Core Resources
Reports
This API is built around reports as its core resource. The report object contains the information that hackers submitted to a program, the interactions the program users had with the report, and all additional meta information like bounties, swag, and internal references.
The next section will give an overview of what a Report object looks like. The sections after that will show the endpoints that have been implemented for this resource.
Get All Reports
Multiple report objects that meet certain filtering criteria can be queried by sending a GET request to the reports endpoint. When the request is successful, the API responds with paginated report objects.
The following report relationships are included: reporter, assignee (a user or group), weakness, program, severity, structured scope, bounties, and custom field values.
Query reports
curl "https://api.hackerone.com/v1/reports?filter\[program\]\[\]=john_doe_example_company" \
-u "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ="
Example response (200 OK)
{
"data": [
{
"id": "1337",
"type": "report",
"attributes": {
"title": "XSS in login form",
"state": "new",
"created_at": "2016-02-02T04:05:06.000Z",
"vulnerability_information": "...",
"triaged_at": null,
"closed_at": null,
"last_reporter_activity_at": null,
"first_program_activity_at": null,
"last_program_activity_at": null,
"bounty_awarded_at": null,
"last_activity_at": null,
"last_public_activity_at": null,
"swag_awarded_at": null,
"disclosed_at": null,
"source": null,
"reporter_agreed_on_going_public_at": null
},
"relationships": {
"reporter": {
"data": {
"id": "1337",
"type": "user",
"attributes": {
"username": "api-example",
"name": "API Example",
"disabled": false,
"created_at": "2016-02-02T04:05:06.000Z",
"profile_picture": {
"62x62": "/assets/avatars/default.png",
"82x82": "/assets/avatars/default.png",
"110x110": "/assets/avatars/default.png",
"260x260": "/assets/avatars/default.png"
}
}
}
},
"assignee": {
"data": {
"id": "1337",
"type": "user",
"attributes": {
"username": "member",
"name": "Member",
"disabled": false,
"created_at": "2016-02-02T04:05:06.000Z",
"profile_picture": {
"62x62": "/assets/avatars/default.png",
"82x82": "/assets/avatars/default.png",
"110x110": "/assets/avatars/default.png",
"260x260": "/assets/avatars/default.png"
}
}
}
},
"program": {
"data": {
"id": "1337",
"type": "program",
"attributes": {
"handle": "security",
"created_at": "2016-02-02T04:05:06.000Z",
"updated_at": "2016-02-02T04:05:06.000Z"
}
}
},
"severity": {
"data": {
"id": "57",
"type": "severity",
"attributes": {
"rating": "high",
"author_type": "User",
"user_id": 1337,
"created_at": "2016-02-02T04:05:06.000Z",
"score": 8.7,
"attack_complexity": "low",
"attack_vector": "adjacent",
"availability": "high",
"confidentiality": "low",
"integrity": "high",
"privileges_required": "low",
"user_interaction": "required",
"scope": "changed"
}
}
},
"weakness": {
"data": {
"id": "1337",
"type": "weakness",
"attributes": {
"name": "Cross-Site Request Forgery (CSRF)",
"description": "The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.",
"external_id": "cwe-352",
"created_at": "2016-02-02T04:05:06.000Z"
}
}
},
"structured_scope": {
"data": {
"id": "57",
"type": "structured-scope",
"attributes": {
"asset_identifier": "api.example.com",
"asset_type": "url",
"confidentiality_requirement": "high",
"integrity_requirement": "high",
"availability_requirement": "high",
"max_severity": "critical",
"created_at": "2015-02-02T04:05:06.000Z",
"updated_at": "2016-05-02T04:05:06.000Z",
"instruction": null,
"eligible_for_bounty": true,
"eligible_for_submission": true,
"reference": "H001001"
}
}
},
"bounties": {
"data": [
]
},
"custom_field_values": {
"data": [
]
}
}
},
{
"id": "1338",
"type": "report",
"attributes": {
"title": "CSRF in admin panel",
"state": "triaged",
"created_at": "2016-02-02T04:05:06.000Z",
"vulnerability_information": "...",
"triaged_at": "2016-02-03T03:01:36.000Z",
"closed_at": null,
"last_reporter_activity_at": null,
"first_program_activity_at": null,
"last_program_activity_at": null,
"bounty_awarded_at": null,
"swag_awarded_at": null,
"disclosed_at": null,
"issue_tracker_reference_id": "T554",
"issue_tracker_reference_url": "https://phabricator.tld/T554",
"cve_ids": [],
"source": null,
"reporter_agreed_on_going_public_at": null
},
"relationships": {
"reporter": {
"data": {
"id": "1337",
"type": "user",
"attributes": {
"username": "api-example",
"name": "API Example",
"disabled": false,
"created_at": "2016-02-02T04:05:06.000Z",
"profile_picture": {
"62x62": "/assets/avatars/default.png",
"82x82": "/assets/avatars/default.png",
"110x110": "/assets/avatars/default.png",
"260x260": "/assets/avatars/default.png"
}
}
}
},
"assignee": {
"data": {
"id": "1337",
"type": "group",
"attributes": {
"name": "Admin",
"created_at": "2016-02-02T04:05:06.000Z",
"permissions": [
"user_management",
"report_management"
]
}
}
},
"program": {
"data": {
"id": "1337",
"type": "program",
"attributes": {
"handle": "security",
"created_at": "2016-02-02T04:05:06.000Z",
"updated_at": "2016-02-02T04:05:06.000Z"
}
}
},
"severity": {
"data": {
"id": "64",
"type": "severity",
"attributes": {
"rating": "medium",
"author_type": "User",
"user_id": 1337,
"created_at": "2016-02-02T04:05:06.000Z",
"score": 6.3,
"attack_complexity": "low",
"attack_vector": "adjacent",
"availability": "medium",
"confidentiality": "low",
"integrity": "medium",
"privileges_required": "low",
"user_interaction": "required",
"scope": "changed"
}
}
},
"weakness": {
"data": {
"id": "1337",
"type": "weakness",
"attributes": {
"name": "Cross-Site Request Forgery (CSRF)",
"description": "The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.",
"external_id": "cwe-352",
"created_at": "2016-02-02T04:05:06.000Z"
}
}
},
"structured_scope": {
"data": {
"id": "64",
"type": "structured-scope",
"attributes": {
"asset_identifier": "example.com",
"asset_type": "url",
"confidentiality_requirement": "medium",
"integrity_requirement": "low",
"availability_requirement": "high",
"max_severity": "critical",
"created_at": "2015-03-04T04:05:06.000Z",
"updated_at": "2017-06-04T04:05:06.000Z",
"instruction": null,
"eligible_for_bounty": true,
"eligible_for_submission": true,
"reference": "T12345"
}
}
},
"bounties": {
"data": [
]
},
"custom_field_values": {
"data": [
]
}
}
},
"..."
],
"links": {
"self": "https://api.hackerone.com/v1/reports?filter%5Bprogram%5D%5B%5D=security&page%5Bnumber%5D=1",
"next": "https://api.hackerone.com/v1/reports?filter%5Bprogram%5D%5B%5D=security&page%5Bnumber%5D=2",
"last": "https://api.hackerone.com/v1/reports?filter%5Bprogram%5D%5B%5D=security&page%5Bnumber%5D=5"
}
}
HTTP Request
GET https://api.hackerone.com/v1/reports
Parameters
Name | Description | Required | Type |
---|---|---|---|
filter | Filters that can be used to drill down into reports. | Yes | object |
filter[program] | The program handles you want to fetch the reports for. | Yes | String[] |
filter[reporter] | The reporter usernames you want to fetch the reports for. | No | String[] |
filter[assignee] | The assigned user usernames, emails or group names you want to fetch the reports for. | No | String[] |
filter[state] | Filters by current report state. Default: ["new", "triaged", "needs-more-info", "resolved", "not-applicable", "informative", "duplicate", "spam"]. Possible values: new, triaged, needs-more-info, resolved, not-applicable, informative, duplicate, spam | No | String[] |
filter[id] | Filters by report ID. | No | Integer[] |
filter[weakness_id] | Filters by weakness ID. | No | Integer[] |
filter[severity] | The severity ratings you want to fetch the reports for. Default: ["none", "low", "medium", "high", "critical"]. Possible values: none, low, medium, high, critical | No | String[] |
filter[hacker_published] | Filters by whether the report has been published by the hacker, depending on the value of this parameter. | No | Boolean |
filter[created_at__gt] | Filters by reports that were created after the date specified in this parameter. | No | Date |
filter[created_at__lt] | Filters by reports that were created before the date specified in this parameter. | No | Date |
filter[triaged_at__gt] | Filters by reports that were triaged after the date specified in this parameter. | No | Date |
filter[triaged_at__lt] | Filters by reports that were triaged before the date specified in this parameter. | No | Date |
filter[triaged_at__null] | Filters by whether the report has been triaged, depending on the value of this parameter. | No | Boolean |
filter[closed_at__gt] | Filters by reports that were closed after the date specified in this parameter. | No | Date |
filter[closed_at__lt] | Filters by reports that were closed before the date specified in this parameter. | No | Date |
filter[closed_at__null] | Filters by whether the report has been closed, depending on the value of this parameter. | No | Boolean |
filter[disclosed_at__gt] | Filters by reports that were disclosed after the date specified in this parameter. | No | Date |
filter[disclosed_at__lt] | Filters by reports that were disclosed before the date specified in this parameter. | No | Date |
filter[disclosed_at__null] | Filters by whether the report has been disclosed, depending on the value of this parameter. | No | Boolean |
filter[reporter_agreed_on_going_public] | Filters by whether the report has a hacker disclosure request, depending on the value of this parameter. | No | Boolean |
filter[bounty_awarded_at__gt] | Filters by reports that have a bounty awarded after the date specified in this parameter. | No | Date |
filter[bounty_awarded_at__lt] | Filters by reports that have a bounty awarded before the date specified in this parameter. | No | Date |
filter[bounty_awarded_at__null] | Filters by whether the report has a bounty awarded, depending on the value of this parameter. | No | Boolean |
filter[swag_awarded_at__gt] | Filters by reports that have swag awarded after the date specified in this parameter. | No | Date |
filter[swag_awarded_at__lt] | Filters by reports that have swag awarded before the date specified in this parameter. | No | Date |
filter[swag_awarded_at__null] | Filters by whether the report has swag awarded, depending on the value of this parameter. | No | Boolean |
filter[last_reporter_activity_at__gt] | Filters by reports that received an update from the reporter after the date specified in this parameter. | No | Date |
filter[last_reporter_activity_at__lt] | Filters by reports that received an update from the reporter before the date specified in this parameter. | No | Date |
filter[first_program_activity_at__gt] | Filters by reports that received the first update from the program after the date specified in this parameter. | No | Date |
filter[first_program_activity_at__lt] | Filters by reports that received the first update from the program before the date specified in this parameter. | No | Date |
filter[first_program_activity_at__null] | Filters by whether the reporter has received an update from the program, depending on the value of this parameter. | No | Boolean |
filter[last_program_activity_at__gt] | Filters by reports that received an update from the program after the date specified in this parameter. | No | Date |
filter[last_program_activity_at__lt] | Filters by reports that received an update from the program before the date specified in this parameter. | No | Date |
filter[last_activity_at__gt] | Filters by reports that received an update after the date specified in this parameter. | No | Date |
filter[last_activity_at__lt] | Filters by reports that received an update before the date specified in this parameter. | No | Date |
filter[last_public_activity_at__gt] | Filters by reports that received a public update after the date specified in this parameter. | No | Date |
filter[last_public_activity_at__lt] | Filters by reports that received a public update before the date specified in this parameter. | No | Date |
filter[keyword] | Filters reports by a keyword in the title and details. | No | String |
filter[custom_fields] | Filters reports by a Custom Field label and value. | No | Custom-Field-Input[] |
page | This parameter can be used to specify the page number and size the client wants to query. | No | object |
page[number] | The page to retrieve. Default: 1 | No | Integer |
page[size] | The number of objects per page; currently limited from 1 to 100. Default: 25 | No | Integer |
sort | The attributes and order to sort the reports on. This parameter may contain multiple attributes that the reports should be sorted on. Sorting is applied in the specified order of attributes. If an attribute should be sorted descending, prepend a hyphen (-). The following attributes can be used for sorting: reports.swag_awarded_at, reports.bounty_awarded_at, reports.last_reporter_activity_at, reports.first_program_activity_at, reports.last_program_activity_at, reports.triaged_at, reports.created_at, reports.closed_at, reports.last_public_activity_at, reports.last_activity_at, and reports.disclosed_at. Default: -reports.created_at | No | String |
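The filters above are nested (`filter[program][]`, `page[number]`) and the response is paginated through `links.next`, which is easy to get wrong in a client. The following is an added example, not HackerOne's own code: it encodes the query the way the `links` block of the example response shows, walks every page, and reduces each report object to the fields a triage dashboard needs. The HTTP layer is replaced by `fake_fetch` over constructed sample pages so it runs offline; in a real client, `fetch_json` would perform the authenticated GET.

```python
from urllib.parse import urlencode

BASE_URL = "https://api.hackerone.com/v1/reports"


def build_reports_query(programs, states=None, created_after=None,
                        page_number=1, page_size=25, sort="-reports.created_at"):
    """Build the GET /reports URL. Array filters are sent as repeated
    filter[x][] keys; urlencode percent-encodes the brackets exactly as the
    'links' block of the documented response shows (filter%5Bprogram%5D%5B%5D)."""
    params = [("filter[program][]", handle) for handle in programs]
    params += [("filter[state][]", state) for state in (states or [])]
    if created_after:
        params.append(("filter[created_at__gt]", created_after))
    params += [("page[number]", str(page_number)),
               ("page[size]", str(page_size)),
               ("sort", sort)]
    return f"{BASE_URL}?{urlencode(params)}"


def _related_attr(report, relationship, key):
    """Read one attribute of an included relationship; None if the relationship
    is absent or its data is null (for example an unassigned report)."""
    data = report.get("relationships", {}).get(relationship, {}).get("data")
    return data["attributes"].get(key) if data else None


def summarize_report(report):
    """Reduce a report object to the fields a triage dashboard needs."""
    attrs = report["attributes"]
    return {
        "id": report["id"],
        "title": attrs["title"],
        "state": attrs["state"],
        "severity": _related_attr(report, "severity", "rating"),
        "weakness": _related_attr(report, "weakness", "external_id"),
        "asset": _related_attr(report, "structured_scope", "asset_identifier"),
        # a user assignee carries a username, a group assignee only a name
        "assignee": (_related_attr(report, "assignee", "username")
                     or _related_attr(report, "assignee", "name")),
    }


def iter_reports(fetch_json, first_url):
    """Walk every page: follow links.next until the last page omits it."""
    url = first_url
    while url:
        body = fetch_json(url)
        for report in body["data"]:
            yield summarize_report(report)
        url = body.get("links", {}).get("next")


# --- constructed sample data (shape copied from the documented response) ---
def _report(rid, title, state, rating, cwe, asset, assignee):
    return {
        "id": rid, "type": "report",
        "attributes": {"title": title, "state": state},
        "relationships": {
            "severity": {"data": {"id": "1", "type": "severity",
                                  "attributes": {"rating": rating}}},
            "weakness": {"data": {"id": "1", "type": "weakness",
                                  "attributes": {"external_id": cwe}}},
            "structured_scope": {"data": {"id": "1", "type": "structured-scope",
                                          "attributes": {"asset_identifier": asset}}},
            "assignee": {"data": assignee},
        },
    }


FIRST_URL = build_reports_query(["security"], page_size=2)
SECOND_URL = build_reports_query(["security"], page_number=2, page_size=2)
SAMPLE_PAGES = {
    FIRST_URL: {
        "data": [
            _report("1337", "XSS in login form", "new", "high", "cwe-79", "api.example.com",
                    {"id": "1337", "type": "user", "attributes": {"username": "member"}}),
            _report("1338", "CSRF in admin panel", "triaged", "medium", "cwe-352", "example.com",
                    {"id": "1337", "type": "group", "attributes": {"name": "Admin"}}),
        ],
        "links": {"self": FIRST_URL, "next": SECOND_URL, "last": SECOND_URL},
    },
    SECOND_URL: {
        "data": [
            _report("1339", "Open redirect", "resolved", "low", "cwe-601", "example.com", None),
        ],
        "links": {"self": SECOND_URL, "last": SECOND_URL},  # no 'next': last page
    },
}


def fake_fetch(url):
    """Stand-in for an authenticated HTTP GET; serves the constructed pages."""
    return SAMPLE_PAGES[url]


def collect_reports(fetch_json=fake_fetch, states=None):
    """All reports across all pages, optionally restricted to the given states."""
    wanted = set(states) if states else None
    return [r for r in iter_reports(fetch_json, FIRST_URL)
            if wanted is None or r["state"] in wanted]


if __name__ == "__main__":
    for summary in collect_reports(states=["new", "triaged"]):
        print(summary)
```

Filtering by state client-side, as `collect_reports` does, is only there to show the summaries; in practice pass `states` to `build_reports_query` so the API does the filtering and fewer pages are fetched.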
Get Report
Read a report
curl "https://api.hackerone.com/v1/reports/129329" \
-u "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ="
Example Response (200 OK)
{
"data": {
"id": "1337",
"type": "report",
"attributes": {
"title": "XSS in login form",
"state": "new",
"created_at": "2016-02-02T04:05:06.000Z",
"vulnerability_information": "...",
"triaged_at": null,
"closed_at": null,
"last_reporter_activity_at": null,
"first_program_activity_at": null,
"last_program_activity_at": null,
"bounty_awarded_at": null,
"swag_awarded_at": null,
"disclosed_at": null,
"source": null
},
"relationships": {
"reporter": {
"data": {
"id": "1337",
"type": "user",
"attributes": {
"username": "api-example",
"name": "API Example",
"disabled": false,
"created_at": "2016-02-02T04:05:06.000Z",
"profile_picture": {
"62x62": "/assets/avatars/default.png",
"82x82": "/assets/avatars/default.png",
"110x110": "/assets/avatars/default.png",
"260x260": "/assets/avatars/default.png"
}
}
}
},
"assignee": {
"data": {
"id": "1337",
"type": "user",
"attributes": {
"username": "member",
"name": "Member",
"disabled": false,
"created_at": "2016-02-02T04:05:06.000Z",
"profile_picture": {
"62x62": "/assets/avatars/default.png",
"82x82": "/assets/avatars/default.png",
"110x110": "/assets/avatars/default.png",
"260x260": "/assets/avatars/default.png"
}
}
}
},
"program": {
"data": {
"id": "1337",
"type": "program",
"attributes": {
"handle": "security",
"created_at": "2016-02-02T04:05:06.000Z",
"updated_at": "2016-02-02T04:05:06.000Z"
}
}
},
"severity": {
"data": {
"id": "57",
"type": "severity",
"attributes": {
"rating": "high",
"author_type": "User",
"user_id": 1337,
"created_at": "2016-02-02T04:05:06.000Z",
"score": 8.7,
"attack_complexity": "low",
"attack_vector": "adjacent",
"availability": "high",
"confidentiality": "low",
"integrity": "high",
"privileges_required": "low",
"user_interaction": "required",
"scope": "changed"
}
}
},
"swag": {
"data": [
]
},
"attachments": {
"data": [
]
},
"weakness": {
"data": {
"id": "1337",
"type": "weakness",
"attributes": {
"name": "Cross-Site Request Forgery (CSRF)",
"description": "The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.",
"external_id": "cwe-352",
"created_at": "2016-02-02T04:05:06.000Z"
}
}
},
"structured_scope": {
"data": {
"id": "57",
"type": "structured-scope",
"attributes": {
"asset_identifier": "api.example.com",
"asset_type": "url",
"confidentiality_requirement": "high",
"integrity_requirement": "high",
"availability_requirement": "high",
"max_severity": "critical",
"created_at": "2015-02-02T04:05:06.000Z",
"updated_at": "2016-05-02T04:05:06.000Z",
"instruction": null,
"eligible_for_bounty": true,
"eligible_for_submission": true,
"reference": "H001001"
}
}
},
"activities": {
"data": [
{
"type": "activity-comment",
"id": "445",
"attributes": {
"message": "Comment!",
"created_at": "2016-02-02T04:05:06.000Z",
"updated_at": "2016-02-02T04:05:06.000Z",
"internal": false
},
"relationships": {
"actor": {
"data": {
"id": "1337",
"type": "user",
"attributes": {
"username": "api-example",
"name": "API Example",
"disabled": false,
"created_at": "2016-02-02T04:05:06.000Z",
"profile_picture": {
"62x62": "/assets/avatars/default.png",
"82x82": "/assets/avatars/default.png",
"110x110": "/assets/avatars/default.png",
"260x260": "/assets/avatars/default.png"
},
"signal": null,
"impact": null,
"reputation": null,
"bio": null,
"website": null,
"location": null,
"hackerone_triager": false
}
}
},
"attachments": {
"data": [
{
"id": "1337",
"type": "attachment",
"attributes": {
"expiring_url": "/system/attachments/files/000/001/337/original/root.rb?1454385906",
"created_at": "2016-02-02T04:05:06.000Z",
"file_name": "root.rb",
"content_type": "text/x-ruby",
"file_size": 2871
}
}
]
}
}
},
{
"id": "1337",
"type": "activity-bug-resolved",
"attributes": {
"message": "Bug Resolved!",
"created_at": "2016-02-02T04:05:06.000Z",
"updated_at": "2016-02-02T04:05:06.000Z",
"internal": false
},
"relationships": {
"actor": {
"data": {
"id": "1337",
"type": "user",
"attributes": {
"username": "api-example",
"name": "API Example",
"disabled": false,
"created_at": "2016-02-02T04:05:06.000Z",
"profile_picture": {
"62x62": "/assets/avatars/default.png",
"82x82": "/assets/avatars/default.png",
"110x110": "/assets/avatars/default.png",
"260x260": "/assets/avatars/default.png"
}
}
}
}
}
}
]
},
"bounties": {
"data": [
]
},
"summaries": {
"data": [
]
},
"triggered_pre_submission_trigger": {
"data": {
"id": "1337",
"type": "trigger",
"attributes": {
"title": "Example Trigger"
}
}
},
"custom_field_values": {
"data": [
]
}
}
}
}
A report object can be fetched by sending a GET request to a unique report object. If the request is successful, the API responds with a report object.
The following report relationships are included: reporter, assignee (a user or group), program, weakness, severity, bounties, swag, activities, attachments, structured scope, summaries, triggered pre-submission trigger, and custom field values.
HTTP Request
GET https://api.hackerone.com/v1/reports/{id}
URI Parameters
Name | Description | Required | Type |
---|---|---|---|
id | The ID of the report. | Yes | Integer |
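The single-report response nests activities, and each activity in turn nests its own actor and attachments, so the useful detail sits two relationship levels down. The following is an added example, not HackerOne's own code: it walks the `activities` relationship of a fetched report and separates public from internal comments, collects every attachment with its metadata, records state-changing activities, and reads the pre-submission trigger title. The sample report is constructed to mirror the documented response; treating every `activity-bug-*` type as a state change is an assumption, since the page only shows `activity-bug-resolved`.

```python
def audit_report_activity(report):
    """Split a fetched report's activity stream into the pieces a defender
    reviews separately: comments (public vs. internal), attachments, and
    activities that changed the report's state."""
    rel = report.get("relationships", {})
    public_comments, internal_comments, attachments, state_changes = [], [], [], []

    def collect_attachments(data, activity_id):
        for att in data:
            a = att["attributes"]
            attachments.append({
                "id": att["id"],
                "file_name": a["file_name"],
                "content_type": a["content_type"],
                "file_size": a["file_size"],
                "activity_id": activity_id,  # None for report-level attachments
            })

    # report-level attachments (the 'attachments' relationship on the report)
    collect_attachments(rel.get("attachments", {}).get("data", []), None)

    for act in rel.get("activities", {}).get("data", []):
        attrs = act["attributes"]
        kind = act["type"]
        if kind == "activity-comment":
            bucket = internal_comments if attrs.get("internal") else public_comments
            bucket.append(attrs["message"])
        elif kind.startswith("activity-bug-"):
            # assumption: the documented activity-bug-resolved and its siblings
            # share this prefix and all record a state transition
            state_changes.append((kind, attrs["created_at"]))
        # attachments uploaded with a comment hang off the activity
        collect_attachments(
            act.get("relationships", {}).get("attachments", {}).get("data", []), act["id"])

    trigger = rel.get("triggered_pre_submission_trigger", {}).get("data")
    return {
        "public_comments": public_comments,
        "internal_comments": internal_comments,
        "attachments": attachments,
        "state_changes": state_changes,
        "pre_submission_trigger": trigger["attributes"]["title"] if trigger else None,
    }


# constructed sample in the documented shape (one extra internal comment added)
SAMPLE_REPORT = {
    "id": "1337", "type": "report",
    "attributes": {"title": "XSS in login form", "state": "resolved"},
    "relationships": {
        "attachments": {"data": []},
        "activities": {"data": [
            {"id": "445", "type": "activity-comment",
             "attributes": {"message": "Comment!", "created_at": "2016-02-02T04:05:06.000Z",
                            "internal": False},
             "relationships": {"attachments": {"data": [
                 {"id": "1337", "type": "attachment",
                  "attributes": {
                      "expiring_url": "/system/attachments/files/000/001/337/original/root.rb?1454385906",
                      "created_at": "2016-02-02T04:05:06.000Z",
                      "file_name": "root.rb", "content_type": "text/x-ruby",
                      "file_size": 2871}}]}}},
            {"id": "446", "type": "activity-comment",
             "attributes": {"message": "Internal triage note", "created_at": "2016-02-02T05:00:00.000Z",
                            "internal": True}},
            {"id": "447", "type": "activity-bug-resolved",
             "attributes": {"message": "Bug Resolved!", "created_at": "2016-02-03T04:05:06.000Z",
                            "internal": False}},
        ]},
        "triggered_pre_submission_trigger": {"data": {
            "id": "1337", "type": "trigger", "attributes": {"title": "Example Trigger"}}},
    },
}

if __name__ == "__main__":
    for key, value in audit_report_activity(SAMPLE_REPORT).items():
        print(f"{key}: {value}")
```

Note that attachment URLs are exposed as `expiring_url`, so anything that archives evidence should download the file while processing the report rather than storing the URL for later.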
Create Report
Create a report for a program
curl "https://api.hackerone.com/v1/reports" \
-X POST \
-u "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=" \
-H "Content-Type: application/json" \
-d @- <<EOD
{
"data": {
"type": "report",
"attributes": {
"team_handle": "security",
"title": "XSS in login form",
"vulnerability_information": "...",
"impact": "...",
"severity_rating": "medium",
"weakness_id": "1337",
"structured_scope_id": "287",
"source": "detectify"
}
}
}
EOD
Example response (200 OK)
{
"data": {
"id": "1337",
"type": "report",
"attributes": {
"title": "XSS in login form",
"state": "new",
"created_at": "2016-02-02T04:05:06.000Z",
"vulnerability_information": "...",
"triaged_at": null,
"closed_at": null,
"last_reporter_activity_at": null,
"first_program_activity_at": null,
"last_program_activity_at": null,
"bounty_awarded_at": null,
"swag_awarded_at": null,
"disclosed_at": null,
"source": null
},
"relationships": {
"reporter": {
"data": {
"id": "1337",
"type": "user",
"attributes": {
"username": "api-example",
"name": "API Example",
"disabled": false,
"created_at": "2016-02-02T04:05:06.000Z",
"profile_picture": {
"62x62": "/assets/avatars/default.png",
"82x82": "/assets/avatars/default.png",
"110x110": "/assets/avatars/default.png",
"260x260": "/assets/avatars/default.png"
}
}
}
},
"program": {
"data": {
"id": "1337",
"type": "program",
"attributes": {
"handle": "security",
"created_at": "2016-02-02T04:05:06.000Z",
"updated_at": "2016-02-02T04:05:06.000Z"
}
}
},
"swag": {
"data": [
]
},
"attachments": {
"data": [
]
},
"weakness": {
"data": {
"id": "1337",
"type": "weakness",
"attributes": {
"name": "Cross-Site Request Forgery (CSRF)",
"description": "The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.",
"external_id": "cwe-352",
"created_at": "2016-02-02T04:05:06.000Z"
}
}
},
"activities": {
"data": [
]
},
"bounties": {
"data": [
]
},
"summaries": {
"data": [
]
}
}
}
}
This API endpoint can be used to import (known) vulnerabilities into the HackerOne platform, to use these for duplicate detection or central vulnerability management. When the API call is successful, a report object will be returned.
Required permission: Report Management. You can manage the permissions of your API users through your program's settings. Insufficient permissions will result in a 403 Forbidden response.
HTTP Request
POST https://api.hackerone.com/v1/reports
Request Body
Name | Description | Possible Values | Required | Type |
---|---|---|---|---|
data | This object contains the information to create a report. | | Yes | Object |
data/type | | report | Yes | String |
data/attributes | | | Yes | Object |
data/attributes/team_handle | The handle of the team that the report is being submitted to. | | Yes | String |
data/attributes/title | The title of the report. | | Yes | String |
data/attributes/vulnerability_information | Detailed information about the vulnerability including the steps to reproduce and supporting material/references. | | Yes | String |
data/attributes/impact | The security impact that an attacker could achieve. | | Yes | String |
data/attributes/severity_rating | The severity rating of the security vulnerability. | none, low, medium, high, critical | No | String |
data/attributes/weakness_id | The ID of the Weakness object that describes the type of the potential issue. | | No | Integer |
data/attributes/structured_scope_id | The ID of the StructuredScope object that describes the attack surface. | | No | Integer |
data/attributes/source | A free-form string defining the source of the report for tracking purposes. For example, "detectify", "rapid7" or "jira". | | Yes | String |
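When reports are imported from a scanner or ticketing system in bulk, a malformed record is better rejected locally than discovered through API errors. The following is an added example, not HackerOne's own client: it validates an import record against the request body documented above (required attributes, the `severity_rating` enum, integer IDs), builds the request including the Basic authorization header that curl's `-u` flag sends, and maps the two documented outcomes (200 with a report object, 403 for a missing Report Management permission). The finding and the credentials are constructed placeholders.

```python
import base64
import json

CREATE_URL = "https://api.hackerone.com/v1/reports"
REQUIRED_ATTRIBUTES = ("team_handle", "title", "vulnerability_information", "impact", "source")
OPTIONAL_ATTRIBUTES = ("severity_rating", "weakness_id", "structured_scope_id")
SEVERITY_RATINGS = ("none", "low", "medium", "high", "critical")


class ReportValidationError(ValueError):
    """Raised before any request is sent, so a malformed import never reaches the API."""


def build_create_report_request(attributes, api_identifier, api_token):
    """Validate the attributes against the documented request body and return
    (method, url, headers, body) for an HTTP client to send."""
    missing = [k for k in REQUIRED_ATTRIBUTES if not attributes.get(k)]
    if missing:
        raise ReportValidationError(f"missing required attributes: {missing}")
    unknown = sorted(set(attributes) - set(REQUIRED_ATTRIBUTES) - set(OPTIONAL_ATTRIBUTES))
    if unknown:
        raise ReportValidationError(f"unsupported attributes: {unknown}")
    rating = attributes.get("severity_rating")
    if rating is not None and rating not in SEVERITY_RATINGS:
        raise ReportValidationError(f"severity_rating must be one of {SEVERITY_RATINGS}")
    for key in ("weakness_id", "structured_scope_id"):
        if key in attributes and not str(attributes[key]).isdigit():
            raise ReportValidationError(f"{key} must be an integer ID")
    body = {"data": {"type": "report", "attributes": dict(attributes)}}
    # curl -u "identifier:token" sends exactly this HTTP Basic header
    credentials = base64.b64encode(f"{api_identifier}:{api_token}".encode()).decode()
    headers = {"Authorization": f"Basic {credentials}",
               "Content-Type": "application/json"}
    return "POST", CREATE_URL, headers, json.dumps(body)


def handle_create_response(status, body_text):
    """Map the documented outcomes: 200 yields the new report's ID; 403 means
    the API user lacks the Report Management permission."""
    if status == 200:
        return json.loads(body_text)["data"]["id"]
    if status == 403:
        raise PermissionError("API user lacks the Report Management permission")
    raise RuntimeError(f"unexpected HTTP status {status}: {body_text[:200]}")


# constructed import record, e.g. one finding exported from a scanner
SAMPLE_FINDING = {
    "team_handle": "security",
    "title": "XSS in login form",
    "vulnerability_information": "Reflected XSS in the login form; scanner evidence attached.",
    "impact": "Script execution in the browser of a user who follows a crafted link.",
    "severity_rating": "medium",
    "weakness_id": "1337",
    "structured_scope_id": "287",
    "source": "detectify",
}

if __name__ == "__main__":
    method, url, headers, body = build_create_report_request(
        SAMPLE_FINDING, "api_example_company", "API_TOKEN_PLACEHOLDER")
    print(method, url)
    print(body)
    # constructed 200 response in the documented shape
    print(handle_create_response(200, '{"data": {"id": "1337", "type": "report"}}'))
```

Because the page states that the imported report's `source` is required for tracking, the validator treats an empty `source` the same as a missing one; relax that if your program deliberately imports unsourced findings.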
Update Title
Changing the title of a report through the HackerOne API can be useful to programmatically batch update received reports in HackerOne.
Update the title of a report
curl "https://api.hackerone.com/v1/reports/129329/title" \
-X PUT \
-u "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=" \
-H "Content-Type: application/json" \
-d @- <<EOD
{
"data": {
"type": "report-title",
"attributes": {
"title": "Report Title Updated!"
}
}
}
EOD
Example response (200 OK)
{
"id": "1337",
"type": "activity-report-title-updated",
"attributes": {
"message": "Report Title Updated!",
"created_at": "2016-02-02T04:05:06.000Z",
"updated_at": "2016-02-02T04:05:06.000Z",
"internal": false,
"old_title": "xss",
"new_title": "XSS in login form"
},
"relationships": {
"actor": {
"data": {
"id": "1337",
"type": "user",
"attributes": {
"username": "api-example",
"name": "API Example",
"disabled": false,
"created_at": "2016-02-02T04:05:06.000Z",
"profile_picture": {
"62x62": "/assets/avatars/default.png",
"82x82": "/assets/avatars/default.png",
"110x110": "/assets/avatars/default.png",
"260x260": "/assets/avatars/default.png"
}
}
}
}
}
}
Changing the title of a report can be done through this endpoint. This API endpoint cannot be used for reports that have been reported outside of the HackerOne platform.
Required permission: Report Management. You can manage the permissions of your API users through your program's settings. Insufficient permissions will result in a 403 Forbidden response.
HTTP Request
PUT https://api.hackerone.com/v1/reports/{id}/title
URI Parameters
Name | Description | Required | Type |
---|---|---|---|
id | The ID of the report. | Yes | Integer |
Request Body
Name | Description | Required | Type |
---|---|---|---|
data | This object contains the information to change the title of a report. | Yes | Object |
data/type | Possible values: report-title | Yes | String |
data/attributes | | Yes | Object |
data/attributes/title | The new title that will be set on the report. | Yes | String |
Update Structured Scope
Update the structured scope of a report
curl "https://api.hackerone.com/v1/reports/77/structured_scope" \
-X PUT \
-u "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=" \
-H "Content-Type: application/json" \
-d @- <<EOD
{
"data": {
"type": "report-structured-scope",
"attributes": {
"structured_scope_id": "57"
}
}
}
EOD
Example response (200 OK)
{
"id": "77",
"type": "report",
"attributes": {
"title": "XSS in login form",
"state": "new",
"created_at": "2019-08-20T14:26:19.286Z",
"vulnerability_information": "...",
"triaged_at": null,
"closed_at": null,
"last_reporter_activity_at": "2019-08-20T14:26:20.531Z",
"first_program_activity_at": "2019-08-20T14:26:20.531Z",
"last_program_activity_at": "2019-08-20T15:25:56.627Z",
"bounty_awarded_at": null,
"swag_awarded_at": null,
"disclosed_at": null,
"last_public_activity_at": "2019-08-20T15:25:56.627Z",
"last_activity_at": "2019-08-20T15:25:56.627Z",
"cve_ids": [],
"source": null
},
"relationships": {
"structured_scope": {
"data": {
"id": "57",
"type": "structured-scope",
"attributes": {
"asset_identifier": "api.example.com",
"asset_type": "url",
"confidentiality_requirement": "high",
"integrity_requirement": "high",
"availability_requirement": "high",
"max_severity": "critical",
"created_at": "2015-02-02T04:05:06.000Z",
"updated_at": "2016-05-02T04:05:06.000Z",
"instruction": null,
"eligible_for_bounty": true,
"eligible_for_submission": true,
"reference": "H001001"
}
}
}
}
}
Changing the structured scope of a report can be done through this endpoint. This API endpoint cannot be used for reports that have been reported outside of the HackerOne platform.
Required permission: Report Management. You can manage the permissions of your API users through your program's settings. Insufficient permissions will result in a 404 Not Found response.
HTTP Request
PUT https://api.hackerone.com/v1/reports/{id}/structured_scope
URI Parameters
Name | Description | Required | Type |
---|---|---|---|
id | The ID of the report. | Yes | Integer |
Request Body
Name | Description | Possible Values | Required | Type |
---|---|---|---|---|
data | This object contains the information to change the structured scope of a report. | | Yes | Object |
data/type | | report-structured-scope | Yes | String |
data/attributes | | | Yes | Object |
data/attributes/structured_scope_id | The new structured scope that will be set on the report. | | Yes | Integer |
Update Weakness
Update the weakness of a report
curl "https://api.hackerone.com/v1/reports/129329/weakness" \
-X PUT \
-u "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=" \
-H "Content-Type: application/json" \
-d @- <<EOD
{
"data": {
"type": "report-weakness",
"attributes": {
"weakness_id": "123"
}
}
}
EOD
Example response (200 OK)
{
"id": "77",
"type": "report",
"attributes": {
"title": "XSS in login form",
"state": "new",
"created_at": "2019-08-20T14:26:19.286Z",
"vulnerability_information": "...",
"triaged_at": null,
"closed_at": null,
"last_reporter_activity_at": "2019-08-20T14:26:20.531Z",
"first_program_activity_at": "2019-08-20T14:26:20.531Z",
"last_program_activity_at": "2019-08-20T15:25:56.627Z",
"bounty_awarded_at": null,
"swag_awarded_at": null,
"disclosed_at": null,
"last_public_activity_at": "2019-08-20T15:25:56.627Z",
"last_activity_at": "2019-08-20T15:25:56.627Z",
"cve_ids": [],
"source": null
},
"relationships": {
"weakness": {
"data": {
"id": "77",
"type": "weakness",
"attributes": {
"name": "Reliance on Reverse DNS Resolution for a Security-Critical Action",
"description": "The software performs reverse DNS resolution on an IP address to obtain the hostname and make a security decision, but it does not properly ensure that the IP address is truly associated with the hostname.",
"external_id": "cwe-350",
"created_at": "2019-07-12T08:36:13.646Z"
}
}
}
}
}
Changing the weakness of a report can be done through this endpoint. This API endpoint cannot be used for reports that have been reported outside of the HackerOne platform.
Required permission: Report Management. You can manage the permissions of your API users through your program's settings. Insufficient permissions will result in a 404 Not Found response.
HTTP Request
PUT https://api.hackerone.com/v1/reports/{id}/weakness
URI Parameters
Name | Description | Required | Type |
---|---|---|---|
id | The ID of the report. | Yes | Integer |
Request Body
Name | Description | Possible Values | Required | Type |
---|---|---|---|---|
data | This object contains the information to change the weakness of a report. | | Yes | Object |
data/type | | report-weakness | Yes | String |
data/attributes | | | Yes | Object |
data/attributes/weakness_id | The new weakness that will be set on the report. | | Yes | Integer |
Update Severity
Create severity
curl "https://api.hackerone.com/v1/reports/172932/severities" \
-X POST \
-u "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=" \
-H "Content-Type: application/json" \
-d @- <<EOD
{
"data": {
"attributes": {
"rating": "high",
"attack_complexity": "",
"attack_vector": "",
"availability": "",
"confidentiality": "",
"integrity": "",
"privileges_required": "",
"scope": "",
"user_interaction": ""
}
}
}
EOD
Example response (200 OK)
{
"data": {
"id": "2057",
"type": "severity",
"attributes": {
"rating": "high",
"created_at": "2017-08-22T15:09:44.176Z"
}
}
}
You can use this endpoint to create or update the severity of the provided report. If the report already has a severity, a new one will be created and used as the current severity.
Required permission: Report Management. You can manage the permissions of your API users through your program's settings. Insufficient permissions will result in a 404 Not Found response.
HTTP Request
POST https://api.hackerone.com/v1/reports/{id}/severities
URI Parameters
Name | Description | Required | Type |
---|---|---|---|
id | The ID of the report. | Yes | Integer |
Request Body
Name | Description | Possible Values | Required | Type |
---|---|---|---|---|
data | This object contains the information required to create a severity. | | Yes | Object |
data/attributes | | | Yes | Object |
data/attributes/rating | The qualitative rating of the severity. Provided either directly by the author or mapped from the calculated vulnerability score. | none low medium high critical | No | String |
data/attributes/score | The vulnerability score calculated from the Common Vulnerability Scoring System (CVSS). Only present if CVSS metrics were provided. | | No | Number |
data/attributes/attack_vector | A CVSS metric that reflects the context by which vulnerability exploitation is possible. | network adjacent local physical | No | String |
data/attributes/attack_complexity | A CVSS metric that describes the conditions beyond the attacker's control that must exist in order to exploit the vulnerability. | low high | No | String |
data/attributes/privileges_required | A CVSS metric that describes the level of privileges an attacker must possess before successfully exploiting the vulnerability. | none low high | No | String |
data/attributes/user_interaction | A CVSS metric that captures the requirement for a user, other than the attacker, to participate in the successful compromise of the vulnerable component. | none required | No | String |
data/attributes/scope | A CVSS metric that determines whether a successful attack impacts a component other than the vulnerable component. | unchanged changed | No | String |
data/attributes/confidentiality | A CVSS metric that measures the impact to the confidentiality of the information resources managed by a software component due to a successfully exploited vulnerability. | none low high | No | String |
data/attributes/integrity | A CVSS metric that measures the impact to integrity resulting from a successfully exploited vulnerability. | none low high | No | String |
data/attributes/availability | A CVSS metric that measures the impact to the availability of the impacted component resulting from a successfully exploited vulnerability. | none low high | No | String |
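The rating can be supplied directly or mapped by HackerOne from the CVSS score it calculates from the submitted metrics. The following added example is not part of the HackerOne documentation or any HackerOne client; it implements the published CVSS v3.1 base score formula and qualitative scale locally so a triage script can validate metric values against the table above, predict the rating the API will derive, and build the request body before calling POST /reports/{id}/severities. The metric names and allowed values are those from the table; the function and constant names are the example's own.

```python
import math

# Metric names and allowed values exactly as the severities request body table lists them.
METRIC_VALUES = {
    "attack_vector": ("network", "adjacent", "local", "physical"),
    "attack_complexity": ("low", "high"),
    "privileges_required": ("none", "low", "high"),
    "user_interaction": ("none", "required"),
    "scope": ("unchanged", "changed"),
    "confidentiality": ("none", "low", "high"),
    "integrity": ("none", "low", "high"),
    "availability": ("none", "low", "high"),
}

# CVSS v3.1 base metric weights (FIRST CVSS v3.1 specification, section 7.4).
AV_WEIGHT = {"network": 0.85, "adjacent": 0.62, "local": 0.55, "physical": 0.20}
AC_WEIGHT = {"low": 0.77, "high": 0.44}
UI_WEIGHT = {"none": 0.85, "required": 0.62}
CIA_WEIGHT = {"none": 0.0, "low": 0.22, "high": 0.56}
# Privileges Required weighs differently when Scope is changed: (unchanged, changed).
PR_WEIGHT = {"none": (0.85, 0.85), "low": (0.62, 0.68), "high": (0.27, 0.50)}


def validate_metrics(metrics):
    """Reject unknown or missing metrics and values outside the documented sets before a request is built."""
    unknown = sorted(set(metrics) - set(METRIC_VALUES))
    missing = sorted(set(METRIC_VALUES) - set(metrics))
    if unknown or missing:
        raise ValueError(f"unknown metrics {unknown}, missing metrics {missing}")
    for name, value in metrics.items():
        if value not in METRIC_VALUES[name]:
            raise ValueError(f"{name}={value!r} is not one of {METRIC_VALUES[name]}")


def roundup(value):
    """CVSS v3.1 Roundup(): smallest one-decimal number >= value, done on integers to avoid float drift."""
    int_input = round(value * 100000)
    if int_input % 10000 == 0:
        return int_input / 100000.0
    return (math.floor(int_input / 10000) + 1) / 10.0


def cvss31_base_score(metrics):
    """CVSS v3.1 base score (0.0 to 10.0) for metrics given in the API's lowercase vocabulary."""
    validate_metrics(metrics)
    changed = metrics["scope"] == "changed"
    iss = 1 - (
        (1 - CIA_WEIGHT[metrics["confidentiality"]])
        * (1 - CIA_WEIGHT[metrics["integrity"]])
        * (1 - CIA_WEIGHT[metrics["availability"]])
    )
    if changed:
        impact = 7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ** 15
    else:
        impact = 6.42 * iss
    exploitability = (
        8.22
        * AV_WEIGHT[metrics["attack_vector"]]
        * AC_WEIGHT[metrics["attack_complexity"]]
        * PR_WEIGHT[metrics["privileges_required"]][1 if changed else 0]
        * UI_WEIGHT[metrics["user_interaction"]]
    )
    if impact <= 0:
        return 0.0
    if changed:
        return roundup(min(1.08 * (impact + exploitability), 10))
    return roundup(min(impact + exploitability, 10))


def rating_for(score):
    """CVSS v3.x qualitative severity scale, spelled as the API's rating values."""
    if score == 0:
        return "none"
    if score < 4.0:
        return "low"
    if score < 7.0:
        return "medium"
    if score < 9.0:
        return "high"
    return "critical"


def severity_payload(metrics):
    """Body for POST /v1/reports/{id}/severities, with rating set to what the CVSS score maps to."""
    return {"data": {"attributes": {"rating": rating_for(cvss31_base_score(metrics)), **metrics}}}


if __name__ == "__main__":
    import json
    # A typical reflected XSS vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N scores 6.1 (medium).
    xss = {"attack_vector": "network", "attack_complexity": "low", "privileges_required": "none",
           "user_interaction": "required", "scope": "changed", "confidentiality": "low",
           "integrity": "low", "availability": "none"}
    print(cvss31_base_score(xss), json.dumps(severity_payload(xss)))
```

Computing the score locally lets an automation job compare the rating it is about to submit with the one HackerOne will derive, and catches typos in metric values before the request is sent rather than after a 4xx response.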
Update Assignee
Assign a user
curl "https://api.hackerone.com/v1/reports/129329/assignee" \
-X PUT \
-u "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=" \
-H "Content-Type: application/json" \
-d @- <<EOD
{
"data": {
"id": 1337,
"type": "user",
"attributes": {
"message": "@member Please check this out!"
}
}
}
EOD
Example response (200 OK)
{
"id": "1337",
"type": "report",
"attributes": {
"title": "XSS in login form",
"state": "new",
"created_at": "2016-02-02T04:05:06.000Z",
"vulnerability_information": "...",
"triaged_at": null,
"closed_at": null,
"last_reporter_activity_at": null,
"first_program_activity_at": null,
"last_program_activity_at": null,
"bounty_awarded_at": null,
"swag_awarded_at": null,
"disclosed_at": null,
"last_activity_at": null,
"issue_tracker_reference_url": "https://example.com/reference",
"cve_ids": [],
"source": null
},
"relationships": {
"reporter": {
"data": {
"id": "1337",
"type": "user",
"attributes": {
"username": "api-example",
"name": "API Example",
"disabled": false,
"created_at": "2016-02-02T04:05:06.000Z",
"profile_picture": {
"62x62": "/assets/avatars/default.png",
"82x82": "/assets/avatars/default.png",
"110x110": "/assets/avatars/default.png",
"260x260": "/assets/avatars/default.png"
},
"reputation": 7,
"signal": 7.0,
"impact": 30.0
}
}
},
"assignee": {
"data": {
"id": "1337",
"type": "user",
"attributes": {
"username": "member",
"name": "Member",
"disabled": false,
"created_at": "2016-02-02T04:05:06.000Z",
"profile_picture": {
"62x62": "/assets/avatars/default.png",
"82x82": "/assets/avatars/default.png",
"110x110": "/assets/avatars/default.png",
"260x260": "/assets/avatars/default.png"
}
}
}
},
"program": {
"data": {
"id": "1337",
"type": "program",
"attributes": {
"handle": "security",
"created_at": "2016-02-02T04:05:06.000Z",
"updated_at": "2016-02-02T04:05:06.000Z"
}
}
},
"swag": {
"data": [
]
},
"attachments": {
"data": [
]
},
"weakness": {
"data": {
"id": "1337",
"type": "weakness",
"attributes": {
"name": "Cross-Site Request Forgery (CSRF)",
"description": "The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.",
"external_id": "cwe-352",
"created_at": "2016-02-02T04:05:06.000Z"
}
}
},
"activities": {
"data": [
{
"id": "1337",
"type": "activity-user-assigned-to-bug",
"attributes": {
"message": "@member Please check this out!",
"created_at": "2016-02-02T04:05:06.000Z",
"updated_at": "2016-02-02T04:05:06.000Z",
"internal": true
},
"relationships": {
"actor": {
"data": {
"id": "1338",
"type": "user",
"attributes": {
"username": "api_example_company",
"name": null,
"disabled": false,
"created_at": "2016-02-02T04:05:06.000Z",
"profile_picture": {
"62x62": "/assets/avatars/default.png",
"82x82": "/assets/avatars/default.png",
"110x110": "/assets/avatars/default.png",
"260x260": "/assets/avatars/default.png"
}
}
}
},
"assigned_user": {
"data": {
"id": "1337",
"type": "user",
"attributes": {
"username": "member",
"name": "Member",
"disabled": false,
"created_at": "2016-02-02T04:05:06.000Z",
"profile_picture": {
"62x62": "/assets/avatars/default.png",
"82x82": "/assets/avatars/default.png",
"110x110": "/assets/avatars/default.png",
"260x260": "/assets/avatars/default.png"
}
}
}
}
}
}
]
},
"bounties": {
"data": [
]
},
"summaries": {
"data": [
]
}
}
}
A user or group can be assigned to a report with this endpoint. An optional message can be specified, which will be posted as an internal comment visible to the report subscribers. Only users and groups that are part of the program can be assigned; API users cannot be assigned to a report.
When a single user is assigned to a report, that user is automatically subscribed to it. When a group is assigned, all users that are part of that group are subscribed. Subscribers receive a notification that the report was assigned.
If the request was successful, the API responds with the updated report object.
Required permission: Report Management. You can manage the permissions of your API users through your program's settings. Insufficient permissions will result in a 403 Forbidden response.
HTTP Request
PUT https://api.hackerone.com/v1/reports/{id}/assignee
URI Parameters
Name | Description | Required | Type |
---|---|---|---|
id | The ID of the report. | Yes | Integer |
Request Body
Name | Description | Required | Type |
---|---|---|---|
data | This object contains the information to assign a user or group object to the report, or to clear the assignee of a report. | Yes | Object |
data/id | The ID of the user or group. Required unless the type is 'nobody'. | No | Integer |
data/type | Specifies whether a user or group should be assigned, or if the assignee should be cleared. Possible values: user group nobody | Yes | String |
data/attributes | | No | Object |
data/attributes/message | The message that will be posted to the assigned user or group. | No | String |
Update Reference
Add a reference to a report
curl "https://api.hackerone.com/v1/reports/77/issue_tracker_reference_id" \
-X POST \
-u "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=" \
-H "Content-Type: application/json" \
-d @- <<EOD
{
"data": {
"type": "issue-tracker-reference-id",
"attributes": {
"reference": "T7413",
"message": "Reference Id Added!"
}
}
}
EOD
Example response (200 OK)
{
"relationships": {
"id": "77",
"type": "report",
"attributes": {
"title": "XSS in login form",
"state": "new",
"created_at": "2019-08-20T14:26:19.286Z",
"vulnerability_information": "...",
"triaged_at": null,
"closed_at": null,
"last_reporter_activity_at": "2019-08-20T14:26:20.531Z",
"first_program_activity_at": "2019-08-20T14:26:20.531Z",
"last_program_activity_at": "2019-08-20T15:25:56.627Z",
"bounty_awarded_at": null,
"swag_awarded_at": null,
"disclosed_at": null,
"last_public_activity_at": "2019-08-20T15:25:56.627Z",
"last_activity_at": "2019-08-20T15:25:56.627Z",
"cve_ids": [],
"source": null
},
"relationships": {
"activities": {
"data": [
{
"type": "activity-reference-id-added",
"id": "<id>",
"attributes": {
"message": "Reference Id Added!",
"created_at": "<date>",
"updated_at": "<date>",
"internal": true,
"reference": "T7413",
"reference_url": "https://example.com/T7413"
},
"relationships": {
"actor": {
"data": {
"id": "<id>",
"type": "user",
"attributes": {
"username": "api_user",
"name": null,
"disabled": false,
"created_at": "2019-10-14T13:59:49.563Z",
"profile_picture": {
"62x62": "/assets/avatars/default.png",
"82x82": "/assets/avatars/default.png",
"110x110": "/assets/avatars/default.png",
"260x260": "/assets/avatars/default.png"
},
"signal": null,
"impact": null,
"reputation": null,
"bio": null,
"website": null,
"location": null,
"hackerone_triager": false
}
}
}
}
}
]
}
}
}
}
This API endpoint allows the user to set a reference to an external issue tracker on the report.
A report can hold only one active reference at a time; a log of previously added references is available in the activities relationship of the report object. This API endpoint cannot be used for reports that were reported outside of the HackerOne platform.
To begin setting up the integration with your issue tracker, check out the Integrations tab under your Program settings on HackerOne.com.
Required permission: Report Management. You can manage the permissions of your API users through your program's settings. Insufficient permissions will result in a 403 Forbidden response.
HTTP Request
POST https://api.hackerone.com/v1/reports/{id}/issue_tracker_reference_id
URI Parameters
Name | Located in | Description | Required | Type |
---|---|---|---|---|
id | path | The ID of the report. | Yes | Integer |
Request Body
Name | Description | Required | Type |
---|---|---|---|
data | This object contains the information to update the reference of a report. | Yes | Object |
data/type | Possible values: issue-tracker-reference-id | Yes | String |
data/attributes | | Yes | Object |
data/attributes/reference | The unique reference in the issue tracker. | Yes | String |
data/attributes/message | The message that will be posted. | No | String |
Redact
Redact a report
curl "https://api.hackerone.com/v1/reports/129329/redact" \
-X PUT \
-u "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=" \
-H "Content-Type: application/json" \
-d @- <<EOD
{
"data": {
"type": "report-title",
"attributes": {
"string_to_redact": "IP address: 127.0.0.1"
}
}
}
EOD
Example response (200 OK)
{
"id": "79",
"type": "report",
"attributes": {
"title": "CSRF on ████",
"state": "resolved",
"created_at": "2019-09-10T08:06:00.787Z",
"vulnerability_information": "Vulnerability detected on ██████████ ...",
"triaged_at": null,
"closed_at": null,
"last_reporter_activity_at": null,
"first_program_activity_at": null,
"last_program_activity_at": null,
"bounty_awarded_at": null,
"swag_awarded_at": null,
"disclosed_at": null,
"last_public_activity_at": null,
"last_activity_at": null,
"cve_ids": [],
"source": null
},
"relationships": {
"reporter": {
"data": {
"id": "1337",
"type": "user",
"attributes": {
"username": "api-example",
"name": "API Example",
"disabled": false,
"created_at": "2016-02-02T04:05:06.000Z",
"profile_picture": {
"62x62": "/assets/avatars/default.png",
"82x82": "/assets/avatars/default.png",
"110x110": "/assets/avatars/default.png",
"260x260": "/assets/avatars/default.png"
}
}
}
},
"program": {
"data": {
"id": "487",
"type": "program",
"attributes": {
"handle": "security",
"policy": "...",
"created_at": "2013-01-01T00:00:00.000Z",
"updated_at": "2019-10-16T12:23:48.295Z"
}
}
}
}
}
Reports can be redacted through this endpoint, which is useful for programmatically batch-updating received reports in HackerOne. This API endpoint cannot be used for reports that were reported outside of the HackerOne platform.
Required permission: Report Management. You can manage the permissions of your API users through your program's settings. Insufficient permissions will result in a 403 Forbidden response.
HTTP Request
PUT https://api.hackerone.com/v1/reports/{id}/redact
URI Parameters
Name | Description | Required | Type |
---|---|---|---|
id | The ID of the report. | Yes | Integer |
Request Body
Name | Description | Required | Type |
---|---|---|---|
data | This object contains the information to redact a report. | Yes | Object |
data/type | Possible values: report-redact | Yes | String |
data/attributes | | Yes | Object |
data/attributes/string_to_redact | The string to redact from the report. | Yes | String |
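The text above names batch redaction as the use case but shows only one call. The following added example, which is not HackerOne's code or part of its documentation, scans a report's title and vulnerability information for IPv4 addresses and e-mail addresses, de-duplicates them, and emits one request body per string using the report-redact type from the request body table. The sample report, the regular expressions, and the function names are the example's own; it scans only the two report attributes the response example above shows redacted, not comments or attachments.

```python
import re

# Constructed sample in the shape of the report object above; not a real HackerOne report.
SAMPLE_REPORT = {
    "id": "129329",
    "type": "report",
    "attributes": {
        "title": "SSRF reaching 10.0.12.7 from the image proxy",
        "vulnerability_information": (
            "The proxy fetches internal host 10.0.12.7 (also 10.0.12.7:8080) and returns metadata.\n"
            "Contact me at researcher@example.org if you need a retest. Version 2.3.1 is affected; "
            "999.1.1.1 is a placeholder, not an address.\n"
        ),
    },
}

# Patterns for the two kinds of strings this example redacts; IPv4 octets are range-checked below,
# so version-like strings and out-of-range dotted quads are not sent to the API.
IPV4_PATTERN = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
EMAIL_PATTERN = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def _is_ipv4(candidate):
    return all(0 <= int(octet) <= 255 for octet in candidate.split("."))


def find_sensitive_strings(text):
    """IPv4 addresses and e-mail addresses in text, de-duplicated, in order of first appearance."""
    found = []
    for match in IPV4_PATTERN.findall(text):
        if _is_ipv4(match) and match not in found:
            found.append(match)
    for match in EMAIL_PATTERN.findall(text):
        if match not in found:
            found.append(match)
    return found


def redaction_payloads(report):
    """One PUT /v1/reports/{id}/redact body per distinct sensitive string found in the report's
    title and vulnerability_information. Each body carries a single string_to_redact, as the
    endpoint accepts one string per call."""
    attrs = report["attributes"]
    text = attrs.get("title", "") + "\n" + attrs.get("vulnerability_information", "")
    return [
        {"data": {"type": "report-redact", "attributes": {"string_to_redact": s}}}
        for s in find_sensitive_strings(text)
    ]


if __name__ == "__main__":
    import json
    for body in redaction_payloads(SAMPLE_REPORT):
        # Each body would be sent with PUT to https://api.hackerone.com/v1/reports/129329/redact
        print(json.dumps(body))
```

Review the generated list before sending it: a redaction removes the string from the report for the program's own triagers as well, so anything that is evidence rather than sensitive data (an in-scope public hostname, for example) should be dropped from the list first.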
Change State
Mark a report as resolved
curl "https://api.hackerone.com/v1/reports/129329/state_changes" \
-X POST \
-u "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=" \
-H "Content-Type: application/json" \
-d @- <<EOD
{
"data": {
"type": "state-change",
"attributes": {
"message": "This vulnerability has been resolved. Thanks!",
"state": "resolved"
}
}
}
EOD
Changing the state of a report is done through this endpoint. Closing a report as resolved automatically recognizes the finder in the program's hall of fame and awards reputation. If a report is closed as N/A, informative, or spam, reputation is deducted from the finder's track record.
There is currently one feature missing from the state change API: the ability to invite the finder of the duplicate to the original report. This feature will be implemented in a future version of the API.
Required permission: Report Management. You can manage the permissions of your API users through your program's settings. Insufficient permissions will result in a 403 Forbidden response.
HTTP Request
POST https://api.hackerone.com/v1/reports/{id}/state_changes
URI Parameters
Name | Description | Required | Type |
---|---|---|---|
id | The ID of the report. | Yes | Integer |
Request Body
Name | Description | Possible Values | Required | Type |
---|---|---|---|---|
data | This object contains the information to change the state of a report. | | Yes | Object |
data/type | | state-change | Yes | String |
data/attributes | | | Yes | Object |
data/attributes/message | The message that will be posted. Required when the new state is needs-more-info, informative, or duplicate. | | No | String |
data/attributes/state | The state the report needs to be moved to. | new triaged needs-more-info resolved not-applicable informative duplicate spam | Yes | String |
data/attributes/original_report_id | The ID of the report to use as the original report. Only available when closing the report as duplicate. | | No | Integer |
Create Comment
Post a public comment
curl "https://api.hackerone.com/v1/reports/129329/activities" \
-X POST \
-u "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=" \
-H "Content-Type: application/json" \
-d @- <<EOD
{
"data": {
"type": "activity-comment",
"attributes": {
"message": "A fix has been deployed. Can you retest, please?",
"internal": false
}
}
}
EOD
Example response (200 OK)
{
"data": {
"id": "1337",
"type": "activity-comment",
"attributes": {
"message": "A fix has been deployed. Can you retest, please?",
"created_at": "2016-02-02T04:05:06.000Z",
"updated_at": "2016-02-02T04:05:06.000Z",
"internal": false
},
"relationships": {
"actor": {
"data": {
"id": "1337",
"type": "user",
"attributes": {
"username": "api-example",
"name": "API Example",
"disabled": false,
"created_at": "2016-02-02T04:05:06.000Z",
"profile_picture": {
"62x62": "/assets/avatars/default.png",
"82x82": "/assets/avatars/default.png",
"110x110": "/assets/avatars/default.png",
"260x260": "/assets/avatars/default.png"
}
}
}
}
}
}
}
Both public and internal comments can be posted with this endpoint. A comment requires a message before it will be posted. If a public comment is posted, every user subscribed to the report receives a notification of the new comment. For internal comments, only people managing the program who are subscribed to the report are notified.
Required permission: Report Management for posting public comments. Posting internal comments does not require any additional permissions. You can manage the permissions of your API users through your program's settings. Insufficient permissions will result in a 403 Forbidden response.
HTTP Request
POST https://api.hackerone.com/v1/reports/{id}/activities
URI Parameters
Name | Description | Required | Type |
---|---|---|---|
id | The ID of the report. | Yes | Integer |
Request Body
Name | Description | Possible Values | Required | Type |
---|---|---|---|---|
data | This object contains the information to create a comment object for the report. | | Yes | Object |
data/type | Type of activity. | activity-comment | Yes | String |
data/attributes | | | Yes | Object |
data/attributes/message | The message that will be posted. | | Yes | String |
data/attributes/internal | A boolean that indicates whether the comment should be internal or public. Internal comments are only viewable by the users that manage the program. Public comments are viewable by everyone, including the person that submitted the report. | | Yes | Boolean |
Close Comments
Lock a report
curl "https://api.hackerone.com/v1/reports/129329/close_comments" \
-X PUT \
-u "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=" \
-H "Content-Type: application/json" \
-d @- <<EOD
{
"data": {
"type": "activity-comments-closed"
}
}
EOD
Example response (200 OK)
{
"id": "1337",
"type": "activity-comments-closed",
"attributes": {
"message": "Comments Closed!",
"created_at": "2016-02-02T04:05:06.000Z",
"updated_at": "2016-02-02T04:05:06.000Z",
"internal": false
},
"relationships": {
"actor": {
"data": {
"id": "1337",
"type": "user",
"attributes": {
"username": "api-example",
"name": "API Example",
"disabled": false,
"created_at": "2016-02-02T04:05:06.000Z",
"profile_picture": {
"62x62": "/assets/avatars/default.png",
"82x82": "/assets/avatars/default.png",
"110x110": "/assets/avatars/default.png",
"260x260": "/assets/avatars/default.png"
}
}
}
}
}
}
A report can only be locked once. This API endpoint cannot be used for reports that have been reported outside of the HackerOne platform or reported to other teams.
Required permission: Report Management. You can manage the permissions of your API users through your program's settings. Insufficient permissions will result in a 403 Forbidden response.
HTTP Request
PUT https://api.hackerone.com/v1/reports/{id}/close_comments
URI Parameters
Name | Description | Required | Type |
---|---|---|---|
id | The ID of the report. | Yes | Integer |
Request Body
Name | Description | Possible Values | Required | Type |
---|---|---|---|---|
data | This object contains the information to lock the report. | | Yes | Object |
data/type | | activity-comments-closed | Yes | String |
Add Summary
This API endpoint allows the user to create a report summary for reports that are received by teams that the user is part of.
Create report summary
curl "https://api.hackerone.com/v1/reports/129329/summaries" \
-X POST \
-u "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=" \
-H "Content-Type: application/json" \
-d @- <<EOD
{
"data": {
"type": "report-summary",
"attributes": {
"content": "There was a cross-site scripting vulnerability in our login form."
}
}
}
EOD
Example response (200 OK)
{
"id": "1337",
"type": "report-summary",
"attributes": {
"content": "There was a cross-site scripting vulnerability in our login form.",
"category": "team",
"created_at": "2016-02-02T04:05:06.000Z",
"updated_at": "2016-02-02T04:05:06.000Z"
},
"relationships": {
"user": {
"data": {
"id": "1337",
"type": "user",
"attributes": {
"username": "api-example",
"name": "API Example",
"disabled": false,
"created_at": "2016-02-02T04:05:06.000Z",
"profile_picture": {
"62x62": "/assets/avatars/default.png",
"82x82": "/assets/avatars/default.png",
"110x110": "/assets/avatars/default.png",
"260x260": "/assets/avatars/default.png"
}
}
}
}
}
}
A team can have only a single summary on a report. This API endpoint cannot be used for reports that were reported outside of the HackerOne platform or reported to other teams.
Required permission: Report Management. You can manage the permissions of your API users through your program's settings. Insufficient permissions will result in a 403 Forbidden response.
HTTP Request
POST https://api.hackerone.com/v1/reports/{id}/summaries
URI Parameters
Name | Description | Required | Type |
---|---|---|---|
id | The ID of the report. | Yes | Integer |
Request Body
Name | Description | Possible Values | Required | Type |
---|---|---|---|---|
data | This object contains the information necessary to create a report summary. | | Yes | Object |
data/type | | report-summary | Yes | String |
data/attributes | | | Yes | Object |
data/attributes/content | The content of the report summary to be created. | | Yes | String |
Award Bounty
Create a bounty
curl "https://api.hackerone.com/v1/reports/172932/bounties" \
-X POST \
-u "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=" \
-H "Content-Type: application/json" \
-d @- <<EOD
{
"data": {
"message": "Thanks for the great report. Here's your bounty!",
"amount": "500",
"bonus_amount": "250"
}
}
EOD
Example response (200 OK)
{
"data": {
"id": "58549",
"type": "bounty",
"attributes": {
"amount": "1330.00",
"bonus_amount": "7.00",
"awarded_amount": "1330.00",
"awarded_bonus_amount": "7.00",
"awarded_currency": "USD",
"created_at": "2017-08-22T15:03:46.183Z"
}
}
}
You can use this endpoint to award bounties to the reporter of the provided report.
Required permission: Reward Management. You can manage the permissions of your API users through your program's settings. Insufficient permissions will result in a 404 Not Found response.
In addition, your program needs to be able to award bounties and the report needs to be eligible for bounties. If either case is false, the call will result in a 403 Forbidden response.
HTTP Request
POST https://api.hackerone.com/v1/reports/{id}/bounties
URI Parameters
Name | Located in | Description | Required | Type |
---|---|---|---|---|
id | path | The ID of the report. | Yes | Integer |
Request Body
Name | Description | Required | Type |
---|---|---|---|
data | This object contains the information required to create a bounty. | Yes | Object |
data/message | The public message posted on the report. Always required. | Yes | String |
data/amount | The bounty amount to award to the reporter. Only one of amount or bonus_amount is required. Must be a positive number and, when provided, must be equal to or greater than your minimum bounty. | No | Number |
data/bonus_amount | The bonus amount to award to the reporter. Only one of amount or bonus amount is required. Must be a positive number. | No | Number |
Get Bounty Suggestions
Query bounty suggestions for a report
curl "https://api.hackerone.com/v1/reports/79/bounty_suggestions" \
-u "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ="
Example response (200 OK)
{
"data": [
{
"type": "activity-bounty-suggested",
"id": "1946481",
"attributes": {
"message": "This report is great, I think we should award a high bounty.",
"created_at": "2019-09-22T15:10:02.699Z",
"updated_at": "2019-09-22T15:10:02.699Z",
"internal": true,
"bounty_amount": "300.00",
"bonus_amount": "0.00"
},
"relationships": {
"actor": {
"data": {
"type": "user",
"id": "193855",
"attributes": {
"username": "sjors",
"name": null,
"disabled": false,
"created_at": "2019-09-22T13:18:29.084Z",
"profile_picture": {
"62x62": "/assets/avatars/default-71a302d706457f3d3a31eb30fa3e73e6cf0b1d677b8fa218eaeaffd67ae97918.png",
"82x82": "/assets/avatars/default-71a302d706457f3d3a31eb30fa3e73e6cf0b1d677b8fa218eaeaffd67ae97918.png",
"110x110": "/assets/avatars/default-71a302d706457f3d3a31eb30fa3e73e6cf0b1d677b8fa218eaeaffd67ae97918.png",
"260x260": "/assets/avatars/default-71a302d706457f3d3a31eb30fa3e73e6cf0b1d677b8fa218eaeaffd67ae97918.png"
}
}
}
}
}
}
]
}
This API endpoint allows a user to retrieve the list of a report's bounty suggestions.
HTTP Request
GET https://api.hackerone.com/v1/reports/{id}/bounty_suggestions
URI Parameters
Name | Description | Required | Type |
---|---|---|---|
id | The ID of the report. | Yes | Integer |
Add Bounty Suggestion
Create a bounty suggestion
curl "https://api.hackerone.com/v1/reports/172932/bounty_suggestions" \
-X POST \
-u "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=" \
-H "Content-Type: application/json" \
-d @- <<EOD
{
"data": {
"message": "This report is great, I think we should award a high bounty",
"amount": "5000",
"bonus_amount": "2500"
}
}
EOD
Example response (200 OK)
{
"data": {
"type": "activity-bounty-suggested",
"id": "1946481",
"attributes": {
"message": "This report is great, I think we should award a high bounty.",
"created_at": "2017-08-22T15:10:02.699Z",
"updated_at": "2017-08-22T15:10:02.699Z",
"internal": true,
"bounty_amount": "5,000",
"bonus_amount": "2,500"
},
"relationships": {
"actor": {
"data": {
"type": "user",
"id": "193855",
"attributes": {
"username": "sjors",
"name": null,
"disabled": false,
"created_at": "2017-08-22T13:18:29.084Z",
"profile_picture": {
"62x62": "/assets/avatars/default-71a302d706457f3d3a31eb30fa3e73e6cf0b1d677b8fa218eaeaffd67ae97918.png",
"82x82": "/assets/avatars/default-71a302d706457f3d3a31eb30fa3e73e6cf0b1d677b8fa218eaeaffd67ae97918.png",
"110x110": "/assets/avatars/default-71a302d706457f3d3a31eb30fa3e73e6cf0b1d677b8fa218eaeaffd67ae97918.png",
"260x260": "/assets/avatars/default-71a302d706457f3d3a31eb30fa3e73e6cf0b1d677b8fa218eaeaffd67ae97918.png"
}
}
}
}
}
}
}
You can use this endpoint to suggest a bounty for the provided report.
Required permission: Reward Management OR Report Management. You can manage the permissions of your API users through your program's settings. Insufficient permissions will result in a 404 Not Found response.
HTTP Request
POST https://api.hackerone.com/v1/reports/{id}/bounty_suggestions
URI Parameters
Name | Description | Required | Type |
---|---|---|---|
id | The ID of the report. | Yes | Integer |
Request Body
Name | Description | Required | Type |
---|---|---|---|
data | This object contains the information required to create a bounty suggestion. | Yes | Object |
data/message | The internal message posted on the report. Always required. Only readable by team members. | Yes | String |
data/amount | The suggested bounty amount to award to the reporter. Only one of amount or bonus_amount is required. Must be a positive number and, when provided, must be equal to or greater than your minimum bounty. | No | Number |
data/bonus_amount | The suggested bonus amount to award to the reporter. Only one of amount or bonus amount is required. Must be a positive number. | No | Number |
Award Swag
Award swag
curl "https://api.hackerone.com/v1/reports/172932/swags" \
-X POST \
-u "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=" \
-H "Content-Type: application/json" \
-d @- <<EOD
{
"data": {
"message": "This is the 5th report we received from you. We'd like to send you a shirt and some stickers as a small thank-you!"
}
}
EOD
Example response (200 OK)
{
"data": {
"id": "2057",
"type": "swag",
"attributes": {
"sent": false,
"created_at": "2017-08-22T15:09:44.176Z"
},
"relationships": {
"user": {
"data": {
"id": "1337",
"type": "user",
"attributes": {
"username": "api-example",
"name": "API Example",
"disabled": false,
"created_at": "2016-02-02T04:05:06.000Z",
"profile_picture": {
"62x62": "/assets/avatars/default.png",
"82x82": "/assets/avatars/default.png",
"110x110": "/assets/avatars/default.png",
"260x260": "/assets/avatars/default.png"
}
}
}
},
"address": {
"data": {
"id": "1337",
"type": "address",
"attributes": {
"name": "Jane Doe",
"street": "535 Mission Street",
"city": "San Francisco",
"postal_code": "94105",
"state": "CA",
"country": "United States of America",
"created_at": "2016-02-02T04:05:06.000Z",
"tshirt_size": "W_Large",
"phone_number": "+1-510-000-0000"
}
}
}
}
}
}
You can use this endpoint to award swag to the reporter of the provided report.
Required permission: Reward Management. You can manage the permissions of your API users through your program's settings. Insufficient permissions will result in a 404 Not Found response.
HTTP Request
POST https://api.hackerone.com/v1/reports/{id}/swags
URI Parameters
Name | Description | Required | Type |
---|---|---|---|
id | The ID of the report. | Yes | Integer |
Request Body
Name | Description | Required | Type |
---|---|---|---|
data | This object contains the information required to award swag. | Yes | Object |
data/message | The public message posted on the report. Always required. | Yes | String |
Mark as Ineligible for Bounty
Mark a report as ineligible for bounty.
curl "https://api.hackerone.com/v1/reports/2/ineligible_for_bounty" \
-X PUT \
-u "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=" \
-H "Content-Type: application/json" \
-d @- <<EOD
{
"data": {
"type": "report-ineligible-for-bounty",
"attributes": {}
}
}
EOD
Example response (200 OK)
{
"id": "77",
"type": "report",
"attributes": {
"title": "XSS in login form",
"state": "new",
"created_at": "2019-08-20T14:26:19.286Z",
"vulnerability_information": "...",
"triaged_at": null,
"closed_at": null,
"last_reporter_activity_at": "2019-08-20T14:26:20.531Z",
"first_program_activity_at": "2019-08-20T14:26:20.531Z",
"last_program_activity_at": "2019-08-20T15:25:56.627Z",
"bounty_awarded_at": null,
"swag_awarded_at": null,
"disclosed_at": null,
"last_public_activity_at": "2019-08-20T15:25:56.627Z",
"last_activity_at": "2019-08-20T15:25:56.627Z",
"cve_ids": [],
"source": null
},
"relationships": {
"weakness": {
"data": {
"id": "77",
"type": "weakness",
"attributes": {
"name": "Reliance on Reverse DNS Resolution for a Security-Critical Action",
"description": "The software performs reverse DNS resolution on an IP address to obtain the hostname and make a security decision, but it does not properly ensure that the IP address is truly associated with the hostname.",
"external_id": "cwe-350",
"created_at": "2019-07-12T08:36:13.646Z"
}
}
}
}
}
Marking a report as ineligible for bounty is done through this endpoint, which is useful for programmatically batch-updating received reports in HackerOne. This API endpoint cannot be used for reports that were reported outside of the HackerOne platform.
Required permission: Report Management. You can manage the permissions of your API users through your program's settings. Insufficient permissions will result in a 403 Forbidden response.
HTTP Request
PUT https://api.hackerone.com/v1/reports/{id}/ineligible_for_bounty
URI Parameters
Name | Description | Required | Type |
---|---|---|---|
id | The ID of the report. | Yes | Integer |
Request Body
Name | Description | Possible Values | Required | Type |
---|---|---|---|---|
data | This object contains the information to mark a report as ineligible for bounty. | | Yes | Object |
data/type | | report-ineligible-for-bounty | Yes | String |
Manage Custom Field Values
Create Custom Field Value
curl "https://api.hackerone.com/v1/reports/172932/custom_field_values" \
-X POST \
-u "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=" \
-H "Content-Type: application/json" \
-d @- <<EOD
{
"data": {
"attributes": {
"custom_field_attribute_id": "1",
"value": "Dark Matter"
}
}
}
EOD
Example response (200 OK)
{
"data": [
{
"id": "1",
"type": "custom-field-value",
"attributes": {
"value": "Dark Matter",
"created_at": "2019-04-24T22:21:50.328Z",
"updated_at": "2019-04-24T22:21:50.328Z"
},
"relationships": {
"custom_field_attribute": {
"data": {
"id": "1",
"type": "custom-field-attribute",
"attributes": {
"label": "Product Squad",
"configuration": null,
"created_at": "2013-01-01T00:00:00.000Z",
"updated_at": "2013-01-01T00:00:00.000Z",
"archived_at": null
}
}
}
}
}
]
}
You can use this endpoint to create or update the Custom Field Values of the provided report. If the report already has a value for the provided Custom Field Attribute ID, the value is replaced. To get a list of existing Custom Field Attributes, see the Program resource. This feature is only available to select programs at this time.
Required permission: Report Management. You can manage the permissions of your API users through your program's settings. Insufficient permissions will result in a 403 Forbidden response.
HTTP Request
POST https://api.hackerone.com/v1/reports/{id}/custom_field_values
URI Parameters
Name | Description | Required | Type |
---|---|---|---|
id | The ID of the report. | Yes | Integer |
Request Body
Name | Description | Required | Type |
---|---|---|---|
data | This object contains the information required to create a Custom Field Value. | Yes | Object |
data/attributes/custom_field_attribute_id | The Custom Field Attribute ID for which a value needs to be set. A complete list of available Custom Field Attribute IDs is exposed on the Program object. | Yes | Integer |
data/attributes/value | The value that needs to be set for the given Custom Field Attribute. Leave empty to remove a Custom Field Attribute from a Report. | No | String |
Manage Disclosure Request
This resource allows you to create or cancel the disclosure request for the report.
Required permission: Report Management. You can manage the permissions of your API users through your program's settings. Insufficient permissions will result in a 403 Forbidden response.
Create Disclosure Request
Create a disclosure request for the provided report.
curl "https://api.hackerone.com/v1/reports/172932/disclosure_requests" \
-X POST \
-u "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=" \
-H "Content-Type: application/json" \
-d @- <<EOD
{
"data": {
"attributes": {
"substate": "full",
"message": "Go public"
}
}
}
EOD
Example response (200 OK)
{
"data": {
"id": "1337",
"type": "activity-agreed-on-going-public",
"attributes": {
"message": "Agreed On Going Public!",
"created_at": "2019-02-02T04:05:06.000Z",
"updated_at": "2019-02-02T04:05:06.000Z",
"internal": false,
"disclosed_at": "2019-02-02T15:26:47.000Z"
},
"relationships": {
"actor": {
"data": {
"id": "1337",
"type": "user",
"attributes": {
"username": "api-example",
"name": "API Example",
"disabled": false,
"created_at": "2019-02-02T04:05:06.000Z",
"profile_picture": {
"62x62": "/assets/avatars/default.png",
"82x82": "/assets/avatars/default.png",
"110x110": "/assets/avatars/default.png",
"260x260": "/assets/avatars/default.png"
}
}
}
}
}
}
}
The program can request disclosure for any closed report.
You can use this endpoint to create the disclosure request for the report, which will result in:
- the agreement to disclose the report, if the reporter has already requested disclosure. The contents of the report will be made public instantly, and the time when the report was disclosed will be returned in the 'disclosed_at' attribute.
- a disclosure request, if the reporter hasn't requested disclosure yet. If the reporter neither approves nor denies the program's disclosure request, the contents of the report will be auto-disclosed within 30 days. The 'allow_singular_disclosure_at' attribute value will show when the report will be disclosed.
HTTP Request
POST https://api.hackerone.com/v1/reports/{id}/disclosure_requests
URI Parameters
Name | Description | Required | Type |
---|---|---|---|
id | The ID of the report. | Yes | Integer |
Request Body
Name | Description | Possible Values | Required | Type |
---|---|---|---|---|
data | This object contains the information about the disclosure request. | | Yes | Object |
data/attributes | | | Yes | Object |
data/attributes/substate | Select whether you want to disclose the full report ("full") or a limited version ("no-content"). | full no-content | Yes | String |
data/attributes/message | Additional information | | No | String |
Cancel Disclosure Request
Cancel the report's disclosure request.
curl "https://api.hackerone.com/v1/reports/172932/disclosure_requests" \
-X DELETE \
-u "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=" \
-H "Content-Type: application/json" \
-d @- <<EOD
{
"data": {
"attributes": {
"message": "Cancel disclosure"
}
}
}
EOD
Example response (200 OK)
{
"data": {
"type": "activity-cancelled-disclosure-request",
"id": "516",
"attributes": {
"message": "Cancel disclosure 1",
"created_at": "2019-10-23T13:35:35.616Z",
"updated_at": "2019-10-23T13:35:35.616Z",
"internal": false
},
"relationships": {
"actor": {
"data": {
"id": "106",
"type": "user",
"attributes": {
"username": "api_user",
"name": null,
"disabled": false,
"created_at": "2019-10-14T13:59:49.563Z",
"profile_picture": {
"62x62": "/assets/avatars/default.png",
"82x82": "/assets/avatars/default.png",
"110x110": "/assets/avatars/default.png",
"260x260": "/assets/avatars/default.png"
},
"signal": null,
"impact": null,
"reputation": null,
"bio": null,
"website": null,
"location": null,
"hackerone_triager": false
}
}
}
}
}
}
The program can cancel the disclosure request for the provided report.
HTTP Request
DELETE https://api.hackerone.com/v1/reports/{id}/disclosure_requests
URI Parameters
Name | Description | Required | Type |
---|---|---|---|
id | The ID of the report. | Yes | Integer |
Request Body
Name | Description | Possible Values | Required | Type |
---|---|---|---|---|
data | This object contains the information about the disclosure request. | | Yes | Object |
data/attributes | | | Yes | Object |
data/attributes/message | Additional information | | No | String |
Activities
This endpoint allows you to fetch all activities of your program incrementally by time.
This feature has multiple usages:
- Detecting a new report or a new activity on a report using a single endpoint.
- Being able to take actions on reports based on user activity. For example, automatically assigning a report after triaging.
- Monitoring activities on program.
The next section will give an overview of what an Activity object looks like. The sections after that will show the endpoints that have been implemented for this resource.
Query Activities
Read the activities of a team
curl "https://api.hackerone.com/v1/incremental/activities?handle=acme&page[size]=1" \
-u "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ="
Example response (200 OK)
{
"data": [
{
"type": "activity-bug-filed",
"id": "1337",
"attributes": {
"report_id": "99900",
"message": "",
"created_at": "2016-02-02T04:05:06.000Z",
"updated_at": "2017-02-02T04:05:06.000Z",
"internal": false
},
"relationships": {
"actor": {
"data": {
"type": "user",
"id": "7331",
"attributes": {
"username": "api-example",
"name": "API Example",
"disabled": false,
"created_at": "2016-02-02T04:05:06.000Z",
"profile_picture": {
"62x62": "/assets/avatars/default.png",
"82x82": "/assets/avatars/default.png",
"110x110": "/assets/avatars/default.png",
"260x260": "/assets/avatars/default.png"
}
}
}
}
}
}
],
"meta": {
"max_updated_at": "2017-02-02T04:05:06.000Z"
},
"links": {
"self": "https://api.hackerone.com/v1/incremental/activities?handle=acme&page%5Bsize%5D=1",
"next": "https://api.hackerone.com/v1/incremental/activities?handle=acme&page%5Bsize%5D=1&page%5Bnumber%5D=2",
"last": "https://api.hackerone.com/v1/incremental/activities?handle=acme&page%5Bsize%5D=1&page%5Bnumber%5D=20"
}
}
Note that the request URL path is /incremental/activities. When the request is successful, the API will respond with paginated activity objects ordered by updated date.
HTTP Request
GET /incremental/activities/
Query Parameters
Name | Description | Required | Type |
---|---|---|---|
handle | The HackerOne handle of the program whose activities you wish to retrieve. | Yes | String |
updated_at_after | A datetime encoded as a string. Used to indicate what cut-off date to use when retrieving activities. When not provided, no filtering is applied and all activities will be retrieved. | No | DateTime |
page | This parameter can be used to specify the page number and size the client wants to query. | No | Object |
page[number] | The page to retrieve. | No | Integer |
page[size] | The number of objects per page; currently limited from 1 to 100. Default: 25 | No | Integer |
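The polling loop the description above implies, written out as an added example in Python using only the standard library (this is not code from HackerOne's documentation). It builds the query URL with the documented parameters, follows links.next until the last page, de-duplicates activities by id, takes meta.max_updated_at as the next updated_at_after cursor, and picks out the report ids introduced by a bug-filed activity. The sample response body and the `fetch` stub are constructed for the example; persisting the cursor between runs is left to the caller.

```python
"""Incremental activity polling for GET /incremental/activities (added example)."""
import json
from urllib.parse import urlencode

BASE = "https://api.hackerone.com/v1"
NEW_REPORT_ACTIVITY = "activity-bug-filed"   # activity type that marks a new report
MAX_PAGE_SIZE = 100                          # documented upper bound for page[size]


def activities_url(handle, updated_at_after=None, page_size=MAX_PAGE_SIZE):
    """Build the query URL; page[size] is clamped to the documented 1..100 range."""
    params = [("handle", handle)]
    if updated_at_after:
        params.append(("updated_at_after", updated_at_after))
    params.append(("page[size]", max(1, min(page_size, MAX_PAGE_SIZE))))
    return f"{BASE}/incremental/activities?{urlencode(params)}"


def parse_page(body, seen_ids):
    """Return (unseen activities, links.next, meta.max_updated_at) for one response body.

    Activities whose id is already in seen_ids are dropped, so re-reading the
    boundary timestamp on the next poll does not process an activity twice.
    """
    doc = json.loads(body)
    fresh = []
    for act in doc.get("data", []):
        if act["id"] in seen_ids:
            continue
        seen_ids.add(act["id"])
        fresh.append(act)
    return (fresh,
            doc.get("links", {}).get("next"),
            doc.get("meta", {}).get("max_updated_at"))


def sync(fetch, handle, cursor, seen_ids):
    """Walk every page since `cursor`; return (activities, new cursor).

    `fetch` is any callable mapping a URL to a response body string. Wiring it
    to an authenticated HTTP client is the caller's job, so this runs offline.
    """
    url = activities_url(handle, cursor)
    collected = []
    new_cursor = cursor
    while url:
        fresh, url, max_updated = parse_page(fetch(url), seen_ids)
        collected.extend(fresh)
        if max_updated:
            new_cursor = max_updated
    return collected, new_cursor


def new_report_ids(activities):
    """Report ids for which a 'bug filed' activity was seen, i.e. new reports."""
    return {a["attributes"]["report_id"] for a in activities
            if a["type"] == NEW_REPORT_ACTIVITY}


# Constructed sample page shaped like the documented response (not real data).
SAMPLE_PAGE = json.dumps({
    "data": [
        {"type": "activity-bug-filed", "id": "1337",
         "attributes": {"report_id": "99900", "message": "",
                        "created_at": "2016-02-02T04:05:06.000Z",
                        "updated_at": "2017-02-02T04:05:06.000Z", "internal": False}},
        {"type": "activity-agreed-on-going-public", "id": "1338",
         "attributes": {"report_id": "99800", "message": "Agreed On Going Public!",
                        "created_at": "2017-02-03T09:00:00.000Z",
                        "updated_at": "2017-02-03T09:00:00.000Z", "internal": False}},
    ],
    "meta": {"max_updated_at": "2017-02-03T09:00:00.000Z"},
    "links": {"next": None},
})

if __name__ == "__main__":
    seen = set()
    acts, cursor = sync(lambda url: SAMPLE_PAGE, "acme", None, seen)
    print(len(acts), "activities; new reports:", new_report_ids(acts))
    print("next updated_at_after:", cursor)
```

Because `updated_at_after` is a cut-off rather than an exclusive marker, keeping the set of already-processed activity ids alongside the cursor is what makes repeated polls idempotent.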
Programs
The next section will give an overview of what a Program object looks like. The sections after that will show the endpoints that have been implemented for this resource. To find the ID of your program, you can use the Get Your Programs endpoint.
Get Program
Read a program
curl "https://api.hackerone.com/v1/programs/11000" \
-u "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ="
Example response (200 OK)
{
"data": {
"id": "1337",
"type": "program",
"attributes": {
"handle": "security",
"policy": "Policy definition",
"created_at": "2016-02-02T04:05:06.000Z",
"updated_at": "2016-02-02T04:05:06.000Z"
},
"relationships": {
"groups": {
"data": [
{
"id": "2557",
"type": "group",
"attributes": {
"name": "Standard",
"created_at": "2016-02-02T04:05:06.000Z",
"permissions": [
"report_management",
"reward_management"
]
}
},
{
"id": "2558",
"type": "group",
"attributes": {
"name": "Admin",
"created_at": "2016-02-02T04:05:06.000Z",
"permissions": [
"user_management",
"program_management"
]
}
}
]
},
"custom_field_attributes": {
"data": [
{
"id": "1337",
"type": "custom-field-attribute",
"attributes": {
"label": "Team",
"configuration": null,
"created_at": "2016-02-02T04:05:06.000Z",
"updated_at": "2016-02-02T04:05:06.000Z",
"archived_at": null
}
}
]
},
"members": {
"data": [
{
"id": "1339",
"type": "member",
"attributes": {
"created_at": "2016-02-02T04:05:06.000Z",
"permissions": [
"program_management",
"report_management",
"reward_management",
"user_management"
],
"groups": [
{
"id": "2558",
"name": "Admin"
},
{
"id": "2557",
"name": "Standard"
}
]
},
"relationships": {
"user": {
"data": {
"id": "1337",
"type": "user",
"attributes": {
"username": "api-example",
"name": "API Example",
"disabled": false,
"created_at": "2016-02-02T04:05:06.000Z",
"profile_picture": {
"62x62": "/assets/avatars/default.png",
"82x82": "/assets/avatars/default.png",
"110x110": "/assets/avatars/default.png",
"260x260": "/assets/avatars/default.png"
}
}
}
}
}
}
]
},
"policy_attachments": {
"data": [
{
"id": "<id>",
"type": "attachment",
"attributes": {
"expiring_url": "<url>",
"created_at": "<date>",
"file_name": "logo.png",
"content_type": "image/png",
"file_size": 3650
}
}
]
}
}
}
}
A program object can be fetched by sending a GET request to a unique program object. When the request is successful, the API will respond with a program object.
The following program relationships are included: groups, members, custom field attributes and policy attachments.
HTTP Request
GET https://api.hackerone.com/v1/programs/{id}
URI Parameters
Name | Description | Required | Type |
---|---|---|---|
id | The ID of the program. You can find the program ID by fetching your programs. | Yes | Integer |
Update Policy
Update the policy of a program
curl "https://api.hackerone.com/v1/programs/3774/policy" \
-X PUT \
-u "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=" \
-H "Content-Type: application/json" \
-d @- <<EOD
{
"data": {
"type": "program-policy",
"attributes": {
"policy": "..."
}
}
}
EOD
Example response (200 OK)
{
"data": {
"id": "3774",
"type": "program",
"attributes": {
"handle": "acme",
"policy": "...",
"created_at": "2013-01-01T00:00:00.000Z",
"updated_at": "2019-08-26T13:53:24.807Z"
}
}
}
Managing the policy of a program through the HackerOne API can be useful to programmatically batch update programs in HackerOne. You can use this endpoint to update the policy of your program.
Required permission: Program Management. You can manage the permissions of your API users through your program's settings. Insufficient permissions will result in a 404 Not Found response.
HTTP Request
PUT https://api.hackerone.com/v1/programs/{id}/policy
URI Parameters
Name | Description | Required | Type |
---|---|---|---|
id | The ID of the program. | Yes | Integer |
Request Body
Name | Description | Possible Values | Required | Type |
---|---|---|---|---|
data | This object contains the information to update the policy of a program. | Yes | Object | |
data/type | program-policy | Yes | String | |
data/attributes | Yes | Object | ||
data/attributes/policy | The new policy that will be set on the program. | Yes | String |
Upload Policy Attachment
Upload an attachment for program policy
curl "https://api.hackerone.com/v1/programs/3774/policy_attachments" \
-X POST \
-u "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=" \
-F "file=@/tmp/example.png"
Example response (200 OK)
{
"data": {
"id": "1337",
"type": "attachment",
"attributes": {
"expiring_url": "https://attachments.s3.amazonaws.com/G74PuDP6qdEdN2rpKNLkVwZF",
"created_at": "2019-10-30T04:05:06.000Z",
"file_name": "example.png",
"content_type": "image/png",
"file_size": 16115
}
}
}
Policy attachments can be uploaded by sending a POST request to the program policy attachments endpoint. When the API call is successful, an attachment object will be returned.
You can use the attachment ID to display the attachment on your policy page. For example, if the attachment ID is 1337, then include {F1337} in your policy to display the attachment.
Required permission: Program Management for uploading policy attachments. You can manage the permissions of your API users through your program's settings. Insufficient permissions will result in a 404 Not Found response.
HTTP Request
POST https://api.hackerone.com/v1/programs/{id}/policy_attachments
URI Parameters
Name | Description | Required | Type |
---|---|---|---|
id | The ID of the program. | Yes | Integer |
Query Parameters
Name | Description | Required | Type |
---|---|---|---|
file | Full path to a local file. | Yes | File |
Award Bounty
Create a bounty for a program
curl "https://api.hackerone.com/v1/programs/11000/bounties" \
-X POST \
-u "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=" \
-H "Content-Type: application/json" \
-d @- <<EOD
{
"data": {
"type": "bounty",
"attributes": {
"amount": 100,
"reference": "JIRA1239",
"title": "Reflected XSS on marketing.example.com",
"recipient": "hacker@hackerone.com",
"currency": "USD",
"severity_rating": "high"
}
}
}
EOD
Example response (200 OK)
{
"data": {
"id": "1",
"type": "bounty",
"attributes": {
"amount": "100.00",
"bonus_amount": "0.00",
"awarded_amount": "100.00",
"awarded_bonus_amount": "0.00",
"awarded_currency": "USD",
"created_at": "2017-02-14T23:07:24.252Z",
"invitations": [
{
"id": "10",
"recipient": "hacker@hackerone.com",
"claim_url": "https://hackerone.com/invitations/3fe0a8badea0023c2fcca5c860d5899e"
}
]
}
}
}
To award a bounty, this API endpoint can be used. When the API call is successful, a bounty object will be returned.
Required permission: Reward Management. You can manage the permissions of your API users through your program's settings. Insufficient permissions will result in a 403 Forbidden response.
HTTP Request
POST https://api.hackerone.com/v1/programs/{id}/bounties
URI Parameters
Name | Description | Required | Type |
---|---|---|---|
id | The ID of the program. | Yes | Integer |
Request Body
Name | Description | Required | Type |
---|---|---|---|
data | This object contains the information required to create a bounty. | Yes | Object |
data/type | Possible values: bounty | Yes | Object |
data/attributes/recipient | The email address of the recipient. When the email address is provided, an email will be sent to the recipient to claim the bounty. When the email address is not provided, you can use the claim URL in the response to notify the recipient yourself. When the user does not have an account yet with HackerOne, it'll be onboarded before it can claim the reward. Users that already have an account, will benefit from collecting the payout easily through HackerOne and get additional reputation points to showcase on their HackerOne profile. | No | String |
data/attributes/amount | The amount that should be awarded. | Yes | Number |
data/attributes/reference | An internal reference attached to the report that makes searching or filtering in the future easy. | Yes | String |
data/attributes/title | The title of the security vulnerability that was reported to you. | Yes | String |
data/attributes/currency | Possible values: USD | Yes | String |
data/attributes/severity_rating | The severity rating of the security vulnerability that was reported to you. Possible values: none low medium high critical | No | String |
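Building the authenticated Award Bounty request shown above with Python's standard library, as an added example that is not HackerOne's code. The Basic credentials are constructed the same way curl -u sends them; the claim_url extraction covers the case the recipient note describes, where no e-mail address is supplied and you notify the recipient yourself; and the status mapping follows the 403/404 notes on this page. The H1_API_IDENTIFIER and H1_API_TOKEN environment variable names, the `send` helper and the sample response are assumptions of this example.

```python
"""Award Bounty: build and send the authenticated POST (added example)."""
import base64
import json
import os
import urllib.request
from urllib.error import HTTPError

BASE = "https://api.hackerone.com/v1"


def basic_auth_header(identifier, token):
    """Same credentials curl -u sends: base64("identifier:token")."""
    raw = f"{identifier}:{token}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def bounty_request(program_id, amount, title, reference, identifier, token,
                   recipient=None, severity_rating=None, currency="USD"):
    """Return a prepared urllib Request for POST /programs/{id}/bounties (not sent)."""
    attributes = {"amount": amount, "reference": reference,
                  "title": title, "currency": currency}
    if recipient is not None:          # omit it to get a claim_url back instead of an e-mail
        attributes["recipient"] = recipient
    if severity_rating is not None:
        attributes["severity_rating"] = severity_rating
    body = {"data": {"type": "bounty", "attributes": attributes}}
    req = urllib.request.Request(f"{BASE}/programs/{program_id}/bounties",
                                 data=json.dumps(body).encode("utf-8"),
                                 method="POST")
    req.add_header("Content-Type", "application/json")
    req.add_header("Authorization", basic_auth_header(identifier, token))
    return req


def request_body(req):
    """Decode the JSON body of a prepared request (useful for review/logging)."""
    return json.loads(req.data.decode("utf-8"))


def claim_urls(response_doc):
    """Claim URLs from a bounty response, for notifying recipients yourself."""
    invitations = response_doc["data"]["attributes"].get("invitations", [])
    return [inv["claim_url"] for inv in invitations]


def explain_status(status, required_permission):
    """Map the status codes this page documents to an operator-facing message."""
    if status == 200:
        return "ok"
    if status == 403:
        return f"403 Forbidden: the API user lacks the {required_permission} permission"
    if status == 404:
        return ("404 Not Found: wrong id, or (on program endpoints) the API user "
                f"lacks the {required_permission} permission")
    return f"unexpected HTTP status {status}"


def send(req, required_permission="Reward Management"):
    """Send a prepared request; returns (status, parsed JSON or None)."""
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, json.loads(resp.read().decode("utf-8"))
    except HTTPError as err:
        print(explain_status(err.code, required_permission))
        return err.code, None


if __name__ == "__main__":
    # Assumed environment variable names; not part of the documented API.
    ident = os.environ.get("H1_API_IDENTIFIER", "api_example_company")
    token = os.environ.get("H1_API_TOKEN", "replace-me")
    req = bounty_request(11000, 100, "Reflected XSS on marketing.example.com",
                         "JIRA1239", ident, token, severity_rating="high")
    print(req.get_method(), req.full_url)
    print(json.dumps(request_body(req), indent=2))
```

Keeping the token in the environment rather than in the script matches how the curl examples expect it to be supplied, and `request_body` lets a reviewer check the exact amount and recipient before anything money-moving is sent.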
Get Awarded Swag
Query swag of the program
curl "https://api.hackerone.com/v1/programs/16789/swag?page%5Bnumber%5D=1&page%5Bsize%5D=100" \
-u "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ="
Example response (200 OK)
{
"data": [
{
"id": "8",
"type": "swag",
"attributes": {
"sent": true,
"created_at": "2019-08-30T08:33:42.147Z"
},
"relationships": {
"user": {
"data": {
"id": "1337",
"type": "user",
"attributes": {
"username": "api-example",
"name": "API Example",
"disabled": false,
"created_at": "2016-02-02T04:05:06.000Z",
"profile_picture": {
"62x62": "/assets/avatars/default.png",
"82x82": "/assets/avatars/default.png",
"110x110": "/assets/avatars/default.png",
"260x260": "/assets/avatars/default.png"
}
}
}
},
"address": {
"data": {
"id": "1337",
"type": "address",
"attributes": {
"name": "Jane Doe",
"street": "535 Mission Street",
"city": "San Francisco",
"postal_code": "94105",
"state": "CA",
"country": "United States of America",
"created_at": "2016-02-02T04:05:06.000Z",
"tshirt_size": "M_Large",
"phone_number": "+1-510-000-0000"
}
}
}
}
},
{
"id": "7",
"type": "swag",
"attributes": {
"sent": false,
"created_at": "2019-08-20T03:47:04.163Z"
},
"relationships": {
"user": {
"data": {
"id": "1338",
"type": "user",
"attributes": {
"username": "johndoe",
"name": "John Doe",
"disabled": false,
"created_at": "2017-02-02T04:05:06.000Z",
"profile_picture": {
"62x62": "/assets/avatars/default.png",
"82x82": "/assets/avatars/default.png",
"110x110": "/assets/avatars/default.png",
"260x260": "/assets/avatars/default.png"
}
}
}
},
"address": {
"data": {
"id": "1337",
"type": "address",
"attributes": {
"name": "John Smith",
"street": "535 Mission Street",
"city": "New York",
"postal_code": "10001",
"state": "NY",
"country": "United States of America",
"created_at": "2017-01-03T07:08:09.000Z",
"tshirt_size": "M_Large",
"phone_number": "+1-212-000-0000"
}
}
}
}
}
],
"links": {
}
}
Awarded swag can be fetched by sending a GET request to the swag endpoint. When the request is successful, the API will respond with paginated swag objects.
Required permission: Program Management. You can manage the permissions of your API users through your program's settings. Insufficient permissions will result in a 403 Forbidden response.
HTTP Request
GET https://api.hackerone.com/v1/programs/{id}/swag
URI Parameters
Name | Located in | Description | Required | Type |
---|---|---|---|---|
id | path | The ID of the program. | Yes | Integer |
Query Parameters
Name | Description | Required | Type |
---|---|---|---|
page | This parameter can be used to specify the page number and size the client wants to query. | No | Object |
page[number] | The page to retrieve. | No | Integer |
page[size] | The number of objects per page; currently limited from 1 to 100. Default: 25 | No | Integer |
Mark Swag as Sent
Mark swag as sent
curl "https://api.hackerone.com/v1/programs/12/swag/8" \
-X PUT \
-u "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=" \
-H "Content-Type: application/json" \
-d @- <<EOD
{
"data": {
"type": "swag",
"attributes": {
"sent": true
}
}
}
EOD
Example response (200 OK)
{
"data": {
"id": "8",
"type": "swag",
"attributes": {
"sent": true,
"created_at": "2019-08-30T08:33:42.147Z"
},
"relationships": {
"user": {
"data": {
"id": "1337",
"type": "user",
"attributes": {
"username": "api-example",
"name": "API Example",
"disabled": false,
"created_at": "2016-02-02T04:05:06.000Z",
"profile_picture": {
"62x62": "/assets/avatars/default.png",
"82x82": "/assets/avatars/default.png",
"110x110": "/assets/avatars/default.png",
"260x260": "/assets/avatars/default.png"
}
}
}
},
"address": {
"data": {
"id": "1337",
"type": "address",
"attributes": {
"name": "Jane Doe",
"street": "535 Mission Street",
"city": "San Francisco",
"postal_code": "94105",
"state": "CA",
"country": "United States of America",
"created_at": "2016-02-02T04:05:06.000Z",
"tshirt_size": "M_Large",
"phone_number": "+1-510-000-0000"
}
}
}
}
}
}
The status of swag can be updated to "sent" through this endpoint. When the request is successful, the API will respond with a swag object.
Required permission: Program Management. You can manage the permissions of your API users through your program's settings. Insufficient permissions will result in a 403 Forbidden response.
HTTP Request
PUT https://api.hackerone.com/v1/programs/{program_id}/swag/{id}
URI Parameters
Name | Description | Required | Type |
---|---|---|---|
program_id | The ID of the program. | Yes | Integer |
id | The ID of the swag. | Yes | Integer |
Request Body
Name | Description | Required | Type |
---|---|---|---|
data | This object contains the information to change the status of swag. | Yes | Object |
data/type | Possible values: swag | Yes | String |
data/attributes | | Yes | Object |
data/attributes/sent | Possible values: true | Yes | Boolean |
Get Reporters
Query reporters for a program
curl "https://api.hackerone.com/v1/programs/11000/reporters" \
-u "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ="
Example response (200 OK)
{
"data": [
{
"id": "1337",
"type": "user",
"attributes": {
"username": "awesome-hacker",
"name": "Awesome Hacker",
"disabled": false,
"created_at": "2016-02-02T04:05:06.000Z",
"profile_picture": {
"62x62": "/assets/avatars/default.png",
"82x82": "/assets/avatars/default.png",
"110x110": "/assets/avatars/default.png",
"260x260": "/assets/avatars/default.png"
}
}
}
],
"links": {
}
}
This resource allows you to retrieve a list of all users that ever submitted a report to the program.
Multiple user objects can be queried by sending a GET request to the reporters endpoint. When the request is successful, the API will respond with paginated user objects.
HTTP Request
GET https://api.hackerone.com/v1/programs/{id}/reporters
URI Parameters
Name | Description | Required | Type |
---|---|---|---|
id | The ID of the program. | Yes | Integer |
Query Parameters
Name | Description | Required | Type |
---|---|---|---|
page | This parameter can be used to specify the page number and size the client wants to query. | No | Object |
page[number] | The page to retrieve. | No | Integer |
page[size] | The number of objects per page; currently limited from 1 to 100. Default: 25 | No | Integer |
Manage Structured Scopes
This resource allows you to retrieve a list of all assets of the program. You can create, update and archive your existing structured scopes.
Query Structured Scopes
Query structured scopes for a program
curl "https://api.hackerone.com/v1/programs/16789/structured_scopes?page%5Bnumber%5D=1&page%5Bsize%5D=100" \
-u "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ="
Example response (200 OK)
{
"data": [
{
"id": "57",
"type": "structured-scope",
"attributes": {
"asset_identifier": "api.example.com",
"asset_type": "url",
"confidentiality_requirement": "high",
"integrity_requirement": "high",
"availability_requirement": "high",
"max_severity": "critical",
"created_at": "2015-02-02T04:05:06.000Z",
"updated_at": "2016-05-02T04:05:06.000Z",
"instruction": null,
"eligible_for_bounty": true,
"eligible_for_submission": true,
"reference": "H001001"
}
},
{
"id": "58",
"type": "structured-scope",
"attributes": {
"asset_identifier": "www.example.com",
"asset_type": "url",
"confidentiality_requirement": "low",
"integrity_requirement": "high",
"availability_requirement": "high",
"max_severity": "critical",
"created_at": "2017-02-03T04:05:10.000Z",
"updated_at": "2018-05-02T04:05:10.000Z",
"instruction": "Instruction text",
"eligible_for_bounty": true,
"eligible_for_submission": true,
"reference": "H001002"
}
}
],
"links": {
}
}
Structured scopes can be fetched by sending a GET request to the structured scopes endpoint. When the request is successful, the API will respond with paginated structured scopes.
HTTP Request
GET https://api.hackerone.com/v1/programs/{id}/structured_scopes
URI Parameters
Name | Located in | Description | Required | Type |
---|---|---|---|---|
id | path | The ID of the program. You can find the program ID by fetching your programs. | Yes | Integer |
Query Parameters
Name | Description | Required | Type |
---|---|---|---|
page | This parameter can be used to specify the page number and size the client wants to query. | No | Object |
page[number] | The page to retrieve. | No | Integer |
page[size] | The number of objects per page; currently limited from 1 to 100. Default: 25 | No | Integer |
Add Structured Scope
Create a structured scope for a program
curl "https://api.hackerone.com/v1/programs/1557/structured_scopes" \
-X POST \
-u "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=" \
-H "Content-Type: application/json" \
-d @- <<EOD
{
"data": {
"type": "structured-scope",
"attributes": {
"asset_identifier": "api.example.com",
"asset_type": "url",
"confidentiality_requirement": "high",
"integrity_requirement": "high",
"availability_requirement": "high",
"max_severity": "critical",
"created_at": "2015-02-02T04:05:06.000Z",
"updated_at": "2016-05-02T04:05:06.000Z",
"eligible_for_bounty": true,
"eligible_for_submission": true,
"reference": "H001001"
}
}
}
EOD
Example response (200 OK)
{
"id": "57",
"type": "structured-scope",
"attributes": {
"asset_identifier": "api.example.com",
"asset_type": "url",
"confidentiality_requirement": "high",
"integrity_requirement": "high",
"availability_requirement": "high",
"max_severity": "critical",
"created_at": "2015-02-02T04:05:06.000Z",
"updated_at": "2016-05-02T04:05:06.000Z",
"instruction": null,
"eligible_for_bounty": true,
"eligible_for_submission": true,
"reference": "H001001"
}
}
This API endpoint can be used to add an asset to a program. When the API request is successful, a structured-scope object will be returned. Please refer to our platform documentation to get more information on the different asset types.
HTTP Request
POST https://api.hackerone.com/v1/programs/{id}/structured_scopes
URI Parameters
Name | Description | Required | Type |
---|---|---|---|
id | The ID of the program. You can find the program ID by fetching your programs. | Yes | Integer |
Request Body
Name | Description | Possible Values | Required | Type |
---|---|---|---|---|
data | This object contains the information to create a structured scope. | | Yes | Object |
data/type | | structured-scope | Yes | String |
data/attributes | | | Yes | Object |
data/attributes/asset_identifier | The identifier of the asset. | | Yes | String |
data/attributes/asset_type | The type of the asset. | CIDR URL APPLE_STORE_APP_ID TESTFLIGHT OTHER_IPA GOOGLE_PLAY_APP_ID OTHER_APK WINDOWS_APP_STORE_APP_ID SOURCE_CODE DOWNLOADABLE_EXECUTABLES HARDWARE OTHER | Yes | String |
data/attributes/eligible_for_bounty | Whether the asset is eligible for bounty. | | No | Boolean |
data/attributes/eligible_for_submission | Whether the asset is eligible for submission. | | No | Boolean |
data/attributes/instruction | The raw instruction for the asset provided by the program. Markdown is not parsed. | | No | String |
data/attributes/confidentiality_requirement | A CVSS environmental modifier that reweights the Confidentiality Impact of a vulnerability on this asset. | none low medium high | No | String |
data/attributes/integrity_requirement | A CVSS environmental modifier that reweights the Integrity Impact of a vulnerability on this asset. | none low medium high | No | String |
data/attributes/availability_requirement | A CVSS environmental modifier that reweights the Availability Impact of a vulnerability on this asset. | none low medium high | No | String |
data/attributes/max_severity | The qualitative rating of the maximum severity allowed on this asset. Its value is calculated from the combination of all three environmental requirements (CR, IR, and AR). | none low medium high critical | No | String |
data/attributes/reference | The customer-defined reference identifier or tag of the asset. | | No | String |
Update Structured Scope
Update a structured scope of a program
curl "https://api.hackerone.com/v1/programs/1557/structured_scopes/84" \
-X PATCH \
-u "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=" \
-H "Content-Type: application/json" \
-d @- <<EOD
{
"data": {
"type": "structured-scope",
"attributes": {
"asset_identifier": "api.example.com",
"asset_type": "url",
"confidentiality_requirement": "high",
"integrity_requirement": "high",
"availability_requirement": "high",
"max_severity": "critical",
"created_at": "2015-02-02T04:05:06.000Z",
"updated_at": "2016-05-02T04:05:06.000Z",
"eligible_for_bounty": true,
"eligible_for_submission": true,
"reference": "H001001"
}
}
}
EOD
Example response (200 OK)
{
"id": "57",
"type": "structured-scope",
"attributes": {
"asset_identifier": "api.example.com",
"asset_type": "url",
"confidentiality_requirement": "high",
"integrity_requirement": "high",
"availability_requirement": "high",
"max_severity": "critical",
"created_at": "2015-02-02T04:05:06.000Z",
"updated_at": "2016-05-02T04:05:06.000Z",
"instruction": null,
"eligible_for_bounty": true,
"eligible_for_submission": true,
"reference": "H001001"
}
}
This API endpoint can be used to update an asset of a program. When the API request is successful, a structured-scope object will be returned.
HTTP Request
PATCH https://api.hackerone.com/v1/programs/{program_id}/structured_scopes/{id}
URI Parameters
Name | Description | Required | Type |
---|---|---|---|
program_id | The ID of the program. You can find the program ID by fetching your programs. | Yes | Integer |
id | The ID of the structured scope. | Yes | Integer |
Request Body
Name | Description | Possible Values | Required | Type |
---|---|---|---|---|
data | This object contains the information to update a structured scope. | | Yes | Object |
data/type | | structured-scope | Yes | String |
data/attributes | | | Yes | Object |
data/attributes/asset_identifier | The identifier of the asset. | | Yes | String |
data/attributes/eligible_for_bounty | Whether the asset is eligible for bounty. | | No | Boolean |
data/attributes/eligible_for_submission | Whether the asset is eligible for submission. | | No | Boolean |
data/attributes/instruction | The raw instruction for the asset provided by the program. Markdown is not parsed. | | No | String |
data/attributes/confidentiality_requirement | A CVSS environmental modifier that reweights the Confidentiality Impact of a vulnerability on this asset. | none low medium high | No | String |
data/attributes/integrity_requirement | A CVSS environmental modifier that reweights the Integrity Impact of a vulnerability on this asset. | none low medium high | No | String |
data/attributes/availability_requirement | A CVSS environmental modifier that reweights the Availability Impact of a vulnerability on this asset. | none low medium high | No | String |
data/attributes/max_severity | The qualitative rating of the maximum severity allowed on this asset. Its value is calculated from the combination of all three environmental requirements (CR, IR, and AR). | none low medium high critical | No | String |
data/attributes/reference | The customer-defined reference identifier or tag of the asset. | | No | String |
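A client-side check for the Add Structured Scope and Update Structured Scope request bodies above, as an added example in Python that is not part of HackerOne's documentation. It enforces the allowed values from the two request-body tables before anything is sent, forwards only the documented keys, collects every problem in one error so a batch of assets can be fixed in a single pass, and emits the JSON:API body for either the POST or the PATCH. Case-insensitive matching of asset_type is an assumption of this example, made because the curl examples send "url" while the table lists "URL".

```python
"""Client-side checks for Add/Update Structured Scope payloads (added example)."""
import json

# Allowed values, copied from the request-body tables for this resource.
ASSET_TYPES = {"CIDR", "URL", "APPLE_STORE_APP_ID", "TESTFLIGHT", "OTHER_IPA",
               "GOOGLE_PLAY_APP_ID", "OTHER_APK", "WINDOWS_APP_STORE_APP_ID",
               "SOURCE_CODE", "DOWNLOADABLE_EXECUTABLES", "HARDWARE", "OTHER"}
REQUIREMENT_LEVELS = {"none", "low", "medium", "high"}           # CR / IR / AR
SEVERITY_LEVELS = {"none", "low", "medium", "high", "critical"}  # max_severity
REQUIREMENT_FIELDS = ("confidentiality_requirement",
                      "integrity_requirement", "availability_requirement")
BOOL_FIELDS = ("eligible_for_bounty", "eligible_for_submission")
TEXT_FIELDS = ("instruction", "reference")


class ScopeValidationError(ValueError):
    """Raised with every problem found, joined by '; '."""


def build_structured_scope(attrs, updating=False):
    """Return the JSON:API body for POST (updating=False) or PATCH (updating=True).

    Only keys listed in the request-body tables are forwarded; anything else
    (for instance the created_at/updated_at values in the curl example) is
    dropped. asset_type is checked only on create, because the Update table
    does not list it. Assumption: the server matches asset_type
    case-insensitively, since the examples send "url" and the table says "URL".
    """
    errors = []
    out = {}

    ident = str(attrs.get("asset_identifier") or "").strip()
    if not ident:
        errors.append("asset_identifier is required")
    out["asset_identifier"] = ident

    if not updating:
        atype = attrs.get("asset_type")
        if str(atype or "").upper() not in ASSET_TYPES:
            errors.append(f"asset_type {atype!r} is not one of {sorted(ASSET_TYPES)}")
        out["asset_type"] = atype

    for field in BOOL_FIELDS:
        if field in attrs:
            if not isinstance(attrs[field], bool):
                errors.append(f"{field} must be true or false, got {attrs[field]!r}")
            out[field] = attrs[field]

    for field in REQUIREMENT_FIELDS:
        if field in attrs:
            value = attrs[field]
            if not isinstance(value, str) or value not in REQUIREMENT_LEVELS:
                errors.append(f"{field} {value!r} is not one of {sorted(REQUIREMENT_LEVELS)}")
            out[field] = value

    if "max_severity" in attrs:
        value = attrs["max_severity"]
        if not isinstance(value, str) or value not in SEVERITY_LEVELS:
            errors.append(f"max_severity {value!r} is not one of {sorted(SEVERITY_LEVELS)}")
        out["max_severity"] = value

    for field in TEXT_FIELDS:
        if field in attrs:
            if not isinstance(attrs[field], str):
                errors.append(f"{field} must be a string, got {attrs[field]!r}")
            out[field] = attrs[field]

    if errors:
        raise ScopeValidationError("; ".join(errors))
    return {"data": {"type": "structured-scope", "attributes": out}}


if __name__ == "__main__":
    # Constructed input mirroring the Add Structured Scope curl example.
    asset = {"asset_identifier": "api.example.com", "asset_type": "url",
             "confidentiality_requirement": "high", "integrity_requirement": "high",
             "availability_requirement": "high", "max_severity": "critical",
             "eligible_for_bounty": True, "eligible_for_submission": True,
             "reference": "H001001"}
    print(json.dumps(build_structured_scope(asset), indent=2))
```

Validating locally matters most for eligible_for_submission and eligible_for_bounty: a typo that silently widens or narrows what hackers may test or be paid for is cheaper to catch before the PATCH than after.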
Archive Structured Scope
Archive a structured scope of a program
curl "https://api.hackerone.com/v1/programs/1557/structured_scopes/84" \
-X DELETE \
-u "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ="
Example response (200 OK)
{
"id": "57",
"type": "structured-scope",
"attributes": {
"asset_identifier": "api.example.com",
"asset_type": "url",
"confidentiality_requirement": "high",
"integrity_requirement": "high",
"availability_requirement": "high",
"max_severity": "critical",
"created_at": "2015-02-02T04:05:06.000Z",
"updated_at": "2016-05-02T04:05:06.000Z",
"instruction": null,
"eligible_for_bounty": true,
"eligible_for_submission": true,
"reference": "H001001"
}
}
This API endpoint can be used to archive an asset of a program. When the API request is successful, a structured-scope object will be returned.
HTTP Request
DELETE https://api.hackerone.com/v1/programs/{program_id}/structured_scopes/{id}
URI Parameters
Name | Description | Required | Type |
---|---|---|---|
program_id | The ID of the program. You can find the program ID by fetching your programs. | Yes | Integer |
id | The ID of the structured scope. | Yes | Integer |
Get Weaknesses
This resource allows you to retrieve a list of all weaknesses of the program.
Query weaknesses for a program
curl "https://api.hackerone.com/v1/programs/16789/weaknesses?page%5Bnumber%5D=1&page%5Bsize%5D=100" \
-u "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ="
Example Response (200 OK)
{
"data": [
{
"id": "1337",
"type": "weakness",
"attributes": {
"name": "Cross-Site Request Forgery (CSRF)",
"description": "The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.",
"created_at": "2016-02-02T04:05:06.000Z",
"external_id": "cwe-352"
}
},
{
"id": "1338",
"type": "weakness",
"attributes": {
"name": "SQL Injection",
"description": "The software constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component.",
"created_at": "2016-03-02T04:05:06.000Z",
"external_id": "cwe-89"
}
}
],
"links": {
}
}
Weaknesses can be fetched by sending a GET request to the weaknesses endpoint. When the request is successful, the API will respond with paginated weakness objects.
HTTP Request
GET https://api.hackerone.com/v1/programs/{id}/weaknesses
URI Parameters
Name | Description | Required | Type |
---|---|---|---|
id | The ID of the program. | Yes | Integer |
Query Parameters
Name | Description | Required | Type |
---|---|---|---|
page | This parameter can be used to specify the page number and size the client wants to query. | No | Object |
page[number] | The page to retrieve. | No | Integer |
page[size] | The number of objects per page; currently limited from 1 to 100. Default: 25 | No | Integer |
Get Thanks to Hackers
This resource allows you to view a customer's thanks to hackers.
Query thanks for a program
curl "https://api.hackerone.com/v1/programs/16789/thanks?page%5Bnumber%5D=1&page%5Bsize%5D=100" \
-u "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ="
Example response (200 OK)
{
"data": [
{
"type": "thanks_item",
"attributes": {
"total_report_count": 1,
"reputation": 7,
"recognized_report_count": 1,
"username": "lorem",
"user_id": "55"
}
},
{
"type": "thanks_item",
"attributes": {
"total_report_count": 1,
"reputation": 22,
"recognized_report_count": 1,
"username": "ipsum",
"user_id": "13"
}
},
{
"type": "thanks_item",
"attributes": {
"total_report_count": 5,
"reputation": 38,
"recognized_report_count": 3,
"username": "hacker",
"user_id": "24"
}
}
],
"links": {}
}
Customer thanks items can be fetched by sending a GET request to the thanks endpoint. When the request is successful, the API will respond with paginated thanks item objects.
HTTP Request
GET https://api.hackerone.com/v1/programs/{id}/thanks
URI Parameters
Name | Description | Required | Type |
---|---|---|---|
id | The ID of the program. | Yes | Integer |
Query Parameters
Name | Description | Required | Type |
---|---|---|---|
page | This parameter can be used to specify the page number and size the client wants to query. | No | Object |
page[number] | The page to retrieve. | No | Integer |
page[size] | The number of objects per page; currently limited from 1 to 100. Default: 25 | No | Integer |
Get Common Responses
Query common responses for a program
curl "https://api.hackerone.com/v1/programs/15567/common_responses?page%5Bnumber%5D=1&page%5Bsize%5D=100" \
-u "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ="
Example response (200 OK)
{
"data": [
{
"id": "108878",
"attributes": {
"title": "Vulnerability Scanner False Positive",
"message": "Automated vulnerability scanners commonly have low priority issues and/or false positives. Before submitting the results from a scanner, please take a moment to confirm that the reported issues are actually valid and exploitable. Please reply if you have a working proof-of-concept or reason to believe that this issue is exploitable.\n"
}
},
{
"id": "108886",
"attributes": {
"title": "X-XSS-Protection",
"message": "Automated vulnerability scanners commonly have low priority issues and/or false positives. Before submitting the results from a scanner, please take a moment to confirm that the reported issues are actually valid and exploitable. In this specific case, we believe that the default state of the `X-XSS-Protection` header is sufficient for our purposes. Please reply if you have a working proof-of-concept that could be mitigated by an adjustment to our header.\n"
}
},
{
"id": "108891",
"attributes": {
"title": "Video Without Content",
"message": "Using a video to demonstrate a potential issue should only be necessary in rare situations and should always be accompanied with a text description of the issue as well. Please update this report with step-by-step instructions to reproduce the core components of the issue. If you don't speak English, feel free to leave your report in your own language, and we'll try our best to find someone who can help translate.\n"
}
}
],
"links": {
}
}
Common responses can be fetched by sending a GET request to the common responses endpoint. When the request is successful, the API will respond with paginated common responses.
HTTP Request
GET https://api.hackerone.com/v1/programs/{id}/common_responses
URI Parameters
Name | Description | Required | Type |
---|---|---|---|
id | The ID of the program. | Yes | Integer |
Query Parameters
Name | Description | Required | Type |
---|---|---|---|
page | This parameter can be used to specify the page number and size the client wants to query. | No | Object |
page[number] | The page to retrieve. | No | Integer |
page[size] | The number of objects per page; currently limited from 1 to 100. Default: 25 | No | Integer |
Get Audit Log
Query audit log for a program
curl "https://api.hackerone.com/v1/programs/15567/audit_log?page%5Bnumber%5D=1&page%5Bsize%5D=100" \
-u "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ="
Example response (200 OK)
{
"data": [
{
"id": "1",
"type": "audit-log-item",
"attributes": {
"log": "\"@member\" invited \"someone@example.com\".",
"event": "invitations.team_members.create",
"source": "User#1",
"subject": "Invitation#1",
"created_at": "2019-05-15T04:05:06.000Z"
}
}
],
"links": {
}
}
Returns a paginated list of the audit log items of the provided program.
This API endpoint allows a user to consume all audit log items that have been created for a particular program.
Required permission: Program Management for consuming the audit log items. You can manage the permissions of your API users through your program's settings. Insufficient permissions will result in a 403 Forbidden response.
Note: this feature is currently in beta and has not been enabled for all programs.
HTTP Request
GET https://api.hackerone.com/v1/programs/{id}/audit_log
URI Parameters
Name | Description | Required | Type |
---|---|---|---|
id | The ID of the program. | Yes | Integer |
Query Parameters
Name | Description | Required | Type |
---|---|---|---|
page | This parameter can be used to specify the page number and size the client wants to query. | No | Object |
page[number] | The page to retrieve. | No | Integer |
page[size] | The number of objects per page; currently limited from 1 to 100. Default: 25 | No | Integer |
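The weaknesses, thanks, common responses and audit log endpoints above all paginate the same way, through `page[number]` and `page[size]` (1 to 100). The following added example is not HackerOne's own code: it builds those URLs with the bracket encoding the curl examples use, authenticates with HTTP Basic auth like `curl -u`, maps the documented 403 to a permission error, walks every page of a program's audit log, and tallies items per `event` name as a simple baseline for membership changes. The program ID 15567 and the `fetch` callable are assumptions so the paging logic can run against constructed pages.

```python
import base64
import json
import urllib.error
import urllib.parse
import urllib.request

API_BASE = "https://api.hackerone.com/v1"
MAX_PAGE_SIZE = 100  # page[size] is limited to 1..100 per the documentation


def audit_log_url(program_id, page_number, page_size):
    """Build the paginated audit_log URL; urlencode percent-encodes the brackets like the curl example."""
    if not 1 <= page_size <= MAX_PAGE_SIZE:
        raise ValueError("page[size] must be between 1 and 100")
    query = urllib.parse.urlencode({"page[number]": page_number, "page[size]": page_size})
    return f"{API_BASE}/programs/{program_id}/audit_log?{query}"


def http_fetch(url, identifier, token):
    """Real transport: HTTP Basic auth with the API identifier and token, as curl -u does."""
    req = urllib.request.Request(url)
    cred = base64.b64encode(f"{identifier}:{token}".encode()).decode()
    req.add_header("Authorization", f"Basic {cred}")
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as exc:
        if exc.code == 403:  # documented response when Program Management permission is missing
            raise PermissionError("API user lacks the Program Management permission") from exc
        raise


def iter_audit_log(program_id, fetch, page_size=MAX_PAGE_SIZE):
    """Yield every audit-log-item, advancing page[number] until a short or empty page arrives."""
    page_number = 1
    while True:
        items = fetch(audit_log_url(program_id, page_number, page_size)).get("data", [])
        yield from items
        if len(items) < page_size:
            return
        page_number += 1


def events_by_type(program_id, fetch, page_size=MAX_PAGE_SIZE):
    """Count items per `event` name, a cheap baseline for spotting bursts of e.g. member invitations."""
    counts = {}
    for item in iter_audit_log(program_id, fetch, page_size):
        event = item["attributes"]["event"]
        counts[event] = counts.get(event, 0) + 1
    return counts
```

For a live run, pass `functools.partial(http_fetch, identifier=..., token=...)` as `fetch`; for offline use, any callable that maps a URL to a decoded response body works.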
Get Your Programs
Query your programs
curl "https://api.hackerone.com/v1/me/programs" \
-u "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ="
Example response (200 OK)
{
"data": [
{
"id": "1",
"type": "program",
"attributes": {
"handle": "security",
"created_at": "2017-01-01T08:00:00.000Z",
"updated_at": "2017-02-17T04:34:15.910Z"
}
}
],
"links": {}
}
This API endpoint allows you to query all program objects that you are a member of. The groups and members relationships are not included in the response.
HTTP Request
GET https://api.hackerone.com/v1/me/programs
Query Parameters
Name | Description | Required | Type |
---|---|---|---|
handle | The HackerOne handle of the program whose activities you wish to retrieve. | Yes | String |
updated_at_after | A datetime encoded as a string. Used to indicate what cut-off date to use when retrieving activities. When not provided, no filtering is applied and all activities will be retrieved. | No | DateTime |
page | This parameter can be used to specify the page number and size the client wants to query. | No | Object |
page[number] | The page to retrieve. | No | Integer |
page[size] | The number of objects per page; currently limited from 1 to 100. Default: 25 | No | Integer |
Get Balance
Query the current balance for a program
curl "https://api.hackerone.com/v1/programs/13/billing/balance" \
-u "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ="
Example response (200 OK)
{
"data": {
"balance": "12000.00"
}
}
This API endpoint allows a user to retrieve the current balance of the program.
Required permission: Program Management. You can manage the permissions of your API users through your program's settings. Insufficient permissions will result in a 403 Forbidden response.
HTTP Request
GET https://api.hackerone.com/v1/programs/{id}/billing/balance
URI Parameters
Name | Description | Required | Type |
---|---|---|---|
id | The ID of the program. | Yes | Integer |
Get Payment Transactions
Query payment transactions for a program
curl "https://api.hackerone.com/v1/programs/13/billing/transactions?month=9&year=2019" \
-u "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ="
Example response (200 OK)
{
"data": [
{
"id": 10,
"activity_date": "2019-09-25T04:22:42.686Z",
"activity_description": "Bounty for report #9",
"bounty_award": "1000.00",
"bounty_fee": "200.00",
"debit_or_credit_amount": "-1200.00",
"balance": "-1200.00",
"report_id": 9,
"report_url": "http://hackerone.com/reports/9"
}
]
}
This API endpoint allows a user to retrieve the program's payment transactions for the selected period. When the request is successful, the API will respond with paginated payment transaction objects of the provided program.
Required permission: Program Management. You can manage the permissions of your API users through your program's settings. Insufficient permissions will result in a 403 Forbidden response.
HTTP Request
GET https://api.hackerone.com/v1/programs/{id}/billing/transactions
URI Parameters
Name | Description | Required | Type |
---|---|---|---|
id | The ID of the program. | Yes | Integer |
Query Parameters
Name | Description | Required | Type |
---|---|---|---|
month | The month of the transaction period. Default: the current month | No | Integer |
year | The year of the transaction period. Default: the current year | No | Integer |
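The transaction objects above carry `bounty_award`, `bounty_fee`, `debit_or_credit_amount` and a running `balance` as decimal strings, which makes a month's ledger checkable offline. The following added example is not HackerOne's own code: it reconciles each row (award plus fee must equal the debit, and the balance must carry over from row to row) and reports the share of spend going to fees. The sample rows are constructed in the shape of the endpoint's `data` array, the second one deliberately inconsistent, and the opening balance of the period is an assumption (in practice, the balance before the first transaction of that month).

```python
from decimal import Decimal

# Constructed sample in the shape of the transactions endpoint's "data" array;
# the second row deliberately carries a running balance that does not add up.
SAMPLE_TRANSACTIONS = [
    {"id": 10, "activity_date": "2019-09-25T04:22:42.686Z", "activity_description": "Bounty for report #9",
     "bounty_award": "1000.00", "bounty_fee": "200.00", "debit_or_credit_amount": "-1200.00",
     "balance": "-1200.00", "report_id": 9},
    {"id": 11, "activity_date": "2019-09-26T10:00:00.000Z", "activity_description": "Bounty for report #12",
     "bounty_award": "500.00", "bounty_fee": "100.00", "debit_or_credit_amount": "-600.00",
     "balance": "-1900.00", "report_id": 12},
]


def reconcile(transactions, opening_balance="0.00"):
    """Check each row: award + fee must equal the debit, and the running balance must carry over.

    Amounts are strings in the response; Decimal avoids binary-float rounding on money.
    opening_balance is the assumed balance before the period. Returns a list of
    (transaction id, problem) tuples; an empty list means the ledger is consistent.
    """
    problems = []
    running = Decimal(opening_balance)
    for tx in sorted(transactions, key=lambda t: t["activity_date"]):
        award = Decimal(tx["bounty_award"])
        fee = Decimal(tx["bounty_fee"])
        debit = Decimal(tx["debit_or_credit_amount"])
        if award + fee + debit != 0:
            problems.append((tx["id"], f"award {award} + fee {fee} != debit {-debit}"))
        running += debit
        if running != Decimal(tx["balance"]):
            problems.append((tx["id"], f"expected balance {running}, got {tx['balance']}"))
            running = Decimal(tx["balance"])  # resync so one bad row is reported only once
    return problems


def fee_ratio(transactions):
    """Total fee as a share of total bounty awards, useful when a period's spend looks off."""
    award = sum(Decimal(t["bounty_award"]) for t in transactions)
    fee = sum(Decimal(t["bounty_fee"]) for t in transactions)
    return fee / award if award else Decimal(0)
```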
Users
Get User
Read a user
curl "https://api.hackerone.com/v1/users/fransrosen" \
-u "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ="
Example response (200 OK)
{
"id": "1634",
"username": "fransrosen",
"name": "Frans Rosén",
"reputation": 1337,
"disabled": false,
"signal": 7.0,
"impact": 30.0,
"created_at": "2015-13-37T04:05:06.000Z",
"participating_programs": {
"data": [{
"id": "1337",
"type":"program",
"attributes": {
"handle": "security",
"created_at": "2014-13-37T04:05:06.000Z",
"updated_at": "2014-13-37T04:05:06.000Z"
}
}]
}
}
A user object can be fetched by providing the username of the given user. When the request is successful, the API will respond with a user object.
HTTP Request
GET https://api.hackerone.com/v1/users/{username}
URI Parameters
Name | Description | Required | Type |
---|---|---|---|
username | The HackerOne username of the user. | Yes | String |