mark swag as sent

curl "https://api.hackerone.com/v1/programs/12/swag/8" \
  -X PUT \
  -u "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=" \
  -H "Content-Type: application/json" \
  -d @- <<EOD
    {
      "data": {
        "type": "swag",
        "attributes": {
          "sent": true
        }
      }
    }
EOD

Example response (200 OK)

{
  "data": {
    "id": "8",
    "type": "swag",
    "attributes": {
      "sent": true,
      "created_at": "2019-08-30T08:33:42.147Z"
    },
    "relationships": {
      "user": {
        "data": {
          "id": "1337",
          "type": "user",
          "attributes": {
            "username": "api-example",
            "name": "API Example",
            "disabled": false,
            "created_at": "2016-02-02T04:05:06.000Z",
            "profile_picture": {
              "62x62": "/assets/avatars/default.png",
              "82x82": "/assets/avatars/default.png",
              "110x110": "/assets/avatars/default.png",
              "260x260": "/assets/avatars/default.png"
            }
          }
        }
      },
      "address": {
        "data": {
          "id": "1337",
          "type": "address",
          "attributes": {
            "name": "Jane Doe",
            "street": "535 Mission Street",
            "city": "San Francisco",
            "postal_code": "94105",
            "state": "CA",
            "country": "United States of America",
            "created_at": "2016-02-02T04:05:06.000Z",
            "tshirt_size": "M_Large",
            "phone_number": "+1-510-000-0000"
          }
        }
      }
    }
  }
}

The status of swag can be updated to "sent" through this endpoint. When the request is successful, the API will respond with a swag object.

Required permission: Program Management. You can manage the permissions of your API users through your program's settings. Insufficient permissions will result in a 403 Forbidden response.

HTTP Request

PUT https://api.hackerone.com/v1/programs/{program_id}/swag/{id}

URI Parameters

Name Description Required Type
program_id The ID of the program. Yes Integer
id The ID of the swag. Yes Integer

Query Parameters

Name Description Required Type
data This object contains the information to change the status of swag. Yes Object
data/type Possible values: swag Yes String
data/attributes Yes Object
data/attributes/sent Possible values: true Yes Boolean

Get Reporters

Query reporters for a program

curl "https://api.hackerone.com/v1/programs/11000/reporters" \
    -u "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ="

Example response (200 OK)

{
  "data": [
    {
      "id": "1337",
      "type": "user",
      "attributes": {
        "username": "awesome-hacker",
        "name": "Awesome Hacker",
        "disabled": false,
        "created_at": "2016-02-02T04:05:06.000Z",
        "profile_picture": {
          "62x62": "/assets/avatars/default.png",
          "82x82": "/assets/avatars/default.png",
          "110x110": "/assets/avatars/default.png",
          "260x260": "/assets/avatars/default.png"
        }
      }
    }
  ],
  "links": {

  }
}

This resource allows you to retrieve a list of all users that ever submitted a report to the program.

Multiple user objects can be queried by sending a GET request to the reporters endpoint. When the request is successful, the API will respond with paginated user objects.

HTTP Request

GET https://api.hackerone.com/v1/programs/{id}/reporters

URI Parameters

Name Description Required Type
id The ID of the program. Yes Integer

Query Parameters

Name Description Required Type
page This parameter can be used to specify the page number and size the client wants to query. No Object
page[number] The page to retrieve. No Integer
page[size] The number of objects per page; currently limited from 1 to 100. Default: 25 No Integer

Manage Structured Scopes

This resource allows you to retrieve a list of all assets of the program. You can also create new structured scopes and update or archive existing ones.




Query Structured Scopes

Query structured scopes for a program

curl "https://api.hackerone.com/v1/programs/16789/structured_scopes?page%5Bnumber%5D=1&page%5Bsize%5D=100" \
  -u "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ="

Example response (200 OK)

{
  "data": [
    {
      "id": "57",
      "type": "structured-scope",
      "attributes": {
        "asset_identifier": "api.example.com",
        "asset_type": "url",
        "confidentiality_requirement": "high",
        "integrity_requirement": "high",
        "availability_requirement": "high",
        "max_severity": "critical",
        "created_at": "2015-02-02T04:05:06.000Z",
        "updated_at": "2016-05-02T04:05:06.000Z",
        "instruction": null,
        "eligible_for_bounty": true,
        "eligible_for_submission": true,
        "reference": "H001001"
      }
    },
    {
      "id": "58",
      "type": "structured-scope",
      "attributes": {
        "asset_identifier": "www.example.com",
        "asset_type": "url",
        "confidentiality_requirement": "low",
        "integrity_requirement": "high",
        "availability_requirement": "high",
        "max_severity": "critical",
        "created_at": "2017-02-03T04:05:10.000Z",
        "updated_at": "2018-05-02T04:05:10.000Z",
        "instruction": "Instruction text",
        "eligible_for_bounty": true,
        "eligible_for_submission": true,
        "reference": "H001002"
      }
    }
  ],
  "links": {
  }
}

Structured scopes can be fetched by sending a GET request to the structured scopes endpoint. When the request is successful, the API will respond with paginated structured scopes.

HTTP Request

GET https://api.hackerone.com/v1/programs/{id}/structured_scopes

URI Parameters

Name Located in Description Required Type
id path The ID of the program. You can find the program ID by fetching your programs. Yes Integer

Query Parameters

Name Description Required Type
page This parameter can be used to specify the page number and size the client wants to query. No Object
page[number] The page to retrieve. No Integer
page[size] The number of objects per page; currently limited from 1 to 100. Default: 25 No Integer




Add Structured Scope

Create a structured scope for a program

curl "https://api.hackerone.com/v1/programs/1557/structured_scopes" \
  -X POST \
  -u "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=" \
  -H "Content-Type: application/json" \
  -d @- <<EOD
    {
      "data": {
        "type": "structured-scope",
        "attributes": {
          "asset_identifier": "api.example.com",
          "asset_type": "url",
          "confidentiality_requirement": "high",
          "integrity_requirement": "high",
          "availability_requirement": "high",
          "max_severity": "critical",
          "created_at": "2015-02-02T04:05:06.000Z",
          "updated_at": "2016-05-02T04:05:06.000Z",
          "eligible_for_bounty": true,
          "eligible_for_submission": true,
          "reference": "H001001"
        }
      }
    }
EOD

Example response (200 OK)

{
  "id": "57",
  "type": "structured-scope",
  "attributes": {
    "asset_identifier": "api.example.com",
    "asset_type": "url",
    "confidentiality_requirement": "high",
    "integrity_requirement": "high",
    "availability_requirement": "high",
    "max_severity": "critical",
    "created_at": "2015-02-02T04:05:06.000Z",
    "updated_at": "2016-05-02T04:05:06.000Z",
    "instruction": null,
    "eligible_for_bounty": true,
    "eligible_for_submission": true,
    "reference": "H001001"
  }
}

This API endpoint can be used to add an asset to a program. When the API request is successful, a structured-scope object will be returned. Please refer to our platform documentation to get more information on the different asset types.

HTTP Request

POST https://api.hackerone.com/v1/programs/{id}/structured_scopes

URI Parameters

Name Description Required Type
id The ID of the program. You can find the program ID by fetching your programs. Yes Integer

Request Body

Name Description Possible Values Required Type
data This object contains the information to create a structured scope. Yes Object
data/type structured-scope Yes String
data/attributes Yes Object
data/attributes/asset_identifier The identifier of the asset. Yes String
data/attributes/asset_type The type of the asset. CIDR, URL, APPLE_STORE_APP_ID, TESTFLIGHT, OTHER_IPA, GOOGLE_PLAY_APP_ID, OTHER_APK, WINDOWS_APP_STORE_APP_ID, SOURCE_CODE, DOWNLOADABLE_EXECUTABLES, HARDWARE, OTHER Yes String
data/attributes/eligible_for_bounty If the asset is eligible for bounty. No Boolean
data/attributes/eligible_for_submission If the asset is eligible for submission. No Boolean
data/attributes/instruction The raw instruction of the asset provided by the program. Markdown is not parsed. No String
data/attributes/confidentiality_requirement A CVSS environmental modifier that reweights Confidentiality Impact of a vulnerability on this asset. none, low, medium, high No String
data/attributes/integrity_requirement A CVSS environmental modifier that reweights Integrity Impact of a vulnerability on this asset. none, low, medium, high No String
data/attributes/availability_requirement A CVSS environmental modifier that reweights Availability Impact of a vulnerability on this asset. none, low, medium, high No String
data/attributes/max_severity The qualitative rating of the maximum severity allowed on this asset. Its value is calculated from the combination of all three of the environmental requirements (CR, IR, and AR). none, low, medium, high, critical No String
data/attributes/reference The customer-defined reference identifier or tag of the asset. No String




Update Structured Scope

Update a structured scope of a program

curl "https://api.hackerone.com/v1/programs/1557/structured_scopes/84" \
  -X PATCH \
  -u "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=" \
  -H "Content-Type: application/json" \
  -d @- <<EOD
    {
      "data": {
        "type": "structured-scope",
        "attributes": {
          "asset_identifier": "api.example.com",
          "asset_type": "url",
          "confidentiality_requirement": "high",
          "integrity_requirement": "high",
          "availability_requirement": "high",
          "max_severity": "critical",
          "created_at": "2015-02-02T04:05:06.000Z",
          "updated_at": "2016-05-02T04:05:06.000Z",
          "eligible_for_bounty": true,
          "eligible_for_submission": true,
          "reference": "H001001"
        }
      }
    }
EOD

Example response (200 OK)

{
  "id": "57",
  "type": "structured-scope",
  "attributes": {
    "asset_identifier": "api.example.com",
    "asset_type": "url",
    "confidentiality_requirement": "high",
    "integrity_requirement": "high",
    "availability_requirement": "high",
    "max_severity": "critical",
    "created_at": "2015-02-02T04:05:06.000Z",
    "updated_at": "2016-05-02T04:05:06.000Z",
    "instruction": null,
    "eligible_for_bounty": true,
    "eligible_for_submission": true,
    "reference": "H001001"
  }
}

This API endpoint can be used to update an asset of a program. When the API request is successful, a structured-scope object will be returned.

HTTP Request

PATCH https://api.hackerone.com/v1/programs/{program_id}/structured_scopes/{id}

URI Parameters

Name Description Required Type
program_id The ID of the program. You can find the program ID by fetching your programs. Yes Integer
id The ID of the structured scope. Yes Integer

Request Body

Name Description Possible Values Required Type
data This object contains the information to update a structured scope. Yes Object
data/type structured-scope Yes String
data/attributes Yes Object
data/attributes/asset_identifier The identifier of the asset. Yes String
data/attributes/eligible_for_bounty If the asset is eligible for bounty. No Boolean
data/attributes/eligible_for_submission If the asset is eligible for submission. No Boolean
data/attributes/instruction The raw instruction of the asset provided by the program. Markdown is not parsed. No String
data/attributes/confidentiality_requirement A CVSS environmental modifier that reweights Confidentiality Impact of a vulnerability on this asset. none, low, medium, high No String
data/attributes/integrity_requirement A CVSS environmental modifier that reweights Integrity Impact of a vulnerability on this asset. none, low, medium, high No String
data/attributes/availability_requirement A CVSS environmental modifier that reweights Availability Impact of a vulnerability on this asset. none, low, medium, high No String
data/attributes/max_severity The qualitative rating of the maximum severity allowed on this asset. Its value is calculated from the combination of all three of the environmental requirements (CR, IR, and AR). none, low, medium, high, critical No String
data/attributes/reference The customer-defined reference identifier or tag of the asset. No String
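The Request Body tables for Add Structured Scope and Update Structured Scope can be enforced client-side before a scope change is sent. The following is an added example, not part of the HackerOne documentation: `validate_scope_body` and its return shape are hypothetical, and comparing enumerated values case-insensitively is an assumption (the tables list `URL`, the curl examples send `url`).

```python
REQUIREMENTS = {"none", "low", "medium", "high"}
ASSET_TYPES = {t.lower() for t in (
    "CIDR URL APPLE_STORE_APP_ID TESTFLIGHT OTHER_IPA GOOGLE_PLAY_APP_ID OTHER_APK "
    "WINDOWS_APP_STORE_APP_ID SOURCE_CODE DOWNLOADABLE_EXECUTABLES HARDWARE OTHER"
).split()}

# attribute -> (expected JSON type, allowed values or None), per the Request Body tables
COMMON = {
    "asset_identifier": (str, None),
    "eligible_for_bounty": (bool, None),
    "eligible_for_submission": (bool, None),
    "instruction": (str, None),
    "confidentiality_requirement": (str, REQUIREMENTS),
    "integrity_requirement": (str, REQUIREMENTS),
    "availability_requirement": (str, REQUIREMENTS),
    "max_severity": (str, REQUIREMENTS | {"critical"}),
    "reference": (str, None),
}
# asset_type appears only in the Add (POST) table, not in the Update (PATCH) table.
SCHEMAS = {"create": {**COMMON, "asset_type": (str, ASSET_TYPES)}, "update": COMMON}
REQUIRED = {"create": {"asset_identifier", "asset_type"}, "update": {"asset_identifier"}}

# Request body copied from the "Create a structured scope" curl example on this page.
PAGE_EXAMPLE = {"data": {"type": "structured-scope", "attributes": {
    "asset_identifier": "api.example.com", "asset_type": "url",
    "confidentiality_requirement": "high", "integrity_requirement": "high",
    "availability_requirement": "high", "max_severity": "critical",
    "created_at": "2015-02-02T04:05:06.000Z", "updated_at": "2016-05-02T04:05:06.000Z",
    "eligible_for_bounty": True, "eligible_for_submission": True,
    "reference": "H001001"}}}


def validate_scope_body(body, operation):
    """Return (errors, unlisted) for a request body; operation is 'create' or 'update'."""
    schema = SCHEMAS[operation]
    data = body.get("data") if isinstance(body, dict) else None
    if not isinstance(data, dict):
        return ["data: expected object"], []
    errors, unlisted = [], []
    if data.get("type") != "structured-scope":
        errors.append("data/type: must be 'structured-scope'")
    attrs = data.get("attributes")
    if not isinstance(attrs, dict):
        return errors + ["data/attributes: expected object"], []
    for name in sorted(REQUIRED[operation] - attrs.keys()):
        errors.append(f"{name}: required attribute is missing")
    for name, value in attrs.items():
        if name not in schema:
            unlisted.append(name)  # not in the documented table; review before sending
            continue
        expected, allowed = schema[name]
        if not isinstance(value, expected):
            errors.append(f"{name}: expected {expected.__name__}")
        elif allowed is not None and value.lower() not in allowed:
            errors.append(f"{name}: {value!r} is not a documented value")
    return errors, unlisted


if __name__ == "__main__":
    print(validate_scope_body(PAGE_EXAMPLE, "create"))
```

Run against the page's own create example, the check reports no errors but lists `created_at` and `updated_at` as attributes that the Request Body table does not document.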




Archive Structured Scope

Archive a structured scope of a program

curl "https://api.hackerone.com/v1/programs/1557/structured_scopes/84" \
  -X DELETE \
  -u "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ="

Example response (200 OK)

{
  "id": "57",
  "type": "structured-scope",
  "attributes": {
    "asset_identifier": "api.example.com",
    "asset_type": "url",
    "confidentiality_requirement": "high",
    "integrity_requirement": "high",
    "availability_requirement": "high",
    "max_severity": "critical",
    "created_at": "2015-02-02T04:05:06.000Z",
    "updated_at": "2016-05-02T04:05:06.000Z",
    "instruction": null,
    "eligible_for_bounty": true,
    "eligible_for_submission": true,
    "reference": "H001001"
  }
}

This API endpoint can be used to archive an asset of a program. When the API request is successful, a structured-scope object will be returned.

HTTP Request

DELETE https://api.hackerone.com/v1/programs/{program_id}/structured_scopes/{id}

URI Parameters

Name Description Required Type
program_id The ID of the program. You can find the program ID by fetching your programs. Yes Integer
id The ID of the structured scope. Yes Integer

Get Weaknesses

This resource allows you to retrieve a list of all weaknesses of the program.

Query weaknesses for a program

curl "https://api.hackerone.com/v1/programs/16789/weaknesses?page%5Bnumber%5D=1&page%5Bsize%5D=100" \
  -u "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ="

Example response (200 OK)

{
  "data": [
    {
      "id": "1337",
      "type": "weakness",
      "attributes": {
        "name": "Cross-Site Request Forgery (CSRF)",
        "description": "The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.",
        "created_at": "2016-02-02T04:05:06.000Z",
        "external_id": "cwe-352"
      }
    },
    {
      "id": "1338",
      "type": "weakness",
      "attributes": {
        "name": "SQL Injection",
        "description": "The software constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component.",
        "created_at": "2016-03-02T04:05:06.000Z",
        "external_id": "cwe-89"
      }
    }
  ],
  "links": {
  }
}

Weaknesses can be fetched by sending a GET request to the weaknesses endpoint. When the request is successful, the API will respond with paginated weakness objects.

HTTP Request

GET https://api.hackerone.com/v1/programs/{id}/weaknesses

URI Parameters

Name Description Required Type
id The ID of the program. Yes Integer

Query Parameters

Name Description Required Type
page This parameter can be used to specify the page number and size the client wants to query. No Object
page[number] The page to retrieve. No Integer
page[size] The number of objects per page; currently limited from 1 to 100. Default: 25 No Integer

Get Thanks to Hackers

This resource allows you to view a customer's thanks to hackers.

Query thanks for a program

curl "https://api.hackerone.com/v1/programs/16789/thanks?page%5Bnumber%5D=1&page%5Bsize%5D=100" \
  -u "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ="

Example response (200 OK)

{
    "data": [
        {
            "type": "thanks_item",
            "attributes": {
                "total_report_count": 1,
                "reputation": 7,
                "recognized_report_count": 1,
                "username": "lorem",
                "user_id": "55"
            }
        },
        {
            "type": "thanks_item",
            "attributes": {
                "total_report_count": 1,
                "reputation": 22,
                "recognized_report_count": 1,
                "username": "ipsum",
                "user_id": "13"
            }
        },
        {
            "type": "thanks_item",
            "attributes": {
                "total_report_count": 5,
                "reputation": 38,
                "recognized_report_count": 3,
                "username": "hacker",
                "user_id": "24"
            }
        }
    ],
    "links": {}
}

Customer thanks items can be fetched by sending a GET request to the thanks endpoint. When the request is successful, the API will respond with paginated thanks item objects.

HTTP Request

GET https://api.hackerone.com/v1/programs/{id}/thanks

URI Parameters

Name Description Required Type
id The ID of the program. Yes Integer

Query Parameters

Name Description Required Type
page This parameter can be used to specify the page number and size the client wants to query. No Object
page[number] The page to retrieve. No Integer
page[size] The number of objects per page; currently limited from 1 to 100. Default: 25 No Integer

Get Common Responses

Query common responses for a program

curl "https://api.hackerone.com/v1/programs/15567/common_responses?page%5Bnumber%5D=1&page%5Bsize%5D=100" \
  -u "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ="

Example response (200 OK)

{
  "data": [
    {
      "id": "108878",
      "attributes": {
        "title": "Vulnerability Scanner False Positive",
        "message": "Automated vulnerability scanners commonly have low priority issues and/or false positives. Before submitting the results from a scanner, please take a moment to confirm that the reported issues are actually valid and exploitable. Please reply if you have a working proof-of-concept or reason to believe that this issue is exploitable.\n"
      }
    },
    {
      "id": "108886",
      "attributes": {
        "title": "X-XSS-Protection",
        "message": "Automated vulnerability scanners commonly have low priority issues and/or false positives. Before submitting the results from a scanner, please take a moment to confirm that the reported issues are actually valid and exploitable. In this specific case, we believe that the default state of the `X-XSS-Protection` header is sufficient for our purposes. Please reply if you have a working proof-of-concept that could be mitigated by an adjustment to our header.\n"
      }
    },
    {
      "id": "108891",
      "attributes": {
        "title": "Video Without Content",
        "message": "Using a video to demonstrate a potential issue should only be necessary in rare situations and should always be accompanied with a text description of the issue as well. Please update this report with step-by-step instructions to reproduce the core components of the issue. If you don't speak English, feel free to leave your report in your own language, and we'll try our best to find someone who can help translate.\n"
      }
    }
  ],
  "links": {
  }
}

Common responses can be fetched by sending a GET request to the common responses endpoint. When the request is successful, the API will respond with paginated common responses.

HTTP Request

GET https://api.hackerone.com/v1/programs/{id}/common_responses

URI Parameters

Name Description Required Type
id The ID of the program. Yes Integer

Query Parameters

Name Description Required Type
page This parameter can be used to specify the page number and size the client wants to query. No Object
page[number] The page to retrieve. No Integer
page[size] The number of objects per page; currently limited from 1 to 100. Default: 25 No Integer

Get Audit Log

Query audit log for a program

curl "https://api.hackerone.com/v1/programs/15567/audit_log?page%5Bnumber%5D=1&page%5Bsize%5D=100" \
  -u "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ="

Example response (200 OK)

{
  "data": [
    {
      "id": "1",
      "type": "audit-log-item",
      "attributes": {
        "log": "\"@member\" invited \"someone@example.com\".",
        "event": "invitations.team_members.create",
        "source": "User#1",
        "subject": "Invitation#1",
        "created_at": "2019-05-15T04:05:06.000Z"
      }
    }
  ],
  "links": {
  }
}

Returns a paginated list of the audit log items of the provided program.

This API endpoint allows a user to consume all audit log items that have been created for a particular program.

Required permission: Program Management for consuming the audit log items. You can manage the permissions of your API users through your program's settings. Insufficient permissions will result in a 403 Forbidden response.

Note: this feature is currently in beta and has not been enabled for all programs.

HTTP Request

GET https://api.hackerone.com/v1/programs/{id}/audit_log

URI Parameters

Name Description Required Type
id The ID of the program. Yes Integer

Query Parameters

Name Description Required Type
page This parameter can be used to specify the page number and size the client wants to query. No Object
page[number] The page to retrieve. No Integer
page[size] The number of objects per page; currently limited from 1 to 100. Default: 25 No Integer
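One way to consume the audit log for monitoring, as an added example that is not part of the HackerOne documentation: it walks the `page[number]`/`page[size]` pagination shared by the list endpoints above and flags team-member invitations sent to addresses outside an approved domain list. The helper names, the sample items and the offline `fake_fetch` stand-in are constructed; that an empty page ends the listing and that every invitation `log` line has the format of the single example response are assumptions.

```python
import re
from datetime import datetime, timezone

INVITE_EVENT = "invitations.team_members.create"  # event name from the example response
# Assumption: invitation log lines follow the single format shown on this page.
INVITED_RE = re.compile(r'invited "([^"\s@]+@[^"\s@]+)"')


def item(item_id, email, created_at):
    """Build a constructed audit-log-item in the documented response shape."""
    return {"id": item_id, "type": "audit-log-item", "attributes": {
        "log": f'"@member" invited "{email}".', "event": INVITE_EVENT,
        "source": "User#1", "subject": f"Invitation#{item_id}",
        "created_at": created_at}}


# Constructed sample data: three items spread over two pages of size 2.
SAMPLE_PAGES = {
    1: {"data": [item("1", "someone@example.com", "2019-05-15T04:05:06.000Z"),
                 item("2", "contractor@mail.example.net", "2019-05-16T09:00:00.000Z")],
        "links": {}},
    2: {"data": [item("3", "other@example.org", "2019-05-17T10:30:00.000Z")],
        "links": {}},
}


def fake_fetch(page_number, page_size):
    """Offline stand-in for GET /v1/programs/{id}/audit_log with page[number]/page[size]."""
    return SAMPLE_PAGES.get(page_number, {"data": [], "links": {}})


def iter_items(fetch_page, page_size=100):
    """Yield every object from a paginated list endpoint, one page at a time."""
    if not 1 <= page_size <= 100:  # documented limit for page[size]
        raise ValueError("page[size] must be between 1 and 100")
    number = 1
    while True:
        data = fetch_page(number, page_size).get("data", [])
        if not data:  # assumption: an empty page marks the end of the listing
            return
        yield from data
        number += 1


def parse_ts(value):
    """Parse the API's UTC timestamps, e.g. 2019-05-15T04:05:06.000Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def external_invites(items, allowed_domains, since=None):
    """Return invitations sent to addresses outside allowed_domains (exact match)."""
    findings = []
    for entry in items:
        attrs = entry["attributes"]
        if attrs["event"] != INVITE_EVENT:
            continue
        if since is not None and parse_ts(attrs["created_at"]) <= since:
            continue  # already reviewed in an earlier run
        match = INVITED_RE.search(attrs["log"])
        email = match.group(1).lower() if match else None
        # An unparseable invitation line is reported rather than silently dropped.
        if email is None or email.rsplit("@", 1)[1] not in allowed_domains:
            findings.append({"id": entry["id"], "email": email,
                             "source": attrs["source"], "at": attrs["created_at"]})
    return findings


if __name__ == "__main__":
    for finding in external_invites(iter_items(fake_fetch, page_size=2), {"example.com"}):
        print(finding)
```

Passing the `created_at` of the last reviewed item as `since` lets a scheduled job report only new invitations.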

Get Your Programs

Query your programs

curl "https://api.hackerone.com/v1/me/programs" \
  -u "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ="

Example response (200 OK)

{
  "data": [
    {
      "id": "1",
      "type": "program",
      "attributes": {
        "handle": "security",
        "created_at": "2017-01-01T08:00:00.000Z",
        "updated_at": "2017-02-17T04:34:15.910Z"
      }
    }
  ],
  "links": {}
}

This API endpoint allows you to query all program objects that you are a member of. The groups and members relationships are not included in the response.

HTTP Request

GET https://api.hackerone.com/v1/me/programs

Query Parameters

Name Description Required Type
handle The HackerOne handle of the program whose activities you wish to retrieve. Yes String
updated_at_after A datetime encoded as a string. Used to indicate what cut-off date to use when retrieving activities. When not provided, no filtering is applied and all activities will be retrieved. No DateTime
page This parameter can be used to specify the page number and size the client wants to query. No Object
page[number] The page to retrieve. No Integer
page[size] The number of objects per page; currently limited from 1 to 100. Default: 25 No Integer

Get Balance

Query the current balance for a program

curl "https://api.hackerone.com/v1/programs/13/billing/balance" \
  -u "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ="

Example response (200 OK)

{
  "data": {
    "balance": "12000.00"
  }
}

This API endpoint allows a user to retrieve the current balance of the program.

Required permission: Program Management. You can manage the permissions of your API users through your program's settings. Insufficient permissions will result in a 403 Forbidden response.

HTTP Request

GET https://api.hackerone.com/v1/programs/{id}/billing/balance

URI Parameters

Name Description Required Type
id The ID of the program. Yes Integer

Get Payment Transactions

Query payment transactions for a program

curl "https://api.hackerone.com/v1/programs/13/billing/transactions?month=9&year=2019" \
  -u "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ="

Example response (200 OK)

{
  "data": [
    {
      "id": 10,
      "activity_date": "2019-09-25T04:22:42.686Z",
      "activity_description": "Bounty for report #9",
      "bounty_award": "1000.00",
      "bounty_fee": "200.00",
      "debit_or_credit_amount": "-1200.00",
      "balance": "-1200.00",
      "report_id": 9,
      "report_url": "http://hackerone.com/reports/9"
    }
  ]
}

This API endpoint allows a user to retrieve a list of the program's payment transactions for the selected period. When the request is successful, the API will respond with paginated payment transaction objects of the provided program.

Required permission: Program Management. You can manage the permissions of your API users through your program's settings. Insufficient permissions will result in a 403 Forbidden response.

HTTP Request

GET https://api.hackerone.com/v1/programs/{id}/billing/transactions

URI Parameters

Name Description Required Type
id The ID of the program. Yes Integer

Query Parameters

Name Description Required Type
month The month of the transaction period. Default: the current month No Integer
year The year of the transaction period. Default: the current year No Integer

Users

Get User

Read a user

curl "https://api.hackerone.com/v1/users/fransrosen" \
  -u "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ="

Example response (200 OK)

{
  "id": "1634",
  "username": "fransrosen",
  "name": "Frans Rosén",
  "reputation": 1337,
  "disabled": false,
  "signal": 7.0,
  "impact": 30.0,
  "created_at": "2015-13-37T04:05:06.000Z",
  "participating_programs": {
     "data": [{
       "id": "1337",
       "type":"program",
       "attributes": {
         "handle": "security",
         "created_at": "2014-13-37T04:05:06.000Z",
         "updated_at": "2014-13-37T04:05:06.000Z"
       }
      }]
  }
}

A user object can be fetched by providing the username of the given user. When the request is successful, the API will respond with a user object.

HTTP Request

GET https://api.hackerone.com/v1/users/{username}

URI Parameters

Name Description Required Type
username The HackerOne username of the user. Yes String