Core Resources
Activities
Query Activities
Code samples
# You can also use wget
curl "https://api.hackerone.com/v1/incremental/activities?handle=string" \
-X GET \
-u "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=" \
-H 'Accept: application/json'
import requests
headers = {
'Accept': 'application/json'
}
r = requests.get(
'https://api.hackerone.com/v1/incremental/activities',
auth=('api_example_company', 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ='),
params={
'handle': 'string'
},
headers = headers
)
print(r.json())
require 'rest-client'
require 'json'
headers = {
'Accept' => 'application/json'
}
result = RestClient::Request.execute(
method: :get,
url: 'https://api.hackerone.com/v1/incremental/activities',
password: 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=',
user: 'api_example_company',
headers: headers
)
p JSON.parse(result)
URL obj = new URL("https://api.hackerone.com/v1/incremental/activities?handle=string");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
String userCredentials = "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);
con.setRequestMethod("GET");
try(BufferedReader br = new BufferedReader(
new InputStreamReader(con.getInputStream(), "utf-8"))) {
StringBuilder response = new StringBuilder();
String responseLine = null;
while ((responseLine = br.readLine()) != null) {
response.append(responseLine.trim());
}
System.out.println(response.toString());
}
let user = 'api_example_company';
let password = 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
headers.set('Accept', 'application/json');
fetch('https://api.hackerone.com/v1/incremental/activities?handle=string',
{
method: 'GET',
headers: headers
})
.then(function(res) {
return res.json();
}).then(function(body) {
console.log(body);
});
package main
import (
"io/ioutil"
"log"
"net/http"
)
func main() {
headers := map[string][]string{
"Accept": []string{"application/json"},
}
req, err := http.NewRequest("GET", "https://api.hackerone.com/v1/incremental/activities", nil)
req.Header = headers
req.SetBasicAuth("api_example_company", "Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=")
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
body, _ := ioutil.ReadAll(resp.Body)
log.Println(string(body))
}
200 Response
{
"data": [
{
"type": "activity-bug-filed",
"id": "1337",
"attributes": {
"report_id": "99900",
"message": "",
"created_at": "2016-02-02T04:05:06.000Z",
"updated_at": "2017-02-02T04:05:06.000Z",
"internal": false
},
"relationships": {
"actor": {
"data": {
"type": "user",
"id": "7331",
"attributes": {
"username": "api-example",
"name": "API Example",
"disabled": false,
"created_at": "2016-02-02T04:05:06.000Z",
"profile_picture": {
"62x62": "/assets/avatars/default.png",
"82x82": "/assets/avatars/default.png",
"110x110": "/assets/avatars/default.png",
"260x260": "/assets/avatars/default.png"
}
}
}
}
}
}
],
"meta": {
"max_updated_at": "2017-02-02T04:05:06.000Z"
},
"links": {
"self": "https://api.hackerone.com/v1/incremental/activities?handle=acme&page%5Bsize%5D=1",
"next": "https://api.hackerone.com/v1/incremental/activities?handle=acme&page%5Bsize%5D=1&page%5Bnumber%5D=2",
"last": "https://api.hackerone.com/v1/incremental/activities?handle=acme&page%5Bsize%5D=1&page%5Bnumber%5D=20"
}
}
GET /incremental/activities
This endpoint allows you to fetch all activities of your program incrementally by time.
This endpoint is used to:
- Detect a new report or a new activity on a report using a single endpoint.
- Be able to take actions on reports based on user activity. For example, automatically assigning a report after triaging.
- Monitor activities on a program.
The next section will give an overview of what an Activity object looks like. The sections after that will show the endpoints that have been implemented for this resource.
Note: The request URL path is /incremental/activities. When the request is successful, the API will respond with paginated activity objects ordered by updated date.
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| handle | query | string | true | The HackerOne handle of the program with activities you wish to retrieve. |
| updated_at_after | query | string | false | A datetime encoded as a string. Used to indicate what cut-off date to use when retrieving activities. When not provided, no filtering is applied and all activities will be retrieved. |
| page[number] | query | any | false | The page to retrieve from. |
| page[size] | query | any | false | The number of objects per page (currently limited from 1 to 100). |
Programs
Get Your Programs
Code samples
# You can also use wget
curl "https://api.hackerone.com/v1/me/programs" \
-X GET \
-u "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=" \
-H 'Accept: application/json'
import requests
headers = {
'Accept': 'application/json'
}
r = requests.get(
'https://api.hackerone.com/v1/me/programs',
auth=('api_example_company', 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ='),
headers = headers
)
print(r.json())
require 'rest-client'
require 'json'
headers = {
'Accept' => 'application/json'
}
result = RestClient::Request.execute(
method: :get,
url: 'https://api.hackerone.com/v1/me/programs',
password: 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=',
user: 'api_example_company',
headers: headers
)
p JSON.parse(result)
URL obj = new URL("https://api.hackerone.com/v1/me/programs");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
String userCredentials = "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);
con.setRequestMethod("GET");
try(BufferedReader br = new BufferedReader(
new InputStreamReader(con.getInputStream(), "utf-8"))) {
StringBuilder response = new StringBuilder();
String responseLine = null;
while ((responseLine = br.readLine()) != null) {
response.append(responseLine.trim());
}
System.out.println(response.toString());
}
let user = 'api_example_company';
let password = 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
headers.set('Accept', 'application/json');
fetch('https://api.hackerone.com/v1/me/programs',
{
method: 'GET',
headers: headers
})
.then(function(res) {
return res.json();
}).then(function(body) {
console.log(body);
});
package main
import (
"io/ioutil"
"log"
"net/http"
)
func main() {
headers := map[string][]string{
"Accept": []string{"application/json"},
}
req, err := http.NewRequest("GET", "https://api.hackerone.com/v1/me/programs", nil)
req.Header = headers
req.SetBasicAuth("api_example_company", "Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=")
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
body, _ := ioutil.ReadAll(resp.Body)
log.Println(string(body))
}
200 Response
{
"data": [
{
"id": "1",
"type": "program",
"attributes": {
"handle": "security",
"created_at": "2017-01-01T08:00:00.000Z",
"updated_at": "2017-02-17T04:34:15.910Z"
}
}
],
"links": {}
}
GET /me/programs
This API endpoint allows you to query the program objects that you
are a member of.
The groups and members relationships are not included in the response.
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| page[number] | query | any | false | The page to retrieve from. |
| page[size] | query | any | false | The number of objects per page (currently limited from 1 to 100). |
Get Audit Log
Code samples
# You can also use wget
curl "https://api.hackerone.com/v1/programs/{id}/audit_log" \
-X GET \
-u "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=" \
-H 'Accept: application/json'
import requests
headers = {
'Accept': 'application/json'
}
r = requests.get(
'https://api.hackerone.com/v1/programs/{id}/audit_log',
auth=('api_example_company', 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ='),
headers = headers
)
print(r.json())
require 'rest-client'
require 'json'
headers = {
'Accept' => 'application/json'
}
result = RestClient::Request.execute(
method: :get,
url: 'https://api.hackerone.com/v1/programs/{id}/audit_log',
password: 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=',
user: 'api_example_company',
headers: headers
)
p JSON.parse(result)
URL obj = new URL("https://api.hackerone.com/v1/programs/{id}/audit_log");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
String userCredentials = "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);
con.setRequestMethod("GET");
try(BufferedReader br = new BufferedReader(
new InputStreamReader(con.getInputStream(), "utf-8"))) {
StringBuilder response = new StringBuilder();
String responseLine = null;
while ((responseLine = br.readLine()) != null) {
response.append(responseLine.trim());
}
System.out.println(response.toString());
}
let user = 'api_example_company';
let password = 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
headers.set('Accept', 'application/json');
fetch('https://api.hackerone.com/v1/programs/{id}/audit_log',
{
method: 'GET',
headers: headers
})
.then(function(res) {
return res.json();
}).then(function(body) {
console.log(body);
});
package main
import (
"io/ioutil"
"log"
"net/http"
)
func main() {
headers := map[string][]string{
"Accept": []string{"application/json"},
}
req, err := http.NewRequest("GET", "https://api.hackerone.com/v1/programs/{id}/audit_log", nil)
req.Header = headers
req.SetBasicAuth("api_example_company", "Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=")
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
body, _ := ioutil.ReadAll(resp.Body)
log.Println(string(body))
}
200 Response
{
"data": {
"id": "1",
"type": "audit-log-item",
"attributes": {
"log": "\"@member\" invited \"someone@example.com\".",
"event": "invitations.team_members.create",
"source": "User#1",
"subject": "Invitation#1",
"user_agent": "Chrome/11.0",
"country": "US",
"parameters": "{\"identifier\":\"jobert\"}",
"created_at": "2019-05-15T04:05:06.000Z"
}
}
}
GET /programs/{id}/audit_log
Returns a paginated list of the audit log items of the provided program.
This API endpoint allows a user to view all audit log items that have been created for
a particular program.
Required permissions: Program Management. You can view audit log items and
manage the permissions of your API users through your program's settings. Insufficient
permissions will result in a 403 Forbidden response.
Note: This feature is currently in beta and has not been enabled for all programs.
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| id | path | integer | true | The ID of the program. |
| page[number] | query | any | false | The page to retrieve from. |
| page[size] | query | any | false | The number of objects per page (currently limited from 1 to 100). |
Get Your Programs Balance
Code samples
# You can also use wget
curl "https://api.hackerone.com/v1/programs/{id}/billing/balance" \
-X GET \
-u "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=" \
-H 'Accept: application/json'
import requests
headers = {
'Accept': 'application/json'
}
r = requests.get(
'https://api.hackerone.com/v1/programs/{id}/billing/balance',
auth=('api_example_company', 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ='),
headers = headers
)
print(r.json())
require 'rest-client'
require 'json'
headers = {
'Accept' => 'application/json'
}
result = RestClient::Request.execute(
method: :get,
url: 'https://api.hackerone.com/v1/programs/{id}/billing/balance',
password: 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=',
user: 'api_example_company',
headers: headers
)
p JSON.parse(result)
URL obj = new URL("https://api.hackerone.com/v1/programs/{id}/billing/balance");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
String userCredentials = "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);
con.setRequestMethod("GET");
try(BufferedReader br = new BufferedReader(
new InputStreamReader(con.getInputStream(), "utf-8"))) {
StringBuilder response = new StringBuilder();
String responseLine = null;
while ((responseLine = br.readLine()) != null) {
response.append(responseLine.trim());
}
System.out.println(response.toString());
}
let user = 'api_example_company';
let password = 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
headers.set('Accept', 'application/json');
fetch('https://api.hackerone.com/v1/programs/{id}/billing/balance',
{
method: 'GET',
headers: headers
})
.then(function(res) {
return res.json();
}).then(function(body) {
console.log(body);
});
package main
import (
"io/ioutil"
"log"
"net/http"
)
func main() {
headers := map[string][]string{
"Accept": []string{"application/json"},
}
req, err := http.NewRequest("GET", "https://api.hackerone.com/v1/programs/{id}/billing/balance", nil)
req.Header = headers
req.SetBasicAuth("api_example_company", "Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=")
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
body, _ := ioutil.ReadAll(resp.Body)
log.Println(string(body))
}
200 Response
{
"data": {
"id": "1337",
"type": "program-balance",
"attributes": {
"balance": "1500.00"
}
}
}
GET /programs/{id}/billing/balance
This API endpoint allows a user to retrieve the current balance for a particular program.
Required permissions: Program Management. You can manage the permissions of your API users through your program's settings. Insufficient permissions will result in a 403 Forbidden response.
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| id | path | integer | true | The ID of the program. |
Get Payment Transactions
Code samples
# You can also use wget
curl "https://api.hackerone.com/v1/programs/{id}/billing/transactions" \
-X GET \
-u "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=" \
-H 'Accept: application/json'
import requests
headers = {
'Accept': 'application/json'
}
r = requests.get(
'https://api.hackerone.com/v1/programs/{id}/billing/transactions',
auth=('api_example_company', 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ='),
headers = headers
)
print(r.json())
require 'rest-client'
require 'json'
headers = {
'Accept' => 'application/json'
}
result = RestClient::Request.execute(
method: :get,
url: 'https://api.hackerone.com/v1/programs/{id}/billing/transactions',
password: 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=',
user: 'api_example_company',
headers: headers
)
p JSON.parse(result)
URL obj = new URL("https://api.hackerone.com/v1/programs/{id}/billing/transactions");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
String userCredentials = "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);
con.setRequestMethod("GET");
try(BufferedReader br = new BufferedReader(
new InputStreamReader(con.getInputStream(), "utf-8"))) {
StringBuilder response = new StringBuilder();
String responseLine = null;
while ((responseLine = br.readLine()) != null) {
response.append(responseLine.trim());
}
System.out.println(response.toString());
}
let user = 'api_example_company';
let password = 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
headers.set('Accept', 'application/json');
fetch('https://api.hackerone.com/v1/programs/{id}/billing/transactions',
{
method: 'GET',
headers: headers
})
.then(function(res) {
return res.json();
}).then(function(body) {
console.log(body);
});
package main
import (
"io/ioutil"
"log"
"net/http"
)
func main() {
headers := map[string][]string{
"Accept": []string{"application/json"},
}
req, err := http.NewRequest("GET", "https://api.hackerone.com/v1/programs/{id}/billing/transactions", nil)
req.Header = headers
req.SetBasicAuth("api_example_company", "Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=")
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
body, _ := ioutil.ReadAll(resp.Body)
log.Println(string(body))
}
200 Response
{
"id": 10,
"bounty_award": "1000.00",
"bounty_fee": "200.00",
"activity_date": "2019-09-25T04:22:42.686Z",
"activity_description": "Bounty for report #9",
"report_id": 9,
"report_url": "http://hackerone.com/reports/9",
"debit_or_credit_amount": "-1200.00",
"balance": "-1200.00"
}
GET /programs/{id}/billing/transactions
This API endpoint enables a user to retrieve program's list of payment transactions for
the selected period. When the request is successful, the API will respond with paginated
payment transaction objects of the provided program.
Required permissions: Program Management. You can manage the permissions of your API users through your program's settings. Insufficient permissions will result in a 403 Forbidden response.
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| id | path | integer | true | The ID of the program. |
| month | query | integer | false | The month of the transaction period. The default is set to the current month. |
| year | query | integer | false | The year of the transaction period. The default is set to the current year. |
Award Bounty
Code samples
# You can also use wget
curl "https://api.hackerone.com/v1/programs/{id}/bounties" \
-X POST \
-u "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=" \
-H 'Content-Type: application/json' \
-H 'Accept: application/json' \
-d @- <<EOD
{
"data": {
"type": "bounty",
"attributes": {
"recipient": "string",
"amount": 0,
"reference": "string",
"title": "string",
"currency": "USD",
"severity_rating": "none"
}
}
}
EOD
import requests
headers = {
'Content-Type': 'application/json',
'Accept': 'application/json'
}
data = {
"data": {
"type": "bounty",
"attributes": {
"recipient": "string",
"amount": 0,
"reference": "string",
"title": "string",
"currency": "USD",
"severity_rating": "none"
}
}
}
r = requests.post(
'https://api.hackerone.com/v1/programs/{id}/bounties',
auth=('api_example_company', 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ='),
json = data,
headers = headers
)
print(r.json())
require 'rest-client'
require 'json'
headers = {
'Content-Type' => 'application/json',
'Accept' => 'application/json'
}
data = {
"data": {
"type": "bounty",
"attributes": {
"recipient": "string",
"amount": 0,
"reference": "string",
"title": "string",
"currency": "USD",
"severity_rating": "none"
}
}
}
result = RestClient::Request.execute(
method: :post,
url: 'https://api.hackerone.com/v1/programs/{id}/bounties',
password: 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=',
user: 'api_example_company',
payload: data,
headers: headers
)
p JSON.parse(result)
URL obj = new URL("https://api.hackerone.com/v1/programs/{id}/bounties");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
String userCredentials = "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);
con.setRequestMethod("POST");
con.setRequestProperty("Content-Type", "application/json; utf-8");
con.setRequestProperty("Accept", "application/json");
con.setDoOutput(true);
String jsonInputString = "{\n \"data\": {\n \"type\": \"bounty\",\n \"attributes\": {\n \"recipient\": \"string\",\n \"amount\": 0,\n \"reference\": \"string\",\n \"title\": \"string\",\n \"currency\": \"USD\",\n \"severity_rating\": \"none\"\n }\n }\n}";
try(OutputStream os = con.getOutputStream()) {
byte[] input = jsonInputString.getBytes("utf-8");
os.write(input, 0, input.length);
}
try(BufferedReader br = new BufferedReader(
new InputStreamReader(con.getInputStream(), "utf-8"))) {
StringBuilder response = new StringBuilder();
String responseLine = null;
while ((responseLine = br.readLine()) != null) {
response.append(responseLine.trim());
}
System.out.println(response.toString());
}
let inputBody = "{\n \"data\": {\n \"type\": \"bounty\",\n \"attributes\": {\n \"recipient\": \"string\",\n \"amount\": 0,\n \"reference\": \"string\",\n \"title\": \"string\",\n \"currency\": \"USD\",\n \"severity_rating\": \"none\"\n }\n }\n}";
let user = 'api_example_company';
let password = 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
headers.set('Content-Type', 'application/json'); headers.set('Accept', 'application/json');
fetch('https://api.hackerone.com/v1/programs/{id}/bounties',
{
method: 'POST',
body: inputBody,
headers: headers
})
.then(function(res) {
return res.json();
}).then(function(body) {
console.log(body);
});
package main
import (
"bytes"
"io/ioutil"
"log"
"net/http"
)
func main() {
headers := map[string][]string{
"Content-Type": []string{"application/json"},
"Accept": []string{"application/json"},
}
data := bytes.NewBuffer([]byte(`"{\n \"data\": {\n \"type\": \"bounty\",\n \"attributes\": {\n \"recipient\": \"string\",\n \"amount\": 0,\n \"reference\": \"string\",\n \"title\": \"string\",\n \"currency\": \"USD\",\n \"severity_rating\": \"none\"\n }\n }\n}"`))
req, err := http.NewRequest("POST", "https://api.hackerone.com/v1/programs/{id}/bounties", data)
req.Header = headers
req.SetBasicAuth("api_example_company", "Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=")
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
body, _ := ioutil.ReadAll(resp.Body)
log.Println(string(body))
}
201 Response
{
"data": {
"id": "1",
"type": "bounty",
"attributes": {
"amount": "100.00",
"bonus_amount": "0.00",
"awarded_amount": "100.00",
"awarded_bonus_amount": "0.00",
"awarded_currency": "USD",
"created_at": "2017-02-14T23:07:24.252Z",
"invitations": [
{
"id": "10",
"recipient": "hacker@hackerone.com",
"claim_url": "https://hackerone.com/invitations/3fe0a8badea0023c2fcca5c860d5899e"
}
]
}
}
}
POST /programs/{id}/bounties
Use this endpoint to award a bounty. When the API call is successful,
a bounty object will be returned.
Required permissions: Reward Management. You can manage the permissions of your API users through your program's settings. Insufficient permissions will result in a 403 Forbidden response.
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| id | path | integer | true | The ID of the program. |
| data | body | object | true | The information required to create a bounty. |
| » type | body | string | true | none |
| » attributes | body | object | true | none |
| »» recipient | body | string | false | The email address of the recipient. |
| »» amount | body | number | true | The bounty amount to be awarded. |
| »» reference | body | string | true | An internal reference attached to the report that makes searching or filtering in the future easy. |
| »» title | body | string | true | The title of the security vulnerability that was reported to you. |
| »» currency | body | string | true | none |
| »» severity_rating | body | severity-ratings | false | none |
Detailed descriptions
»» recipient: The email address of the recipient.
When the email address is provided, an email will be sent to the recipient to claim the bounty. When the email address is not provided, you can use the claim URL in the response to notify the recipient yourself. When the user does not have an account yet with HackerOne, they'll be onboarded before they can claim the reward. Users that already have an account, will benefit from collecting the payout easily through HackerOne and will get additional reputation points to showcase on their HackerOne profile.
Enumerated Values
| Parameter | Value |
|---|---|
| » type | bounty |
| »» currency | USD |
| »» severity_rating | none |
| »» severity_rating | low |
| »» severity_rating | medium |
| »» severity_rating | high |
| »» severity_rating | critical |
Get Common Responses
Code samples
# You can also use wget
curl "https://api.hackerone.com/v1/programs/{id}/common_responses" \
-X GET \
-u "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=" \
-H 'Accept: application/json'
import requests
headers = {
'Accept': 'application/json'
}
r = requests.get(
'https://api.hackerone.com/v1/programs/{id}/common_responses',
auth=('api_example_company', 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ='),
headers = headers
)
print(r.json())
require 'rest-client'
require 'json'
headers = {
'Accept' => 'application/json'
}
result = RestClient::Request.execute(
method: :get,
url: 'https://api.hackerone.com/v1/programs/{id}/common_responses',
password: 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=',
user: 'api_example_company',
headers: headers
)
p JSON.parse(result)
URL obj = new URL("https://api.hackerone.com/v1/programs/{id}/common_responses");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
String userCredentials = "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);
con.setRequestMethod("GET");
try(BufferedReader br = new BufferedReader(
new InputStreamReader(con.getInputStream(), "utf-8"))) {
StringBuilder response = new StringBuilder();
String responseLine = null;
while ((responseLine = br.readLine()) != null) {
response.append(responseLine.trim());
}
System.out.println(response.toString());
}
let user = 'api_example_company';
let password = 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
headers.set('Accept', 'application/json');
fetch('https://api.hackerone.com/v1/programs/{id}/common_responses',
{
method: 'GET',
headers: headers
})
.then(function(res) {
return res.json();
}).then(function(body) {
console.log(body);
});
package main
import (
"io/ioutil"
"log"
"net/http"
)
func main() {
headers := map[string][]string{
"Accept": []string{"application/json"},
}
req, err := http.NewRequest("GET", "https://api.hackerone.com/v1/programs/{id}/common_responses", nil)
req.Header = headers
req.SetBasicAuth("api_example_company", "Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=")
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
body, _ := ioutil.ReadAll(resp.Body)
log.Println(string(body))
}
200 Response
{
"data": [
{
"id": "108878",
"attributes": {
"title": "Vulnerability Scanner False Positive",
"message": "Automated vulnerability scanners commonly have low priority issues and/or false positives. Before submitting the results from a scanner, please take a moment to confirm that the reported issues are actually valid and exploitable. Please reply if you have a working proof-of-concept or reason to believe that this issue is exploitable.\n"
}
},
{
"id": "108886",
"attributes": {
"title": "X-XSS-Protection",
"message": "Automated vulnerability scanners commonly have low priority issues and/or false positives. Before submitting the results from a scanner, please take a moment to confirm that the reported issues are actually valid and exploitable. In this specific case, we believe that the default state of the `X-XSS-Protection` header is sufficient for our purposes. Please reply if you have a working proof-of-concept that could be mitigated by an adjustment to our header.\n"
}
},
{
"id": "108891",
"attributes": {
"title": "Video Without Content",
"message": "Using a video to demonstrate a potential issue should only be necessary in rare situations and should always be accompanied with a text description of the issue as well. Please update this report with step-by-step instructions to reproduce the core components of the issue. If you don't speak English, feel free to leave your report in your own language, and we'll try our best to find someone who can help translate.\n"
}
}
],
"links": {}
}
GET /programs/{id}/common_responses
Common responses can be fetched by sending a GET request to the common responses endpoint. When the request is successful, the API will respond with paginated common responses.
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| id | path | integer | true | The ID of the program. |
| page[number] | query | any | false | The page to retrieve from. |
| page[size] | query | any | false | The number of objects per page (currently limited from 1 to 100). |
Upload Policy Attachments
Code samples
# You can also use wget
curl "https://api.hackerone.com/v1/programs/{id}/policy_attachments" \
-X POST \
-u "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=" \
-H 'Accept: application/json'
import requests
headers = {
'Accept': 'application/json'
}
r = requests.post(
'https://api.hackerone.com/v1/programs/{id}/policy_attachments',
auth=('api_example_company', 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ='),
headers = headers
)
print(r.json())
require 'rest-client'
require 'json'
headers = {
'Accept' => 'application/json'
}
result = RestClient::Request.execute(
method: :post,
url: 'https://api.hackerone.com/v1/programs/{id}/policy_attachments',
password: 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=',
user: 'api_example_company',
headers: headers
)
p JSON.parse(result)
URL obj = new URL("https://api.hackerone.com/v1/programs/{id}/policy_attachments");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
String userCredentials = "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);
con.setRequestMethod("POST");
try(BufferedReader br = new BufferedReader(
new InputStreamReader(con.getInputStream(), "utf-8"))) {
StringBuilder response = new StringBuilder();
String responseLine = null;
while ((responseLine = br.readLine()) != null) {
response.append(responseLine.trim());
}
System.out.println(response.toString());
}
let user = 'api_example_company';
let password = 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
headers.set('Accept', 'application/json');
fetch('https://api.hackerone.com/v1/programs/{id}/policy_attachments',
{
method: 'POST',
headers: headers
})
.then(function(res) {
return res.json();
}).then(function(body) {
console.log(body);
});
package main
import (
"io/ioutil"
"log"
"net/http"
)
func main() {
headers := map[string][]string{
"Accept": []string{"application/json"},
}
req, err := http.NewRequest("POST", "https://api.hackerone.com/v1/programs/{id}/policy_attachments", nil)
req.Header = headers
req.SetBasicAuth("api_example_company", "Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=")
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
body, _ := ioutil.ReadAll(resp.Body)
log.Println(string(body))
}
200 Response
{
"id": "1337",
"type": "attachment",
"attributes": {
"expiring_url": "/system/attachments/files/000/001/337/original/root.rb?1454385906",
"created_at": "2016-02-02T04:05:06.000Z",
"file_name": "root.rb",
"content_type": "text/x-ruby",
"file_size": 2871
}
}
POST /programs/{id}/policy_attachments
Policy attachments can be uploaded by sending a POST request to the program policy
attachments endpoint. When the API call is successful, an attachment
object will be returned.
You can use the attachment ID to display the attachment on your policy page. For example,
if the attachment ID is 1337, then include {F1337} in your policy to display the
attachment.
Required permissions: Program Management. You can manage the permissions of your API users through your program's settings. Insufficient permissions will result in a 404 Not Found response.
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| id | path | integer | true | The ID of the program. |
Update Policy
Code samples
# You can also use wget
curl "https://api.hackerone.com/v1/programs/{id}/policy" \
-X PUT \
-u "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=" \
-H 'Content-Type: application/json' \
-H 'Accept: application/json' \
-d @- <<EOD
{
"data": {
"type": "program-policy",
"attributes": {
"policy": "string"
}
}
}
EOD
import requests
headers = {
'Content-Type': 'application/json',
'Accept': 'application/json'
}
data = {
"data": {
"type": "program-policy",
"attributes": {
"policy": "string"
}
}
}
r = requests.put(
'https://api.hackerone.com/v1/programs/{id}/policy',
auth=('api_example_company', 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ='),
json = data,
headers = headers
)
print(r.json())
require 'rest-client'
require 'json'
headers = {
'Content-Type' => 'application/json',
'Accept' => 'application/json'
}
data = {
"data": {
"type": "program-policy",
"attributes": {
"policy": "string"
}
}
}
result = RestClient::Request.execute(
method: :put,
url: 'https://api.hackerone.com/v1/programs/{id}/policy',
password: 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=',
user: 'api_example_company',
payload: data,
headers: headers
)
p JSON.parse(result)
URL obj = new URL("https://api.hackerone.com/v1/programs/{id}/policy");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
String userCredentials = "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);
con.setRequestMethod("PUT");
con.setRequestProperty("Content-Type", "application/json; utf-8");
con.setRequestProperty("Accept", "application/json");
con.setDoOutput(true);
String jsonInputString = "{\n \"data\": {\n \"type\": \"program-policy\",\n \"attributes\": {\n \"policy\": \"string\"\n }\n }\n}";
try(OutputStream os = con.getOutputStream()) {
byte[] input = jsonInputString.getBytes("utf-8");
os.write(input, 0, input.length);
}
try(BufferedReader br = new BufferedReader(
new InputStreamReader(con.getInputStream(), "utf-8"))) {
StringBuilder response = new StringBuilder();
String responseLine = null;
while ((responseLine = br.readLine()) != null) {
response.append(responseLine.trim());
}
System.out.println(response.toString());
}
let inputBody = "{\n \"data\": {\n \"type\": \"program-policy\",\n \"attributes\": {\n \"policy\": \"string\"\n }\n }\n}";
let user = 'api_example_company';
let password = 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
headers.set('Content-Type', 'application/json'); headers.set('Accept', 'application/json');
fetch('https://api.hackerone.com/v1/programs/{id}/policy',
{
method: 'PUT',
body: inputBody,
headers: headers
})
.then(function(res) {
return res.json();
}).then(function(body) {
console.log(body);
});
package main
import (
"bytes"
"io/ioutil"
"log"
"net/http"
)
func main() {
headers := map[string][]string{
"Content-Type": []string{"application/json"},
"Accept": []string{"application/json"},
}
data := bytes.NewBuffer([]byte(`"{\n \"data\": {\n \"type\": \"program-policy\",\n \"attributes\": {\n \"policy\": \"string\"\n }\n }\n}"`))
req, err := http.NewRequest("PUT", "https://api.hackerone.com/v1/programs/{id}/policy", data)
req.Header = headers
req.SetBasicAuth("api_example_company", "Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=")
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
body, _ := ioutil.ReadAll(resp.Body)
log.Println(string(body))
}
200 Response
{
"data": {
"id": "12",
"type": "program",
"attributes": {
"handle": "security",
"policy": "...",
"created_at": "2013-01-01T00:00:00.000Z",
"updated_at": "2019-08-26T13:53:24.807Z"
}
}
}
PUT /programs/{id}/policy
Managing the policy of a program through the HackerOne API can be useful to programmatically batch update programs in HackerOne. You can use this endpoint to update the policy of your program.
Required permissions: Program Management. You can manage the permissions of your API users through your program's settings. Insufficient permissions will result in a 404 Not Found response.
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| id | path | integer | true | The ID of the program. |
| data | body | object | true | The information to update the policy of a program. |
| » type | body | string | true | none |
| » attributes | body | object | true | none |
| »» policy | body | string | true | The new policy that will be set on the program. |
Enumerated Values
| Parameter | Value |
|---|---|
| » type | program-policy |
Get Reporters
Code samples
# You can also use wget
curl "https://api.hackerone.com/v1/programs/{id}/reporters" \
-X GET \
-u "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=" \
-H 'Accept: application/json'
import requests
headers = {
'Accept': 'application/json'
}
r = requests.get(
'https://api.hackerone.com/v1/programs/{id}/reporters',
auth=('api_example_company', 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ='),
headers = headers
)
print(r.json())
require 'rest-client'
require 'json'
headers = {
'Accept' => 'application/json'
}
result = RestClient::Request.execute(
method: :get,
url: 'https://api.hackerone.com/v1/programs/{id}/reporters',
password: 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=',
user: 'api_example_company',
headers: headers
)
p JSON.parse(result)
URL obj = new URL("https://api.hackerone.com/v1/programs/{id}/reporters");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
String userCredentials = "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);
con.setRequestMethod("GET");
try(BufferedReader br = new BufferedReader(
new InputStreamReader(con.getInputStream(), "utf-8"))) {
StringBuilder response = new StringBuilder();
String responseLine = null;
while ((responseLine = br.readLine()) != null) {
response.append(responseLine.trim());
}
System.out.println(response.toString());
}
let user = 'api_example_company';
let password = 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
headers.set('Accept', 'application/json');
fetch('https://api.hackerone.com/v1/programs/{id}/reporters',
{
method: 'GET',
headers: headers
})
.then(function(res) {
return res.json();
}).then(function(body) {
console.log(body);
});
package main
import (
"io/ioutil"
"log"
"net/http"
)
func main() {
headers := map[string][]string{
"Accept": []string{"application/json"},
}
req, err := http.NewRequest("GET", "https://api.hackerone.com/v1/programs/{id}/reporters", nil)
req.Header = headers
req.SetBasicAuth("api_example_company", "Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=")
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
body, _ := ioutil.ReadAll(resp.Body)
log.Println(string(body))
}
200 Response
{
"data": [
{
"id": "1337",
"type": "user",
"attributes": {
"username": "awesome-hacker",
"name": "Awesome Hacker",
"disabled": false,
"created_at": "2016-02-02T04:05:06.000Z",
"profile_picture": {
"62x62": "/assets/avatars/default.png",
"82x82": "/assets/avatars/default.png",
"110x110": "/assets/avatars/default.png",
"260x260": "/assets/avatars/default.png"
}
}
}
],
"links": {}
}
GET /programs/{id}/reporters
This resource allows you to retrieve a list of all users that ever
submitted a report to the program.
Multiple user objects can be queried by sending a GET request to the reporters endpoint. When the request is successful, the API will respond with paginated user objects.
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| id | path | integer | true | The ID of the program. |
| page[number] | query | any | false | The page to retrieve from. |
| page[size] | query | any | false | The number of objects per page (currently limited from 1 to 100). |
Get Structured Scopes
Code samples
# You can also use wget
curl "https://api.hackerone.com/v1/programs/{id}/structured_scopes" \
-X GET \
-u "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=" \
-H 'Accept: application/json'
import requests
headers = {
'Accept': 'application/json'
}
r = requests.get(
'https://api.hackerone.com/v1/programs/{id}/structured_scopes',
auth=('api_example_company', 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ='),
headers = headers
)
print(r.json())
require 'rest-client'
require 'json'
headers = {
'Accept' => 'application/json'
}
result = RestClient::Request.execute(
method: :get,
url: 'https://api.hackerone.com/v1/programs/{id}/structured_scopes',
password: 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=',
user: 'api_example_company',
headers: headers
)
p JSON.parse(result)
URL obj = new URL("https://api.hackerone.com/v1/programs/{id}/structured_scopes");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
String userCredentials = "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);
con.setRequestMethod("GET");
try(BufferedReader br = new BufferedReader(
new InputStreamReader(con.getInputStream(), "utf-8"))) {
StringBuilder response = new StringBuilder();
String responseLine = null;
while ((responseLine = br.readLine()) != null) {
response.append(responseLine.trim());
}
System.out.println(response.toString());
}
let user = 'api_example_company';
let password = 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
headers.set('Accept', 'application/json');
fetch('https://api.hackerone.com/v1/programs/{id}/structured_scopes',
{
method: 'GET',
headers: headers
})
.then(function(res) {
return res.json();
}).then(function(body) {
console.log(body);
});
package main
import (
"io/ioutil"
"log"
"net/http"
)
func main() {
headers := map[string][]string{
"Accept": []string{"application/json"},
}
req, err := http.NewRequest("GET", "https://api.hackerone.com/v1/programs/{id}/structured_scopes", nil)
req.Header = headers
req.SetBasicAuth("api_example_company", "Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=")
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
body, _ := ioutil.ReadAll(resp.Body)
log.Println(string(body))
}
200 Response
{
"data": [
{
"id": "57",
"type": "structured-scope",
"attributes": {
"asset_identifier": "api.example.com",
"asset_type": "URL",
"confidentiality_requirement": "high",
"integrity_requirement": "high",
"availability_requirement": "high",
"max_severity": "critical",
"created_at": "2015-02-02T04:05:06.000Z",
"updated_at": "2016-05-02T04:05:06.000Z",
"instruction": null,
"eligible_for_bounty": true,
"eligible_for_submission": true,
"reference": "H001001"
}
},
{
"id": "58",
"type": "structured-scope",
"attributes": {
"asset_identifier": "www.example.com",
"asset_type": "URL",
"confidentiality_requirement": "low",
"integrity_requirement": "high",
"availability_requirement": "high",
"max_severity": "critical",
"created_at": "2017-02-03T04:05:10.000Z",
"updated_at": "2018-05-02T04:05:10.000Z",
"instruction": "Instruction text",
"eligible_for_bounty": true,
"eligible_for_submission": true,
"reference": "H001002"
}
}
],
"links": {}
}
GET /programs/{id}/structured_scopes
Structured scopes can be fetched by sending a GET request to the structured scopes endpoint. When the request is successful, the API will respond with paginated structured scope objects.
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| id | path | integer | true | The ID of the program. You can find the program ID by fetching your programs. |
| page[number] | query | any | false | The page to retrieve from. |
| page[size] | query | any | false | The number of objects per page (currently limited from 1 to 100). |
Add Structured Scope
Code samples
# You can also use wget
curl "https://api.hackerone.com/v1/programs/{id}/structured_scopes" \
-X POST \
-u "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=" \
-H 'Content-Type: application/json' \
-H 'Accept: application/json' \
-d @- <<EOD
{
"data": {
"type": "structured-scope",
"attributes": {
"asset_identifier": "string",
"asset_type": "CIDR",
"eligible_for_bounty": true,
"eligible_for_submission": true,
"instruction": "string",
"confidentiality_requirement": "none",
"integrity_requirement": "none",
"availability_requirement": "none",
"max_severity": "none",
"reference": "string"
}
}
}
EOD
import requests
headers = {
'Content-Type': 'application/json',
'Accept': 'application/json'
}
data = {
"data": {
"type": "structured-scope",
"attributes": {
"asset_identifier": "string",
"asset_type": "CIDR",
"eligible_for_bounty": true,
"eligible_for_submission": true,
"instruction": "string",
"confidentiality_requirement": "none",
"integrity_requirement": "none",
"availability_requirement": "none",
"max_severity": "none",
"reference": "string"
}
}
}
r = requests.post(
'https://api.hackerone.com/v1/programs/{id}/structured_scopes',
auth=('api_example_company', 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ='),
json = data,
headers = headers
)
print(r.json())
require 'rest-client'
require 'json'
headers = {
'Content-Type' => 'application/json',
'Accept' => 'application/json'
}
data = {
"data": {
"type": "structured-scope",
"attributes": {
"asset_identifier": "string",
"asset_type": "CIDR",
"eligible_for_bounty": true,
"eligible_for_submission": true,
"instruction": "string",
"confidentiality_requirement": "none",
"integrity_requirement": "none",
"availability_requirement": "none",
"max_severity": "none",
"reference": "string"
}
}
}
result = RestClient::Request.execute(
method: :post,
url: 'https://api.hackerone.com/v1/programs/{id}/structured_scopes',
password: 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=',
user: 'api_example_company',
payload: data,
headers: headers
)
p JSON.parse(result)
URL obj = new URL("https://api.hackerone.com/v1/programs/{id}/structured_scopes");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
String userCredentials = "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);
con.setRequestMethod("POST");
con.setRequestProperty("Content-Type", "application/json; utf-8");
con.setRequestProperty("Accept", "application/json");
con.setDoOutput(true);
String jsonInputString = "{\n \"data\": {\n \"type\": \"structured-scope\",\n \"attributes\": {\n \"asset_identifier\": \"string\",\n \"asset_type\": \"CIDR\",\n \"eligible_for_bounty\": true,\n \"eligible_for_submission\": true,\n \"instruction\": \"string\",\n \"confidentiality_requirement\": \"none\",\n \"integrity_requirement\": \"none\",\n \"availability_requirement\": \"none\",\n \"max_severity\": \"none\",\n \"reference\": \"string\"\n }\n }\n}";
try(OutputStream os = con.getOutputStream()) {
byte[] input = jsonInputString.getBytes("utf-8");
os.write(input, 0, input.length);
}
try(BufferedReader br = new BufferedReader(
new InputStreamReader(con.getInputStream(), "utf-8"))) {
StringBuilder response = new StringBuilder();
String responseLine = null;
while ((responseLine = br.readLine()) != null) {
response.append(responseLine.trim());
}
System.out.println(response.toString());
}
let inputBody = "{\n \"data\": {\n \"type\": \"structured-scope\",\n \"attributes\": {\n \"asset_identifier\": \"string\",\n \"asset_type\": \"CIDR\",\n \"eligible_for_bounty\": true,\n \"eligible_for_submission\": true,\n \"instruction\": \"string\",\n \"confidentiality_requirement\": \"none\",\n \"integrity_requirement\": \"none\",\n \"availability_requirement\": \"none\",\n \"max_severity\": \"none\",\n \"reference\": \"string\"\n }\n }\n}";
let user = 'api_example_company';
let password = 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
headers.set('Content-Type', 'application/json'); headers.set('Accept', 'application/json');
fetch('https://api.hackerone.com/v1/programs/{id}/structured_scopes',
{
method: 'POST',
body: inputBody,
headers: headers
})
.then(function(res) {
return res.json();
}).then(function(body) {
console.log(body);
});
package main
import (
"bytes"
"io/ioutil"
"log"
"net/http"
)
func main() {
headers := map[string][]string{
"Content-Type": []string{"application/json"},
"Accept": []string{"application/json"},
}
data := bytes.NewBuffer([]byte(`"{\n \"data\": {\n \"type\": \"structured-scope\",\n \"attributes\": {\n \"asset_identifier\": \"string\",\n \"asset_type\": \"CIDR\",\n \"eligible_for_bounty\": true,\n \"eligible_for_submission\": true,\n \"instruction\": \"string\",\n \"confidentiality_requirement\": \"none\",\n \"integrity_requirement\": \"none\",\n \"availability_requirement\": \"none\",\n \"max_severity\": \"none\",\n \"reference\": \"string\"\n }\n }\n}"`))
req, err := http.NewRequest("POST", "https://api.hackerone.com/v1/programs/{id}/structured_scopes", data)
req.Header = headers
req.SetBasicAuth("api_example_company", "Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=")
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
body, _ := ioutil.ReadAll(resp.Body)
log.Println(string(body))
}
201 Response
{
"id": "57",
"type": "structured-scope",
"attributes": {
"asset_identifier": "api.example.com",
"asset_type": "URL",
"confidentiality_requirement": "high",
"integrity_requirement": "high",
"availability_requirement": "high",
"max_severity": "critical",
"created_at": "2015-02-02T04:05:06.000Z",
"updated_at": "2016-05-02T04:05:06.000Z",
"instruction": null,
"eligible_for_bounty": true,
"eligible_for_submission": true,
"reference": "H001001"
}
}
POST /programs/{id}/structured_scopes
This endpoint can be used to add an asset to a program. When the API request is successful, a structured scope object will be returned. Please refer to our platform documentation to get more information on the different asset types.
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| id | path | integer | true | The ID of the program. You can find the program ID by fetching your programs. |
| data | body | object | true | The information to create a structured scope. |
| » type | body | string | true | none |
| » attributes | body | object | true | none |
| »» asset_identifier | body | string | true | The identifier of the asset. |
| »» asset_type | body | string | true | The type of asset. |
| »» eligible_for_bounty | body | boolean | false | The eligibility of the asset for bounties. |
| »» eligible_for_submission | body | boolean | false | If the asset is eligible for submission. |
| »» instruction | body | string | false | The raw instruction of the asset provided by the program. Markdown is not parsed. |
| »» confidentiality_requirement | body | string | false | A CVSS environmental modifier that reweighs Confidentiality Impact of a vulnerability on the asset. |
| »» integrity_requirement | body | string | false | A CVSS environmental modifier that reweighs Integrity Impact of a vulnerability on the asset. |
| »» availability_requirement | body | string | false | A CVSS environmental modifier that reweighs Availability Impact of a vulnerability on the asset. |
| »» max_severity | body | severity-ratings | false | none |
| »» reference | body | string | false | The customer defined reference identifier or tag of the asset. |
Enumerated Values
| Parameter | Value |
|---|---|
| » type | structured-scope |
| »» asset_type | CIDR |
| »» asset_type | URL |
| »» asset_type | APPLE_STORE_APP_ID |
| »» asset_type | TESTFLIGHT |
| »» asset_type | OTHER_IPA |
| »» asset_type | GOOGLE_PLAY_APP_ID |
| »» asset_type | OTHER_APK |
| »» asset_type | WINDOWS_APP_STORE_APP_ID |
| »» asset_type | SOURCE_CODE |
| »» asset_type | DOWNLOADABLE_EXECUTABLES |
| »» asset_type | HARDWARE |
| »» asset_type | OTHER |
| »» confidentiality_requirement | none |
| »» confidentiality_requirement | low |
| »» confidentiality_requirement | medium |
| »» confidentiality_requirement | high |
| »» integrity_requirement | none |
| »» integrity_requirement | low |
| »» integrity_requirement | medium |
| »» integrity_requirement | high |
| »» availability_requirement | none |
| »» availability_requirement | low |
| »» availability_requirement | medium |
| »» availability_requirement | high |
| »» max_severity | none |
| »» max_severity | low |
| »» max_severity | medium |
| »» max_severity | high |
| »» max_severity | critical |
Update Structured Scope
Code samples
# You can also use wget
curl "https://api.hackerone.com/v1/programs/{program_id}/structured_scopes/{id}" \
-X PUT \
-u "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=" \
-H 'Content-Type: application/json' \
-H 'Accept: application/json' \
-d @- <<EOD
{
"data": {
"type": "structured-scope",
"attributes": {
"asset_identifier": "string",
"eligible_for_bounty": true,
"eligible_for_submission": true,
"instruction": "string",
"confidentiality_requirement": "none",
"integrity_requirement": "none",
"availability_requirement": "none",
"max_severity": "none",
"reference": "string"
}
}
}
EOD
import requests
headers = {
'Content-Type': 'application/json',
'Accept': 'application/json'
}
data = {
"data": {
"type": "structured-scope",
"attributes": {
"asset_identifier": "string",
"eligible_for_bounty": true,
"eligible_for_submission": true,
"instruction": "string",
"confidentiality_requirement": "none",
"integrity_requirement": "none",
"availability_requirement": "none",
"max_severity": "none",
"reference": "string"
}
}
}
r = requests.put(
'https://api.hackerone.com/v1/programs/{program_id}/structured_scopes/{id}',
auth=('api_example_company', 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ='),
json = data,
headers = headers
)
print(r.json())
require 'rest-client'
require 'json'
headers = {
'Content-Type' => 'application/json',
'Accept' => 'application/json'
}
data = {
"data": {
"type": "structured-scope",
"attributes": {
"asset_identifier": "string",
"eligible_for_bounty": true,
"eligible_for_submission": true,
"instruction": "string",
"confidentiality_requirement": "none",
"integrity_requirement": "none",
"availability_requirement": "none",
"max_severity": "none",
"reference": "string"
}
}
}
result = RestClient::Request.execute(
method: :put,
url: 'https://api.hackerone.com/v1/programs/{program_id}/structured_scopes/{id}',
password: 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=',
user: 'api_example_company',
payload: data,
headers: headers
)
p JSON.parse(result)
URL obj = new URL("https://api.hackerone.com/v1/programs/{program_id}/structured_scopes/{id}");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
String userCredentials = "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);
con.setRequestMethod("PUT");
con.setRequestProperty("Content-Type", "application/json; utf-8");
con.setRequestProperty("Accept", "application/json");
con.setDoOutput(true);
String jsonInputString = "{\n \"data\": {\n \"type\": \"structured-scope\",\n \"attributes\": {\n \"asset_identifier\": \"string\",\n \"eligible_for_bounty\": true,\n \"eligible_for_submission\": true,\n \"instruction\": \"string\",\n \"confidentiality_requirement\": \"none\",\n \"integrity_requirement\": \"none\",\n \"availability_requirement\": \"none\",\n \"max_severity\": \"none\",\n \"reference\": \"string\"\n }\n }\n}";
try(OutputStream os = con.getOutputStream()) {
byte[] input = jsonInputString.getBytes("utf-8");
os.write(input, 0, input.length);
}
try(BufferedReader br = new BufferedReader(
new InputStreamReader(con.getInputStream(), "utf-8"))) {
StringBuilder response = new StringBuilder();
String responseLine = null;
while ((responseLine = br.readLine()) != null) {
response.append(responseLine.trim());
}
System.out.println(response.toString());
}
let inputBody = "{\n \"data\": {\n \"type\": \"structured-scope\",\n \"attributes\": {\n \"asset_identifier\": \"string\",\n \"eligible_for_bounty\": true,\n \"eligible_for_submission\": true,\n \"instruction\": \"string\",\n \"confidentiality_requirement\": \"none\",\n \"integrity_requirement\": \"none\",\n \"availability_requirement\": \"none\",\n \"max_severity\": \"none\",\n \"reference\": \"string\"\n }\n }\n}";
let user = 'api_example_company';
let password = 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
headers.set('Content-Type', 'application/json'); headers.set('Accept', 'application/json');
fetch('https://api.hackerone.com/v1/programs/{program_id}/structured_scopes/{id}',
{
method: 'PUT',
body: inputBody,
headers: headers
})
.then(function(res) {
return res.json();
}).then(function(body) {
console.log(body);
});
package main
import (
"bytes"
"io/ioutil"
"log"
"net/http"
)
func main() {
headers := map[string][]string{
"Content-Type": []string{"application/json"},
"Accept": []string{"application/json"},
}
data := bytes.NewBuffer([]byte(`"{\n \"data\": {\n \"type\": \"structured-scope\",\n \"attributes\": {\n \"asset_identifier\": \"string\",\n \"eligible_for_bounty\": true,\n \"eligible_for_submission\": true,\n \"instruction\": \"string\",\n \"confidentiality_requirement\": \"none\",\n \"integrity_requirement\": \"none\",\n \"availability_requirement\": \"none\",\n \"max_severity\": \"none\",\n \"reference\": \"string\"\n }\n }\n}"`))
req, err := http.NewRequest("PUT", "https://api.hackerone.com/v1/programs/{program_id}/structured_scopes/{id}", data)
req.Header = headers
req.SetBasicAuth("api_example_company", "Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=")
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
body, _ := ioutil.ReadAll(resp.Body)
log.Println(string(body))
}
200 Response
{
"id": "57",
"type": "structured-scope",
"attributes": {
"asset_identifier": "api.example.com",
"asset_type": "URL",
"confidentiality_requirement": "high",
"integrity_requirement": "high",
"availability_requirement": "high",
"max_severity": "critical",
"created_at": "2015-02-02T04:05:06.000Z",
"updated_at": "2016-05-02T04:05:06.000Z",
"instruction": null,
"eligible_for_bounty": true,
"eligible_for_submission": true,
"reference": "H001001"
}
}
PUT /programs/{program_id}/structured_scopes/{id}
This endpoint can be used to update an asset of a program. When the API request is successful, a structured scope object will be returned.
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| program_id | path | integer | true | The ID of the program. You can find the program ID by fetching your programs. |
| id | path | integer | true | The ID of the structured scope. |
| data | body | object | true | The information to update a structured scope. |
| » type | body | string | true | none |
| » attributes | body | object | true | none |
| »» asset_identifier | body | string | true | The identifier of the asset. |
| »» eligible_for_bounty | body | boolean | false | If the asset is eligible for bounty. |
| »» eligible_for_submission | body | boolean | false | If the asset is eligible for submission. |
| »» instruction | body | string | false | The raw instruction of the asset provided by the program (markdown is not parsed). |
| »» confidentiality_requirement | body | string | false | A CVSS environmental modifier that reweighs Confidentiality Impact of a vulnerability on the asset. |
| »» integrity_requirement | body | string | false | A CVSS environmental modifier that reweighs Integrity Impact of a vulnerability on the asset. |
| »» availability_requirement | body | string | false | A CVSS environmental modifier that reweighs Availability Impact of a vulnerability on the asset. |
| »» max_severity | body | severity-ratings | false | none |
| »» reference | body | string | false | The customer defined reference identifier or tag of the asset. |
Enumerated Values
| Parameter | Value |
|---|---|
| » type | structured-scope |
| »» confidentiality_requirement | none |
| »» confidentiality_requirement | low |
| »» confidentiality_requirement | medium |
| »» confidentiality_requirement | high |
| »» integrity_requirement | none |
| »» integrity_requirement | low |
| »» integrity_requirement | medium |
| »» integrity_requirement | high |
| »» availability_requirement | none |
| »» availability_requirement | low |
| »» availability_requirement | medium |
| »» availability_requirement | high |
| »» max_severity | none |
| »» max_severity | low |
| »» max_severity | medium |
| »» max_severity | high |
| »» max_severity | critical |
Archive Structured Scope
Code samples
# You can also use wget
curl "https://api.hackerone.com/v1/programs/{program_id}/structured_scopes/{id}" \
-X DELETE \
-u "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=" \
-H 'Accept: application/json'
import requests
headers = {
'Accept': 'application/json'
}
r = requests.delete(
'https://api.hackerone.com/v1/programs/{program_id}/structured_scopes/{id}',
auth=('api_example_company', 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ='),
headers = headers
)
print(r.json())
require 'rest-client'
require 'json'
headers = {
'Accept' => 'application/json'
}
result = RestClient::Request.execute(
method: :delete,
url: 'https://api.hackerone.com/v1/programs/{program_id}/structured_scopes/{id}',
password: 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=',
user: 'api_example_company',
headers: headers
)
p JSON.parse(result)
URL obj = new URL("https://api.hackerone.com/v1/programs/{program_id}/structured_scopes/{id}");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
String userCredentials = "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);
con.setRequestMethod("DELETE");
try(BufferedReader br = new BufferedReader(
new InputStreamReader(con.getInputStream(), "utf-8"))) {
StringBuilder response = new StringBuilder();
String responseLine = null;
while ((responseLine = br.readLine()) != null) {
response.append(responseLine.trim());
}
System.out.println(response.toString());
}
let user = 'api_example_company';
let password = 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
headers.set('Accept', 'application/json');
fetch('https://api.hackerone.com/v1/programs/{program_id}/structured_scopes/{id}',
{
method: 'DELETE',
headers: headers
})
.then(function(res) {
return res.json();
}).then(function(body) {
console.log(body);
});
package main
import (
"io/ioutil"
"log"
"net/http"
)
func main() {
headers := map[string][]string{
"Accept": []string{"application/json"},
}
req, err := http.NewRequest("DELETE", "https://api.hackerone.com/v1/programs/{program_id}/structured_scopes/{id}", nil)
req.Header = headers
req.SetBasicAuth("api_example_company", "Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=")
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
body, _ := ioutil.ReadAll(resp.Body)
log.Println(string(body))
}
200 Response
{
"id": "57",
"type": "structured-scope",
"attributes": {
"asset_identifier": "api.example.com",
"asset_type": "URL",
"confidentiality_requirement": "high",
"integrity_requirement": "high",
"availability_requirement": "high",
"max_severity": "critical",
"created_at": "2015-02-02T04:05:06.000Z",
"updated_at": "2016-05-02T04:05:06.000Z",
"instruction": null,
"eligible_for_bounty": true,
"eligible_for_submission": true,
"reference": "H001001"
}
}
DELETE /programs/{program_id}/structured_scopes/{id}
This endpoint can be used to archive an asset of a program. When the API request is successful, a structured scope object will be returned.
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| program_id | path | integer | true | The ID of the program. You can find the program ID by fetching your programs. |
| id | path | integer | true | The ID of the structured scope. |
Get Awarded Swag
Code samples
# You can also use wget
curl "https://api.hackerone.com/v1/programs/{id}/swag" \
-X GET \
-u "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=" \
-H 'Accept: application/json'
import requests
headers = {
'Accept': 'application/json'
}
r = requests.get(
'https://api.hackerone.com/v1/programs/{id}/swag',
auth=('api_example_company', 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ='),
headers = headers
)
print(r.json())
require 'rest-client'
require 'json'
headers = {
'Accept' => 'application/json'
}
result = RestClient::Request.execute(
method: :get,
url: 'https://api.hackerone.com/v1/programs/{id}/swag',
password: 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=',
user: 'api_example_company',
headers: headers
)
p JSON.parse(result)
URL obj = new URL("https://api.hackerone.com/v1/programs/{id}/swag");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
String userCredentials = "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);
con.setRequestMethod("GET");
try(BufferedReader br = new BufferedReader(
new InputStreamReader(con.getInputStream(), "utf-8"))) {
StringBuilder response = new StringBuilder();
String responseLine = null;
while ((responseLine = br.readLine()) != null) {
response.append(responseLine.trim());
}
System.out.println(response.toString());
}
let user = 'api_example_company';
let password = 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
headers.set('Accept', 'application/json');
fetch('https://api.hackerone.com/v1/programs/{id}/swag',
{
method: 'GET',
headers: headers
})
.then(function(res) {
return res.json();
}).then(function(body) {
console.log(body);
});
package main
import (
"io/ioutil"
"log"
"net/http"
)
func main() {
headers := map[string][]string{
"Accept": []string{"application/json"},
}
req, err := http.NewRequest("GET", "https://api.hackerone.com/v1/programs/{id}/swag", nil)
req.Header = headers
req.SetBasicAuth("api_example_company", "Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=")
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
body, _ := ioutil.ReadAll(resp.Body)
log.Println(string(body))
}
200 Response
{
"data": [
{
"id": "8",
"type": "swag",
"attributes": {
"sent": true,
"created_at": "2019-08-30T08:33:42.147Z"
},
"relationships": {
"user": {
"data": {
"id": "1337",
"type": "user",
"attributes": {
"username": "api-example",
"name": "API Example",
"disabled": false,
"created_at": "2016-02-02T04:05:06.000Z",
"profile_picture": {
"62x62": "/assets/avatars/default.png",
"82x82": "/assets/avatars/default.png",
"110x110": "/assets/avatars/default.png",
"260x260": "/assets/avatars/default.png"
}
}
}
},
"address": {
"data": {
"id": "1337",
"type": "address",
"attributes": {
"name": "Jane Doe",
"street": "535 Mission Street",
"city": "San Francisco",
"postal_code": "94105",
"state": "CA",
"country": "United States of America",
"created_at": "2016-02-02T04:05:06.000Z",
"tshirt_size": "M_Large",
"phone_number": "+1-510-000-0000"
}
}
}
}
},
{
"id": "7",
"type": "swag",
"attributes": {
"sent": false,
"created_at": "2019-08-20T03:47:04.163Z"
},
"relationships": {
"user": {
"data": {
"id": "1338",
"type": "user",
"attributes": {
"username": "johndoe",
"name": "John Doe",
"disabled": false,
"created_at": "2017-02-02T04:05:06.000Z",
"profile_picture": {
"62x62": "/assets/avatars/default.png",
"82x82": "/assets/avatars/default.png",
"110x110": "/assets/avatars/default.png",
"260x260": "/assets/avatars/default.png"
}
}
}
},
"address": {
"data": {
"id": "1337",
"type": "address",
"attributes": {
"name": "John Smith",
"street": "535 Mission Street",
"city": "New York",
"postal_code": "10001",
"state": "NY",
"country": "United States of America",
"created_at": "2017-01-03T07:08:09.000Z",
"tshirt_size": "M_Large",
"phone_number": "+1-212-000-0000"
}
}
}
}
}
],
"links": {}
}
GET /programs/{id}/swag
Awarded swag can be fetched by sending a GET request to the swag endpoint. When the request
is successful, the API will respond with paginated swag objects.
Required permissions: Program Management. You can manage the permissions of your API users through your program's settings. Insufficient permissions will result in a 403 Forbidden response.
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| id | path | integer | true | The ID of the program. |
| page[number] | query | any | false | The page to retrieve from. |
| page[size] | query | any | false | The number of objects per page (currently limited from 1 to 100). |
Mark Swag as Sent
Code samples
# You can also use wget
curl "https://api.hackerone.com/v1/programs/{program_id}/swag/{id}" \
-X PUT \
-u "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=" \
-H 'Content-Type: application/json' \
-H 'Accept: application/json' \
-d @- <<EOD
{
"data": {
"type": "swag",
"attributes": {
"sent": true
}
}
}
EOD
import requests
headers = {
'Content-Type': 'application/json',
'Accept': 'application/json'
}
data = {
"data": {
"type": "swag",
"attributes": {
"sent": true
}
}
}
r = requests.put(
'https://api.hackerone.com/v1/programs/{program_id}/swag/{id}',
auth=('api_example_company', 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ='),
json = data,
headers = headers
)
print(r.json())
require 'rest-client'
require 'json'
headers = {
'Content-Type' => 'application/json',
'Accept' => 'application/json'
}
data = {
"data": {
"type": "swag",
"attributes": {
"sent": true
}
}
}
result = RestClient::Request.execute(
method: :put,
url: 'https://api.hackerone.com/v1/programs/{program_id}/swag/{id}',
password: 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=',
user: 'api_example_company',
payload: data,
headers: headers
)
p JSON.parse(result)
URL obj = new URL("https://api.hackerone.com/v1/programs/{program_id}/swag/{id}");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
String userCredentials = "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);
con.setRequestMethod("PUT");
con.setRequestProperty("Content-Type", "application/json; utf-8");
con.setRequestProperty("Accept", "application/json");
con.setDoOutput(true);
String jsonInputString = "{\n \"data\": {\n \"type\": \"swag\",\n \"attributes\": {\n \"sent\": true\n }\n }\n}";
try(OutputStream os = con.getOutputStream()) {
byte[] input = jsonInputString.getBytes("utf-8");
os.write(input, 0, input.length);
}
try(BufferedReader br = new BufferedReader(
new InputStreamReader(con.getInputStream(), "utf-8"))) {
StringBuilder response = new StringBuilder();
String responseLine = null;
while ((responseLine = br.readLine()) != null) {
response.append(responseLine.trim());
}
System.out.println(response.toString());
}
let inputBody = "{\n \"data\": {\n \"type\": \"swag\",\n \"attributes\": {\n \"sent\": true\n }\n }\n}";
let user = 'api_example_company';
let password = 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
headers.set('Content-Type', 'application/json'); headers.set('Accept', 'application/json');
fetch('https://api.hackerone.com/v1/programs/{program_id}/swag/{id}',
{
method: 'PUT',
body: inputBody,
headers: headers
})
.then(function(res) {
return res.json();
}).then(function(body) {
console.log(body);
});
package main
import (
"bytes"
"io/ioutil"
"log"
"net/http"
)
func main() {
headers := map[string][]string{
"Content-Type": []string{"application/json"},
"Accept": []string{"application/json"},
}
data := bytes.NewBuffer([]byte(`"{\n \"data\": {\n \"type\": \"swag\",\n \"attributes\": {\n \"sent\": true\n }\n }\n}"`))
req, err := http.NewRequest("PUT", "https://api.hackerone.com/v1/programs/{program_id}/swag/{id}", data)
req.Header = headers
req.SetBasicAuth("api_example_company", "Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=")
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
body, _ := ioutil.ReadAll(resp.Body)
log.Println(string(body))
}
200 Response
{
"data": {
"id": "8",
"type": "swag",
"attributes": {
"sent": true,
"created_at": "2019-08-30T08:33:42.147Z"
},
"relationships": {
"user": {
"data": {
"id": "1337",
"type": "user",
"attributes": {
"username": "api-example",
"name": "API Example",
"disabled": false,
"created_at": "2016-02-02T04:05:06.000Z",
"profile_picture": {
"62x62": "/assets/avatars/default.png",
"82x82": "/assets/avatars/default.png",
"110x110": "/assets/avatars/default.png",
"260x260": "/assets/avatars/default.png"
}
}
}
},
"address": {
"data": {
"id": "1337",
"type": "address",
"attributes": {
"name": "Jane Doe",
"street": "535 Mission Street",
"city": "San Francisco",
"postal_code": "94105",
"state": "CA",
"country": "United States of America",
"created_at": "2016-02-02T04:05:06.000Z",
"tshirt_size": "M_Large",
"phone_number": "+1-510-000-0000"
}
}
}
}
}
}
PUT /programs/{program_id}/swag/{id}
The status of swag can be updated to "sent" through this endpoint. When the request is
successful, the API will respond with a swag object.
Required permissions: Program Management. You can manage the permissions of your API users through your program's settings. Insufficient permissions will result in a 403 Forbidden response.
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| program_id | path | integer | true | The ID of the program. |
| id | path | integer | true | The ID of the swag. |
| data | body | object | true | The information to change the status of swag. |
| » type | body | string | true | The public message posted on the report (this is always required). |
| » attributes | body | object | true | none |
| »» sent | body | boolean | true | none |
Enumerated Values
| Parameter | Value |
|---|---|
| » type | swag |
| »» sent | true |
Get Thanks to Hackers
Code samples
# You can also use wget
curl "https://api.hackerone.com/v1/programs/{id}/thanks" \
-X GET \
-u "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=" \
-H 'Accept: application/json'
import requests
headers = {
'Accept': 'application/json'
}
r = requests.get(
'https://api.hackerone.com/v1/programs/{id}/thanks',
auth=('api_example_company', 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ='),
headers = headers
)
print(r.json())
require 'rest-client'
require 'json'
headers = {
'Accept' => 'application/json'
}
result = RestClient::Request.execute(
method: :get,
url: 'https://api.hackerone.com/v1/programs/{id}/thanks',
password: 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=',
user: 'api_example_company',
headers: headers
)
p JSON.parse(result)
URL obj = new URL("https://api.hackerone.com/v1/programs/{id}/thanks");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
String userCredentials = "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);
con.setRequestMethod("GET");
try(BufferedReader br = new BufferedReader(
new InputStreamReader(con.getInputStream(), "utf-8"))) {
StringBuilder response = new StringBuilder();
String responseLine = null;
while ((responseLine = br.readLine()) != null) {
response.append(responseLine.trim());
}
System.out.println(response.toString());
}
let user = 'api_example_company';
let password = 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
headers.set('Accept', 'application/json');
fetch('https://api.hackerone.com/v1/programs/{id}/thanks',
{
method: 'GET',
headers: headers
})
.then(function(res) {
return res.json();
}).then(function(body) {
console.log(body);
});
package main
import (
"io/ioutil"
"log"
"net/http"
)
func main() {
headers := map[string][]string{
"Accept": []string{"application/json"},
}
req, err := http.NewRequest("GET", "https://api.hackerone.com/v1/programs/{id}/thanks", nil)
req.Header = headers
req.SetBasicAuth("api_example_company", "Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=")
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
body, _ := ioutil.ReadAll(resp.Body)
log.Println(string(body))
}
200 Response
{
"data": [
{
"type": "thanks-item",
"attributes": {
"total_report_count": 1,
"reputation": 7,
"recognized_report_count": 1,
"username": "lorem",
"user_id": "55"
}
},
{
"type": "thanks-item",
"attributes": {
"total_report_count": 1,
"reputation": 22,
"recognized_report_count": 1,
"username": "ipsum",
"user_id": "56"
}
},
{
"type": "thanks-item",
"attributes": {
"total_report_count": 5,
"reputation": 38,
"recognized_report_count": 3,
"username": "adam",
"user_id": "57"
}
}
],
"links": {}
}
GET /programs/{id}/thanks
This endpoint enables you to view a program's thanks to hackers.
A program's thanks items can be fetched by sending a GET request to the thanks endpoint. When the request is successful, the API will respond with paginated thanks items objects.
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| id | path | integer | true | The ID of the program. |
| page[number] | query | any | false | The page to retrieve from. |
| page[size] | query | any | false | The number of objects per page (currently limited from 1 to 100). |
Get Weaknesses
Code samples
# You can also use wget
curl "https://api.hackerone.com/v1/programs/{id}/weaknesses" \
-X GET \
-u "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=" \
-H 'Accept: application/json'
import requests
headers = {
'Accept': 'application/json'
}
r = requests.get(
'https://api.hackerone.com/v1/programs/{id}/weaknesses',
auth=('api_example_company', 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ='),
headers = headers
)
print(r.json())
require 'rest-client'
require 'json'
headers = {
'Accept' => 'application/json'
}
result = RestClient::Request.execute(
method: :get,
url: 'https://api.hackerone.com/v1/programs/{id}/weaknesses',
password: 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=',
user: 'api_example_company',
headers: headers
)
p JSON.parse(result)
URL obj = new URL("https://api.hackerone.com/v1/programs/{id}/weaknesses");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
String userCredentials = "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);
con.setRequestMethod("GET");
try(BufferedReader br = new BufferedReader(
new InputStreamReader(con.getInputStream(), "utf-8"))) {
StringBuilder response = new StringBuilder();
String responseLine = null;
while ((responseLine = br.readLine()) != null) {
response.append(responseLine.trim());
}
System.out.println(response.toString());
}
let user = 'api_example_company';
let password = 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
headers.set('Accept', 'application/json');
fetch('https://api.hackerone.com/v1/programs/{id}/weaknesses',
{
method: 'GET',
headers: headers
})
.then(function(res) {
return res.json();
}).then(function(body) {
console.log(body);
});
package main
import (
"io/ioutil"
"log"
"net/http"
)
func main() {
headers := map[string][]string{
"Accept": []string{"application/json"},
}
req, err := http.NewRequest("GET", "https://api.hackerone.com/v1/programs/{id}/weaknesses", nil)
req.Header = headers
req.SetBasicAuth("api_example_company", "Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=")
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
body, _ := ioutil.ReadAll(resp.Body)
log.Println(string(body))
}
200 Response
{
"data": [
{
"id": "1337",
"type": "weakness",
"attributes": {
"name": "Cross-Site Request Forgery (CSRF)",
"description": "The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.",
"created_at": "2016-02-02T04:05:06.000Z",
"external_id": "cwe-352"
}
},
{
"id": "1338",
"type": "weakness",
"attributes": {
"name": "SQL Injection",
"description": "The software constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component.",
"created_at": "2016-03-02T04:05:06.000Z",
"external_id": "cwe-89"
}
}
],
"links": {}
}
GET /programs/{id}/weaknesses
The Weakness endpoint enables you to retrieve a list of all weaknesses of the program.
Weaknesses can be fetched by sending a GET request to the weaknesses endpoint. When the request is successful, the API will respond with paginated weakness objects.
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| id | path | integer | true | The ID of the program. |
| page[number] | query | any | false | The page to retrieve from. |
| page[size] | query | any | false | The number of objects per page (currently limited from 1 to 100). |
Get Program
Code samples
# You can also use wget
curl "https://api.hackerone.com/v1/programs/{id}" \
-X GET \
-u "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=" \
-H 'Accept: application/json'
import requests
headers = {
'Accept': 'application/json'
}
r = requests.get(
'https://api.hackerone.com/v1/programs/{id}',
auth=('api_example_company', 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ='),
headers = headers
)
print(r.json())
require 'rest-client'
require 'json'
headers = {
'Accept' => 'application/json'
}
result = RestClient::Request.execute(
method: :get,
url: 'https://api.hackerone.com/v1/programs/{id}',
password: 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=',
user: 'api_example_company',
headers: headers
)
p JSON.parse(result)
URL obj = new URL("https://api.hackerone.com/v1/programs/{id}");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
String userCredentials = "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);
con.setRequestMethod("GET");
try(BufferedReader br = new BufferedReader(
new InputStreamReader(con.getInputStream(), "utf-8"))) {
StringBuilder response = new StringBuilder();
String responseLine = null;
while ((responseLine = br.readLine()) != null) {
response.append(responseLine.trim());
}
System.out.println(response.toString());
}
let user = 'api_example_company';
let password = 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
headers.set('Accept', 'application/json');
fetch('https://api.hackerone.com/v1/programs/{id}',
{
method: 'GET',
headers: headers
})
.then(function(res) {
return res.json();
}).then(function(body) {
console.log(body);
});
package main
import (
"io/ioutil"
"log"
"net/http"
)
func main() {
headers := map[string][]string{
"Accept": []string{"application/json"},
}
req, err := http.NewRequest("GET", "https://api.hackerone.com/v1/programs/{id}", nil)
req.Header = headers
req.SetBasicAuth("api_example_company", "Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=")
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
body, _ := ioutil.ReadAll(resp.Body)
log.Println(string(body))
}
200 Response
{
"data": {
"id": "1337",
"type": "program",
"attributes": {
"handle": "security",
"created_at": "2016-02-02T04:05:06.000Z",
"updated_at": "2016-02-02T04:05:06.000Z"
},
"relationships": {
"groups": {
"data": [
{
"id": "2557",
"type": "group",
"attributes": {
"name": "Standard",
"created_at": "2016-02-02T04:05:06.000Z",
"permissions": [
"report_management",
"reward_management"
]
}
},
{
"id": "2558",
"type": "group",
"attributes": {
"name": "Admin",
"created_at": "2016-02-02T04:05:06.000Z",
"permissions": [
"user_management",
"program_management"
]
}
}
]
},
"members": {
"data": [
{
"id": "1339",
"type": "member",
"attributes": {
"created_at": "2016-02-02T04:05:06.000Z",
"permissions": [
"program_management",
"report_management",
"reward_management",
"user_management"
]
},
"relationships": {
"user": {
"data": {
"id": "1337",
"type": "user",
"attributes": {
"username": "api-example",
"name": "API Example",
"disabled": false,
"created_at": "2016-02-02T04:05:06.000Z",
"profile_picture": {
"62x62": "/assets/avatars/default.png",
"82x82": "/assets/avatars/default.png",
"110x110": "/assets/avatars/default.png",
"260x260": "/assets/avatars/default.png"
}
}
}
}
}
}
]
}
}
}
}
GET /programs/{id}
A program object can be fetched by sending a GET request
to a unique program object. When the request is successful, the API
will respond with a program object.
The following program relationships are included: groups, members, custom field attributes and policy attachments.
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| id | path | integer | true | The ID of the program. Find the program ID by fetching your programs |
Reports
Create Comment
Code samples
# You can also use wget
curl "https://api.hackerone.com/v1/reports/{id}/activities" \
-X POST \
-u "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=" \
-H 'Content-Type: application/json' \
-H 'Accept: application/json' \
-d @- <<EOD
{
"data": {
"type": "activity-comment",
"attributes": {
"message": "string",
"internal": true
}
}
}
EOD
import requests
headers = {
'Content-Type': 'application/json',
'Accept': 'application/json'
}
data = {
"data": {
"type": "activity-comment",
"attributes": {
"message": "string",
"internal": true
}
}
}
r = requests.post(
'https://api.hackerone.com/v1/reports/{id}/activities',
auth=('api_example_company', 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ='),
json = data,
headers = headers
)
print(r.json())
require 'rest-client'
require 'json'
headers = {
'Content-Type' => 'application/json',
'Accept' => 'application/json'
}
data = {
"data": {
"type": "activity-comment",
"attributes": {
"message": "string",
"internal": true
}
}
}
result = RestClient::Request.execute(
method: :post,
url: 'https://api.hackerone.com/v1/reports/{id}/activities',
password: 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=',
user: 'api_example_company',
payload: data,
headers: headers
)
p JSON.parse(result)
URL obj = new URL("https://api.hackerone.com/v1/reports/{id}/activities");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
String userCredentials = "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);
con.setRequestMethod("POST");
con.setRequestProperty("Content-Type", "application/json; utf-8");
con.setRequestProperty("Accept", "application/json");
con.setDoOutput(true);
String jsonInputString = "{\n \"data\": {\n \"type\": \"activity-comment\",\n \"attributes\": {\n \"message\": \"string\",\n \"internal\": true\n }\n }\n}";
try(OutputStream os = con.getOutputStream()) {
byte[] input = jsonInputString.getBytes("utf-8");
os.write(input, 0, input.length);
}
try(BufferedReader br = new BufferedReader(
new InputStreamReader(con.getInputStream(), "utf-8"))) {
StringBuilder response = new StringBuilder();
String responseLine = null;
while ((responseLine = br.readLine()) != null) {
response.append(responseLine.trim());
}
System.out.println(response.toString());
}
let inputBody = "{\n \"data\": {\n \"type\": \"activity-comment\",\n \"attributes\": {\n \"message\": \"string\",\n \"internal\": true\n }\n }\n}";
let user = 'api_example_company';
let password = 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
headers.set('Content-Type', 'application/json'); headers.set('Accept', 'application/json');
fetch('https://api.hackerone.com/v1/reports/{id}/activities',
{
method: 'POST',
body: inputBody,
headers: headers
})
.then(function(res) {
return res.json();
}).then(function(body) {
console.log(body);
});
package main
import (
"bytes"
"io/ioutil"
"log"
"net/http"
)
func main() {
headers := map[string][]string{
"Content-Type": []string{"application/json"},
"Accept": []string{"application/json"},
}
data := bytes.NewBuffer([]byte(`"{\n \"data\": {\n \"type\": \"activity-comment\",\n \"attributes\": {\n \"message\": \"string\",\n \"internal\": true\n }\n }\n}"`))
req, err := http.NewRequest("POST", "https://api.hackerone.com/v1/reports/{id}/activities", data)
req.Header = headers
req.SetBasicAuth("api_example_company", "Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=")
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
body, _ := ioutil.ReadAll(resp.Body)
log.Println(string(body))
}
201 Response
{
"data": {
"id": "1337",
"type": "activity-comment",
"attributes": {
"message": "A fix has been deployed. Can you retest, please?",
"created_at": "2016-02-02T04:05:06.000Z",
"updated_at": "2016-02-02T04:05:06.000Z",
"internal": false
},
"relationships": {
"actor": {
"data": {
"id": "1337",
"type": "user",
"attributes": {
"username": "api-example",
"name": "API Example",
"disabled": false,
"created_at": "2016-02-02T04:05:06.000Z",
"profile_picture": {
"62x62": "/assets/avatars/default.png",
"82x82": "/assets/avatars/default.png",
"110x110": "/assets/avatars/default.png",
"260x260": "/assets/avatars/default.png"
}
}
}
}
}
}
}
POST /reports/{id}/activities
Both public and internal comments can be posted with this endpoint.
Comments require a message before they will be posted. If a public comment is
posted, any user that is subscribed to the report will receive a notification
of the created comment. For internal comments, only people that are managing
the program who are subscribed to the report will receive a notification.
Required permissions: Report Management. Enables you to post public comments. Posting internal comments do not require any additional permissions. You can manage the permissions of your API users through your program's settings. Insufficient permissions will result in a 403 Forbidden response.
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| id | path | integer | true | The ID of the report. |
| data | body | object | true | The information to create a comment object for the report. |
| » type | body | string | true | Type of activity. |
| » attributes | body | object | true | none |
| »» message | body | string | true | The message that will be posted. |
| »» internal | body | boolean | true | A boolean that indicates whether the comment should |
Detailed descriptions
»» internal: A boolean that indicates whether the comment should be internal or public. Internal comments are only viewable by the users that manage the program. Public comments are viewable by everyone, including the person that submitted the report.
Enumerated Values
| Parameter | Value |
|---|---|
| » type | activity-comment |
Update Assignee
Code samples
# You can also use wget
curl "https://api.hackerone.com/v1/reports/{id}/assignee" \
-X PUT \
-u "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=" \
-H 'Content-Type: application/json' \
-H 'Accept: application/json' \
-d @- <<EOD
{
"data": {
"id": 0,
"type": "user",
"attributes": {
"message": "string"
}
}
}
EOD
import requests
headers = {
'Content-Type': 'application/json',
'Accept': 'application/json'
}
data = {
"data": {
"id": 0,
"type": "user",
"attributes": {
"message": "string"
}
}
}
r = requests.put(
'https://api.hackerone.com/v1/reports/{id}/assignee',
auth=('api_example_company', 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ='),
json = data,
headers = headers
)
print(r.json())
require 'rest-client'
require 'json'
headers = {
'Content-Type' => 'application/json',
'Accept' => 'application/json'
}
data = {
"data": {
"id": 0,
"type": "user",
"attributes": {
"message": "string"
}
}
}
result = RestClient::Request.execute(
method: :put,
url: 'https://api.hackerone.com/v1/reports/{id}/assignee',
password: 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=',
user: 'api_example_company',
payload: data,
headers: headers
)
p JSON.parse(result)
URL obj = new URL("https://api.hackerone.com/v1/reports/{id}/assignee");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
String userCredentials = "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);
con.setRequestMethod("PUT");
con.setRequestProperty("Content-Type", "application/json; utf-8");
con.setRequestProperty("Accept", "application/json");
con.setDoOutput(true);
String jsonInputString = "{\n \"data\": {\n \"id\": 0,\n \"type\": \"user\",\n \"attributes\": {\n \"message\": \"string\"\n }\n }\n}";
try(OutputStream os = con.getOutputStream()) {
byte[] input = jsonInputString.getBytes("utf-8");
os.write(input, 0, input.length);
}
try(BufferedReader br = new BufferedReader(
new InputStreamReader(con.getInputStream(), "utf-8"))) {
StringBuilder response = new StringBuilder();
String responseLine = null;
while ((responseLine = br.readLine()) != null) {
response.append(responseLine.trim());
}
System.out.println(response.toString());
}
let inputBody = "{\n \"data\": {\n \"id\": 0,\n \"type\": \"user\",\n \"attributes\": {\n \"message\": \"string\"\n }\n }\n}";
let user = 'api_example_company';
let password = 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
headers.set('Content-Type', 'application/json'); headers.set('Accept', 'application/json');
fetch('https://api.hackerone.com/v1/reports/{id}/assignee',
{
method: 'PUT',
body: inputBody,
headers: headers
})
.then(function(res) {
return res.json();
}).then(function(body) {
console.log(body);
});
package main
import (
"bytes"
"io/ioutil"
"log"
"net/http"
)
func main() {
headers := map[string][]string{
"Content-Type": []string{"application/json"},
"Accept": []string{"application/json"},
}
data := bytes.NewBuffer([]byte(`"{\n \"data\": {\n \"id\": 0,\n \"type\": \"user\",\n \"attributes\": {\n \"message\": \"string\"\n }\n }\n}"`))
req, err := http.NewRequest("PUT", "https://api.hackerone.com/v1/reports/{id}/assignee", data)
req.Header = headers
req.SetBasicAuth("api_example_company", "Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=")
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
body, _ := ioutil.ReadAll(resp.Body)
log.Println(string(body))
}
200 Response
{
"id": "1337",
"type": "report",
"attributes": {
"title": "XSS in login form",
"state": "new",
"created_at": "2016-02-02T04:05:06.000Z",
"vulnerability_information": "...",
"triaged_at": null,
"closed_at": null,
"last_reporter_activity_at": null,
"first_program_activity_at": null,
"last_program_activity_at": null,
"bounty_awarded_at": null,
"swag_awarded_at": null,
"disclosed_at": null,
"last_activity_at": null,
"issue_tracker_reference_url": "https://example.com/reference",
"cve_ids": []
},
"relationships": {
"reporter": {
"data": {
"id": "1337",
"type": "user",
"attributes": {
"username": "api-example",
"name": "API Example",
"disabled": false,
"created_at": "2016-02-02T04:05:06.000Z",
"profile_picture": {
"62x62": "/assets/avatars/default.png",
"82x82": "/assets/avatars/default.png",
"110x110": "/assets/avatars/default.png",
"260x260": "/assets/avatars/default.png"
},
"reputation": 7,
"signal": 7,
"impact": 30
}
}
},
"assignee": {
"data": {
"id": "1337",
"type": "user",
"attributes": {
"username": "member",
"name": "Member",
"disabled": false,
"created_at": "2016-02-02T04:05:06.000Z",
"profile_picture": {
"62x62": "/assets/avatars/default.png",
"82x82": "/assets/avatars/default.png",
"110x110": "/assets/avatars/default.png",
"260x260": "/assets/avatars/default.png"
}
}
}
},
"program": {
"data": {
"id": "1337",
"type": "program",
"attributes": {
"handle": "security",
"created_at": "2016-02-02T04:05:06.000Z",
"updated_at": "2016-02-02T04:05:06.000Z"
}
}
},
"swag": {
"data": []
},
"attachments": {
"data": []
},
"weakness": {
"data": {
"id": "1337",
"type": "weakness",
"attributes": {
"name": "Cross-Site Request Forgery (CSRF)",
"description": "The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.",
"external_id": "cwe-352",
"created_at": "2016-02-02T04:05:06.000Z"
}
}
},
"activities": {
"data": [
{
"id": "1337",
"type": "activity-user-assigned-to-bug",
"attributes": {
"message": "@member Please check this out!",
"created_at": "2016-02-02T04:05:06.000Z",
"updated_at": "2016-02-02T04:05:06.000Z",
"internal": true
},
"relationships": {
"actor": {
"data": {
"id": "1338",
"type": "user",
"attributes": {
"username": "api_example_company",
"name": null,
"disabled": false,
"created_at": "2016-02-02T04:05:06.000Z",
"profile_picture": {
"62x62": "/assets/avatars/default.png",
"82x82": "/assets/avatars/default.png",
"110x110": "/assets/avatars/default.png",
"260x260": "/assets/avatars/default.png"
}
}
}
},
"assigned_user": {
"data": {
"id": "1337",
"type": "user",
"attributes": {
"username": "member",
"name": "Member",
"disabled": false,
"created_at": "2016-02-02T04:05:06.000Z",
"profile_picture": {
"62x62": "/assets/avatars/default.png",
"82x82": "/assets/avatars/default.png",
"110x110": "/assets/avatars/default.png",
"260x260": "/assets/avatars/default.png"
}
}
}
}
}
}
]
},
"bounties": {
"data": []
},
"summaries": {
"data": []
}
}
}
PUT /reports/{id}/assignee
A user or group can be assigned to a report with this endpoint.
An optional message can be specified, which will be posted as an internal
comment to the report subscribers. Only users and groups that are part
of the program can be assigned. It is not possible to assign API users
to a report.
When assigning a single user to a report, that user will automatically be
subscribed to the report. In case a group is assigned to a report, all
users that are part of that group are subscribed to the report. Subscribers
will receive a notification that the report was assigned.
In case the request was successful, the API will respond with the updated
report object.
Required permissions: Report Management. You can manage the permissions of your API users through your program's settings. Insufficient permissions will result in a 403 Forbidden response.
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| id | path | integer | true | The ID of the report. |
| data | body | object | true | Contains the information to assign a user or group object to the report, or to clear the assignee of a report. |
| » id | body | integer | false | The ID of the user or group. This is required unless the type is 'nobody' |
| » type | body | string | true | Specifies whether a user or group should be assigned, or if the assignee should be cleared. |
| » attributes | body | object | false | none |
| »» message | body | string | false | The message that will be posted to the assigned user or group. |
Enumerated Values
| Parameter | Value |
|---|---|
| » type | user |
| » type | group |
| » type | nobody |
Award Bounty
Code samples
# You can also use wget
curl "https://api.hackerone.com/v1/reports/{id}/bounties" \
-X POST \
-u "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=" \
-H 'Content-Type: application/json' \
-H 'Accept: application/json' \
-d @- <<EOD
{
"data": {
"message": "string",
"amount": 0,
"bonus_amount": 0
}
}
EOD
import requests
headers = {
'Content-Type': 'application/json',
'Accept': 'application/json'
}
data = {
"data": {
"message": "string",
"amount": 0,
"bonus_amount": 0
}
}
r = requests.post(
'https://api.hackerone.com/v1/reports/{id}/bounties',
auth=('api_example_company', 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ='),
json = data,
headers = headers
)
print(r.json())
require 'rest-client'
require 'json'
headers = {
'Content-Type' => 'application/json',
'Accept' => 'application/json'
}
data = {
"data": {
"message": "string",
"amount": 0,
"bonus_amount": 0
}
}
result = RestClient::Request.execute(
method: :post,
url: 'https://api.hackerone.com/v1/reports/{id}/bounties',
password: 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=',
user: 'api_example_company',
payload: data,
headers: headers
)
p JSON.parse(result)
URL obj = new URL("https://api.hackerone.com/v1/reports/{id}/bounties");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
String userCredentials = "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);
con.setRequestMethod("POST");
con.setRequestProperty("Content-Type", "application/json; utf-8");
con.setRequestProperty("Accept", "application/json");
con.setDoOutput(true);
String jsonInputString = "{\n \"data\": {\n \"message\": \"string\",\n \"amount\": 0,\n \"bonus_amount\": 0\n }\n}";
try(OutputStream os = con.getOutputStream()) {
byte[] input = jsonInputString.getBytes("utf-8");
os.write(input, 0, input.length);
}
try(BufferedReader br = new BufferedReader(
new InputStreamReader(con.getInputStream(), "utf-8"))) {
StringBuilder response = new StringBuilder();
String responseLine = null;
while ((responseLine = br.readLine()) != null) {
response.append(responseLine.trim());
}
System.out.println(response.toString());
}
let inputBody = "{\n \"data\": {\n \"message\": \"string\",\n \"amount\": 0,\n \"bonus_amount\": 0\n }\n}";
let user = 'api_example_company';
let password = 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
headers.set('Content-Type', 'application/json'); headers.set('Accept', 'application/json');
fetch('https://api.hackerone.com/v1/reports/{id}/bounties',
{
method: 'POST',
body: inputBody,
headers: headers
})
.then(function(res) {
return res.json();
}).then(function(body) {
console.log(body);
});
package main
import (
"bytes"
"io/ioutil"
"log"
"net/http"
)
func main() {
headers := map[string][]string{
"Content-Type": []string{"application/json"},
"Accept": []string{"application/json"},
}
data := bytes.NewBuffer([]byte(`"{\n \"data\": {\n \"message\": \"string\",\n \"amount\": 0,\n \"bonus_amount\": 0\n }\n}"`))
req, err := http.NewRequest("POST", "https://api.hackerone.com/v1/reports/{id}/bounties", data)
req.Header = headers
req.SetBasicAuth("api_example_company", "Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=")
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
body, _ := ioutil.ReadAll(resp.Body)
log.Println(string(body))
}
201 Response
{
"id": "1337",
"type": "bounty",
"attributes": {
"amount": "500.00",
"bonus_amount": "50.00",
"created_at": "2016-02-02T04:05:06.000Z"
}
}
POST /reports/{id}/bounties
You can use this endpoint to award bounties to the reporter
of the provided report.
Required permissions: Reward Management. You can manage the
permissions of your API users through your program's settings.
Insufficient permissions will result in a 404 Not Found response.
In addition, your program needs to be able to award bounties and the report needs to be eligible for bounties. If either case is false, the call will result in a 403 Forbidden response.
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| id | path | integer | true | The ID of the report. |
| data | body | object | true | The information required to create a bounty. |
| » message | body | string | true | The public message posted on the report. This is always required. |
| » amount | body | number | false | The bounty award to award to the reporter. Only amount or bonus amount is required. It must be a positive number and, when provided, must be equal to or greater than your minimum bounty. |
| » bonus_amount | body | number | false | The bonus amount to award to the reporter. Only amount or bonus amount is required. It must be a positive number. |
Mark as Ineligible for Bounty
Code samples
# You can also use wget
curl "https://api.hackerone.com/v1/reports/{id}/ineligible_for_bounty" \
-X PUT \
-u "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=" \
-H 'Content-Type: application/json' \
-H 'Accept: application/json' \
-d @- <<EOD
{
"data": {
"type": "report-ineligible-for-bounty"
}
}
EOD
import requests
headers = {
'Content-Type': 'application/json',
'Accept': 'application/json'
}
data = {
"data": {
"type": "report-ineligible-for-bounty"
}
}
r = requests.put(
'https://api.hackerone.com/v1/reports/{id}/ineligible_for_bounty',
auth=('api_example_company', 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ='),
json = data,
headers = headers
)
print(r.json())
require 'rest-client'
require 'json'
headers = {
'Content-Type' => 'application/json',
'Accept' => 'application/json'
}
data = {
"data": {
"type": "report-ineligible-for-bounty"
}
}
result = RestClient::Request.execute(
method: :put,
url: 'https://api.hackerone.com/v1/reports/{id}/ineligible_for_bounty',
password: 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=',
user: 'api_example_company',
payload: data,
headers: headers
)
p JSON.parse(result)
URL obj = new URL("https://api.hackerone.com/v1/reports/{id}/ineligible_for_bounty");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
String userCredentials = "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);
con.setRequestMethod("PUT");
con.setRequestProperty("Content-Type", "application/json; utf-8");
con.setRequestProperty("Accept", "application/json");
con.setDoOutput(true);
String jsonInputString = "{\n \"data\": {\n \"type\": \"report-ineligible-for-bounty\"\n }\n}";
try(OutputStream os = con.getOutputStream()) {
byte[] input = jsonInputString.getBytes("utf-8");
os.write(input, 0, input.length);
}
try(BufferedReader br = new BufferedReader(
new InputStreamReader(con.getInputStream(), "utf-8"))) {
StringBuilder response = new StringBuilder();
String responseLine = null;
while ((responseLine = br.readLine()) != null) {
response.append(responseLine.trim());
}
System.out.println(response.toString());
}
let inputBody = "{\n \"data\": {\n \"type\": \"report-ineligible-for-bounty\"\n }\n}";
let user = 'api_example_company';
let password = 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
headers.set('Content-Type', 'application/json'); headers.set('Accept', 'application/json');
fetch('https://api.hackerone.com/v1/reports/{id}/ineligible_for_bounty',
{
method: 'PUT',
body: inputBody,
headers: headers
})
.then(function(res) {
return res.json();
}).then(function(body) {
console.log(body);
});
package main
import (
"bytes"
"io/ioutil"
"log"
"net/http"
)
func main() {
headers := map[string][]string{
"Content-Type": []string{"application/json"},
"Accept": []string{"application/json"},
}
data := bytes.NewBuffer([]byte(`"{\n \"data\": {\n \"type\": \"report-ineligible-for-bounty\"\n }\n}"`))
req, err := http.NewRequest("PUT", "https://api.hackerone.com/v1/reports/{id}/ineligible_for_bounty", data)
req.Header = headers
req.SetBasicAuth("api_example_company", "Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=")
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
body, _ := ioutil.ReadAll(resp.Body)
log.Println(string(body))
}
200 Response
{
"id": "1337",
"type": "report",
"attributes": {
"title": "XSS in login form",
"state": "new",
"created_at": "2016-02-02T04:05:06.000Z",
"vulnerability_information": "...",
"triaged_at": null,
"closed_at": null,
"last_reporter_activity_at": null,
"first_program_activity_at": null,
"last_program_activity_at": null,
"bounty_awarded_at": null,
"swag_awarded_at": null,
"disclosed_at": null,
"last_public_activity_at": null,
"last_activity_at": null,
"issue_tracker_reference_url": "https://example.com/reference",
"cve_ids": [],
"source": null,
"reporter_agreed_on_going_public_at": null
},
"relationships": {
"reporter": {
"data": {
"id": "1337",
"type": "user",
"attributes": {
"username": "api-example",
"name": "API Example",
"disabled": false,
"created_at": "2016-02-02T04:05:06.000Z",
"profile_picture": {
"62x62": "/assets/avatars/default.png",
"82x82": "/assets/avatars/default.png",
"110x110": "/assets/avatars/default.png",
"260x260": "/assets/avatars/default.png"
},
"reputation": 7,
"signal": 7,
"impact": 30
}
}
},
"program": {
"data": {
"id": "1337",
"type": "program",
"attributes": {
"handle": "security",
"created_at": "2016-02-02T04:05:06.000Z",
"updated_at": "2016-02-02T04:05:06.000Z"
}
}
},
"swag": {
"data": []
},
"attachments": {
"data": []
},
"weakness": {
"data": {
"id": "1337",
"type": "weakness",
"attributes": {
"name": "Cross-Site Request Forgery (CSRF)",
"description": "The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.",
"external_id": "cwe-352",
"created_at": "2016-02-02T04:05:06.000Z"
}
}
},
"structured_scope": {
"data": {
"id": "287",
"type": "structured-scope",
"attributes": {
"asset_type": "URL",
"asset_identifier": "www.hackerone.com",
"eligible_for_bounty": true,
"eligible_for_submission": true,
"instruction": "This asset does not contain any highly confidential information.",
"max_severity": "critical",
"created_at": "2016-02-02T04:05:06.000Z",
"updated_at": "2016-02-02T04:05:06.000Z",
"reference": "T12345",
"confidentiality_requirement": "medium",
"integrity_requirement": "high",
"availability_requirement": "medium"
}
}
},
"activities": {
"data": []
},
"bounties": {
"data": []
},
"summaries": {
"data": []
}
}
}
PUT /reports/{id}/ineligible_for_bounty
Marking a report as ineligible for bounty through the HackerOne API can be useful to
programmatically batch update received reports in HackerOne.
Marking a report as ineligible for bounty can be done through this endpoint. This API
endpoint cannot be used for reports that have been reported outside of the HackerOne platform.
Required permissions: Report Management. You can manage the permissions of your API users through your program's settings. Insufficient permissions will result in a 403 Forbidden response.
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| id | path | integer | true | The ID of the report. |
| data | body | object | true | The information to mark a report as ineligible for bounty. |
| » type | body | string | true | none |
Enumerated Values
| Parameter | Value |
|---|---|
| » type | report-ineligible-for-bounty |
List bounty suggestions
Code samples
# You can also use wget
curl "https://api.hackerone.com/v1/reports/{id}/bounty_suggestions" \
-X GET \
-u "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=" \
-H 'Accept: application/json'
import requests
headers = {
'Accept': 'application/json'
}
r = requests.get(
'https://api.hackerone.com/v1/reports/{id}/bounty_suggestions',
auth=('api_example_company', 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ='),
headers = headers
)
print(r.json())
require 'rest-client'
require 'json'
headers = {
'Accept' => 'application/json'
}
result = RestClient::Request.execute(
method: :get,
url: 'https://api.hackerone.com/v1/reports/{id}/bounty_suggestions',
password: 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=',
user: 'api_example_company',
headers: headers
)
p JSON.parse(result)
URL obj = new URL("https://api.hackerone.com/v1/reports/{id}/bounty_suggestions");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
String userCredentials = "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);
con.setRequestMethod("GET");
try(BufferedReader br = new BufferedReader(
new InputStreamReader(con.getInputStream(), "utf-8"))) {
StringBuilder response = new StringBuilder();
String responseLine = null;
while ((responseLine = br.readLine()) != null) {
response.append(responseLine.trim());
}
System.out.println(response.toString());
}
let user = 'api_example_company';
let password = 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
headers.set('Accept', 'application/json');
fetch('https://api.hackerone.com/v1/reports/{id}/bounty_suggestions',
{
method: 'GET',
headers: headers
})
.then(function(res) {
return res.json();
}).then(function(body) {
console.log(body);
});
package main
import (
"io/ioutil"
"log"
"net/http"
)
func main() {
headers := map[string][]string{
"Accept": []string{"application/json"},
}
req, err := http.NewRequest("GET", "https://api.hackerone.com/v1/reports/{id}/bounty_suggestions", nil)
req.Header = headers
req.SetBasicAuth("api_example_company", "Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=")
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
body, _ := ioutil.ReadAll(resp.Body)
log.Println(string(body))
}
200 Response
{
"id": "1337",
"type": "bounty",
"attributes": {
"amount": "500.00",
"bonus_amount": "50.00",
"created_at": "2016-02-02T04:05:06.000Z"
}
}
GET /reports/{id}/bounty_suggestions
This API endpoint allows a user to retrieve a list of bounty suggestions for a report.
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| id | path | integer | true | The ID of the report. |
Create bounty suggestion
Code samples
# You can also use wget
curl "https://api.hackerone.com/v1/reports/{id}/bounty_suggestions" \
-X POST \
-u "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=" \
-H 'Content-Type: application/json' \
-H 'Accept: application/json' \
-d @- <<EOD
{
"data": {
"message": "string",
"amount": 0,
"bonus_amount": 0
}
}
EOD
import requests
headers = {
'Content-Type': 'application/json',
'Accept': 'application/json'
}
data = {
"data": {
"message": "string",
"amount": 0,
"bonus_amount": 0
}
}
r = requests.post(
'https://api.hackerone.com/v1/reports/{id}/bounty_suggestions',
auth=('api_example_company', 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ='),
json = data,
headers = headers
)
print(r.json())
require 'rest-client'
require 'json'
headers = {
'Content-Type' => 'application/json',
'Accept' => 'application/json'
}
data = {
"data": {
"message": "string",
"amount": 0,
"bonus_amount": 0
}
}
result = RestClient::Request.execute(
method: :post,
url: 'https://api.hackerone.com/v1/reports/{id}/bounty_suggestions',
password: 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=',
user: 'api_example_company',
payload: data,
headers: headers
)
p JSON.parse(result)
URL obj = new URL("https://api.hackerone.com/v1/reports/{id}/bounty_suggestions");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
String userCredentials = "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);
con.setRequestMethod("POST");
con.setRequestProperty("Content-Type", "application/json; utf-8");
con.setRequestProperty("Accept", "application/json");
con.setDoOutput(true);
String jsonInputString = "{\n \"data\": {\n \"message\": \"string\",\n \"amount\": 0,\n \"bonus_amount\": 0\n }\n}";
try(OutputStream os = con.getOutputStream()) {
byte[] input = jsonInputString.getBytes("utf-8");
os.write(input, 0, input.length);
}
try(BufferedReader br = new BufferedReader(
new InputStreamReader(con.getInputStream(), "utf-8"))) {
StringBuilder response = new StringBuilder();
String responseLine = null;
while ((responseLine = br.readLine()) != null) {
response.append(responseLine.trim());
}
System.out.println(response.toString());
}
let inputBody = "{\n \"data\": {\n \"message\": \"string\",\n \"amount\": 0,\n \"bonus_amount\": 0\n }\n}";
let user = 'api_example_company';
let password = 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
headers.set('Content-Type', 'application/json'); headers.set('Accept', 'application/json');
fetch('https://api.hackerone.com/v1/reports/{id}/bounty_suggestions',
{
method: 'POST',
body: inputBody,
headers: headers
})
.then(function(res) {
return res.json();
}).then(function(body) {
console.log(body);
});
package main
import (
"bytes"
"io/ioutil"
"log"
"net/http"
)
func main() {
headers := map[string][]string{
"Content-Type": []string{"application/json"},
"Accept": []string{"application/json"},
}
data := bytes.NewBuffer([]byte(`"{\n \"data\": {\n \"message\": \"string\",\n \"amount\": 0,\n \"bonus_amount\": 0\n }\n}"`))
req, err := http.NewRequest("POST", "https://api.hackerone.com/v1/reports/{id}/bounty_suggestions", data)
req.Header = headers
req.SetBasicAuth("api_example_company", "Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=")
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
body, _ := ioutil.ReadAll(resp.Body)
log.Println(string(body))
}
201 Response
{
"id": "1337",
"type": "activity-bounty-suggested",
"attributes": {
"message": "Bounty Suggested!",
"created_at": "2016-02-02T04:05:06.000Z",
"updated_at": "2016-02-02T04:05:06.000Z",
"internal": true,
"bounty_amount": "500",
"bonus_amount": "50"
},
"relationships": {
"actor": {
"data": {
"id": "1337",
"type": "user",
"attributes": {
"username": "api-example",
"name": "API Example",
"disabled": false,
"created_at": "2016-02-02T04:05:06.000Z",
"profile_picture": {
"62x62": "/assets/avatars/default.png",
"82x82": "/assets/avatars/default.png",
"110x110": "/assets/avatars/default.png",
"260x260": "/assets/avatars/default.png"
}
}
}
}
}
}
POST /reports/{id}/bounty_suggestions
You can use this endpoint to suggest bounties to the provided report.
Required permissions: Reward Management or Report Management. You can manage the permissions of your API users through your program's settings. Insufficient permissions will result in a 404 Not Found response.
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| id | path | integer | true | The ID of the report. |
| data | body | object | true | none |
| » message | body | string | true | (Always required) The internal message posted on the report. Only viewable by team members. |
| » amount | body | integer | false | The suggested bounty award to award the reporter. Only amount or bonus amount is required. It must be a positive number, and, when provided, must be equal to or greater than your minimum amount. |
| » bonus_amount | body | integer | false | The suggested bonus amount to award to the reporter. Only amount or bonus amount is required. It must be a positive number. |
Close Comments
Code samples
# You can also use wget
curl "https://api.hackerone.com/v1/reports/{id}/close_comments" \
-X PUT \
-u "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=" \
-H 'Content-Type: application/json' \
-H 'Accept: application/json' \
-d @- <<EOD
{
"data": {
"type": "activity-comments-closed"
}
}
EOD
import requests
headers = {
'Content-Type': 'application/json',
'Accept': 'application/json'
}
data = {
"data": {
"type": "activity-comments-closed"
}
}
r = requests.put(
'https://api.hackerone.com/v1/reports/{id}/close_comments',
auth=('api_example_company', 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ='),
json = data,
headers = headers
)
print(r.json())
require 'rest-client'
require 'json'
headers = {
'Content-Type' => 'application/json',
'Accept' => 'application/json'
}
data = {
"data": {
"type": "activity-comments-closed"
}
}
result = RestClient::Request.execute(
method: :put,
url: 'https://api.hackerone.com/v1/reports/{id}/close_comments',
password: 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=',
user: 'api_example_company',
payload: data,
headers: headers
)
p JSON.parse(result)
URL obj = new URL("https://api.hackerone.com/v1/reports/{id}/close_comments");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
String userCredentials = "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);
con.setRequestMethod("PUT");
con.setRequestProperty("Content-Type", "application/json; utf-8");
con.setRequestProperty("Accept", "application/json");
con.setDoOutput(true);
String jsonInputString = "{\n \"data\": {\n \"type\": \"activity-comments-closed\"\n }\n}";
try(OutputStream os = con.getOutputStream()) {
byte[] input = jsonInputString.getBytes("utf-8");
os.write(input, 0, input.length);
}
try(BufferedReader br = new BufferedReader(
new InputStreamReader(con.getInputStream(), "utf-8"))) {
StringBuilder response = new StringBuilder();
String responseLine = null;
while ((responseLine = br.readLine()) != null) {
response.append(responseLine.trim());
}
System.out.println(response.toString());
}
let inputBody = "{\n \"data\": {\n \"type\": \"activity-comments-closed\"\n }\n}";
let user = 'api_example_company';
let password = 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
headers.set('Content-Type', 'application/json'); headers.set('Accept', 'application/json');
fetch('https://api.hackerone.com/v1/reports/{id}/close_comments',
{
method: 'PUT',
body: inputBody,
headers: headers
})
.then(function(res) {
return res.json();
}).then(function(body) {
console.log(body);
});
package main
import (
"bytes"
"io/ioutil"
"log"
"net/http"
)
func main() {
headers := map[string][]string{
"Content-Type": []string{"application/json"},
"Accept": []string{"application/json"},
}
data := bytes.NewBuffer([]byte(`"{\n \"data\": {\n \"type\": \"activity-comments-closed\"\n }\n}"`))
req, err := http.NewRequest("PUT", "https://api.hackerone.com/v1/reports/{id}/close_comments", data)
req.Header = headers
req.SetBasicAuth("api_example_company", "Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=")
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
body, _ := ioutil.ReadAll(resp.Body)
log.Println(string(body))
}
200 Response
{
"id": "1337",
"type": "activity-comments-closed",
"attributes": {
"message": "Comments Closed!",
"created_at": "2016-02-02T04:05:06.000Z",
"updated_at": "2016-02-02T04:05:06.000Z",
"internal": false
},
"relationships": {
"actor": {
"data": {
"id": "1337",
"type": "user",
"attributes": {
"username": "api-example",
"name": "API Example",
"disabled": false,
"created_at": "2016-02-02T04:05:06.000Z",
"profile_picture": {
"62x62": "/assets/avatars/default.png",
"82x82": "/assets/avatars/default.png",
"110x110": "/assets/avatars/default.png",
"260x260": "/assets/avatars/default.png"
}
}
}
}
}
}
PUT /reports/{id}/close_comments
A report can only be locked once. This API endpoint
cannot be used for reports that have been reported outside of the
HackerOne platform or reported to other teams.
Required permissions: Report Management. You can manage the permissions of your API users through your program's settings. Insufficient permissions will result in a 403 Forbidden response.
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| id | path | integer | true | The ID of the report. |
| data | body | object | true | The information to lock the report. |
| » type | body | string | true | none |
Enumerated Values
| Parameter | Value |
|---|---|
| » type | activity-comments-closed |
Manage Custom Field Values
Code samples
# You can also use wget
curl "https://api.hackerone.com/v1/reports/{id}/custom_field_values" \
-X POST \
-u "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=" \
-H 'Content-Type: application/json' \
-H 'Accept: application/json' \
-d @- <<EOD
{
"data": {
"attributes": {
"custom_field_attribute_id": 0,
"value": "string"
}
}
}
EOD
import requests
headers = {
'Content-Type': 'application/json',
'Accept': 'application/json'
}
data = {
"data": {
"attributes": {
"custom_field_attribute_id": 0,
"value": "string"
}
}
}
r = requests.post(
'https://api.hackerone.com/v1/reports/{id}/custom_field_values',
auth=('api_example_company', 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ='),
json = data,
headers = headers
)
print(r.json())
require 'rest-client'
require 'json'
headers = {
'Content-Type' => 'application/json',
'Accept' => 'application/json'
}
data = {
"data": {
"attributes": {
"custom_field_attribute_id": 0,
"value": "string"
}
}
}
result = RestClient::Request.execute(
method: :post,
url: 'https://api.hackerone.com/v1/reports/{id}/custom_field_values',
password: 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=',
user: 'api_example_company',
payload: data,
headers: headers
)
p JSON.parse(result)
URL obj = new URL("https://api.hackerone.com/v1/reports/{id}/custom_field_values");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
String userCredentials = "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);
con.setRequestMethod("POST");
con.setRequestProperty("Content-Type", "application/json; utf-8");
con.setRequestProperty("Accept", "application/json");
con.setDoOutput(true);
String jsonInputString = "{\n \"data\": {\n \"attributes\": {\n \"custom_field_attribute_id\": 0,\n \"value\": \"string\"\n }\n }\n}";
try(OutputStream os = con.getOutputStream()) {
byte[] input = jsonInputString.getBytes("utf-8");
os.write(input, 0, input.length);
}
try(BufferedReader br = new BufferedReader(
new InputStreamReader(con.getInputStream(), "utf-8"))) {
StringBuilder response = new StringBuilder();
String responseLine = null;
while ((responseLine = br.readLine()) != null) {
response.append(responseLine.trim());
}
System.out.println(response.toString());
}
let inputBody = "{\n \"data\": {\n \"attributes\": {\n \"custom_field_attribute_id\": 0,\n \"value\": \"string\"\n }\n }\n}";
let user = 'api_example_company';
let password = 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
headers.set('Content-Type', 'application/json'); headers.set('Accept', 'application/json');
fetch('https://api.hackerone.com/v1/reports/{id}/custom_field_values',
{
method: 'POST',
body: inputBody,
headers: headers
})
.then(function(res) {
return res.json();
}).then(function(body) {
console.log(body);
});
package main
import (
"bytes"
"io/ioutil"
"log"
"net/http"
)
func main() {
headers := map[string][]string{
"Content-Type": []string{"application/json"},
"Accept": []string{"application/json"},
}
data := bytes.NewBuffer([]byte(`"{\n \"data\": {\n \"attributes\": {\n \"custom_field_attribute_id\": 0,\n \"value\": \"string\"\n }\n }\n}"`))
req, err := http.NewRequest("POST", "https://api.hackerone.com/v1/reports/{id}/custom_field_values", data)
req.Header = headers
req.SetBasicAuth("api_example_company", "Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=")
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
body, _ := ioutil.ReadAll(resp.Body)
log.Println(string(body))
}
200 Response
{
"id": "1337",
"type": "custom-field-value",
"attributes": {
"value": "Infrastructure",
"created_at": "2016-02-02T04:05:06.000Z",
"updated_at": "2016-02-02T04:05:06.000Z"
},
"relationships": {
"custom_field_attribute": {
"data": {
"id": "287",
"type": "custom-field-attribute",
"attributes": {
"label": "Product Squad",
"configuration": null,
"created_at": "2013-01-01T00:00:00.000Z",
"updated_at": "2013-01-01T00:00:00.000Z",
"archived_at": null
}
}
}
}
}
POST /reports/{id}/custom_field_values
You can use this endpoint to create / update the Custom
Field Values of the provided report. If the report already has a
value for the provided Custom Field Attribute ID, the value will
be replaced. To get a list of existing Custom Field Attributes,
see program. This feature is only available to select programs
at this time.
Required permissions: Report Management. You can manage the permissions of your API users through your program's settings. Insufficient permissions will result in a 403 Forbidden response.
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| id | path | integer | true | The ID of the report. |
| data | body | object | true | The information required to create a Custom Field Value. |
| » attributes | body | object | true | none |
| »» custom_field_attribute_id | body | integer | true | The Custom Field Attribute ID for which a value needs to be set. A complete list of available Custom Field Attribute IDs is exposed on the Program object. |
| »» value | body | string | false | The value that needs to be set for the given Custom Field Attribute. Leave this field empty to remove a Custom Field Attribute from a report. |
Update Disclosure Request
Code samples
# You can also use wget
curl "https://api.hackerone.com/v1/reports/{id}/disclosure_requests" \
-X POST \
-u "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=" \
-H 'Content-Type: application/json' \
-H 'Accept: application/json' \
-d @- <<EOD
{
"data": {
"attributes": {
"substate": "full",
"message": "string"
}
}
}
EOD
import requests
headers = {
'Content-Type': 'application/json',
'Accept': 'application/json'
}
data = {
"data": {
"attributes": {
"substate": "full",
"message": "string"
}
}
}
r = requests.post(
'https://api.hackerone.com/v1/reports/{id}/disclosure_requests',
auth=('api_example_company', 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ='),
json = data,
headers = headers
)
print(r.json())
require 'rest-client'
require 'json'
headers = {
'Content-Type' => 'application/json',
'Accept' => 'application/json'
}
data = {
"data": {
"attributes": {
"substate": "full",
"message": "string"
}
}
}
result = RestClient::Request.execute(
method: :post,
url: 'https://api.hackerone.com/v1/reports/{id}/disclosure_requests',
password: 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=',
user: 'api_example_company',
payload: data,
headers: headers
)
p JSON.parse(result)
URL obj = new URL("https://api.hackerone.com/v1/reports/{id}/disclosure_requests");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
String userCredentials = "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);
con.setRequestMethod("POST");
con.setRequestProperty("Content-Type", "application/json; utf-8");
con.setRequestProperty("Accept", "application/json");
con.setDoOutput(true);
String jsonInputString = "{\n \"data\": {\n \"attributes\": {\n \"substate\": \"full\",\n \"message\": \"string\"\n }\n }\n}";
try(OutputStream os = con.getOutputStream()) {
byte[] input = jsonInputString.getBytes("utf-8");
os.write(input, 0, input.length);
}
try(BufferedReader br = new BufferedReader(
new InputStreamReader(con.getInputStream(), "utf-8"))) {
StringBuilder response = new StringBuilder();
String responseLine = null;
while ((responseLine = br.readLine()) != null) {
response.append(responseLine.trim());
}
System.out.println(response.toString());
}
let inputBody = "{\n \"data\": {\n \"attributes\": {\n \"substate\": \"full\",\n \"message\": \"string\"\n }\n }\n}";
let user = 'api_example_company';
let password = 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
headers.set('Content-Type', 'application/json'); headers.set('Accept', 'application/json');
fetch('https://api.hackerone.com/v1/reports/{id}/disclosure_requests',
{
method: 'POST',
body: inputBody,
headers: headers
})
.then(function(res) {
return res.json();
}).then(function(body) {
console.log(body);
});
package main
import (
"bytes"
"io/ioutil"
"log"
"net/http"
)
func main() {
headers := map[string][]string{
"Content-Type": []string{"application/json"},
"Accept": []string{"application/json"},
}
data := bytes.NewBuffer([]byte(`"{\n \"data\": {\n \"attributes\": {\n \"substate\": \"full\",\n \"message\": \"string\"\n }\n }\n}"`))
req, err := http.NewRequest("POST", "https://api.hackerone.com/v1/reports/{id}/disclosure_requests", data)
req.Header = headers
req.SetBasicAuth("api_example_company", "Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=")
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
body, _ := ioutil.ReadAll(resp.Body)
log.Println(string(body))
}
200 Response
{
"id": "1337",
"type": "activity-agreed-on-going-public",
"attributes": {
"message": "Agreed On Going Public!",
"created_at": "2016-02-02T04:05:06.000Z",
"updated_at": "2016-02-02T04:05:06.000Z",
"internal": false
},
"relationships": {
"actor": {
"data": {
"id": "1337",
"type": "user",
"attributes": {
"username": "api-example",
"name": "API Example",
"disabled": false,
"created_at": "2016-02-02T04:05:06.000Z",
"profile_picture": {
"62x62": "/assets/avatars/default.png",
"82x82": "/assets/avatars/default.png",
"110x110": "/assets/avatars/default.png",
"260x260": "/assets/avatars/default.png"
}
}
}
}
}
}
POST /reports/{id}/disclosure_requests
The program can request disclosure for any closed report.
You can use this endpoint to create the disclosure request for the report which will result in:
The agreement to disclose the report if the reporter has already requested the disclosure. The contents of the report will be made public instantly. The time when the report was disclosed will be returned in the 'disclosed_at' attribute.
The disclosure request if the reporter hasn't requested the disclosure yet. If the reporter doesn't either approve or deny disclosure request from the program, the contents of the report will be auto-disclosed within 30 days. The 'allow_singular_disclosure_at' attribute value will show when the report will be disclosed.
Required permissions: Report Management. You can manage the permissions of your API users through your program's settings. Insufficient permissions will result in a 403 Forbidden response.
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| id | path | integer | true | The ID of the report. |
| data | body | object | true | This object contains the information about disclosure request. |
| » attributes | body | object | true | none |
| »» substate | body | string | true | Select whether you want to disclose the full report ("full") or a |
| »» message | body | string | false | Additional information |
Detailed descriptions
»» substate: Select whether you want to disclose the full report ("full") or a limited version ("no-content"). Possible values: full, no-content
Enumerated Values
| Parameter | Value |
|---|---|
| »» substate | full |
| »» substate | no-content |
Cancel Disclosure Request
Code samples
# You can also use wget
curl "https://api.hackerone.com/v1/reports/{id}/disclosure_requests" \
-X DELETE \
-u "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=" \
-H 'Content-Type: application/json' \
-H 'Accept: application/json' \
-d @- <<EOD
{
"data": {}
}
EOD
import requests
headers = {
'Content-Type': 'application/json',
'Accept': 'application/json'
}
data = {
"data": {}
}
r = requests.delete(
'https://api.hackerone.com/v1/reports/{id}/disclosure_requests',
auth=('api_example_company', 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ='),
json = data,
headers = headers
)
print(r.json())
require 'rest-client'
require 'json'
headers = {
'Content-Type' => 'application/json',
'Accept' => 'application/json'
}
data = {
"data": {}
}
result = RestClient::Request.execute(
method: :delete,
url: 'https://api.hackerone.com/v1/reports/{id}/disclosure_requests',
password: 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=',
user: 'api_example_company',
payload: data,
headers: headers
)
p JSON.parse(result)
URL obj = new URL("https://api.hackerone.com/v1/reports/{id}/disclosure_requests");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
String userCredentials = "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);
con.setRequestMethod("DELETE");
con.setRequestProperty("Content-Type", "application/json; utf-8");
con.setRequestProperty("Accept", "application/json");
con.setDoOutput(true);
String jsonInputString = "{\n \"data\": {}\n}";
try(OutputStream os = con.getOutputStream()) {
byte[] input = jsonInputString.getBytes("utf-8");
os.write(input, 0, input.length);
}
try(BufferedReader br = new BufferedReader(
new InputStreamReader(con.getInputStream(), "utf-8"))) {
StringBuilder response = new StringBuilder();
String responseLine = null;
while ((responseLine = br.readLine()) != null) {
response.append(responseLine.trim());
}
System.out.println(response.toString());
}
let inputBody = "{\n \"data\": {}\n}";
let user = 'api_example_company';
let password = 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
headers.set('Content-Type', 'application/json'); headers.set('Accept', 'application/json');
fetch('https://api.hackerone.com/v1/reports/{id}/disclosure_requests',
{
method: 'DELETE',
body: inputBody,
headers: headers
})
.then(function(res) {
return res.json();
}).then(function(body) {
console.log(body);
});
package main
import (
"bytes"
"io/ioutil"
"log"
"net/http"
)
func main() {
headers := map[string][]string{
"Content-Type": []string{"application/json"},
"Accept": []string{"application/json"},
}
data := bytes.NewBuffer([]byte(`"{\n \"data\": {}\n}"`))
req, err := http.NewRequest("DELETE", "https://api.hackerone.com/v1/reports/{id}/disclosure_requests", data)
req.Header = headers
req.SetBasicAuth("api_example_company", "Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=")
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
body, _ := ioutil.ReadAll(resp.Body)
log.Println(string(body))
}
200 Response
{
"id": "1337",
"type": "activity-cancelled-disclosure-request",
"attributes": {
"message": "Cancel disclosure 1",
"created_at": "2019-10-23T13:35:35.616Z",
"updated_at": "2019-10-23T13:35:35.616Z",
"internal": false
},
"relationships": {
"actor": {
"data": {
"id": "1337",
"type": "user",
"attributes": {
"username": "api_user",
"name": null,
"disabled": false,
"created_at": "2019-10-14T13:59:49.563Z",
"profile_picture": {
"62x62": "/assets/avatars/default.png",
"82x82": "/assets/avatars/default.png",
"110x110": "/assets/avatars/default.png",
"260x260": "/assets/avatars/default.png"
},
"signal": null,
"impact": null,
"reputation": null,
"bio": null,
"website": null,
"location": null,
"hackerone_triager": false
}
}
}
}
}
DELETE /reports/{id}/disclosure_requests
The program can cancel the disclosure request for the provided report.
Required permissions: Report Management. You can manage the permissions of your API users through your program's settings. Insufficient permissions will result in a 403 Forbidden response.
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| id | path | integer | true | The ID of the report. |
| data | body | object | true | none |
Add participant
Code samples
# You can also use wget
curl "https://api.hackerone.com/v1/reports/{id}/participants" \
-X POST \
-u "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=" \
-H 'Content-Type: application/json' \
-H 'Accept: application/json' \
-d @- <<EOD
{
"data": {
"type": "report-participant",
"attributes": {
"email": "string",
"username": "string"
}
}
}
EOD
import requests
headers = {
'Content-Type': 'application/json',
'Accept': 'application/json'
}
data = {
"data": {
"type": "report-participant",
"attributes": {
"email": "string",
"username": "string"
}
}
}
r = requests.post(
'https://api.hackerone.com/v1/reports/{id}/participants',
auth=('api_example_company', 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ='),
json = data,
headers = headers
)
print(r.json())
require 'rest-client'
require 'json'
headers = {
'Content-Type' => 'application/json',
'Accept' => 'application/json'
}
data = {
"data": {
"type": "report-participant",
"attributes": {
"email": "string",
"username": "string"
}
}
}
result = RestClient::Request.execute(
method: :post,
url: 'https://api.hackerone.com/v1/reports/{id}/participants',
password: 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=',
user: 'api_example_company',
payload: data,
headers: headers
)
p JSON.parse(result)
URL obj = new URL("https://api.hackerone.com/v1/reports/{id}/participants");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
String userCredentials = "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);
con.setRequestMethod("POST");
con.setRequestProperty("Content-Type", "application/json; utf-8");
con.setRequestProperty("Accept", "application/json");
con.setDoOutput(true);
String jsonInputString = "{\n \"data\": {\n \"type\": \"report-participant\",\n \"attributes\": {\n \"email\": \"string\",\n \"username\": \"string\"\n }\n }\n}";
try(OutputStream os = con.getOutputStream()) {
byte[] input = jsonInputString.getBytes("utf-8");
os.write(input, 0, input.length);
}
try(BufferedReader br = new BufferedReader(
new InputStreamReader(con.getInputStream(), "utf-8"))) {
StringBuilder response = new StringBuilder();
String responseLine = null;
while ((responseLine = br.readLine()) != null) {
response.append(responseLine.trim());
}
System.out.println(response.toString());
}
let inputBody = "{\n \"data\": {\n \"type\": \"report-participant\",\n \"attributes\": {\n \"email\": \"string\",\n \"username\": \"string\"\n }\n }\n}";
let user = 'api_example_company';
let password = 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
headers.set('Content-Type', 'application/json'); headers.set('Accept', 'application/json');
fetch('https://api.hackerone.com/v1/reports/{id}/participants',
{
method: 'POST',
body: inputBody,
headers: headers
})
.then(function(res) {
return res.json();
}).then(function(body) {
console.log(body);
});
package main
import (
"bytes"
"io/ioutil"
"log"
"net/http"
)
func main() {
headers := map[string][]string{
"Content-Type": []string{"application/json"},
"Accept": []string{"application/json"},
}
data := bytes.NewBuffer([]byte(`"{\n \"data\": {\n \"type\": \"report-participant\",\n \"attributes\": {\n \"email\": \"string\",\n \"username\": \"string\"\n }\n }\n}"`))
req, err := http.NewRequest("POST", "https://api.hackerone.com/v1/reports/{id}/participants", data)
req.Header = headers
req.SetBasicAuth("api_example_company", "Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=")
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
body, _ := ioutil.ReadAll(resp.Body)
log.Println(string(body))
}
200 Response
{
"id": "117",
"type": "report-participant",
"attributes": {
"report_id": "1337",
"created_at": "2016-02-02T04:05:06.000Z",
"updated_at": "2016-02-02T04:05:06.000Z"
}
}
POST /reports/{id}/participants
Participants can be added through this endpoint by an email address or a HackerOne username.
It can be useful to programmatically batch update received reports in HackerOne.
This API endpoint cannot be used for reports that are published and have been reported
outside of the HackerOne platform.
Required permission: Report Management. You can manage the permissions of your API users through your program's settings. Insufficient permissions will result in a 403 Forbidden response.
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| id | path | integer | true | The ID of the report. |
| data | body | object | true | The information to add a participant. |
| » type | body | string | true | none |
| » attributes | body | object | true | none |
| body | string | false | The email address of the participant. Required when username is not provided. | |
| »» username | body | string | false | The HackerOne username of the participant. Required when email address is not provided. |
Enumerated Values
| Parameter | Value |
|---|---|
| » type | report-participant |
Redact report
Code samples
# You can also use wget
curl "https://api.hackerone.com/v1/reports/{id}/redact" \
-X PUT \
-u "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=" \
-H 'Content-Type: application/json' \
-H 'Accept: application/json' \
-d @- <<EOD
{
"data": {
"type": "report-redact",
"attributes": {
"string_to_redact": "string"
}
}
}
EOD
import requests
headers = {
'Content-Type': 'application/json',
'Accept': 'application/json'
}
data = {
"data": {
"type": "report-redact",
"attributes": {
"string_to_redact": "string"
}
}
}
r = requests.put(
'https://api.hackerone.com/v1/reports/{id}/redact',
auth=('api_example_company', 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ='),
json = data,
headers = headers
)
print(r.json())
require 'rest-client'
require 'json'
headers = {
'Content-Type' => 'application/json',
'Accept' => 'application/json'
}
data = {
"data": {
"type": "report-redact",
"attributes": {
"string_to_redact": "string"
}
}
}
result = RestClient::Request.execute(
method: :put,
url: 'https://api.hackerone.com/v1/reports/{id}/redact',
password: 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=',
user: 'api_example_company',
payload: data,
headers: headers
)
p JSON.parse(result)
URL obj = new URL("https://api.hackerone.com/v1/reports/{id}/redact");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
String userCredentials = "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);
con.setRequestMethod("PUT");
con.setRequestProperty("Content-Type", "application/json; utf-8");
con.setRequestProperty("Accept", "application/json");
con.setDoOutput(true);
String jsonInputString = "{\n \"data\": {\n \"type\": \"report-redact\",\n \"attributes\": {\n \"string_to_redact\": \"string\"\n }\n }\n}";
try(OutputStream os = con.getOutputStream()) {
byte[] input = jsonInputString.getBytes("utf-8");
os.write(input, 0, input.length);
}
try(BufferedReader br = new BufferedReader(
new InputStreamReader(con.getInputStream(), "utf-8"))) {
StringBuilder response = new StringBuilder();
String responseLine = null;
while ((responseLine = br.readLine()) != null) {
response.append(responseLine.trim());
}
System.out.println(response.toString());
}
let inputBody = "{\n \"data\": {\n \"type\": \"report-redact\",\n \"attributes\": {\n \"string_to_redact\": \"string\"\n }\n }\n}";
let user = 'api_example_company';
let password = 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
headers.set('Content-Type', 'application/json'); headers.set('Accept', 'application/json');
fetch('https://api.hackerone.com/v1/reports/{id}/redact',
{
method: 'PUT',
body: inputBody,
headers: headers
})
.then(function(res) {
return res.json();
}).then(function(body) {
console.log(body);
});
package main
import (
"bytes"
"io/ioutil"
"log"
"net/http"
)
func main() {
headers := map[string][]string{
"Content-Type": []string{"application/json"},
"Accept": []string{"application/json"},
}
data := bytes.NewBuffer([]byte(`"{\n \"data\": {\n \"type\": \"report-redact\",\n \"attributes\": {\n \"string_to_redact\": \"string\"\n }\n }\n}"`))
req, err := http.NewRequest("PUT", "https://api.hackerone.com/v1/reports/{id}/redact", data)
req.Header = headers
req.SetBasicAuth("api_example_company", "Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=")
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
body, _ := ioutil.ReadAll(resp.Body)
log.Println(string(body))
}
200 Response
{
"id": "1337",
"type": "report",
"attributes": {
"title": "XSS in login form",
"state": "new",
"created_at": "2016-02-02T04:05:06.000Z",
"vulnerability_information": "...",
"triaged_at": null,
"closed_at": null,
"last_reporter_activity_at": null,
"first_program_activity_at": null,
"last_program_activity_at": null,
"bounty_awarded_at": null,
"swag_awarded_at": null,
"disclosed_at": null,
"last_public_activity_at": null,
"last_activity_at": null,
"issue_tracker_reference_url": "https://example.com/reference",
"cve_ids": [],
"source": null,
"reporter_agreed_on_going_public_at": null
},
"relationships": {
"reporter": {
"data": {
"id": "1337",
"type": "user",
"attributes": {
"username": "api-example",
"name": "API Example",
"disabled": false,
"created_at": "2016-02-02T04:05:06.000Z",
"profile_picture": {
"62x62": "/assets/avatars/default.png",
"82x82": "/assets/avatars/default.png",
"110x110": "/assets/avatars/default.png",
"260x260": "/assets/avatars/default.png"
},
"reputation": 7,
"signal": 7,
"impact": 30
}
}
},
"program": {
"data": {
"id": "1337",
"type": "program",
"attributes": {
"handle": "security",
"created_at": "2016-02-02T04:05:06.000Z",
"updated_at": "2016-02-02T04:05:06.000Z"
}
}
},
"swag": {
"data": []
},
"attachments": {
"data": []
},
"weakness": {
"data": {
"id": "1337",
"type": "weakness",
"attributes": {
"name": "Cross-Site Request Forgery (CSRF)",
"description": "The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.",
"external_id": "cwe-352",
"created_at": "2016-02-02T04:05:06.000Z"
}
}
},
"structured_scope": {
"data": {
"id": "287",
"type": "structured-scope",
"attributes": {
"asset_type": "URL",
"asset_identifier": "www.hackerone.com",
"eligible_for_bounty": true,
"eligible_for_submission": true,
"instruction": "This asset does not contain any highly confidential information.",
"max_severity": "critical",
"created_at": "2016-02-02T04:05:06.000Z",
"updated_at": "2016-02-02T04:05:06.000Z",
"reference": "T12345",
"confidentiality_requirement": "medium",
"integrity_requirement": "high",
"availability_requirement": "medium"
}
}
},
"activities": {
"data": []
},
"bounties": {
"data": []
},
"summaries": {
"data": []
}
}
}
PUT /reports/{id}/redact
Reports can be redacted through this endpoint. It can be useful to programmatically batch
update received reports in HackerOne. This API endpoint cannot be used for reports that
have been reported outside of the HackerOne platform.
Required permissions: Report Management. You can manage the permissions of your API users through your program's settings. Insufficient permissions will result in a 403 Forbidden response.
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| id | path | integer | true | The ID of the report. |
| data | body | object | true | The information to redact a report. |
| » type | body | string | true | none |
| » attributes | body | object | true | none |
| »» string_to_redact | body | string | true | The content to be redacted from the report. |
Enumerated Values
| Parameter | Value |
|---|---|
| » type | report-redact |
Update Severity
Code samples
# You can also use wget
curl "https://api.hackerone.com/v1/reports/{id}/severities" \
-X POST \
-u "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=" \
-H 'Content-Type: application/json' \
-H 'Accept: application/json' \
-d @- <<EOD
{
"data": {
"id": "57",
"type": "severity",
"attributes": {
"rating": "high",
"author_type": "User",
"user_id": 1337,
"created_at": "2016-02-02T04:05:06.000Z",
"score": 8.7,
"attack_complexity": "low",
"attack_vector": "adjacent",
"availability": "high",
"confidentiality": "low",
"integrity": "high",
"privileges_required": "low",
"user_interaction": "required",
"scope": "changed"
}
}
}
EOD
import requests
headers = {
'Content-Type': 'application/json',
'Accept': 'application/json'
}
data = {
"data": {
"id": "57",
"type": "severity",
"attributes": {
"rating": "high",
"author_type": "User",
"user_id": 1337,
"created_at": "2016-02-02T04:05:06.000Z",
"score": 8.7,
"attack_complexity": "low",
"attack_vector": "adjacent",
"availability": "high",
"confidentiality": "low",
"integrity": "high",
"privileges_required": "low",
"user_interaction": "required",
"scope": "changed"
}
}
}
r = requests.post(
'https://api.hackerone.com/v1/reports/{id}/severities',
auth=('api_example_company', 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ='),
json = data,
headers = headers
)
print(r.json())
require 'rest-client'
require 'json'
headers = {
'Content-Type' => 'application/json',
'Accept' => 'application/json'
}
data = {
"data": {
"id": "57",
"type": "severity",
"attributes": {
"rating": "high",
"author_type": "User",
"user_id": 1337,
"created_at": "2016-02-02T04:05:06.000Z",
"score": 8.7,
"attack_complexity": "low",
"attack_vector": "adjacent",
"availability": "high",
"confidentiality": "low",
"integrity": "high",
"privileges_required": "low",
"user_interaction": "required",
"scope": "changed"
}
}
}
result = RestClient::Request.execute(
method: :post,
url: 'https://api.hackerone.com/v1/reports/{id}/severities',
password: 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=',
user: 'api_example_company',
payload: data,
headers: headers
)
p JSON.parse(result)
URL obj = new URL("https://api.hackerone.com/v1/reports/{id}/severities");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
String userCredentials = "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);
con.setRequestMethod("POST");
con.setRequestProperty("Content-Type", "application/json; utf-8");
con.setRequestProperty("Accept", "application/json");
con.setDoOutput(true);
String jsonInputString = "{\n \"data\": {\n \"id\": \"57\",\n \"type\": \"severity\",\n \"attributes\": {\n \"rating\": \"high\",\n \"author_type\": \"User\",\n \"user_id\": 1337,\n \"created_at\": \"2016-02-02T04:05:06.000Z\",\n \"score\": 8.7,\n \"attack_complexity\": \"low\",\n \"attack_vector\": \"adjacent\",\n \"availability\": \"high\",\n \"confidentiality\": \"low\",\n \"integrity\": \"high\",\n \"privileges_required\": \"low\",\n \"user_interaction\": \"required\",\n \"scope\": \"changed\"\n }\n }\n}";
try(OutputStream os = con.getOutputStream()) {
byte[] input = jsonInputString.getBytes("utf-8");
os.write(input, 0, input.length);
}
try(BufferedReader br = new BufferedReader(
new InputStreamReader(con.getInputStream(), "utf-8"))) {
StringBuilder response = new StringBuilder();
String responseLine = null;
while ((responseLine = br.readLine()) != null) {
response.append(responseLine.trim());
}
System.out.println(response.toString());
}
let inputBody = "{\n \"data\": {\n \"id\": \"57\",\n \"type\": \"severity\",\n \"attributes\": {\n \"rating\": \"high\",\n \"author_type\": \"User\",\n \"user_id\": 1337,\n \"created_at\": \"2016-02-02T04:05:06.000Z\",\n \"score\": 8.7,\n \"attack_complexity\": \"low\",\n \"attack_vector\": \"adjacent\",\n \"availability\": \"high\",\n \"confidentiality\": \"low\",\n \"integrity\": \"high\",\n \"privileges_required\": \"low\",\n \"user_interaction\": \"required\",\n \"scope\": \"changed\"\n }\n }\n}";
let user = 'api_example_company';
let password = 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
headers.set('Content-Type', 'application/json'); headers.set('Accept', 'application/json');
fetch('https://api.hackerone.com/v1/reports/{id}/severities',
{
method: 'POST',
body: inputBody,
headers: headers
})
.then(function(res) {
return res.json();
}).then(function(body) {
console.log(body);
});
package main
import (
"bytes"
"io/ioutil"
"log"
"net/http"
)
func main() {
headers := map[string][]string{
"Content-Type": []string{"application/json"},
"Accept": []string{"application/json"},
}
data := bytes.NewBuffer([]byte(`"{\n \"data\": {\n \"id\": \"57\",\n \"type\": \"severity\",\n \"attributes\": {\n \"rating\": \"high\",\n \"author_type\": \"User\",\n \"user_id\": 1337,\n \"created_at\": \"2016-02-02T04:05:06.000Z\",\n \"score\": 8.7,\n \"attack_complexity\": \"low\",\n \"attack_vector\": \"adjacent\",\n \"availability\": \"high\",\n \"confidentiality\": \"low\",\n \"integrity\": \"high\",\n \"privileges_required\": \"low\",\n \"user_interaction\": \"required\",\n \"scope\": \"changed\"\n }\n }\n}"`))
req, err := http.NewRequest("POST", "https://api.hackerone.com/v1/reports/{id}/severities", data)
req.Header = headers
req.SetBasicAuth("api_example_company", "Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=")
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
body, _ := ioutil.ReadAll(resp.Body)
log.Println(string(body))
}
200 Response
{
"id": "57",
"type": "severity",
"attributes": {
"rating": "high",
"author_type": "User",
"user_id": 1337,
"created_at": "2016-02-02T04:05:06.000Z",
"score": 8.7,
"attack_complexity": "low",
"attack_vector": "adjacent",
"availability": "high",
"confidentiality": "low",
"integrity": "high",
"privileges_required": "low",
"user_interaction": "required",
"scope": "changed"
}
}
POST /reports/{id}/severities
You can use this endpoint to create or update the severity of
the provided report. If the report already has a severity, a new one
will be created and used as the current severity.
Required permissions: Report Management. You can manage the permissions of your API users through your program's settings. Insufficient permissions will result in a 404 Not Found response.
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| id | path | integer | true | The ID of the report. |
| data | body | severity | true | A severity object represents the severity of a report, if provided by the reporter or |
| » id | body | string | true | The unique ID of the severity. |
| » type | body | string | true | none |
| » attributes | body | object | true | none |
| »» rating | body | severity-ratings | true | none |
| »» author_type | body | string | true | The involved party that provided the severity. |
| »» user_id | body | integer | true | The unique id of the user who created the object. |
| »» score | body | number¦null | false | The vulnerability score calculated from the Common Vulnerability Scoring System (CVSS). |
| »» attack_vector | body | string¦null | false | A CVSS metric that reflects the context by which vulnerability exploritation |
| »» attack_complexity | body | string | false | A CVSS metric that describes the conditions beyond the attacker's control that must exist |
| »» privileges_required | body | string | false | A CVSS metric that describes the level of privileges an attacker must possess before |
| »» user_interaction | body | string | false | A CVSS metric that captures the requirement for a user, other than the attacker, to |
| »» scope | body | string¦null | false | A CVSS metric that determines if a successful attack impacts a component other than the |
| »» confidentiality | body | string | false | A CVSS metric that measures the impact to the confidentiality of the information resources |
| »» integrity | body | string | false | A CVSS metric that measures the impact to the integrity of a successfully exploited |
| »» availability | body | string | false | A CVSS metric that measures the availability of the impacted component resulting from a |
| »» created_at | body | string(date-time) | true | The date and time the object was created. Formatted according to ISO 8601. |
Detailed descriptions
data: A severity object represents the severity of a report, if provided by the reporter or a team member.
»» score: The vulnerability score calculated from the Common Vulnerability Scoring System (CVSS). Only present if CVSS metrics were provided.
»» attack_vector: A CVSS metric that reflects the context by which vulnerability exploritation is possible.
»» attack_complexity: A CVSS metric that describes the conditions beyond the attacker's control that must exist in order to exploit the vulnerability.
»» privileges_required: A CVSS metric that describes the level of privileges an attacker must possess before successfully exploiting the vulnerability.
»» user_interaction: A CVSS metric that captures the requirement for a user, other than the attacker, to participate in the successful compromise of the vulnerability component.
»» scope: A CVSS metric that determines if a successful attack impacts a component other than the vulnerable component.
»» confidentiality: A CVSS metric that measures the impact to the confidentiality of the information resources managed by a software component due to a successfully exploited vulnerability.
»» integrity: A CVSS metric that measures the impact to the integrity of a successfully exploited vulnerability.
»» availability: A CVSS metric that measures the availability of the impacted component resulting from a successfully exploited vulnerability.
Enumerated Values
| Parameter | Value |
|---|---|
| » type | severity |
| »» rating | none |
| »» rating | low |
| »» rating | medium |
| »» rating | high |
| »» rating | critical |
| »» author_type | User |
| »» author_type | Team |
| »» attack_vector | network |
| »» attack_vector | adjacent |
| »» attack_vector | local |
| »» attack_vector | physical |
| »» attack_complexity | low |
| »» attack_complexity | high |
| »» privileges_required | none |
| »» privileges_required | low |
| »» privileges_required | high |
| »» user_interaction | none |
| »» user_interaction | required |
| »» scope | unchanged |
| »» scope | changed |
| »» confidentiality | none |
| »» confidentiality | low |
| »» confidentiality | high |
| »» integrity | none |
| »» integrity | low |
| »» integrity | high |
| »» availability | none |
| »» availability | low |
| »» availability | high |
Change State
Code samples
# You can also use wget
curl "https://api.hackerone.com/v1/reports/{id}/state_changes" \
-X POST \
-u "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=" \
-H 'Content-Type: application/json' \
-H 'Accept: application/json' \
-d @- <<EOD
{
"data": {
"type": "state-change",
"attributes": {
"message": "string",
"state": "new",
"original_report_id": 0
}
}
}
EOD
import requests
headers = {
'Content-Type': 'application/json',
'Accept': 'application/json'
}
data = {
"data": {
"type": "state-change",
"attributes": {
"message": "string",
"state": "new",
"original_report_id": 0
}
}
}
r = requests.post(
'https://api.hackerone.com/v1/reports/{id}/state_changes',
auth=('api_example_company', 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ='),
json = data,
headers = headers
)
print(r.json())
require 'rest-client'
require 'json'
headers = {
'Content-Type' => 'application/json',
'Accept' => 'application/json'
}
data = {
"data": {
"type": "state-change",
"attributes": {
"message": "string",
"state": "new",
"original_report_id": 0
}
}
}
result = RestClient::Request.execute(
method: :post,
url: 'https://api.hackerone.com/v1/reports/{id}/state_changes',
password: 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=',
user: 'api_example_company',
payload: data,
headers: headers
)
p JSON.parse(result)
URL obj = new URL("https://api.hackerone.com/v1/reports/{id}/state_changes");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
String userCredentials = "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);
con.setRequestMethod("POST");
con.setRequestProperty("Content-Type", "application/json; utf-8");
con.setRequestProperty("Accept", "application/json");
con.setDoOutput(true);
String jsonInputString = "{\n \"data\": {\n \"type\": \"state-change\",\n \"attributes\": {\n \"message\": \"string\",\n \"state\": \"new\",\n \"original_report_id\": 0\n }\n }\n}";
try(OutputStream os = con.getOutputStream()) {
byte[] input = jsonInputString.getBytes("utf-8");
os.write(input, 0, input.length);
}
try(BufferedReader br = new BufferedReader(
new InputStreamReader(con.getInputStream(), "utf-8"))) {
StringBuilder response = new StringBuilder();
String responseLine = null;
while ((responseLine = br.readLine()) != null) {
response.append(responseLine.trim());
}
System.out.println(response.toString());
}
let inputBody = "{\n \"data\": {\n \"type\": \"state-change\",\n \"attributes\": {\n \"message\": \"string\",\n \"state\": \"new\",\n \"original_report_id\": 0\n }\n }\n}";
let user = 'api_example_company';
let password = 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
headers.set('Content-Type', 'application/json'); headers.set('Accept', 'application/json');
fetch('https://api.hackerone.com/v1/reports/{id}/state_changes',
{
method: 'POST',
body: inputBody,
headers: headers
})
.then(function(res) {
return res.json();
}).then(function(body) {
console.log(body);
});
package main
import (
"bytes"
"io/ioutil"
"log"
"net/http"
)
func main() {
headers := map[string][]string{
"Content-Type": []string{"application/json"},
"Accept": []string{"application/json"},
}
data := bytes.NewBuffer([]byte(`"{\n \"data\": {\n \"type\": \"state-change\",\n \"attributes\": {\n \"message\": \"string\",\n \"state\": \"new\",\n \"original_report_id\": 0\n }\n }\n}"`))
req, err := http.NewRequest("POST", "https://api.hackerone.com/v1/reports/{id}/state_changes", data)
req.Header = headers
req.SetBasicAuth("api_example_company", "Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=")
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
body, _ := ioutil.ReadAll(resp.Body)
log.Println(string(body))
}
201 Response
{
"id": "1337",
"type": "report",
"attributes": {
"title": "XSS in login form",
"state": "new",
"created_at": "2016-02-02T04:05:06.000Z",
"vulnerability_information": "...",
"triaged_at": null,
"closed_at": null,
"last_reporter_activity_at": null,
"first_program_activity_at": null,
"last_program_activity_at": null,
"bounty_awarded_at": null,
"swag_awarded_at": null,
"disclosed_at": null,
"last_public_activity_at": null,
"last_activity_at": null,
"issue_tracker_reference_url": "https://example.com/reference",
"cve_ids": [],
"source": null,
"reporter_agreed_on_going_public_at": null
},
"relationships": {
"reporter": {
"data": {
"id": "1337",
"type": "user",
"attributes": {
"username": "api-example",
"name": "API Example",
"disabled": false,
"created_at": "2016-02-02T04:05:06.000Z",
"profile_picture": {
"62x62": "/assets/avatars/default.png",
"82x82": "/assets/avatars/default.png",
"110x110": "/assets/avatars/default.png",
"260x260": "/assets/avatars/default.png"
},
"reputation": 7,
"signal": 7,
"impact": 30
}
}
},
"program": {
"data": {
"id": "1337",
"type": "program",
"attributes": {
"handle": "security",
"created_at": "2016-02-02T04:05:06.000Z",
"updated_at": "2016-02-02T04:05:06.000Z"
}
}
},
"swag": {
"data": []
},
"attachments": {
"data": []
},
"weakness": {
"data": {
"id": "1337",
"type": "weakness",
"attributes": {
"name": "Cross-Site Request Forgery (CSRF)",
"description": "The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.",
"external_id": "cwe-352",
"created_at": "2016-02-02T04:05:06.000Z"
}
}
},
"structured_scope": {
"data": {
"id": "287",
"type": "structured-scope",
"attributes": {
"asset_type": "URL",
"asset_identifier": "www.hackerone.com",
"eligible_for_bounty": true,
"eligible_for_submission": true,
"instruction": "This asset does not contain any highly confidential information.",
"max_severity": "critical",
"created_at": "2016-02-02T04:05:06.000Z",
"updated_at": "2016-02-02T04:05:06.000Z",
"reference": "T12345",
"confidentiality_requirement": "medium",
"integrity_requirement": "high",
"availability_requirement": "medium"
}
}
},
"activities": {
"data": []
},
"bounties": {
"data": []
},
"summaries": {
"data": []
}
}
}
POST /reports/{id}/state_changes
Changing the state of a report can be done through this endpoint. Closing a report as
resolved will automatically recognize the finder in the program's hall of fame and
reputation will be given. If a report is closed as N/A, Informative, or Spam, reputation
will be deducted from the finder's track record.
There is currently 1 feature missing in the state change API: the ability to invite the
finder of the duplicate to the original report. This feature will be implemented in a future
version of the API.
Required permissions: Report Management. You can manage the permissions of your API users through your program's settings. Insufficient permissions will result in a 403 Forbidden response.
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| id | path | integer | true | The ID of the report. |
| data | body | object | true | The information to change the state of a report. |
| » type | body | string | true | none |
| » attributes | body | object | true | none |
| »» message | body | string | true | The message that will be posted. Required when the new state is needs-more-info, informative, or duplicate. |
| »» state | body | report-states | true | none |
| »» original_report_id | body | integer | false | The ID of the report to use as the original report. Only available when closing the report as duplicate. |
Enumerated Values
| Parameter | Value |
|---|---|
| » type | state-change |
| »» state | new |
| »» state | triaged |
| »» state | needs-more-info |
| »» state | resolved |
| »» state | not-applicable |
| »» state | informative |
| »» state | duplicate |
| »» state | spam |
Update Structured Scope
Code samples
# You can also use wget
curl "https://api.hackerone.com/v1/reports/{id}/structured_scope" \
-X PUT \
-u "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=" \
-H 'Content-Type: application/json' \
-H 'Accept: application/json' \
-d @- <<EOD
{
"data": {
"type": "report-structured-scope",
"attributes": {
"structured_scope_id": 0
}
}
}
EOD
import requests
headers = {
'Content-Type': 'application/json',
'Accept': 'application/json'
}
data = {
"data": {
"type": "report-structured-scope",
"attributes": {
"structured_scope_id": 0
}
}
}
r = requests.put(
'https://api.hackerone.com/v1/reports/{id}/structured_scope',
auth=('api_example_company', 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ='),
json = data,
headers = headers
)
print(r.json())
require 'rest-client'
require 'json'
headers = {
'Content-Type' => 'application/json',
'Accept' => 'application/json'
}
data = {
"data": {
"type": "report-structured-scope",
"attributes": {
"structured_scope_id": 0
}
}
}
result = RestClient::Request.execute(
method: :put,
url: 'https://api.hackerone.com/v1/reports/{id}/structured_scope',
password: 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=',
user: 'api_example_company',
payload: data,
headers: headers
)
p JSON.parse(result)
URL obj = new URL("https://api.hackerone.com/v1/reports/{id}/structured_scope");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
String userCredentials = "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);
con.setRequestMethod("PUT");
con.setRequestProperty("Content-Type", "application/json; utf-8");
con.setRequestProperty("Accept", "application/json");
con.setDoOutput(true);
String jsonInputString = "{\n \"data\": {\n \"type\": \"report-structured-scope\",\n \"attributes\": {\n \"structured_scope_id\": 0\n }\n }\n}";
try(OutputStream os = con.getOutputStream()) {
byte[] input = jsonInputString.getBytes("utf-8");
os.write(input, 0, input.length);
}
try(BufferedReader br = new BufferedReader(
new InputStreamReader(con.getInputStream(), "utf-8"))) {
StringBuilder response = new StringBuilder();
String responseLine = null;
while ((responseLine = br.readLine()) != null) {
response.append(responseLine.trim());
}
System.out.println(response.toString());
}
let inputBody = "{\n \"data\": {\n \"type\": \"report-structured-scope\",\n \"attributes\": {\n \"structured_scope_id\": 0\n }\n }\n}";
let user = 'api_example_company';
let password = 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
headers.set('Content-Type', 'application/json'); headers.set('Accept', 'application/json');
fetch('https://api.hackerone.com/v1/reports/{id}/structured_scope',
{
method: 'PUT',
body: inputBody,
headers: headers
})
.then(function(res) {
return res.json();
}).then(function(body) {
console.log(body);
});
package main
import (
"bytes"
"io/ioutil"
"log"
"net/http"
)
func main() {
headers := map[string][]string{
"Content-Type": []string{"application/json"},
"Accept": []string{"application/json"},
}
data := bytes.NewBuffer([]byte(`"{\n \"data\": {\n \"type\": \"report-structured-scope\",\n \"attributes\": {\n \"structured_scope_id\": 0\n }\n }\n}"`))
req, err := http.NewRequest("PUT", "https://api.hackerone.com/v1/reports/{id}/structured_scope", data)
req.Header = headers
req.SetBasicAuth("api_example_company", "Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=")
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
body, _ := ioutil.ReadAll(resp.Body)
log.Println(string(body))
}
200 Response
{
"id": "1337",
"type": "report",
"attributes": {
"title": "XSS in login form",
"state": "new",
"created_at": "2016-02-02T04:05:06.000Z",
"vulnerability_information": "...",
"triaged_at": null,
"closed_at": null,
"last_reporter_activity_at": null,
"first_program_activity_at": null,
"last_program_activity_at": null,
"bounty_awarded_at": null,
"swag_awarded_at": null,
"disclosed_at": null,
"last_public_activity_at": null,
"last_activity_at": null,
"issue_tracker_reference_url": "https://example.com/reference",
"cve_ids": [],
"source": null,
"reporter_agreed_on_going_public_at": null
},
"relationships": {
"reporter": {
"data": {
"id": "1337",
"type": "user",
"attributes": {
"username": "api-example",
"name": "API Example",
"disabled": false,
"created_at": "2016-02-02T04:05:06.000Z",
"profile_picture": {
"62x62": "/assets/avatars/default.png",
"82x82": "/assets/avatars/default.png",
"110x110": "/assets/avatars/default.png",
"260x260": "/assets/avatars/default.png"
},
"reputation": 7,
"signal": 7,
"impact": 30
}
}
},
"program": {
"data": {
"id": "1337",
"type": "program",
"attributes": {
"handle": "security",
"created_at": "2016-02-02T04:05:06.000Z",
"updated_at": "2016-02-02T04:05:06.000Z"
}
}
},
"swag": {
"data": []
},
"attachments": {
"data": []
},
"weakness": {
"data": {
"id": "1337",
"type": "weakness",
"attributes": {
"name": "Cross-Site Request Forgery (CSRF)",
"description": "The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.",
"external_id": "cwe-352",
"created_at": "2016-02-02T04:05:06.000Z"
}
}
},
"structured_scope": {
"data": {
"id": "287",
"type": "structured-scope",
"attributes": {
"asset_type": "URL",
"asset_identifier": "www.hackerone.com",
"eligible_for_bounty": true,
"eligible_for_submission": true,
"instruction": "This asset does not contain any highly confidential information.",
"max_severity": "critical",
"created_at": "2016-02-02T04:05:06.000Z",
"updated_at": "2016-02-02T04:05:06.000Z",
"reference": "T12345",
"confidentiality_requirement": "medium",
"integrity_requirement": "high",
"availability_requirement": "medium"
}
}
},
"activities": {
"data": []
},
"bounties": {
"data": []
},
"summaries": {
"data": []
}
}
}
PUT /reports/{id}/structured_scope
Changing the structured scope of a report can be done through this endpoint. This API
endpoint cannot be used for reports that have been reported outside of the HackerOne
platform.
Required permissions: Report Management. You can manage the permissions of your API users through your program's settings. Insufficient permissions will result in a 404 Not Found response.
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| id | path | integer | true | The ID of the report. |
| data | body | object | true | The information to change the structured scope of a report. |
| » type | body | string | true | none |
| » attributes | body | object | true | none |
| »» structured_scope_id | body | integer | true | The new structured scope that will be set on the report. |
Enumerated Values
| Parameter | Value |
|---|---|
| » type | report-structured-scope |
Add Summary
Code samples
# You can also use wget
curl "https://api.hackerone.com/v1/reports/{id}/summaries" \
-X POST \
-u "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=" \
-H 'Content-Type: application/json' \
-H 'Accept: application/json' \
-d @- <<EOD
{
"data": {
"type": "report-summary",
"attributes": {
"content": "string"
}
}
}
EOD
import requests
headers = {
'Content-Type': 'application/json',
'Accept': 'application/json'
}
data = {
"data": {
"type": "report-summary",
"attributes": {
"content": "string"
}
}
}
r = requests.post(
'https://api.hackerone.com/v1/reports/{id}/summaries',
auth=('api_example_company', 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ='),
json = data,
headers = headers
)
print(r.json())
require 'rest-client'
require 'json'
headers = {
'Content-Type' => 'application/json',
'Accept' => 'application/json'
}
data = {
"data": {
"type": "report-summary",
"attributes": {
"content": "string"
}
}
}
result = RestClient::Request.execute(
method: :post,
url: 'https://api.hackerone.com/v1/reports/{id}/summaries',
password: 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=',
user: 'api_example_company',
payload: data,
headers: headers
)
p JSON.parse(result)
URL obj = new URL("https://api.hackerone.com/v1/reports/{id}/summaries");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
String userCredentials = "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);
con.setRequestMethod("POST");
con.setRequestProperty("Content-Type", "application/json; utf-8");
con.setRequestProperty("Accept", "application/json");
con.setDoOutput(true);
String jsonInputString = "{\n \"data\": {\n \"type\": \"report-summary\",\n \"attributes\": {\n \"content\": \"string\"\n }\n }\n}";
try(OutputStream os = con.getOutputStream()) {
byte[] input = jsonInputString.getBytes("utf-8");
os.write(input, 0, input.length);
}
try(BufferedReader br = new BufferedReader(
new InputStreamReader(con.getInputStream(), "utf-8"))) {
StringBuilder response = new StringBuilder();
String responseLine = null;
while ((responseLine = br.readLine()) != null) {
response.append(responseLine.trim());
}
System.out.println(response.toString());
}
let inputBody = "{\n \"data\": {\n \"type\": \"report-summary\",\n \"attributes\": {\n \"content\": \"string\"\n }\n }\n}";
let user = 'api_example_company';
let password = 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
headers.set('Content-Type', 'application/json'); headers.set('Accept', 'application/json');
fetch('https://api.hackerone.com/v1/reports/{id}/summaries',
{
method: 'POST',
body: inputBody,
headers: headers
})
.then(function(res) {
return res.json();
}).then(function(body) {
console.log(body);
});
package main
import (
"bytes"
"io/ioutil"
"log"
"net/http"
)
func main() {
headers := map[string][]string{
"Content-Type": []string{"application/json"},
"Accept": []string{"application/json"},
}
data := bytes.NewBuffer([]byte(`"{\n \"data\": {\n \"type\": \"report-summary\",\n \"attributes\": {\n \"content\": \"string\"\n }\n }\n}"`))
req, err := http.NewRequest("POST", "https://api.hackerone.com/v1/reports/{id}/summaries", data)
req.Header = headers
req.SetBasicAuth("api_example_company", "Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=")
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
body, _ := ioutil.ReadAll(resp.Body)
log.Println(string(body))
}
200 Response
{
"id": "1337",
"type": "report-summary",
"attributes": {
"content": "There was a cross-site scripting vulnerability in our login form.",
"category": "team",
"created_at": "2016-02-02T04:05:06.000Z",
"updated_at": "2016-02-02T04:05:06.000Z"
},
"relationships": {
"user": {
"data": {
"id": "1337",
"type": "user",
"attributes": {
"username": "api-example",
"name": "API Example",
"disabled": false,
"created_at": "2016-02-02T04:05:06.000Z",
"profile_picture": {
"62x62": "/assets/avatars/default.png",
"82x82": "/assets/avatars/default.png",
"110x110": "/assets/avatars/default.png",
"260x260": "/assets/avatars/default.png"
}
}
}
}
}
}
POST /reports/{id}/summaries
This API endpoint enables the user to create a report summary
for reports that are received by teams that the user is a part of.
A team can only include a single report summary. This API endpoint
cannot be used for reports that have been reported outside of the HackerOne
platform or reported to other teams.
Required permissions: Report Management. You can manage the permissions of your API users through your program's settings. Insufficient permissions will result in a 403 Forbidden response.
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| id | path | integer | true | The ID of the report. |
| data | body | object | true | The information necessary to create a report summary. |
| » type | body | string | true | none |
| » attributes | body | object | true | none |
| »» content | body | string | true | The content to be included in the report summary. |
Enumerated Values
| Parameter | Value |
|---|---|
| » type | report-summary |
Award Swag
Code samples
# You can also use wget
curl "https://api.hackerone.com/v1/reports/{id}/swags" \
-X POST \
-u "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=" \
-H 'Content-Type: application/json' \
-H 'Accept: application/json' \
-d @- <<EOD
{
"data": {
"message": "string"
}
}
EOD
import requests
headers = {
'Content-Type': 'application/json',
'Accept': 'application/json'
}
data = {
"data": {
"message": "string"
}
}
r = requests.post(
'https://api.hackerone.com/v1/reports/{id}/swags',
auth=('api_example_company', 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ='),
json = data,
headers = headers
)
print(r.json())
require 'rest-client'
require 'json'
headers = {
'Content-Type' => 'application/json',
'Accept' => 'application/json'
}
data = {
"data": {
"message": "string"
}
}
result = RestClient::Request.execute(
method: :post,
url: 'https://api.hackerone.com/v1/reports/{id}/swags',
password: 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=',
user: 'api_example_company',
payload: data,
headers: headers
)
p JSON.parse(result)
URL obj = new URL("https://api.hackerone.com/v1/reports/{id}/swags");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
String userCredentials = "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);
con.setRequestMethod("POST");
con.setRequestProperty("Content-Type", "application/json; utf-8");
con.setRequestProperty("Accept", "application/json");
con.setDoOutput(true);
String jsonInputString = "{\n \"data\": {\n \"message\": \"string\"\n }\n}";
try(OutputStream os = con.getOutputStream()) {
byte[] input = jsonInputString.getBytes("utf-8");
os.write(input, 0, input.length);
}
try(BufferedReader br = new BufferedReader(
new InputStreamReader(con.getInputStream(), "utf-8"))) {
StringBuilder response = new StringBuilder();
String responseLine = null;
while ((responseLine = br.readLine()) != null) {
response.append(responseLine.trim());
}
System.out.println(response.toString());
}
let inputBody = "{\n \"data\": {\n \"message\": \"string\"\n }\n}";
let user = 'api_example_company';
let password = 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
headers.set('Content-Type', 'application/json'); headers.set('Accept', 'application/json');
fetch('https://api.hackerone.com/v1/reports/{id}/swags',
{
method: 'POST',
body: inputBody,
headers: headers
})
.then(function(res) {
return res.json();
}).then(function(body) {
console.log(body);
});
package main
import (
"bytes"
"io/ioutil"
"log"
"net/http"
)
func main() {
headers := map[string][]string{
"Content-Type": []string{"application/json"},
"Accept": []string{"application/json"},
}
data := bytes.NewBuffer([]byte(`"{\n \"data\": {\n \"message\": \"string\"\n }\n}"`))
req, err := http.NewRequest("POST", "https://api.hackerone.com/v1/reports/{id}/swags", data)
req.Header = headers
req.SetBasicAuth("api_example_company", "Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=")
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
body, _ := ioutil.ReadAll(resp.Body)
log.Println(string(body))
}
200 Response
{
"id": "1337",
"type": "swag",
"attributes": {
"sent": false,
"created_at": "2016-02-02T04:05:06.000Z"
},
"relationships": {
"user": {
"data": {
"id": "1337",
"type": "user",
"attributes": {
"username": "api-example",
"name": "API Example",
"disabled": false,
"created_at": "2016-02-02T04:05:06.000Z",
"profile_picture": {
"62x62": "/assets/avatars/default.png",
"82x82": "/assets/avatars/default.png",
"110x110": "/assets/avatars/default.png",
"260x260": "/assets/avatars/default.png"
}
}
}
},
"address": {
"data": {
"id": "1337",
"type": "address",
"attributes": {
"name": "Jane Doe",
"street": "535 Mission Street",
"city": "San Francisco",
"postal_code": "94105",
"state": "CA",
"country": "United States of America",
"created_at": "2016-02-02T04:05:06.000Z",
"tshirt_size": "W_Large",
"phone_number": "+1-510-000-0000"
}
}
}
}
}
POST /reports/{id}/swags
You can use this endpoint to award swag to the reporter of the provided report.
Required permissions: Reward Management. You can manage the permissions of your API users through your program's settings. Insufficient permissions will result in a 404 Not Found response.
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| id | path | integer | true | The ID of the report. |
| data | body | object | true | The information required to award swag. |
| » message | body | string | true | The public message posted on the report. This is always required. |
Update Title
Code samples
# You can also use wget
curl "https://api.hackerone.com/v1/reports/{id}/title" \
-X PUT \
-u "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=" \
-H 'Content-Type: application/json' \
-H 'Accept: application/json' \
-d @- <<EOD
{
"data": {
"type": "report-title",
"attributes": {
"title": "string"
}
}
}
EOD
import requests
headers = {
'Content-Type': 'application/json',
'Accept': 'application/json'
}
data = {
"data": {
"type": "report-title",
"attributes": {
"title": "string"
}
}
}
r = requests.put(
'https://api.hackerone.com/v1/reports/{id}/title',
auth=('api_example_company', 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ='),
json = data,
headers = headers
)
print(r.json())
require 'rest-client'
require 'json'
headers = {
'Content-Type' => 'application/json',
'Accept' => 'application/json'
}
data = {
"data": {
"type": "report-title",
"attributes": {
"title": "string"
}
}
}
result = RestClient::Request.execute(
method: :put,
url: 'https://api.hackerone.com/v1/reports/{id}/title',
password: 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=',
user: 'api_example_company',
payload: data,
headers: headers
)
p JSON.parse(result)
URL obj = new URL("https://api.hackerone.com/v1/reports/{id}/title");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
String userCredentials = "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);
con.setRequestMethod("PUT");
con.setRequestProperty("Content-Type", "application/json; utf-8");
con.setRequestProperty("Accept", "application/json");
con.setDoOutput(true);
String jsonInputString = "{\n \"data\": {\n \"type\": \"report-title\",\n \"attributes\": {\n \"title\": \"string\"\n }\n }\n}";
try(OutputStream os = con.getOutputStream()) {
byte[] input = jsonInputString.getBytes("utf-8");
os.write(input, 0, input.length);
}
try(BufferedReader br = new BufferedReader(
new InputStreamReader(con.getInputStream(), "utf-8"))) {
StringBuilder response = new StringBuilder();
String responseLine = null;
while ((responseLine = br.readLine()) != null) {
response.append(responseLine.trim());
}
System.out.println(response.toString());
}
let inputBody = "{\n \"data\": {\n \"type\": \"report-title\",\n \"attributes\": {\n \"title\": \"string\"\n }\n }\n}";
let user = 'api_example_company';
let password = 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
headers.set('Content-Type', 'application/json'); headers.set('Accept', 'application/json');
fetch('https://api.hackerone.com/v1/reports/{id}/title',
{
method: 'PUT',
body: inputBody,
headers: headers
})
.then(function(res) {
return res.json();
}).then(function(body) {
console.log(body);
});
package main
import (
"bytes"
"io/ioutil"
"log"
"net/http"
)
func main() {
headers := map[string][]string{
"Content-Type": []string{"application/json"},
"Accept": []string{"application/json"},
}
data := bytes.NewBuffer([]byte(`"{\n \"data\": {\n \"type\": \"report-title\",\n \"attributes\": {\n \"title\": \"string\"\n }\n }\n}"`))
req, err := http.NewRequest("PUT", "https://api.hackerone.com/v1/reports/{id}/title", data)
req.Header = headers
req.SetBasicAuth("api_example_company", "Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=")
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
body, _ := ioutil.ReadAll(resp.Body)
log.Println(string(body))
}
200 Response
{
"data": {
"id": "1337",
"type": "report",
"attributes": {
"title": "XSS in login form",
"state": "new",
"created_at": "2016-02-02T04:05:06.000Z",
"vulnerability_information": "...",
"triaged_at": null,
"closed_at": null,
"last_reporter_activity_at": null,
"first_program_activity_at": null,
"last_program_activity_at": null,
"bounty_awarded_at": null,
"swag_awarded_at": null,
"disclosed_at": null,
"source": null
},
"relationships": {
"reporter": {
"data": {
"id": "1337",
"type": "user",
"attributes": {
"username": "api-example",
"name": "API Example",
"disabled": false,
"created_at": "2016-02-02T04:05:06.000Z",
"profile_picture": {
"62x62": "/assets/avatars/default.png",
"82x82": "/assets/avatars/default.png",
"110x110": "/assets/avatars/default.png",
"260x260": "/assets/avatars/default.png"
}
}
}
},
"assignee": {
"data": {
"id": "1337",
"type": "user",
"attributes": {
"username": "member",
"name": "Member",
"disabled": false,
"created_at": "2016-02-02T04:05:06.000Z",
"profile_picture": {
"62x62": "/assets/avatars/default.png",
"82x82": "/assets/avatars/default.png",
"110x110": "/assets/avatars/default.png",
"260x260": "/assets/avatars/default.png"
}
}
}
},
"program": {
"data": {
"id": "1337",
"type": "program",
"attributes": {
"handle": "security",
"created_at": "2016-02-02T04:05:06.000Z",
"updated_at": "2016-02-02T04:05:06.000Z"
}
}
},
"severity": {
"data": {
"id": "57",
"type": "severity",
"attributes": {
"rating": "high",
"author_type": "User",
"user_id": 1337,
"created_at": "2016-02-02T04:05:06.000Z",
"score": 8.7,
"attack_complexity": "low",
"attack_vector": "adjacent",
"availability": "high",
"confidentiality": "low",
"integrity": "high",
"privileges_required": "low",
"user_interaction": "required",
"scope": "changed"
}
}
},
"swag": {
"data": []
},
"attachments": {
"data": []
},
"weakness": {
"data": {
"id": "1337",
"type": "weakness",
"attributes": {
"name": "Cross-Site Request Forgery (CSRF)",
"description": "The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.",
"external_id": "cwe-352",
"created_at": "2016-02-02T04:05:06.000Z"
}
}
},
"structured_scope": {
"data": {
"id": "57",
"type": "structured-scope",
"attributes": {
"asset_identifier": "api.example.com",
"asset_type": "url",
"confidentiality_requirement": "high",
"integrity_requirement": "high",
"availability_requirement": "high",
"max_severity": "critical",
"created_at": "2015-02-02T04:05:06.000Z",
"updated_at": "2016-05-02T04:05:06.000Z",
"instruction": null,
"eligible_for_bounty": true,
"eligible_for_submission": true,
"reference": "H001001"
}
}
},
"activities": {
"data": [
{
"type": "activity-comment",
"id": "445",
"attributes": {
"message": "Comment!",
"created_at": "2016-02-02T04:05:06.000Z",
"updated_at": "2016-02-02T04:05:06.000Z",
"internal": false
},
"relationships": {
"actor": {
"data": {
"id": "1337",
"type": "user",
"attributes": {
"username": "api-example",
"name": "API Example",
"disabled": false,
"created_at": "2016-02-02T04:05:06.000Z",
"profile_picture": {
"62x62": "/assets/avatars/default.png",
"82x82": "/assets/avatars/default.png",
"110x110": "/assets/avatars/default.png",
"260x260": "/assets/avatars/default.png"
},
"signal": null,
"impact": null,
"reputation": null,
"bio": null,
"website": null,
"location": null,
"hackerone_triager": false
}
}
},
"attachments": {
"data": [
{
"id": "1337",
"type": "attachment",
"attributes": {
"expiring_url": "/system/attachments/files/000/001/337/original/root.rb?1454385906",
"created_at": "2016-02-02T04:05:06.000Z",
"file_name": "root.rb",
"content_type": "text/x-ruby",
"file_size": 2871
}
}
]
}
}
},
{
"id": "1337",
"type": "activity-bug-resolved",
"attributes": {
"message": "Bug Resolved!",
"created_at": "2016-02-02T04:05:06.000Z",
"updated_at": "2016-02-02T04:05:06.000Z",
"internal": false
},
"relationships": {
"actor": {
"data": {
"id": "1337",
"type": "user",
"attributes": {
"username": "api-example",
"name": "API Example",
"disabled": false,
"created_at": "2016-02-02T04:05:06.000Z",
"profile_picture": {
"62x62": "/assets/avatars/default.png",
"82x82": "/assets/avatars/default.png",
"110x110": "/assets/avatars/default.png",
"260x260": "/assets/avatars/default.png"
}
}
}
}
}
}
]
},
"bounties": {
"data": []
},
"summaries": {
"data": []
},
"triggered_pre_submission_trigger": {
"data": {
"id": "1337",
"type": "trigger",
"attributes": {
"title": "Example Trigger"
}
}
},
"custom_field_values": {
"data": []
}
}
}
}
PUT /reports/{id}/title
Changing the title of a report through the HackerOne API can be useful to
programmatically batch update received reports in HackerOne. This API endpoint
cannot be used for reports that have been reported outside of the HackerOne
platform.
Required permissions: Report Management. You can manage the permissions of your API users through your program's settings. Insufficient permissions will result in a 403 Forbidden response.
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| id | path | integer | true | The ID of the report. |
| data | body | object | true | The information to change the title of a report. |
| » type | body | string | true | none |
| » attributes | body | object | false | none |
| »» title | body | string | true | The new title that will be set on the report. |
Enumerated Values
| Parameter | Value |
|---|---|
| » type | report-title |
Transfer Report
Code samples
# You can also use wget
curl "https://api.hackerone.com/v1/reports/{id}/transfer" \
-X PUT \
-u "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=" \
-H 'Content-Type: application/json' \
-H 'Accept: application/json' \
-d @- <<EOD
{
"data": {
"type": "report-transfer",
"attributes": {
"target_team_id": 0
}
}
}
EOD
import requests
headers = {
'Content-Type': 'application/json',
'Accept': 'application/json'
}
data = {
"data": {
"type": "report-transfer",
"attributes": {
"target_team_id": 0
}
}
}
r = requests.put(
'https://api.hackerone.com/v1/reports/{id}/transfer',
auth=('api_example_company', 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ='),
json = data,
headers = headers
)
print(r.json())
require 'rest-client'
require 'json'
headers = {
'Content-Type' => 'application/json',
'Accept' => 'application/json'
}
data = {
"data": {
"type": "report-transfer",
"attributes": {
"target_team_id": 0
}
}
}
result = RestClient::Request.execute(
method: :put,
url: 'https://api.hackerone.com/v1/reports/{id}/transfer',
password: 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=',
user: 'api_example_company',
payload: data,
headers: headers
)
p JSON.parse(result)
URL obj = new URL("https://api.hackerone.com/v1/reports/{id}/transfer");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
String userCredentials = "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);
con.setRequestMethod("PUT");
con.setRequestProperty("Content-Type", "application/json; utf-8");
con.setRequestProperty("Accept", "application/json");
con.setDoOutput(true);
String jsonInputString = "{\n \"data\": {\n \"type\": \"report-transfer\",\n \"attributes\": {\n \"target_team_id\": 0\n }\n }\n}";
try(OutputStream os = con.getOutputStream()) {
byte[] input = jsonInputString.getBytes("utf-8");
os.write(input, 0, input.length);
}
try(BufferedReader br = new BufferedReader(
new InputStreamReader(con.getInputStream(), "utf-8"))) {
StringBuilder response = new StringBuilder();
String responseLine = null;
while ((responseLine = br.readLine()) != null) {
response.append(responseLine.trim());
}
System.out.println(response.toString());
}
let inputBody = "{\n \"data\": {\n \"type\": \"report-transfer\",\n \"attributes\": {\n \"target_team_id\": 0\n }\n }\n}";
let user = 'api_example_company';
let password = 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
headers.set('Content-Type', 'application/json'); headers.set('Accept', 'application/json');
fetch('https://api.hackerone.com/v1/reports/{id}/transfer',
{
method: 'PUT',
body: inputBody,
headers: headers
})
.then(function(res) {
return res.json();
}).then(function(body) {
console.log(body);
});
package main
import (
"bytes"
"io/ioutil"
"log"
"net/http"
)
func main() {
headers := map[string][]string{
"Content-Type": []string{"application/json"},
"Accept": []string{"application/json"},
}
data := bytes.NewBuffer([]byte(`"{\n \"data\": {\n \"type\": \"report-transfer\",\n \"attributes\": {\n \"target_team_id\": 0\n }\n }\n}"`))
req, err := http.NewRequest("PUT", "https://api.hackerone.com/v1/reports/{id}/transfer", data)
req.Header = headers
req.SetBasicAuth("api_example_company", "Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=")
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
body, _ := ioutil.ReadAll(resp.Body)
log.Println(string(body))
}
200 Response
{
"was_successful": true
}
PUT /reports/{id}/transfer
The program can transfer reports between parent and child programs.
You can use this endpoint to transfer the reports between parent and child programs.
Required permissions: Report Management. You can manage the permissions of your API users through your program's settings. Insufficient permissions will result in a 403 Forbidden response.
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| id | path | integer | true | The ID of the report. |
| data | body | object | true | The information to transfer the report. |
| » type | body | string | true | none |
| » attributes | body | object | true | none |
| »» target_team_id | body | number | true | ID of the target team the reports should be transferred to. |
Enumerated Values
| Parameter | Value |
|---|---|
| » type | report-transfer |
Update Weakness
Code samples
# You can also use wget
curl "https://api.hackerone.com/v1/reports/{id}/weakness" \
-X PUT \
-u "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=" \
-H 'Content-Type: application/json' \
-H 'Accept: application/json' \
-d @- <<EOD
{
"data": {
"type": "report-weakness",
"attributes": {
"weakness_id": 0
}
}
}
EOD
import requests
headers = {
'Content-Type': 'application/json',
'Accept': 'application/json'
}
data = {
"data": {
"type": "report-weakness",
"attributes": {
"weakness_id": 0
}
}
}
r = requests.put(
'https://api.hackerone.com/v1/reports/{id}/weakness',
auth=('api_example_company', 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ='),
json = data,
headers = headers
)
print(r.json())
require 'rest-client'
require 'json'
headers = {
'Content-Type' => 'application/json',
'Accept' => 'application/json'
}
data = {
"data": {
"type": "report-weakness",
"attributes": {
"weakness_id": 0
}
}
}
result = RestClient::Request.execute(
method: :put,
url: 'https://api.hackerone.com/v1/reports/{id}/weakness',
password: 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=',
user: 'api_example_company',
payload: data,
headers: headers
)
p JSON.parse(result)
URL obj = new URL("https://api.hackerone.com/v1/reports/{id}/weakness");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
String userCredentials = "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);
con.setRequestMethod("PUT");
con.setRequestProperty("Content-Type", "application/json; utf-8");
con.setRequestProperty("Accept", "application/json");
con.setDoOutput(true);
String jsonInputString = "{\n \"data\": {\n \"type\": \"report-weakness\",\n \"attributes\": {\n \"weakness_id\": 0\n }\n }\n}";
try(OutputStream os = con.getOutputStream()) {
byte[] input = jsonInputString.getBytes("utf-8");
os.write(input, 0, input.length);
}
try(BufferedReader br = new BufferedReader(
new InputStreamReader(con.getInputStream(), "utf-8"))) {
StringBuilder response = new StringBuilder();
String responseLine = null;
while ((responseLine = br.readLine()) != null) {
response.append(responseLine.trim());
}
System.out.println(response.toString());
}
let inputBody = "{\n \"data\": {\n \"type\": \"report-weakness\",\n \"attributes\": {\n \"weakness_id\": 0\n }\n }\n}";
let user = 'api_example_company';
let password = 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
headers.set('Content-Type', 'application/json'); headers.set('Accept', 'application/json');
fetch('https://api.hackerone.com/v1/reports/{id}/weakness',
{
method: 'PUT',
body: inputBody,
headers: headers
})
.then(function(res) {
return res.json();
}).then(function(body) {
console.log(body);
});
package main
import (
"bytes"
"io/ioutil"
"log"
"net/http"
)
func main() {
headers := map[string][]string{
"Content-Type": []string{"application/json"},
"Accept": []string{"application/json"},
}
data := bytes.NewBuffer([]byte(`"{\n \"data\": {\n \"type\": \"report-weakness\",\n \"attributes\": {\n \"weakness_id\": 0\n }\n }\n}"`))
req, err := http.NewRequest("PUT", "https://api.hackerone.com/v1/reports/{id}/weakness", data)
req.Header = headers
req.SetBasicAuth("api_example_company", "Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=")
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
body, _ := ioutil.ReadAll(resp.Body)
log.Println(string(body))
}
200 Response
{
"id": "77",
"type": "report",
"attributes": {
"title": "XSS in login form",
"state": "new",
"created_at": "2019-08-20T14:26:19.286Z",
"vulnerability_information": "...",
"triaged_at": null,
"closed_at": null,
"last_reporter_activity_at": "2019-08-20T14:26:20.531Z",
"first_program_activity_at": "2019-08-20T14:26:20.531Z",
"last_program_activity_at": "2019-08-20T15:25:56.627Z",
"bounty_awarded_at": null,
"swag_awarded_at": null,
"disclosed_at": null,
"last_public_activity_at": "2019-08-20T15:25:56.627Z",
"last_activity_at": "2019-08-20T15:25:56.627Z",
"cve_ids": []
},
"relationships": {
"weakness": {
"data": {
"id": "77",
"type": "weakness",
"attributes": {
"name": "Reliance on Reverse DNS Resolution for a Security-Critical Action",
"description": "The software performs reverse DNS resolution on an IP address to obtain the hostname and make a security decision, but it does not properly ensure that the IP address is truly associated with the hostname.",
"external_id": "cwe-350",
"created_at": "2019-07-12T08:36:13.646Z"
}
}
}
}
}
PUT /reports/{id}/weakness
Changing the weakness of a report can be done through this endpoint.
This API endpoint cannot be used for reports that have been reported
outside of the HackerOne platform.
Required permissions: Report Management. You can manage the permissions of your API users through your program's settings. Insufficient permissions will result in a 404 Not Found response.
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| id | path | integer | true | The ID of the report. |
| data | body | object | true | The information to change the weakness of a report. |
| » type | body | string | true | none |
| » attributes | body | object | true | none |
| »» weakness_id | body | integer | true | The new weakness that will be set on the report. |
Enumerated Values
| Parameter | Value |
|---|---|
| » type | report-weakness |
Get All Reports
Code samples
# You can also use wget
curl "https://api.hackerone.com/v1/reports?filter%5Bprogram%5D%5B%5D=string" \
-X GET \
-u "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=" \
-H 'Accept: application/json'
import requests
headers = {
'Accept': 'application/json'
}
r = requests.get(
'https://api.hackerone.com/v1/reports',
auth=('api_example_company', 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ='),
params={
'filter[program][]': [
"string"
]
},
headers = headers
)
print(r.json())
require 'rest-client'
require 'json'
headers = {
'Accept' => 'application/json'
}
result = RestClient::Request.execute(
method: :get,
url: 'https://api.hackerone.com/v1/reports',
password: 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=',
user: 'api_example_company',
headers: headers
)
p JSON.parse(result)
URL obj = new URL("https://api.hackerone.com/v1/reports?filter%5Bprogram%5D%5B%5D=string");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
String userCredentials = "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);
con.setRequestMethod("GET");
try(BufferedReader br = new BufferedReader(
new InputStreamReader(con.getInputStream(), "utf-8"))) {
StringBuilder response = new StringBuilder();
String responseLine = null;
while ((responseLine = br.readLine()) != null) {
response.append(responseLine.trim());
}
System.out.println(response.toString());
}
let user = 'api_example_company';
let password = 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
headers.set('Accept', 'application/json');
fetch('https://api.hackerone.com/v1/reports?filter%5Bprogram%5D%5B%5D=string',
{
method: 'GET',
headers: headers
})
.then(function(res) {
return res.json();
}).then(function(body) {
console.log(body);
});
package main
import (
"io/ioutil"
"log"
"net/http"
)
func main() {
headers := map[string][]string{
"Accept": []string{"application/json"},
}
req, err := http.NewRequest("GET", "https://api.hackerone.com/v1/reports", nil)
req.Header = headers
req.SetBasicAuth("api_example_company", "Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=")
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
body, _ := ioutil.ReadAll(resp.Body)
log.Println(string(body))
}
200 Response
{
"data": [
{
"id": "1337",
"type": "report",
"attributes": {
"title": "XSS in login form",
"state": "new",
"created_at": "2016-02-02T04:05:06.000Z",
"vulnerability_information": "...",
"triaged_at": null,
"closed_at": null,
"last_reporter_activity_at": null,
"first_program_activity_at": null,
"last_program_activity_at": null,
"bounty_awarded_at": null,
"last_activity_at": null,
"last_public_activity_at": null,
"swag_awarded_at": null,
"disclosed_at": null
},
"relationships": {
"reporter": {
"data": {
"id": "1337",
"type": "user",
"attributes": {
"username": "api-example",
"name": "API Example",
"disabled": false,
"created_at": "2016-02-02T04:05:06.000Z",
"profile_picture": {
"62x62": "/assets/avatars/default.png",
"82x82": "/assets/avatars/default.png",
"110x110": "/assets/avatars/default.png",
"260x260": "/assets/avatars/default.png"
}
}
}
},
"program": {
"data": {
"id": "1337",
"type": "program",
"attributes": {
"handle": "security",
"created_at": "2016-02-02T04:05:06.000Z",
"updated_at": "2016-02-02T04:05:06.000Z"
}
}
},
"weakness": {
"data": {
"id": "1337",
"type": "weakness",
"attributes": {
"name": "Cross-Site Request Forgery (CSRF)",
"description": "The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.",
"external_id": "cwe-352",
"created_at": "2016-02-02T04:05:06.000Z"
}
}
},
"bounties": {
"data": []
}
}
},
{
"id": "1338",
"type": "report",
"attributes": {
"title": "CSRF in admin panel",
"state": "triaged",
"created_at": "2016-02-02T04:05:06.000Z",
"vulnerability_information": "...",
"triaged_at": "2016-02-03T03:01:36.000Z",
"closed_at": null,
"last_reporter_activity_at": null,
"first_program_activity_at": null,
"last_program_activity_at": null,
"bounty_awarded_at": null,
"swag_awarded_at": null,
"disclosed_at": null,
"issue_tracker_reference_id": "T554",
"issue_tracker_reference_url": "https://phabricator.tld/T554",
"cve_ids": []
},
"relationships": {
"reporter": {
"data": {
"id": "1337",
"type": "user",
"attributes": {
"username": "api-example",
"name": "API Example",
"disabled": false,
"created_at": "2016-02-02T04:05:06.000Z",
"profile_picture": {
"62x62": "/assets/avatars/default.png",
"82x82": "/assets/avatars/default.png",
"110x110": "/assets/avatars/default.png",
"260x260": "/assets/avatars/default.png"
}
}
}
},
"program": {
"data": {
"id": "1337",
"type": "program",
"attributes": {
"handle": "security",
"created_at": "2016-02-02T04:05:06.000Z",
"updated_at": "2016-02-02T04:05:06.000Z"
}
}
},
"weakness": {
"data": {
"id": "1337",
"type": "weakness",
"attributes": {
"name": "Cross-Site Request Forgery (CSRF)",
"description": "The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.",
"external_id": "cwe-352",
"created_at": "2016-02-02T04:05:06.000Z"
}
}
},
"bounties": {
"data": []
}
}
},
"..."
],
"links": {
"self": "https://api.hackerone.com/v1/reports?filter%5Bprogram%5D%5B%5D=security&page%5Bnumber%5D=1",
"next": "https://api.hackerone.com/v1/reports?filter%5Bprogram%5D%5B%5D=security&page%5Bnumber%5D=2",
"last": "https://api.hackerone.com/v1/reports?filter%5Bprogram%5D%5B%5D=security&page%5Bnumber%5D=5"
}
}
GET /reports
Multiple report objects can be queried that meet certain filtering criteria by sending a GET request to the reports endpoint. When the request is successful, the API will respond with paginated report objects.
The following report relationships are included: reporter, assignee (a user or group), weakness, program, severity, structured scope, bounties, and custom field values.
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| filter[program][] | query | array[string] | true | Filter by the program handles you want to fetch the reports for. |
| filter[reporter][] | query | array[string] | false | Filter by the hacker's username you want to fetch the reports for. |
| filter[assignee][] | query | array[string] | false | Filter by the assignee's usernames, emails or group names you want to fetch the reports for. |
| filter[state][] | query | array[string] | false | Filter by current report state. |
| filter[id][] | query | array[integer] | false | Filter by report ID. |
| filter[weakness_id][] | query | array[integer] | false | Filter by weakness. |
| filter[severity][] | query | array[string] | false | Filter by the severity ratings you want to fetch the reports for. |
| filter[hacker_published] | query | boolean | false | Filter by reports that are published by hackers, depending on the value of the parameter. |
| filter[created_at__gt] | query | any(date-time) | false | Filter by reports that were created after the date specified. |
| filter[created_at__lt] | query | any(date-time) | false | Filter by reports that were created before the date specified. |
| filter[triaged_at__gt] | query | any(date-time) | false | Filter by reports that were triaged after the date specified. |
| filter[triaged_at__lt] | query | any(date-time) | false | Filter by reports that were triaged before the date specified. |
| filter[triaged_at__null] | query | boolean | false | Filter by reports that are triaged or not, depending on the value of this parameter. |
| filter[closed_at__gt] | query | any(date-time) | false | Filter by reports that were closed after the date specified. |
| filter[closed_at__lt] | query | any(date-time) | false | Filter by reports that were closed before the date specified. |
| filter[closed_at__null] | query | boolean | false | Filter by reports that are closed or not, depending on the value of this parameter. |
| filter[disclosed_at__gt] | query | any(date-time) | false | Filter by reports that were disclosed after the date specified. |
| filter[disclosed_at__lt] | query | any(date-time) | false | Filter by reports that were disclosed before the date specified. |
| filter[disclosed_at__null] | query | boolean | false | Filter by reports that are disclosed. |
| filter[reporter_agreed_on_going_public] | query | boolean | false | Filter by reports that have the hacker disclosure request. |
| filter[bounty_awarded_at__gt] | query | any(date-time) | false | Filter by reports that have a bounty awarded after the date specified. |
| filter[bounty_awarded_at__lt] | query | any(date-time) | false | Filter by reports that have a bounty awarded before the date specified. |
| filter[bounty_awarded_at__null] | query | boolean | false | Filter by reports that have a bounty awarded. |
| filter[swag_awarded_at__gt] | query | any(date-time) | false | Filter by reports that have swag awarded after the date specified. |
| filter[swag_awarded_at__lt] | query | any(date-time) | false | Filter by reports that have swag awarded before the date specified. |
| filter[swag_awarded_at__null] | query | boolean | false | Filter by reports that have swag awarded or not, depending on the value of this parameter. |
| filter[last_reporter_activity_at__gt] | query | any(date-time) | false | Filter by reports that received an update from the reporter after the date specified. |
| filter[last_reporter_activity_at__lt] | query | any(date-time) | false | Filter by reports that received an update from the reporter before the date specified. |
| filter[first_program_activity_at__gt] | query | any(date-time) | false | Filter by reports that received the first update from the program after the date specified. |
| filter[first_program_activity_at__lt] | query | any(date-time) | false | Filter by reports that received the first update from the program before the date specified. |
| filter[first_program_activity_at__null] | query | boolean | false | Filter by reports where the reporter received an update. |
| filter[last_program_activity_at__gt] | query | any(date-time) | false | Filter by reports that received an update from the program after the date specified. |
| filter[last_program_activity_at__lt] | query | any(date-time) | false | Filter by reports that received an update from the program before the date specified. |
| filter[last_activity_at__gt] | query | any(date-time) | false | Filter by reports that received an update after the date specified. |
| filter[last_activity_at__lt] | query | any(date-time) | false | Filter by reports that received an update before the date specified. |
| filter[last_public_activity_at__gt] | query | any(date-time) | false | Filter by reports that received a public update after the date specified. |
| filter[last_public_activity_at__lt] | query | any(date-time) | false | Filter by reports that received a public update after the date specified. |
| filter[keyword] | query | string | false | Filter reports by title and keywords. |
| filter[custom_fields][] | query | array[object] | false | Filter reports by a Custom Field Label and Value. |
| sort | query | any | false | The attributes and order to sort the reports on. |
| page[number] | query | any | false | The page to retrieve from. |
| page[size] | query | any | false | The number of objects per page (currently limited from 1 to 100). |
Detailed descriptions
sort: The attributes and order to sort the reports on.
This parameter may contain multiple attributes that the reports should be sorted on. Sorting is applied in the specified order of attributes. If an attribute should be sorted descending, prepend a hyphen (-).
The following attributes can be used for sorting: reports.swag_awarded_at, reports.bounty_awarded_at, reports.last_reporter_activity_at, reports.first_program_activity_at, reports.last_program_activity_at, reports.triaged_at, reports.created_at, reports.closed_at, reports.last_public_activity_at, reports.last_activity_at, and reports.disclosed_at.
Enumerated Values
| Parameter | Value |
|---|---|
| filter[state][] | new |
| filter[state][] | triaged |
| filter[state][] | needs-more-info |
| filter[state][] | resolved |
| filter[state][] | not-applicable |
| filter[state][] | informative |
| filter[state][] | duplicate |
| filter[state][] | spam |
| filter[severity][] | none |
| filter[severity][] | low |
| filter[severity][] | medium |
| filter[severity][] | high |
| filter[severity][] | critical |
Create Report
Code samples
# You can also use wget
curl "https://api.hackerone.com/v1/reports" \
-X POST \
-u "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=" \
-H 'Content-Type: application/json' \
-H 'Accept: application/json' \
-d @- <<EOD
{
"data": {
"type": "report",
"attributes": {
"team_handle": "string",
"title": "string",
"vulnerability_information": "string",
"impact": "string",
"severity_rating": "none",
"weakness_id": 0,
"structured_scope_id": 0,
"source": "string"
}
}
}
EOD
import requests
headers = {
'Content-Type': 'application/json',
'Accept': 'application/json'
}
data = {
"data": {
"type": "report",
"attributes": {
"team_handle": "string",
"title": "string",
"vulnerability_information": "string",
"impact": "string",
"severity_rating": "none",
"weakness_id": 0,
"structured_scope_id": 0,
"source": "string"
}
}
}
r = requests.post(
'https://api.hackerone.com/v1/reports',
auth=('api_example_company', 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ='),
json = data,
headers = headers
)
print(r.json())
require 'rest-client'
require 'json'
headers = {
'Content-Type' => 'application/json',
'Accept' => 'application/json'
}
data = {
"data": {
"type": "report",
"attributes": {
"team_handle": "string",
"title": "string",
"vulnerability_information": "string",
"impact": "string",
"severity_rating": "none",
"weakness_id": 0,
"structured_scope_id": 0,
"source": "string"
}
}
}
result = RestClient::Request.execute(
method: :post,
url: 'https://api.hackerone.com/v1/reports',
password: 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=',
user: 'api_example_company',
payload: data,
headers: headers
)
p JSON.parse(result)
URL obj = new URL("https://api.hackerone.com/v1/reports");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
String userCredentials = "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);
con.setRequestMethod("POST");
con.setRequestProperty("Content-Type", "application/json; utf-8");
con.setRequestProperty("Accept", "application/json");
con.setDoOutput(true);
String jsonInputString = "{\n \"data\": {\n \"type\": \"report\",\n \"attributes\": {\n \"team_handle\": \"string\",\n \"title\": \"string\",\n \"vulnerability_information\": \"string\",\n \"impact\": \"string\",\n \"severity_rating\": \"none\",\n \"weakness_id\": 0,\n \"structured_scope_id\": 0,\n \"source\": \"string\"\n }\n }\n}";
try(OutputStream os = con.getOutputStream()) {
byte[] input = jsonInputString.getBytes("utf-8");
os.write(input, 0, input.length);
}
try(BufferedReader br = new BufferedReader(
new InputStreamReader(con.getInputStream(), "utf-8"))) {
StringBuilder response = new StringBuilder();
String responseLine = null;
while ((responseLine = br.readLine()) != null) {
response.append(responseLine.trim());
}
System.out.println(response.toString());
}
let inputBody = "{\n \"data\": {\n \"type\": \"report\",\n \"attributes\": {\n \"team_handle\": \"string\",\n \"title\": \"string\",\n \"vulnerability_information\": \"string\",\n \"impact\": \"string\",\n \"severity_rating\": \"none\",\n \"weakness_id\": 0,\n \"structured_scope_id\": 0,\n \"source\": \"string\"\n }\n }\n}";
let user = 'api_example_company';
let password = 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
headers.set('Content-Type', 'application/json'); headers.set('Accept', 'application/json');
fetch('https://api.hackerone.com/v1/reports',
{
method: 'POST',
body: inputBody,
headers: headers
})
.then(function(res) {
return res.json();
}).then(function(body) {
console.log(body);
});
package main
import (
"bytes"
"io/ioutil"
"log"
"net/http"
)
func main() {
headers := map[string][]string{
"Content-Type": []string{"application/json"},
"Accept": []string{"application/json"},
}
data := bytes.NewBuffer([]byte(`"{\n \"data\": {\n \"type\": \"report\",\n \"attributes\": {\n \"team_handle\": \"string\",\n \"title\": \"string\",\n \"vulnerability_information\": \"string\",\n \"impact\": \"string\",\n \"severity_rating\": \"none\",\n \"weakness_id\": 0,\n \"structured_scope_id\": 0,\n \"source\