NAV Navbar
Shell Python Ruby Java Javascript Go

Core Resources

Activities

Query Activities

Code samples

# You can also use wget
curl "https://api.hackerone.com/v1/incremental/activities?handle=string" \
  -X GET \
  -u "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=" \
  -H 'Accept: application/json'

import requests
headers = {
  'Accept': 'application/json'
}

r = requests.get(
  'https://api.hackerone.com/v1/incremental/activities',
  auth=('api_example_company', 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ='),
  params={
      'handle': 'string'
  },
  headers = headers
)

print(r.json())

require 'rest-client'
require 'json'

headers = {
  'Accept' => 'application/json'
}

result = RestClient::Request.execute(
  method: :get,
  url: 'https://api.hackerone.com/v1/incremental/activities',
  password: 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=',
  user: 'api_example_company',
  headers: headers
)
p JSON.parse(result)

URL obj = new URL("https://api.hackerone.com/v1/incremental/activities?handle=string");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();

String userCredentials = "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);

con.setRequestMethod("GET");
try(BufferedReader br = new BufferedReader(
  new InputStreamReader(con.getInputStream(), "utf-8"))) {
    StringBuilder response = new StringBuilder();
    String responseLine = null;
    while ((responseLine = br.readLine()) != null) {
        response.append(responseLine.trim());
    }
    System.out.println(response.toString());
}


let user = 'api_example_company';
let password = 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
  headers.set('Accept', 'application/json');

fetch('https://api.hackerone.com/v1/incremental/activities?handle=string',
{
  method: 'GET',

  headers: headers
})
.then(function(res) {
    return res.json();
}).then(function(body) {
    console.log(body);
});

package main

import (
       "io/ioutil"
       "log"
       "net/http"
)

func main() { 
    headers := map[string][]string{
        "Accept": []string{"application/json"},

    }

    req, err := http.NewRequest("GET", "https://api.hackerone.com/v1/incremental/activities", nil)
    req.Header = headers
    req.SetBasicAuth("api_example_company", "Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=")

    client := &http.Client{}
    resp, err := client.Do(req)
    if err != nil {
      panic(err)
    }
    defer resp.Body.Close()

    body, _ := ioutil.ReadAll(resp.Body)

    log.Println(string(body))
}

200 Response

{
  "data": [
    {
      "type": "activity-bug-filed",
      "id": "1337",
      "attributes": {
        "report_id": "99900",
        "message": "",
        "created_at": "2016-02-02T04:05:06.000Z",
        "updated_at": "2017-02-02T04:05:06.000Z",
        "internal": false
      },
      "relationships": {
        "actor": {
          "data": {
            "type": "user",
            "id": "7331",
            "attributes": {
              "username": "api-example",
              "name": "API Example",
              "disabled": false,
              "created_at": "2016-02-02T04:05:06.000Z",
              "profile_picture": {
                "62x62": "/assets/avatars/default.png",
                "82x82": "/assets/avatars/default.png",
                "110x110": "/assets/avatars/default.png",
                "260x260": "/assets/avatars/default.png"
              }
            }
          }
        }
      }
    }
  ],
  "meta": {
    "max_updated_at": "2017-02-02T04:05:06.000Z"
  },
  "links": {
    "self": "https://api.hackerone.com/v1/incremental/activities?handle=acme&page%5Bsize%5D=1",
    "next": "https://api.hackerone.com/v1/incremental/activities?handle=acme&page%5Bsize%5D=1&page%5Bnumber%5D=2",
    "last": "https://api.hackerone.com/v1/incremental/activities?handle=acme&page%5Bsize%5D=1&page%5Bnumber%5D=20"
  }
}

GET /incremental/activities

This endpoint allows you to fetch all activities of your program incrementally by time.

This endpoint is used to:

The next section will give an overview of what an Activity object looks like. The sections after that will show the endpoints that have been implemented for this resource.

Note: The request URL path is /incremental/activities. When the request is successful, the API will respond with paginated activity objects ordered by updated date.

Parameters

Name In Type Required Description
handle query string true The HackerOne handle of the program with activities you wish to retrieve.
updated_at_after query string false A datetime encoded as a string. Used to indicate what cut-off date to use when retrieving activities. When not provided, no filtering is applied and all activities will be retrieved.
page[number] query any false The page to retrieve from.
page[size] query any false The number of objects per page (currently limited from 1 to 100).

Programs

Get Your Programs

Code samples

# You can also use wget
curl "https://api.hackerone.com/v1/me/programs" \
  -X GET \
  -u "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=" \
  -H 'Accept: application/json'

import requests
headers = {
  'Accept': 'application/json'
}

r = requests.get(
  'https://api.hackerone.com/v1/me/programs',
  auth=('api_example_company', 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ='),
  headers = headers
)

print(r.json())

require 'rest-client'
require 'json'

headers = {
  'Accept' => 'application/json'
}

result = RestClient::Request.execute(
  method: :get,
  url: 'https://api.hackerone.com/v1/me/programs',
  password: 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=',
  user: 'api_example_company',
  headers: headers
)
p JSON.parse(result)

URL obj = new URL("https://api.hackerone.com/v1/me/programs");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();

String userCredentials = "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);

con.setRequestMethod("GET");
try(BufferedReader br = new BufferedReader(
  new InputStreamReader(con.getInputStream(), "utf-8"))) {
    StringBuilder response = new StringBuilder();
    String responseLine = null;
    while ((responseLine = br.readLine()) != null) {
        response.append(responseLine.trim());
    }
    System.out.println(response.toString());
}


let user = 'api_example_company';
let password = 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
  headers.set('Accept', 'application/json');

fetch('https://api.hackerone.com/v1/me/programs',
{
  method: 'GET',

  headers: headers
})
.then(function(res) {
    return res.json();
}).then(function(body) {
    console.log(body);
});

package main

import (
       "io/ioutil"
       "log"
       "net/http"
)

func main() { 
    headers := map[string][]string{
        "Accept": []string{"application/json"},

    }

    req, err := http.NewRequest("GET", "https://api.hackerone.com/v1/me/programs", nil)
    req.Header = headers
    req.SetBasicAuth("api_example_company", "Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=")

    client := &http.Client{}
    resp, err := client.Do(req)
    if err != nil {
      panic(err)
    }
    defer resp.Body.Close()

    body, _ := ioutil.ReadAll(resp.Body)

    log.Println(string(body))
}

200 Response

{
  "data": [
    {
      "id": "1",
      "type": "program",
      "attributes": {
        "handle": "security",
        "created_at": "2017-01-01T08:00:00.000Z",
        "updated_at": "2017-02-17T04:34:15.910Z"
      }
    }
  ],
  "links": {}
}

GET /me/programs

This API endpoint allows you to query the program objects that you are a member of.

The groups and members relationships are not included in the response.

Parameters

Name In Type Required Description
page[number] query any false The page to retrieve from.
page[size] query any false The number of objects per page (currently limited from 1 to 100).

Get Audit Log

Code samples

# You can also use wget
curl "https://api.hackerone.com/v1/programs/{id}/audit_log" \
  -X GET \
  -u "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=" \
  -H 'Accept: application/json'

import requests
headers = {
  'Accept': 'application/json'
}

r = requests.get(
  'https://api.hackerone.com/v1/programs/{id}/audit_log',
  auth=('api_example_company', 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ='),
  headers = headers
)

print(r.json())

require 'rest-client'
require 'json'

headers = {
  'Accept' => 'application/json'
}

result = RestClient::Request.execute(
  method: :get,
  url: 'https://api.hackerone.com/v1/programs/{id}/audit_log',
  password: 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=',
  user: 'api_example_company',
  headers: headers
)
p JSON.parse(result)

URL obj = new URL("https://api.hackerone.com/v1/programs/{id}/audit_log");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();

String userCredentials = "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);

con.setRequestMethod("GET");
try(BufferedReader br = new BufferedReader(
  new InputStreamReader(con.getInputStream(), "utf-8"))) {
    StringBuilder response = new StringBuilder();
    String responseLine = null;
    while ((responseLine = br.readLine()) != null) {
        response.append(responseLine.trim());
    }
    System.out.println(response.toString());
}


let user = 'api_example_company';
let password = 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
  headers.set('Accept', 'application/json');

fetch('https://api.hackerone.com/v1/programs/{id}/audit_log',
{
  method: 'GET',

  headers: headers
})
.then(function(res) {
    return res.json();
}).then(function(body) {
    console.log(body);
});

package main

import (
       "io/ioutil"
       "log"
       "net/http"
)

func main() { 
    headers := map[string][]string{
        "Accept": []string{"application/json"},

    }

    req, err := http.NewRequest("GET", "https://api.hackerone.com/v1/programs/{id}/audit_log", nil)
    req.Header = headers
    req.SetBasicAuth("api_example_company", "Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=")

    client := &http.Client{}
    resp, err := client.Do(req)
    if err != nil {
      panic(err)
    }
    defer resp.Body.Close()

    body, _ := ioutil.ReadAll(resp.Body)

    log.Println(string(body))
}

200 Response

{
  "data": {
    "id": "1",
    "type": "audit-log-item",
    "attributes": {
      "log": "\"@member\" invited \"someone@example.com\".",
      "event": "invitations.team_members.create",
      "source": "User#1",
      "subject": "Invitation#1",
      "user_agent": "Chrome/11.0",
      "country": "US",
      "parameters": "{\"identifier\":\"jobert\"}",
      "created_at": "2019-05-15T04:05:06.000Z"
    }
  }
}

GET /programs/{id}/audit_log

Returns a paginated list of the audit log items of the provided program.

This API endpoint allows a user to view all audit log items that have been created for a particular program.

Required permissions: Program Management. You can view audit log items and manage the permissions of your API users through your program's settings. Insufficient permissions will result in a 403 Forbidden response.

Note: This feature is currently in beta and has not been enabled for all programs.

Parameters

Name In Type Required Description
id path integer true The ID of the program.
page[number] query any false The page to retrieve from.
page[size] query any false The number of objects per page (currently limited from 1 to 100).

Get Your Programs Balance

Code samples

# You can also use wget
curl "https://api.hackerone.com/v1/programs/{id}/billing/balance" \
  -X GET \
  -u "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=" \
  -H 'Accept: application/json'

import requests
headers = {
  'Accept': 'application/json'
}

r = requests.get(
  'https://api.hackerone.com/v1/programs/{id}/billing/balance',
  auth=('api_example_company', 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ='),
  headers = headers
)

print(r.json())

require 'rest-client'
require 'json'

headers = {
  'Accept' => 'application/json'
}

result = RestClient::Request.execute(
  method: :get,
  url: 'https://api.hackerone.com/v1/programs/{id}/billing/balance',
  password: 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=',
  user: 'api_example_company',
  headers: headers
)
p JSON.parse(result)

URL obj = new URL("https://api.hackerone.com/v1/programs/{id}/billing/balance");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();

String userCredentials = "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);

con.setRequestMethod("GET");
try(BufferedReader br = new BufferedReader(
  new InputStreamReader(con.getInputStream(), "utf-8"))) {
    StringBuilder response = new StringBuilder();
    String responseLine = null;
    while ((responseLine = br.readLine()) != null) {
        response.append(responseLine.trim());
    }
    System.out.println(response.toString());
}


let user = 'api_example_company';
let password = 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
  headers.set('Accept', 'application/json');

fetch('https://api.hackerone.com/v1/programs/{id}/billing/balance',
{
  method: 'GET',

  headers: headers
})
.then(function(res) {
    return res.json();
}).then(function(body) {
    console.log(body);
});

package main

import (
       "io/ioutil"
       "log"
       "net/http"
)

func main() { 
    headers := map[string][]string{
        "Accept": []string{"application/json"},

    }

    req, err := http.NewRequest("GET", "https://api.hackerone.com/v1/programs/{id}/billing/balance", nil)
    req.Header = headers
    req.SetBasicAuth("api_example_company", "Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=")

    client := &http.Client{}
    resp, err := client.Do(req)
    if err != nil {
      panic(err)
    }
    defer resp.Body.Close()

    body, _ := ioutil.ReadAll(resp.Body)

    log.Println(string(body))
}

200 Response

{
  "data": {
    "id": "1337",
    "type": "program-balance",
    "attributes": {
      "balance": "1500.00"
    }
  }
}

GET /programs/{id}/billing/balance

This API endpoint allows a user to retrieve the current balance for a particular program.

Required permissions: Program Management. You can manage the permissions of your API users through your program's settings. Insufficient permissions will result in a 403 Forbidden response.

Parameters

Name In Type Required Description
id path integer true The ID of the program.

Get Payment Transactions

Code samples

# You can also use wget
curl "https://api.hackerone.com/v1/programs/{id}/billing/transactions" \
  -X GET \
  -u "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=" \
  -H 'Accept: application/json'

import requests
headers = {
  'Accept': 'application/json'
}

r = requests.get(
  'https://api.hackerone.com/v1/programs/{id}/billing/transactions',
  auth=('api_example_company', 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ='),
  headers = headers
)

print(r.json())

require 'rest-client'
require 'json'

headers = {
  'Accept' => 'application/json'
}

result = RestClient::Request.execute(
  method: :get,
  url: 'https://api.hackerone.com/v1/programs/{id}/billing/transactions',
  password: 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=',
  user: 'api_example_company',
  headers: headers
)
p JSON.parse(result)

URL obj = new URL("https://api.hackerone.com/v1/programs/{id}/billing/transactions");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();

String userCredentials = "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);

con.setRequestMethod("GET");
try(BufferedReader br = new BufferedReader(
  new InputStreamReader(con.getInputStream(), "utf-8"))) {
    StringBuilder response = new StringBuilder();
    String responseLine = null;
    while ((responseLine = br.readLine()) != null) {
        response.append(responseLine.trim());
    }
    System.out.println(response.toString());
}


let user = 'api_example_company';
let password = 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
  headers.set('Accept', 'application/json');

fetch('https://api.hackerone.com/v1/programs/{id}/billing/transactions',
{
  method: 'GET',

  headers: headers
})
.then(function(res) {
    return res.json();
}).then(function(body) {
    console.log(body);
});

package main

import (
       "io/ioutil"
       "log"
       "net/http"
)

func main() { 
    headers := map[string][]string{
        "Accept": []string{"application/json"},

    }

    req, err := http.NewRequest("GET", "https://api.hackerone.com/v1/programs/{id}/billing/transactions", nil)
    req.Header = headers
    req.SetBasicAuth("api_example_company", "Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=")

    client := &http.Client{}
    resp, err := client.Do(req)
    if err != nil {
      panic(err)
    }
    defer resp.Body.Close()

    body, _ := ioutil.ReadAll(resp.Body)

    log.Println(string(body))
}

200 Response

{
  "id": 10,
  "bounty_award": "1000.00",
  "bounty_fee": "200.00",
  "activity_date": "2019-09-25T04:22:42.686Z",
  "activity_description": "Bounty for report #9",
  "report_id": 9,
  "report_url": "http://hackerone.com/reports/9",
  "debit_or_credit_amount": "-1200.00",
  "balance": "-1200.00"
}

GET /programs/{id}/billing/transactions

This API endpoint enables a user to retrieve program's list of payment transactions for the selected month. When the request is successful, the API will respond with paginated payment transaction objects of the provided program.

If you want to get transactions for an entire year, you will need to request each month individually.

Required permissions: Program Management. You can manage the permissions of your API users through your program's settings. Insufficient permissions will result in a 403 Forbidden response.

Parameters

Name In Type Required Description
id path integer true The ID of the program.
month query integer false The month of the transaction period. The default is set to the current month.
year query integer false The year of the transaction period. The default is set to the current year.

Award Bounty

Code samples

# You can also use wget
curl "https://api.hackerone.com/v1/programs/{id}/bounties" \
  -X POST \
  -u "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=" \
  -H 'Content-Type: application/json' \
  -H 'Accept: application/json' \
  -d @- <<EOD
{
  "data": {
    "type": "bounty",
    "attributes": {
      "recipient": "string",
      "amount": 0,
      "reference": "string",
      "title": "string",
      "currency": "USD",
      "severity_rating": "none"
    }
  }
}
EOD

import requests
headers = {
  'Content-Type': 'application/json',
  'Accept': 'application/json'
}

data = {
  "data": {
    "type": "bounty",
    "attributes": {
      "recipient": "string",
      "amount": 0,
      "reference": "string",
      "title": "string",
      "currency": "USD",
      "severity_rating": "none"
    }
  }
}

r = requests.post(
  'https://api.hackerone.com/v1/programs/{id}/bounties',
  auth=('api_example_company', 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ='),
  json = data,
  headers = headers
)

print(r.json())

require 'rest-client'
require 'json'

headers = {
  'Content-Type' => 'application/json',
  'Accept' => 'application/json'
}

data = {
  "data": {
    "type": "bounty",
    "attributes": {
      "recipient": "string",
      "amount": 0,
      "reference": "string",
      "title": "string",
      "currency": "USD",
      "severity_rating": "none"
    }
  }
}

result = RestClient::Request.execute(
  method: :post,
  url: 'https://api.hackerone.com/v1/programs/{id}/bounties',
  password: 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=',
  user: 'api_example_company',
  payload: data,
  headers: headers
)
p JSON.parse(result)

URL obj = new URL("https://api.hackerone.com/v1/programs/{id}/bounties");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();

String userCredentials = "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);

con.setRequestMethod("POST");
con.setRequestProperty("Content-Type", "application/json; utf-8");
con.setRequestProperty("Accept", "application/json");
con.setDoOutput(true);
String jsonInputString = "{\n  \"data\": {\n    \"type\": \"bounty\",\n    \"attributes\": {\n      \"recipient\": \"string\",\n      \"amount\": 0,\n      \"reference\": \"string\",\n      \"title\": \"string\",\n      \"currency\": \"USD\",\n      \"severity_rating\": \"none\"\n    }\n  }\n}";
try(OutputStream os = con.getOutputStream()) {
    byte[] input = jsonInputString.getBytes("utf-8");
    os.write(input, 0, input.length);
}

try(BufferedReader br = new BufferedReader(
  new InputStreamReader(con.getInputStream(), "utf-8"))) {
    StringBuilder response = new StringBuilder();
    String responseLine = null;
    while ((responseLine = br.readLine()) != null) {
        response.append(responseLine.trim());
    }
    System.out.println(response.toString());
}

let inputBody = "{\n  \"data\": {\n    \"type\": \"bounty\",\n    \"attributes\": {\n      \"recipient\": \"string\",\n      \"amount\": 0,\n      \"reference\": \"string\",\n      \"title\": \"string\",\n      \"currency\": \"USD\",\n      \"severity_rating\": \"none\"\n    }\n  }\n}";
let user = 'api_example_company';
let password = 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
  headers.set('Content-Type', 'application/json');  headers.set('Accept', 'application/json');

fetch('https://api.hackerone.com/v1/programs/{id}/bounties',
{
  method: 'POST',
  body: inputBody,
  headers: headers
})
.then(function(res) {
    return res.json();
}).then(function(body) {
    console.log(body);
});

package main

import (
       "bytes"
       "io/ioutil"
       "log"
       "net/http"
)

func main() { 
    headers := map[string][]string{
        "Content-Type": []string{"application/json"},
        "Accept": []string{"application/json"},

    }
    data := bytes.NewBuffer([]byte(`"{\n  \"data\": {\n    \"type\": \"bounty\",\n    \"attributes\": {\n      \"recipient\": \"string\",\n      \"amount\": 0,\n      \"reference\": \"string\",\n      \"title\": \"string\",\n      \"currency\": \"USD\",\n      \"severity_rating\": \"none\"\n    }\n  }\n}"`))

    req, err := http.NewRequest("POST", "https://api.hackerone.com/v1/programs/{id}/bounties", data)
    req.Header = headers
    req.SetBasicAuth("api_example_company", "Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=")

    client := &http.Client{}
    resp, err := client.Do(req)
    if err != nil {
      panic(err)
    }
    defer resp.Body.Close()

    body, _ := ioutil.ReadAll(resp.Body)

    log.Println(string(body))
}

201 Response

{
  "data": {
    "id": "1",
    "type": "bounty",
    "attributes": {
      "amount": "100.00",
      "bonus_amount": "0.00",
      "awarded_amount": "100.00",
      "awarded_bonus_amount": "0.00",
      "awarded_currency": "USD",
      "created_at": "2017-02-14T23:07:24.252Z",
      "relationships": {
        "report": {
          "data": {
            "id": "1337",
            "type": "report",
            "attributes": {
              "title": "XSS in login form",
              "state": "new",
              "created_at": "2016-02-02T04:05:06.000Z",
              "vulnerability_information": "...",
              "triaged_at": null,
              "closed_at": null,
              "last_reporter_activity_at": null,
              "first_program_activity_at": null,
              "last_program_activity_at": null,
              "bounty_awarded_at": null,
              "swag_awarded_at": null,
              "disclosed_at": null,
              "last_public_activity_at": null,
              "last_activity_at": null,
              "issue_tracker_reference_url": "https://example.com/reference",
              "cve_ids": [],
              "source": null,
              "reporter_agreed_on_going_public_at": null
            }
          }
        }
      },
      "invitations": [
        {
          "id": "10",
          "recipient": "hacker@hackerone.com",
          "claim_url": "https://hackerone.com/invitations/3fe0a8badea0023c2fcca5c860d5899e"
        }
      ]
    }
  }
}

POST /programs/{id}/bounties

Use this endpoint to award a bounty. When the API call is successful, a bounty object will be returned.

Required permissions: Reward Management. You can manage the permissions of your API users through your program's settings. Insufficient permissions will result in a 403 Forbidden response.

Parameters

Name In Type Required Description
id path integer true The ID of the program.
data body object true The information required to create a bounty.
» type body string true none
» attributes body object true none
»» recipient body string false The email address of the recipient.
»» amount body number true The bounty amount to be awarded.
»» reference body string true An internal reference attached to the report that makes searching or filtering in the future easy.
»» title body string true The title of the security vulnerability that was reported to you.
»» currency body string true none
»» severity_rating body severity-ratings false none

Detailed descriptions

»» recipient: The email address of the recipient.

When the email address is provided, an email will be sent to the recipient to claim the bounty. When the email address is not provided, you can use the claim URL in the response to notify the recipient yourself. When the user does not have an account yet with HackerOne, they'll be onboarded before they can claim the reward. Users that already have an account, will benefit from collecting the payout easily through HackerOne and will get additional reputation points to showcase on their HackerOne profile.

Enumerated Values

Parameter Value
» type bounty
»» currency USD
»» severity_rating none
»» severity_rating low
»» severity_rating medium
»» severity_rating high
»» severity_rating critical

Get Common Responses

Code samples

# You can also use wget
curl "https://api.hackerone.com/v1/programs/{id}/common_responses" \
  -X GET \
  -u "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=" \
  -H 'Accept: application/json'

import requests
headers = {
  'Accept': 'application/json'
}

r = requests.get(
  'https://api.hackerone.com/v1/programs/{id}/common_responses',
  auth=('api_example_company', 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ='),
  headers = headers
)

print(r.json())

require 'rest-client'
require 'json'

headers = {
  'Accept' => 'application/json'
}

result = RestClient::Request.execute(
  method: :get,
  url: 'https://api.hackerone.com/v1/programs/{id}/common_responses',
  password: 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=',
  user: 'api_example_company',
  headers: headers
)
p JSON.parse(result)

URL obj = new URL("https://api.hackerone.com/v1/programs/{id}/common_responses");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();

String userCredentials = "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);

con.setRequestMethod("GET");
try(BufferedReader br = new BufferedReader(
  new InputStreamReader(con.getInputStream(), "utf-8"))) {
    StringBuilder response = new StringBuilder();
    String responseLine = null;
    while ((responseLine = br.readLine()) != null) {
        response.append(responseLine.trim());
    }
    System.out.println(response.toString());
}


let user = 'api_example_company';
let password = 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
  headers.set('Accept', 'application/json');

fetch('https://api.hackerone.com/v1/programs/{id}/common_responses',
{
  method: 'GET',

  headers: headers
})
.then(function(res) {
    return res.json();
}).then(function(body) {
    console.log(body);
});

package main

import (
       "io/ioutil"
       "log"
       "net/http"
)

func main() { 
    headers := map[string][]string{
        "Accept": []string{"application/json"},

    }

    req, err := http.NewRequest("GET", "https://api.hackerone.com/v1/programs/{id}/common_responses", nil)
    req.Header = headers
    req.SetBasicAuth("api_example_company", "Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=")

    client := &http.Client{}
    resp, err := client.Do(req)
    if err != nil {
      panic(err)
    }
    defer resp.Body.Close()

    body, _ := ioutil.ReadAll(resp.Body)

    log.Println(string(body))
}

200 Response

{
  "data": [
    {
      "id": "108878",
      "attributes": {
        "title": "Vulnerability Scanner False Positive",
        "message": "Automated vulnerability scanners commonly have low priority issues and/or false positives. Before submitting the results from a scanner, please take a moment to confirm that the reported issues are actually valid and exploitable. Please reply if you have a working proof-of-concept or reason to believe that this issue is exploitable.\n"
      }
    },
    {
      "id": "108886",
      "attributes": {
        "title": "X-XSS-Protection",
        "message": "Automated vulnerability scanners commonly have low priority issues and/or false positives. Before submitting the results from a scanner, please take a moment to confirm that the reported issues are actually valid and exploitable. In this specific case, we believe that the default state of the `X-XSS-Protection` header is sufficient for our purposes. Please reply if you have a working proof-of-concept that could be mitigated by an adjustment to our header.\n"
      }
    },
    {
      "id": "108891",
      "attributes": {
        "title": "Video Without Content",
        "message": "Using a video to demonstrate a potential issue should only be necessary in rare situations and should always be accompanied with a text description of the issue as well. Please update this report with step-by-step instructions to reproduce the core components of the issue. If you don't speak English, feel free to leave your report in your own language, and we'll try our best to find someone who can help translate.\n"
      }
    }
  ],
  "links": {}
}

GET /programs/{id}/common_responses

Common responses can be fetched by sending a GET request to the common responses endpoint. When the request is successful, the API will respond with paginated common responses.

Parameters

Name In Type Required Description
id path integer true The ID of the program.
page[number] query any false The page to retrieve from.
page[size] query any false The number of objects per page (currently limited from 1 to 100).

Upload Policy Attachments

Code samples

# You can also use wget
curl "https://api.hackerone.com/v1/programs/{id}/policy_attachments" \
  -X POST \
  -u "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=" \
  -H 'Accept: application/json'

import requests
headers = {
  'Accept': 'application/json'
}

r = requests.post(
  'https://api.hackerone.com/v1/programs/{id}/policy_attachments',
  auth=('api_example_company', 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ='),
  headers = headers
)

print(r.json())

require 'rest-client'
require 'json'

headers = {
  'Accept' => 'application/json'
}

result = RestClient::Request.execute(
  method: :post,
  url: 'https://api.hackerone.com/v1/programs/{id}/policy_attachments',
  password: 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=',
  user: 'api_example_company',
  headers: headers
)
p JSON.parse(result)

URL obj = new URL("https://api.hackerone.com/v1/programs/{id}/policy_attachments");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();

String userCredentials = "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);

con.setRequestMethod("POST");
try(BufferedReader br = new BufferedReader(
  new InputStreamReader(con.getInputStream(), "utf-8"))) {
    StringBuilder response = new StringBuilder();
    String responseLine = null;
    while ((responseLine = br.readLine()) != null) {
        response.append(responseLine.trim());
    }
    System.out.println(response.toString());
}


let user = 'api_example_company';
let password = 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
  headers.set('Accept', 'application/json');

fetch('https://api.hackerone.com/v1/programs/{id}/policy_attachments',
{
  method: 'POST',

  headers: headers
})
.then(function(res) {
    return res.json();
}).then(function(body) {
    console.log(body);
});

package main

import (
       "io/ioutil"
       "log"
       "net/http"
)

func main() { 
    headers := map[string][]string{
        "Accept": []string{"application/json"},

    }

    req, err := http.NewRequest("POST", "https://api.hackerone.com/v1/programs/{id}/policy_attachments", nil)
    req.Header = headers
    req.SetBasicAuth("api_example_company", "Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=")

    client := &http.Client{}
    resp, err := client.Do(req)
    if err != nil {
      panic(err)
    }
    defer resp.Body.Close()

    body, _ := ioutil.ReadAll(resp.Body)

    log.Println(string(body))
}

200 Response

{
  "id": "1337",
  "type": "attachment",
  "attributes": {
    "expiring_url": "/system/attachments/files/000/001/337/original/root.rb?1454385906",
    "created_at": "2016-02-02T04:05:06.000Z",
    "file_name": "root.rb",
    "content_type": "text/x-ruby",
    "file_size": 2871
  }
}

POST /programs/{id}/policy_attachments

Policy attachments can be uploaded by sending a POST request to the program policy attachments endpoint. When the API call is successful, an attachment object will be returned.

You can use the attachment ID to display the attachment on your policy page. For example, if the attachment ID is 1337, then include {F1337} in your policy to display the attachment.

Required permissions: Program Management. You can manage the permissions of your API users through your program's settings. Insufficient permissions will result in a 404 Not Found response.

Parameters

Name In Type Required Description
id path integer true The ID of the program.

Update Policy

Code samples

# You can also use wget
curl "https://api.hackerone.com/v1/programs/{id}/policy" \
  -X PUT \
  -u "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=" \
  -H 'Content-Type: application/json' \
  -H 'Accept: application/json' \
  -d @- <<EOD
{
  "data": {
    "type": "program-policy",
    "attributes": {
      "policy": "string"
    }
  }
}
EOD

import requests
headers = {
  'Content-Type': 'application/json',
  'Accept': 'application/json'
}

data = {
  "data": {
    "type": "program-policy",
    "attributes": {
      "policy": "string"
    }
  }
}

r = requests.put(
  'https://api.hackerone.com/v1/programs/{id}/policy',
  auth=('api_example_company', 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ='),
  json = data,
  headers = headers
)

print(r.json())

require 'rest-client'
require 'json'

headers = {
  'Content-Type' => 'application/json',
  'Accept' => 'application/json'
}

data = {
  "data": {
    "type": "program-policy",
    "attributes": {
      "policy": "string"
    }
  }
}

result = RestClient::Request.execute(
  method: :put,
  url: 'https://api.hackerone.com/v1/programs/{id}/policy',
  password: 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=',
  user: 'api_example_company',
  payload: data,
  headers: headers
)
p JSON.parse(result)

URL obj = new URL("https://api.hackerone.com/v1/programs/{id}/policy");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();

String userCredentials = "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);

con.setRequestMethod("PUT");
con.setRequestProperty("Content-Type", "application/json; utf-8");
con.setRequestProperty("Accept", "application/json");
con.setDoOutput(true);
String jsonInputString = "{\n  \"data\": {\n    \"type\": \"program-policy\",\n    \"attributes\": {\n      \"policy\": \"string\"\n    }\n  }\n}";
try(OutputStream os = con.getOutputStream()) {
    byte[] input = jsonInputString.getBytes("utf-8");
    os.write(input, 0, input.length);
}

try(BufferedReader br = new BufferedReader(
  new InputStreamReader(con.getInputStream(), "utf-8"))) {
    StringBuilder response = new StringBuilder();
    String responseLine = null;
    while ((responseLine = br.readLine()) != null) {
        response.append(responseLine.trim());
    }
    System.out.println(response.toString());
}

let inputBody = "{\n  \"data\": {\n    \"type\": \"program-policy\",\n    \"attributes\": {\n      \"policy\": \"string\"\n    }\n  }\n}";
let user = 'api_example_company';
let password = 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
  headers.set('Content-Type', 'application/json');  headers.set('Accept', 'application/json');

fetch('https://api.hackerone.com/v1/programs/{id}/policy',
{
  method: 'PUT',
  body: inputBody,
  headers: headers
})
.then(function(res) {
    return res.json();
}).then(function(body) {
    console.log(body);
});

package main

import (
       "bytes"
       "io/ioutil"
       "log"
       "net/http"
)

func main() { 
    headers := map[string][]string{
        "Content-Type": []string{"application/json"},
        "Accept": []string{"application/json"},

    }
    data := bytes.NewBuffer([]byte(`"{\n  \"data\": {\n    \"type\": \"program-policy\",\n    \"attributes\": {\n      \"policy\": \"string\"\n    }\n  }\n}"`))

    req, err := http.NewRequest("PUT", "https://api.hackerone.com/v1/programs/{id}/policy", data)
    req.Header = headers
    req.SetBasicAuth("api_example_company", "Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=")

    client := &http.Client{}
    resp, err := client.Do(req)
    if err != nil {
      panic(err)
    }
    defer resp.Body.Close()

    body, _ := ioutil.ReadAll(resp.Body)

    log.Println(string(body))
}

200 Response

{
  "data": {
    "id": "12",
    "type": "program",
    "attributes": {
      "handle": "security",
      "policy": "...",
      "created_at": "2013-01-01T00:00:00.000Z",
      "updated_at": "2019-08-26T13:53:24.807Z"
    }
  }
}

PUT /programs/{id}/policy

Managing the policy of a program through the HackerOne API can be useful to programmatically batch update programs in HackerOne. You can use this endpoint to update the policy of your program.

Required permissions: Program Management. You can manage the permissions of your API users through your program's settings. Insufficient permissions will result in a 404 Not Found response.

Parameters

Name In Type Required Description
id path integer true The ID of the program.
data body object true The information to update the policy of a program.
» type body string true none
» attributes body object true none
»» policy body string true The new policy that will be set on the program.

Enumerated Values

Parameter Value
» type program-policy

Get Reporters

Code samples

# You can also use wget
curl "https://api.hackerone.com/v1/programs/{id}/reporters" \
  -X GET \
  -u "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=" \
  -H 'Accept: application/json'

import requests
headers = {
  'Accept': 'application/json'
}

r = requests.get(
  'https://api.hackerone.com/v1/programs/{id}/reporters',
  auth=('api_example_company', 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ='),
  headers = headers
)

print(r.json())

require 'rest-client'
require 'json'

headers = {
  'Accept' => 'application/json'
}

result = RestClient::Request.execute(
  method: :get,
  url: 'https://api.hackerone.com/v1/programs/{id}/reporters',
  password: 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=',
  user: 'api_example_company',
  headers: headers
)
p JSON.parse(result)

URL obj = new URL("https://api.hackerone.com/v1/programs/{id}/reporters");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();

String userCredentials = "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);

con.setRequestMethod("GET");
try(BufferedReader br = new BufferedReader(
  new InputStreamReader(con.getInputStream(), "utf-8"))) {
    StringBuilder response = new StringBuilder();
    String responseLine = null;
    while ((responseLine = br.readLine()) != null) {
        response.append(responseLine.trim());
    }
    System.out.println(response.toString());
}


let user = 'api_example_company';
let password = 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
  headers.set('Accept', 'application/json');

fetch('https://api.hackerone.com/v1/programs/{id}/reporters',
{
  method: 'GET',

  headers: headers
})
.then(function(res) {
    return res.json();
}).then(function(body) {
    console.log(body);
});

package main

import (
       "io/ioutil"
       "log"
       "net/http"
)

func main() { 
    headers := map[string][]string{
        "Accept": []string{"application/json"},

    }

    req, err := http.NewRequest("GET", "https://api.hackerone.com/v1/programs/{id}/reporters", nil)
    req.Header = headers
    req.SetBasicAuth("api_example_company", "Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=")

    client := &http.Client{}
    resp, err := client.Do(req)
    if err != nil {
      panic(err)
    }
    defer resp.Body.Close()

    body, _ := ioutil.ReadAll(resp.Body)

    log.Println(string(body))
}

200 Response

{
  "data": [
    {
      "id": "1337",
      "type": "user",
      "attributes": {
        "username": "awesome-hacker",
        "name": "Awesome Hacker",
        "disabled": false,
        "created_at": "2016-02-02T04:05:06.000Z",
        "profile_picture": {
          "62x62": "/assets/avatars/default.png",
          "82x82": "/assets/avatars/default.png",
          "110x110": "/assets/avatars/default.png",
          "260x260": "/assets/avatars/default.png"
        }
      }
    }
  ],
  "links": {}
}

GET /programs/{id}/reporters

This resource allows you to retrieve a list of all users that ever submitted a report to the program.

Multiple user objects can be queried by sending a GET request to the reporters endpoint. When the request is successful, the API will respond with paginated user objects.

Parameters

Name In Type Required Description
id path integer true The ID of the program.
page[number] query any false The page to retrieve from.
page[size] query any false The number of objects per page (currently limited from 1 to 100).

Get Structured Scopes

Code samples

# You can also use wget
curl "https://api.hackerone.com/v1/programs/{id}/structured_scopes" \
  -X GET \
  -u "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=" \
  -H 'Accept: application/json'

import requests
headers = {
  'Accept': 'application/json'
}

r = requests.get(
  'https://api.hackerone.com/v1/programs/{id}/structured_scopes',
  auth=('api_example_company', 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ='),
  headers = headers
)

print(r.json())

require 'rest-client'
require 'json'

headers = {
  'Accept' => 'application/json'
}

result = RestClient::Request.execute(
  method: :get,
  url: 'https://api.hackerone.com/v1/programs/{id}/structured_scopes',
  password: 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=',
  user: 'api_example_company',
  headers: headers
)
p JSON.parse(result)

URL obj = new URL("https://api.hackerone.com/v1/programs/{id}/structured_scopes");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();

String userCredentials = "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);

con.setRequestMethod("GET");
try(BufferedReader br = new BufferedReader(
  new InputStreamReader(con.getInputStream(), "utf-8"))) {
    StringBuilder response = new StringBuilder();
    String responseLine = null;
    while ((responseLine = br.readLine()) != null) {
        response.append(responseLine.trim());
    }
    System.out.println(response.toString());
}


let user = 'api_example_company';
let password = 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
  headers.set('Accept', 'application/json');

fetch('https://api.hackerone.com/v1/programs/{id}/structured_scopes',
{
  method: 'GET',

  headers: headers
})
.then(function(res) {
    return res.json();
}).then(function(body) {
    console.log(body);
});

package main

import (
       "io/ioutil"
       "log"
       "net/http"
)

func main() { 
    headers := map[string][]string{
        "Accept": []string{"application/json"},

    }

    req, err := http.NewRequest("GET", "https://api.hackerone.com/v1/programs/{id}/structured_scopes", nil)
    req.Header = headers
    req.SetBasicAuth("api_example_company", "Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=")

    client := &http.Client{}
    resp, err := client.Do(req)
    if err != nil {
      panic(err)
    }
    defer resp.Body.Close()

    body, _ := ioutil.ReadAll(resp.Body)

    log.Println(string(body))
}

200 Response

{
  "data": [
    {
      "id": "57",
      "type": "structured-scope",
      "attributes": {
        "asset_identifier": "api.example.com",
        "asset_type": "URL",
        "confidentiality_requirement": "high",
        "integrity_requirement": "high",
        "availability_requirement": "high",
        "max_severity": "critical",
        "created_at": "2015-02-02T04:05:06.000Z",
        "updated_at": "2016-05-02T04:05:06.000Z",
        "instruction": null,
        "eligible_for_bounty": true,
        "eligible_for_submission": true,
        "reference": "H001001"
      }
    },
    {
      "id": "58",
      "type": "structured-scope",
      "attributes": {
        "asset_identifier": "www.example.com",
        "asset_type": "URL",
        "confidentiality_requirement": "low",
        "integrity_requirement": "high",
        "availability_requirement": "high",
        "max_severity": "critical",
        "created_at": "2017-02-03T04:05:10.000Z",
        "updated_at": "2018-05-02T04:05:10.000Z",
        "instruction": "Instruction text",
        "eligible_for_bounty": true,
        "eligible_for_submission": true,
        "reference": "H001002"
      }
    }
  ],
  "links": {}
}

GET /programs/{id}/structured_scopes

Structured scopes can be fetched by sending a GET request to the structured scopes endpoint. When the request is successful, the API will respond with paginated structured scope objects.

Parameters

Name In Type Required Description
id path integer true The ID of the program. You can find the program ID by fetching your programs.
page[number] query any false The page to retrieve from.
page[size] query any false The number of objects per page (currently limited from 1 to 100).

Add Structured Scope

Code samples

# You can also use wget
curl "https://api.hackerone.com/v1/programs/{id}/structured_scopes" \
  -X POST \
  -u "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=" \
  -H 'Content-Type: application/json' \
  -H 'Accept: application/json' \
  -d @- <<EOD
{
  "data": {
    "type": "structured-scope",
    "attributes": {
      "asset_identifier": "string",
      "asset_type": "CIDR",
      "eligible_for_bounty": true,
      "eligible_for_submission": true,
      "instruction": "string",
      "confidentiality_requirement": "none",
      "integrity_requirement": "none",
      "availability_requirement": "none",
      "max_severity": "none",
      "reference": "string"
    }
  }
}
EOD

import requests
headers = {
  'Content-Type': 'application/json',
  'Accept': 'application/json'
}

data = {
  "data": {
    "type": "structured-scope",
    "attributes": {
      "asset_identifier": "string",
      "asset_type": "CIDR",
      "eligible_for_bounty": true,
      "eligible_for_submission": true,
      "instruction": "string",
      "confidentiality_requirement": "none",
      "integrity_requirement": "none",
      "availability_requirement": "none",
      "max_severity": "none",
      "reference": "string"
    }
  }
}

r = requests.post(
  'https://api.hackerone.com/v1/programs/{id}/structured_scopes',
  auth=('api_example_company', 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ='),
  json = data,
  headers = headers
)

print(r.json())

require 'rest-client'
require 'json'

headers = {
  'Content-Type' => 'application/json',
  'Accept' => 'application/json'
}

data = {
  "data": {
    "type": "structured-scope",
    "attributes": {
      "asset_identifier": "string",
      "asset_type": "CIDR",
      "eligible_for_bounty": true,
      "eligible_for_submission": true,
      "instruction": "string",
      "confidentiality_requirement": "none",
      "integrity_requirement": "none",
      "availability_requirement": "none",
      "max_severity": "none",
      "reference": "string"
    }
  }
}

result = RestClient::Request.execute(
  method: :post,
  url: 'https://api.hackerone.com/v1/programs/{id}/structured_scopes',
  password: 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=',
  user: 'api_example_company',
  payload: data,
  headers: headers
)
p JSON.parse(result)

URL obj = new URL("https://api.hackerone.com/v1/programs/{id}/structured_scopes");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();

String userCredentials = "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);

con.setRequestMethod("POST");
con.setRequestProperty("Content-Type", "application/json; utf-8");
con.setRequestProperty("Accept", "application/json");
con.setDoOutput(true);
String jsonInputString = "{\n  \"data\": {\n    \"type\": \"structured-scope\",\n    \"attributes\": {\n      \"asset_identifier\": \"string\",\n      \"asset_type\": \"CIDR\",\n      \"eligible_for_bounty\": true,\n      \"eligible_for_submission\": true,\n      \"instruction\": \"string\",\n      \"confidentiality_requirement\": \"none\",\n      \"integrity_requirement\": \"none\",\n      \"availability_requirement\": \"none\",\n      \"max_severity\": \"none\",\n      \"reference\": \"string\"\n    }\n  }\n}";
try(OutputStream os = con.getOutputStream()) {
    byte[] input = jsonInputString.getBytes("utf-8");
    os.write(input, 0, input.length);
}

try(BufferedReader br = new BufferedReader(
  new InputStreamReader(con.getInputStream(), "utf-8"))) {
    StringBuilder response = new StringBuilder();
    String responseLine = null;
    while ((responseLine = br.readLine()) != null) {
        response.append(responseLine.trim());
    }
    System.out.println(response.toString());
}

let inputBody = "{\n  \"data\": {\n    \"type\": \"structured-scope\",\n    \"attributes\": {\n      \"asset_identifier\": \"string\",\n      \"asset_type\": \"CIDR\",\n      \"eligible_for_bounty\": true,\n      \"eligible_for_submission\": true,\n      \"instruction\": \"string\",\n      \"confidentiality_requirement\": \"none\",\n      \"integrity_requirement\": \"none\",\n      \"availability_requirement\": \"none\",\n      \"max_severity\": \"none\",\n      \"reference\": \"string\"\n    }\n  }\n}";
let user = 'api_example_company';
let password = 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
  headers.set('Content-Type', 'application/json');  headers.set('Accept', 'application/json');

fetch('https://api.hackerone.com/v1/programs/{id}/structured_scopes',
{
  method: 'POST',
  body: inputBody,
  headers: headers
})
.then(function(res) {
    return res.json();
}).then(function(body) {
    console.log(body);
});

package main

import (
       "bytes"
       "io/ioutil"
       "log"
       "net/http"
)

func main() { 
    headers := map[string][]string{
        "Content-Type": []string{"application/json"},
        "Accept": []string{"application/json"},

    }
    data := bytes.NewBuffer([]byte(`"{\n  \"data\": {\n    \"type\": \"structured-scope\",\n    \"attributes\": {\n      \"asset_identifier\": \"string\",\n      \"asset_type\": \"CIDR\",\n      \"eligible_for_bounty\": true,\n      \"eligible_for_submission\": true,\n      \"instruction\": \"string\",\n      \"confidentiality_requirement\": \"none\",\n      \"integrity_requirement\": \"none\",\n      \"availability_requirement\": \"none\",\n      \"max_severity\": \"none\",\n      \"reference\": \"string\"\n    }\n  }\n}"`))

    req, err := http.NewRequest("POST", "https://api.hackerone.com/v1/programs/{id}/structured_scopes", data)
    req.Header = headers
    req.SetBasicAuth("api_example_company", "Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=")

    client := &http.Client{}
    resp, err := client.Do(req)
    if err != nil {
      panic(err)
    }
    defer resp.Body.Close()

    body, _ := ioutil.ReadAll(resp.Body)

    log.Println(string(body))
}

201 Response

{
  "id": "57",
  "type": "structured-scope",
  "attributes": {
    "asset_identifier": "api.example.com",
    "asset_type": "URL",
    "confidentiality_requirement": "high",
    "integrity_requirement": "high",
    "availability_requirement": "high",
    "max_severity": "critical",
    "created_at": "2015-02-02T04:05:06.000Z",
    "updated_at": "2016-05-02T04:05:06.000Z",
    "instruction": null,
    "eligible_for_bounty": true,
    "eligible_for_submission": true,
    "reference": "H001001"
  }
}

POST /programs/{id}/structured_scopes

This endpoint can be used to add an asset to a program. When the API request is successful, a structured scope object will be returned. Please refer to our platform documentation to get more information on the different asset types.

Parameters

Name In Type Required Description
id path integer true The ID of the program. You can find the program ID by fetching your programs.
data body object true The information to create a structured scope.
» type body string true none
» attributes body object true none
»» asset_identifier body string true The identifier of the asset.
»» asset_type body string true The type of asset.
»» eligible_for_bounty body boolean false The eligibility of the asset for bounties.
»» eligible_for_submission body boolean false If the asset is eligible for submission.
»» instruction body string false The raw instruction of the asset provided by the program. Markdown is not parsed.
»» confidentiality_requirement body string false A CVSS environmental modifier that reweighs Confidentiality Impact of a vulnerability on the asset.
»» integrity_requirement body string false A CVSS environmental modifier that reweighs Integrity Impact of a vulnerability on the asset.
»» availability_requirement body string false A CVSS environmental modifier that reweighs Availability Impact of a vulnerability on the asset.
»» max_severity body severity-ratings false none
»» reference body string false The customer defined reference identifier or tag of the asset.

Enumerated Values

Parameter Value
» type structured-scope
»» asset_type CIDR
»» asset_type URL
»» asset_type APPLE_STORE_APP_ID
»» asset_type TESTFLIGHT
»» asset_type OTHER_IPA
»» asset_type GOOGLE_PLAY_APP_ID
»» asset_type OTHER_APK
»» asset_type WINDOWS_APP_STORE_APP_ID
»» asset_type SOURCE_CODE
»» asset_type DOWNLOADABLE_EXECUTABLES
»» asset_type HARDWARE
»» asset_type OTHER
»» confidentiality_requirement none
»» confidentiality_requirement low
»» confidentiality_requirement medium
»» confidentiality_requirement high
»» integrity_requirement none
»» integrity_requirement low
»» integrity_requirement medium
»» integrity_requirement high
»» availability_requirement none
»» availability_requirement low
»» availability_requirement medium
»» availability_requirement high
»» max_severity none
»» max_severity low
»» max_severity medium
»» max_severity high
»» max_severity critical

Update Structured Scope

Code samples

# You can also use wget
curl "https://api.hackerone.com/v1/programs/{program_id}/structured_scopes/{id}" \
  -X PUT \
  -u "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=" \
  -H 'Content-Type: application/json' \
  -H 'Accept: application/json' \
  -d @- <<EOD
{
  "data": {
    "type": "structured-scope",
    "attributes": {
      "asset_identifier": "string",
      "eligible_for_bounty": true,
      "eligible_for_submission": true,
      "instruction": "string",
      "confidentiality_requirement": "none",
      "integrity_requirement": "none",
      "availability_requirement": "none",
      "max_severity": "none",
      "reference": "string"
    }
  }
}
EOD

import requests
headers = {
  'Content-Type': 'application/json',
  'Accept': 'application/json'
}

data = {
  "data": {
    "type": "structured-scope",
    "attributes": {
      "asset_identifier": "string",
      "eligible_for_bounty": true,
      "eligible_for_submission": true,
      "instruction": "string",
      "confidentiality_requirement": "none",
      "integrity_requirement": "none",
      "availability_requirement": "none",
      "max_severity": "none",
      "reference": "string"
    }
  }
}

r = requests.put(
  'https://api.hackerone.com/v1/programs/{program_id}/structured_scopes/{id}',
  auth=('api_example_company', 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ='),
  json = data,
  headers = headers
)

print(r.json())

require 'rest-client'
require 'json'

headers = {
  'Content-Type' => 'application/json',
  'Accept' => 'application/json'
}

data = {
  "data": {
    "type": "structured-scope",
    "attributes": {
      "asset_identifier": "string",
      "eligible_for_bounty": true,
      "eligible_for_submission": true,
      "instruction": "string",
      "confidentiality_requirement": "none",
      "integrity_requirement": "none",
      "availability_requirement": "none",
      "max_severity": "none",
      "reference": "string"
    }
  }
}

result = RestClient::Request.execute(
  method: :put,
  url: 'https://api.hackerone.com/v1/programs/{program_id}/structured_scopes/{id}',
  password: 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=',
  user: 'api_example_company',
  payload: data,
  headers: headers
)
p JSON.parse(result)

URL obj = new URL("https://api.hackerone.com/v1/programs/{program_id}/structured_scopes/{id}");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();

String userCredentials = "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);

con.setRequestMethod("PUT");
con.setRequestProperty("Content-Type", "application/json; utf-8");
con.setRequestProperty("Accept", "application/json");
con.setDoOutput(true);
String jsonInputString = "{\n  \"data\": {\n    \"type\": \"structured-scope\",\n    \"attributes\": {\n      \"asset_identifier\": \"string\",\n      \"eligible_for_bounty\": true,\n      \"eligible_for_submission\": true,\n      \"instruction\": \"string\",\n      \"confidentiality_requirement\": \"none\",\n      \"integrity_requirement\": \"none\",\n      \"availability_requirement\": \"none\",\n      \"max_severity\": \"none\",\n      \"reference\": \"string\"\n    }\n  }\n}";
try(OutputStream os = con.getOutputStream()) {
    byte[] input = jsonInputString.getBytes("utf-8");
    os.write(input, 0, input.length);
}

try(BufferedReader br = new BufferedReader(
  new InputStreamReader(con.getInputStream(), "utf-8"))) {
    StringBuilder response = new StringBuilder();
    String responseLine = null;
    while ((responseLine = br.readLine()) != null) {
        response.append(responseLine.trim());
    }
    System.out.println(response.toString());
}

let inputBody = "{\n  \"data\": {\n    \"type\": \"structured-scope\",\n    \"attributes\": {\n      \"asset_identifier\": \"string\",\n      \"eligible_for_bounty\": true,\n      \"eligible_for_submission\": true,\n      \"instruction\": \"string\",\n      \"confidentiality_requirement\": \"none\",\n      \"integrity_requirement\": \"none\",\n      \"availability_requirement\": \"none\",\n      \"max_severity\": \"none\",\n      \"reference\": \"string\"\n    }\n  }\n}";
let user = 'api_example_company';
let password = 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
  headers.set('Content-Type', 'application/json');  headers.set('Accept', 'application/json');

fetch('https://api.hackerone.com/v1/programs/{program_id}/structured_scopes/{id}',
{
  method: 'PUT',
  body: inputBody,
  headers: headers
})
.then(function(res) {
    return res.json();
}).then(function(body) {
    console.log(body);
});

package main

import (
       "bytes"
       "io/ioutil"
       "log"
       "net/http"
)

func main() { 
    headers := map[string][]string{
        "Content-Type": []string{"application/json"},
        "Accept": []string{"application/json"},

    }
    data := bytes.NewBuffer([]byte(`"{\n  \"data\": {\n    \"type\": \"structured-scope\",\n    \"attributes\": {\n      \"asset_identifier\": \"string\",\n      \"eligible_for_bounty\": true,\n      \"eligible_for_submission\": true,\n      \"instruction\": \"string\",\n      \"confidentiality_requirement\": \"none\",\n      \"integrity_requirement\": \"none\",\n      \"availability_requirement\": \"none\",\n      \"max_severity\": \"none\",\n      \"reference\": \"string\"\n    }\n  }\n}"`))

    req, err := http.NewRequest("PUT", "https://api.hackerone.com/v1/programs/{program_id}/structured_scopes/{id}", data)
    req.Header = headers
    req.SetBasicAuth("api_example_company", "Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=")

    client := &http.Client{}
    resp, err := client.Do(req)
    if err != nil {
      panic(err)
    }
    defer resp.Body.Close()

    body, _ := ioutil.ReadAll(resp.Body)

    log.Println(string(body))
}

200 Response

{
  "id": "57",
  "type": "structured-scope",
  "attributes": {
    "asset_identifier": "api.example.com",
    "asset_type": "URL",
    "confidentiality_requirement": "high",
    "integrity_requirement": "high",
    "availability_requirement": "high",
    "max_severity": "critical",
    "created_at": "2015-02-02T04:05:06.000Z",
    "updated_at": "2016-05-02T04:05:06.000Z",
    "instruction": null,
    "eligible_for_bounty": true,
    "eligible_for_submission": true,
    "reference": "H001001"
  }
}

PUT /programs/{program_id}/structured_scopes/{id}

This endpoint can be used to update an asset of a program. When the API request is successful, a structured scope object will be returned.

Parameters

Name In Type Required Description
program_id path integer true The ID of the program. You can find the program ID by fetching your programs.
id path integer true The ID of the structured scope.
data body object true The information to update a structured scope.
» type body string true none
» attributes body object true none
»» asset_identifier body string true The identifier of the asset.
»» eligible_for_bounty body boolean false If the asset is eligible for bounty.
»» eligible_for_submission body boolean false If the asset is eligible for submission.
»» instruction body string false The raw instruction of the asset provided by the program (markdown is not parsed).
»» confidentiality_requirement body string false A CVSS environmental modifier that reweighs Confidentiality Impact of a vulnerability on the asset.
»» integrity_requirement body string false A CVSS environmental modifier that reweighs Integrity Impact of a vulnerability on the asset.
»» availability_requirement body string false A CVSS environmental modifier that reweighs Availability Impact of a vulnerability on the asset.
»» max_severity body severity-ratings false none
»» reference body string false The customer defined reference identifier or tag of the asset.

Enumerated Values

Parameter Value
» type structured-scope
»» confidentiality_requirement none
»» confidentiality_requirement low
»» confidentiality_requirement medium
»» confidentiality_requirement high
»» integrity_requirement none
»» integrity_requirement low
»» integrity_requirement medium
»» integrity_requirement high
»» availability_requirement none
»» availability_requirement low
»» availability_requirement medium
»» availability_requirement high
»» max_severity none
»» max_severity low
»» max_severity medium
»» max_severity high
»» max_severity critical

Archive Structured Scope

Code samples

# You can also use wget
curl "https://api.hackerone.com/v1/programs/{program_id}/structured_scopes/{id}" \
  -X DELETE \
  -u "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=" \
  -H 'Accept: application/json'

import requests
headers = {
  'Accept': 'application/json'
}

r = requests.delete(
  'https://api.hackerone.com/v1/programs/{program_id}/structured_scopes/{id}',
  auth=('api_example_company', 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ='),
  headers = headers
)

print(r.json())

require 'rest-client'
require 'json'

headers = {
  'Accept' => 'application/json'
}

result = RestClient::Request.execute(
  method: :delete,
  url: 'https://api.hackerone.com/v1/programs/{program_id}/structured_scopes/{id}',
  password: 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=',
  user: 'api_example_company',
  headers: headers
)
p JSON.parse(result)

URL obj = new URL("https://api.hackerone.com/v1/programs/{program_id}/structured_scopes/{id}");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();

String userCredentials = "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);

con.setRequestMethod("DELETE");
try(BufferedReader br = new BufferedReader(
  new InputStreamReader(con.getInputStream(), "utf-8"))) {
    StringBuilder response = new StringBuilder();
    String responseLine = null;
    while ((responseLine = br.readLine()) != null) {
        response.append(responseLine.trim());
    }
    System.out.println(response.toString());
}


let user = 'api_example_company';
let password = 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
  headers.set('Accept', 'application/json');

fetch('https://api.hackerone.com/v1/programs/{program_id}/structured_scopes/{id}',
{
  method: 'DELETE',

  headers: headers
})
.then(function(res) {
    return res.json();
}).then(function(body) {
    console.log(body);
});

package main

import (
       "io/ioutil"
       "log"
       "net/http"
)

func main() { 
    headers := map[string][]string{
        "Accept": []string{"application/json"},

    }

    req, err := http.NewRequest("DELETE", "https://api.hackerone.com/v1/programs/{program_id}/structured_scopes/{id}", nil)
    req.Header = headers
    req.SetBasicAuth("api_example_company", "Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=")

    client := &http.Client{}
    resp, err := client.Do(req)
    if err != nil {
      panic(err)
    }
    defer resp.Body.Close()

    body, _ := ioutil.ReadAll(resp.Body)

    log.Println(string(body))
}

200 Response

{
  "id": "57",
  "type": "structured-scope",
  "attributes": {
    "asset_identifier": "api.example.com",
    "asset_type": "URL",
    "confidentiality_requirement": "high",
    "integrity_requirement": "high",
    "availability_requirement": "high",
    "max_severity": "critical",
    "created_at": "2015-02-02T04:05:06.000Z",
    "updated_at": "2016-05-02T04:05:06.000Z",
    "instruction": null,
    "eligible_for_bounty": true,
    "eligible_for_submission": true,
    "reference": "H001001"
  }
}

DELETE /programs/{program_id}/structured_scopes/{id}

This endpoint can be used to archive an asset of a program. When the API request is successful, a structured scope object will be returned.

Parameters

Name In Type Required Description
program_id path integer true The ID of the program. You can find the program ID by fetching your programs.
id path integer true The ID of the structured scope.

Get Awarded Swag

Code samples

# You can also use wget
curl "https://api.hackerone.com/v1/programs/{id}/swag" \
  -X GET \
  -u "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=" \
  -H 'Accept: application/json'

import requests
headers = {
  'Accept': 'application/json'
}

r = requests.get(
  'https://api.hackerone.com/v1/programs/{id}/swag',
  auth=('api_example_company', 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ='),
  headers = headers
)

print(r.json())

require 'rest-client'
require 'json'

headers = {
  'Accept' => 'application/json'
}

result = RestClient::Request.execute(
  method: :get,
  url: 'https://api.hackerone.com/v1/programs/{id}/swag',
  password: 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=',
  user: 'api_example_company',
  headers: headers
)
p JSON.parse(result)

URL obj = new URL("https://api.hackerone.com/v1/programs/{id}/swag");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();

String userCredentials = "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);

con.setRequestMethod("GET");
try(BufferedReader br = new BufferedReader(
  new InputStreamReader(con.getInputStream(), "utf-8"))) {
    StringBuilder response = new StringBuilder();
    String responseLine = null;
    while ((responseLine = br.readLine()) != null) {
        response.append(responseLine.trim());
    }
    System.out.println(response.toString());
}


let user = 'api_example_company';
let password = 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
  headers.set('Accept', 'application/json');

fetch('https://api.hackerone.com/v1/programs/{id}/swag',
{
  method: 'GET',

  headers: headers
})
.then(function(res) {
    return res.json();
}).then(function(body) {
    console.log(body);
});

package main

import (
       "io/ioutil"
       "log"
       "net/http"
)

func main() { 
    headers := map[string][]string{
        "Accept": []string{"application/json"},

    }

    req, err := http.NewRequest("GET", "https://api.hackerone.com/v1/programs/{id}/swag", nil)
    req.Header = headers
    req.SetBasicAuth("api_example_company", "Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=")

    client := &http.Client{}
    resp, err := client.Do(req)
    if err != nil {
      panic(err)
    }
    defer resp.Body.Close()

    body, _ := ioutil.ReadAll(resp.Body)

    log.Println(string(body))
}

200 Response

{
  "data": [
    {
      "id": "8",
      "type": "swag",
      "attributes": {
        "sent": true,
        "created_at": "2019-08-30T08:33:42.147Z"
      },
      "relationships": {
        "user": {
          "data": {
            "id": "1337",
            "type": "user",
            "attributes": {
              "username": "api-example",
              "name": "API Example",
              "disabled": false,
              "created_at": "2016-02-02T04:05:06.000Z",
              "profile_picture": {
                "62x62": "/assets/avatars/default.png",
                "82x82": "/assets/avatars/default.png",
                "110x110": "/assets/avatars/default.png",
                "260x260": "/assets/avatars/default.png"
              }
            }
          }
        },
        "address": {
          "data": {
            "id": "1337",
            "type": "address",
            "attributes": {
              "name": "Jane Doe",
              "street": "535 Mission Street",
              "city": "San Francisco",
              "postal_code": "94105",
              "state": "CA",
              "country": "United States of America",
              "created_at": "2016-02-02T04:05:06.000Z",
              "tshirt_size": "M_Large",
              "phone_number": "+1-510-000-0000"
            }
          }
        }
      }
    },
    {
      "id": "7",
      "type": "swag",
      "attributes": {
        "sent": false,
        "created_at": "2019-08-20T03:47:04.163Z"
      },
      "relationships": {
        "user": {
          "data": {
            "id": "1338",
            "type": "user",
            "attributes": {
              "username": "johndoe",
              "name": "John Doe",
              "disabled": false,
              "created_at": "2017-02-02T04:05:06.000Z",
              "profile_picture": {
                "62x62": "/assets/avatars/default.png",
                "82x82": "/assets/avatars/default.png",
                "110x110": "/assets/avatars/default.png",
                "260x260": "/assets/avatars/default.png"
              }
            }
          }
        },
        "address": {
          "data": {
            "id": "1337",
            "type": "address",
            "attributes": {
              "name": "John Smith",
              "street": "535 Mission Street",
              "city": "New York",
              "postal_code": "10001",
              "state": "NY",
              "country": "United States of America",
              "created_at": "2017-01-03T07:08:09.000Z",
              "tshirt_size": "M_Large",
              "phone_number": "+1-212-000-0000"
            }
          }
        }
      }
    }
  ],
  "links": {}
}

GET /programs/{id}/swag

Awarded swag can be fetched by sending a GET request to the swag endpoint. When the request is successful, the API will respond with paginated swag objects.

Required permissions: Program Management. You can manage the permissions of your API users through your program's settings. Insufficient permissions will result in a 403 Forbidden response.

Parameters

Name In Type Required Description
id path integer true The ID of the program.
page[number] query any false The page to retrieve from.
page[size] query any false The number of objects per page (currently limited from 1 to 100).

Mark Swag as Sent

Code samples

# You can also use wget
curl "https://api.hackerone.com/v1/programs/{program_id}/swag/{id}" \
  -X PUT \
  -u "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=" \
  -H 'Content-Type: application/json' \
  -H 'Accept: application/json' \
  -d @- <<EOD
{
  "data": {
    "type": "swag",
    "attributes": {
      "sent": true
    }
  }
}
EOD

import requests
headers = {
  'Content-Type': 'application/json',
  'Accept': 'application/json'
}

data = {
  "data": {
    "type": "swag",
    "attributes": {
      "sent": true
    }
  }
}

r = requests.put(
  'https://api.hackerone.com/v1/programs/{program_id}/swag/{id}',
  auth=('api_example_company', 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ='),
  json = data,
  headers = headers
)

print(r.json())

require 'rest-client'
require 'json'

headers = {
  'Content-Type' => 'application/json',
  'Accept' => 'application/json'
}

data = {
  "data": {
    "type": "swag",
    "attributes": {
      "sent": true
    }
  }
}

result = RestClient::Request.execute(
  method: :put,
  url: 'https://api.hackerone.com/v1/programs/{program_id}/swag/{id}',
  password: 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=',
  user: 'api_example_company',
  payload: data,
  headers: headers
)
p JSON.parse(result)

URL obj = new URL("https://api.hackerone.com/v1/programs/{program_id}/swag/{id}");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();

String userCredentials = "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);

con.setRequestMethod("PUT");
con.setRequestProperty("Content-Type", "application/json; utf-8");
con.setRequestProperty("Accept", "application/json");
con.setDoOutput(true);
String jsonInputString = "{\n  \"data\": {\n    \"type\": \"swag\",\n    \"attributes\": {\n      \"sent\": true\n    }\n  }\n}";
try(OutputStream os = con.getOutputStream()) {
    byte[] input = jsonInputString.getBytes("utf-8");
    os.write(input, 0, input.length);
}

try(BufferedReader br = new BufferedReader(
  new InputStreamReader(con.getInputStream(), "utf-8"))) {
    StringBuilder response = new StringBuilder();
    String responseLine = null;
    while ((responseLine = br.readLine()) != null) {
        response.append(responseLine.trim());
    }
    System.out.println(response.toString());
}

let inputBody = "{\n  \"data\": {\n    \"type\": \"swag\",\n    \"attributes\": {\n      \"sent\": true\n    }\n  }\n}";
let user = 'api_example_company';
let password = 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
  headers.set('Content-Type', 'application/json');  headers.set('Accept', 'application/json');

fetch('https://api.hackerone.com/v1/programs/{program_id}/swag/{id}',
{
  method: 'PUT',
  body: inputBody,
  headers: headers
})
.then(function(res) {
    return res.json();
}).then(function(body) {
    console.log(body);
});

package main

import (
       "bytes"
       "io/ioutil"
       "log"
       "net/http"
)

func main() { 
    headers := map[string][]string{
        "Content-Type": []string{"application/json"},
        "Accept": []string{"application/json"},

    }
    data := bytes.NewBuffer([]byte(`"{\n  \"data\": {\n    \"type\": \"swag\",\n    \"attributes\": {\n      \"sent\": true\n    }\n  }\n}"`))

    req, err := http.NewRequest("PUT", "https://api.hackerone.com/v1/programs/{program_id}/swag/{id}", data)
    req.Header = headers
    req.SetBasicAuth("api_example_company", "Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=")

    client := &http.Client{}
    resp, err := client.Do(req)
    if err != nil {
      panic(err)
    }
    defer resp.Body.Close()

    body, _ := ioutil.ReadAll(resp.Body)

    log.Println(string(body))
}

200 Response

{
  "data": {
    "id": "8",
    "type": "swag",
    "attributes": {
      "sent": true,
      "created_at": "2019-08-30T08:33:42.147Z"
    },
    "relationships": {
      "user": {
        "data": {
          "id": "1337",
          "type": "user",
          "attributes": {
            "username": "api-example",
            "name": "API Example",
            "disabled": false,
            "created_at": "2016-02-02T04:05:06.000Z",
            "profile_picture": {
              "62x62": "/assets/avatars/default.png",
              "82x82": "/assets/avatars/default.png",
              "110x110": "/assets/avatars/default.png",
              "260x260": "/assets/avatars/default.png"
            }
          }
        }
      },
      "address": {
        "data": {
          "id": "1337",
          "type": "address",
          "attributes": {
            "name": "Jane Doe",
            "street": "535 Mission Street",
            "city": "San Francisco",
            "postal_code": "94105",
            "state": "CA",
            "country": "United States of America",
            "created_at": "2016-02-02T04:05:06.000Z",
            "tshirt_size": "M_Large",
            "phone_number": "+1-510-000-0000"
          }
        }
      }
    }
  }
}

PUT /programs/{program_id}/swag/{id}

The status of swag can be updated to "sent" through this endpoint. When the request is successful, the API will respond with a swag object.

Required permissions: Program Management. You can manage the permissions of your API users through your program's settings. Insufficient permissions will result in a 403 Forbidden response.

Parameters

Name In Type Required Description
program_id path integer true The ID of the program.
id path integer true The ID of the swag.
data body object true The information to change the status of swag.
» type body string true The public message posted on the report (this is always required).
» attributes body object true none
»» sent body boolean true none

Enumerated Values

Parameter Value
» type swag
»» sent true

Get Thanks to Hackers

Code samples

# You can also use wget
curl "https://api.hackerone.com/v1/programs/{id}/thanks" \
  -X GET \
  -u "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=" \
  -H 'Accept: application/json'

import requests
headers = {
  'Accept': 'application/json'
}

r = requests.get(
  'https://api.hackerone.com/v1/programs/{id}/thanks',
  auth=('api_example_company', 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ='),
  headers = headers
)

print(r.json())

require 'rest-client'
require 'json'

headers = {
  'Accept' => 'application/json'
}

result = RestClient::Request.execute(
  method: :get,
  url: 'https://api.hackerone.com/v1/programs/{id}/thanks',
  password: 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=',
  user: 'api_example_company',
  headers: headers
)
p JSON.parse(result)

URL obj = new URL("https://api.hackerone.com/v1/programs/{id}/thanks");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();

String userCredentials = "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);

con.setRequestMethod("GET");
try(BufferedReader br = new BufferedReader(
  new InputStreamReader(con.getInputStream(), "utf-8"))) {
    StringBuilder response = new StringBuilder();
    String responseLine = null;
    while ((responseLine = br.readLine()) != null) {
        response.append(responseLine.trim());
    }
    System.out.println(response.toString());
}


let user = 'api_example_company';
let password = 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
  headers.set('Accept', 'application/json');

fetch('https://api.hackerone.com/v1/programs/{id}/thanks',
{
  method: 'GET',

  headers: headers
})
.then(function(res) {
    return res.json();
}).then(function(body) {
    console.log(body);
});

package main

import (
       "io/ioutil"
       "log"
       "net/http"
)

func main() { 
    headers := map[string][]string{
        "Accept": []string{"application/json"},

    }

    req, err := http.NewRequest("GET", "https://api.hackerone.com/v1/programs/{id}/thanks", nil)
    req.Header = headers
    req.SetBasicAuth("api_example_company", "Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=")

    client := &http.Client{}
    resp, err := client.Do(req)
    if err != nil {
      panic(err)
    }
    defer resp.Body.Close()

    body, _ := ioutil.ReadAll(resp.Body)

    log.Println(string(body))
}

200 Response

{
  "data": [
    {
      "type": "thanks-item",
      "attributes": {
        "total_report_count": 1,
        "reputation": 7,
        "recognized_report_count": 1,
        "username": "lorem",
        "user_id": "55"
      }
    },
    {
      "type": "thanks-item",
      "attributes": {
        "total_report_count": 1,
        "reputation": 22,
        "recognized_report_count": 1,
        "username": "ipsum",
        "user_id": "56"
      }
    },
    {
      "type": "thanks-item",
      "attributes": {
        "total_report_count": 5,
        "reputation": 38,
        "recognized_report_count": 3,
        "username": "adam",
        "user_id": "57"
      }
    }
  ],
  "links": {}
}

GET /programs/{id}/thanks

This endpoint enables you to view a program's thanks to hackers.

A program's thanks items can be fetched by sending a GET request to the thanks endpoint. When the request is successful, the API will respond with paginated thanks items objects.

Parameters

Name In Type Required Description
id path integer true The ID of the program.
page[number] query any false The page to retrieve from.
page[size] query any false The number of objects per page (currently limited from 1 to 100).

Get Weaknesses

Code samples

# You can also use wget
curl "https://api.hackerone.com/v1/programs/{id}/weaknesses" \
  -X GET \
  -u "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=" \
  -H 'Accept: application/json'

import requests
headers = {
  'Accept': 'application/json'
}

r = requests.get(
  'https://api.hackerone.com/v1/programs/{id}/weaknesses',
  auth=('api_example_company', 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ='),
  headers = headers
)

print(r.json())

require 'rest-client'
require 'json'

headers = {
  'Accept' => 'application/json'
}

result = RestClient::Request.execute(
  method: :get,
  url: 'https://api.hackerone.com/v1/programs/{id}/weaknesses',
  password: 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=',
  user: 'api_example_company',
  headers: headers
)
p JSON.parse(result)

URL obj = new URL("https://api.hackerone.com/v1/programs/{id}/weaknesses");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();

String userCredentials = "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);

con.setRequestMethod("GET");
try(BufferedReader br = new BufferedReader(
  new InputStreamReader(con.getInputStream(), "utf-8"))) {
    StringBuilder response = new StringBuilder();
    String responseLine = null;
    while ((responseLine = br.readLine()) != null) {
        response.append(responseLine.trim());
    }
    System.out.println(response.toString());
}


let user = 'api_example_company';
let password = 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
  headers.set('Accept', 'application/json');

fetch('https://api.hackerone.com/v1/programs/{id}/weaknesses',
{
  method: 'GET',

  headers: headers
})
.then(function(res) {
    return res.json();
}).then(function(body) {
    console.log(body);
});

package main

import (
       "io/ioutil"
       "log"
       "net/http"
)

func main() { 
    headers := map[string][]string{
        "Accept": []string{"application/json"},

    }

    req, err := http.NewRequest("GET", "https://api.hackerone.com/v1/programs/{id}/weaknesses", nil)
    req.Header = headers
    req.SetBasicAuth("api_example_company", "Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=")

    client := &http.Client{}
    resp, err := client.Do(req)
    if err != nil {
      panic(err)
    }
    defer resp.Body.Close()

    body, _ := ioutil.ReadAll(resp.Body)

    log.Println(string(body))
}

200 Response

{
  "data": [
    {
      "id": "1337",
      "type": "weakness",
      "attributes": {
        "name": "Cross-Site Request Forgery (CSRF)",
        "description": "The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.",
        "created_at": "2016-02-02T04:05:06.000Z",
        "external_id": "cwe-352"
      }
    },
    {
      "id": "1338",
      "type": "weakness",
      "attributes": {
        "name": "SQL Injection",
        "description": "The software constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component.",
        "created_at": "2016-03-02T04:05:06.000Z",
        "external_id": "cwe-89"
      }
    }
  ],
  "links": {}
}

GET /programs/{id}/weaknesses

The Weakness endpoint enables you to retrieve a list of all weaknesses of the program.

Weaknesses can be fetched by sending a GET request to the weaknesses endpoint. When the request is successful, the API will respond with paginated weakness objects.

Parameters

Name In Type Required Description
id path integer true The ID of the program.
page[number] query any false The page to retrieve from.
page[size] query any false The number of objects per page (currently limited from 1 to 100).

Get Program

Code samples

# You can also use wget
curl "https://api.hackerone.com/v1/programs/{id}" \
  -X GET \
  -u "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=" \
  -H 'Accept: application/json'

import requests
headers = {
  'Accept': 'application/json'
}

r = requests.get(
  'https://api.hackerone.com/v1/programs/{id}',
  auth=('api_example_company', 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ='),
  headers = headers
)

print(r.json())

require 'rest-client'
require 'json'

headers = {
  'Accept' => 'application/json'
}

result = RestClient::Request.execute(
  method: :get,
  url: 'https://api.hackerone.com/v1/programs/{id}',
  password: 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=',
  user: 'api_example_company',
  headers: headers
)
p JSON.parse(result)

URL obj = new URL("https://api.hackerone.com/v1/programs/{id}");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();

String userCredentials = "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);

con.setRequestMethod("GET");
try(BufferedReader br = new BufferedReader(
  new InputStreamReader(con.getInputStream(), "utf-8"))) {
    StringBuilder response = new StringBuilder();
    String responseLine = null;
    while ((responseLine = br.readLine()) != null) {
        response.append(responseLine.trim());
    }
    System.out.println(response.toString());
}


let user = 'api_example_company';
let password = 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
  headers.set('Accept', 'application/json');

fetch('https://api.hackerone.com/v1/programs/{id}',
{
  method: 'GET',

  headers: headers
})
.then(function(res) {
    return res.json();
}).then(function(body) {
    console.log(body);
});

package main

import (
       "io/ioutil"
       "log"
       "net/http"
)

func main() { 
    headers := map[string][]string{
        "Accept": []string{"application/json"},

    }

    req, err := http.NewRequest("GET", "https://api.hackerone.com/v1/programs/{id}", nil)
    req.Header = headers
    req.SetBasicAuth("api_example_company", "Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=")

    client := &http.Client{}
    resp, err := client.Do(req)
    if err != nil {
      panic(err)
    }
    defer resp.Body.Close()

    body, _ := ioutil.ReadAll(resp.Body)

    log.Println(string(body))
}

200 Response

{
  "data": {
    "id": "1337",
    "type": "program",
    "attributes": {
      "handle": "security",
      "created_at": "2016-02-02T04:05:06.000Z",
      "updated_at": "2016-02-02T04:05:06.000Z"
    },
    "relationships": {
      "groups": {
        "data": [
          {
            "id": "2557",
            "type": "group",
            "attributes": {
              "name": "Standard",
              "created_at": "2016-02-02T04:05:06.000Z",
              "permissions": [
                "report_management",
                "reward_management"
              ]
            }
          },
          {
            "id": "2558",
            "type": "group",
            "attributes": {
              "name": "Admin",
              "created_at": "2016-02-02T04:05:06.000Z",
              "permissions": [
                "user_management",
                "program_management"
              ]
            }
          }
        ]
      },
      "members": {
        "data": [
          {
            "id": "1339",
            "type": "member",
            "attributes": {
              "created_at": "2016-02-02T04:05:06.000Z",
              "permissions": [
                "program_management",
                "report_management",
                "reward_management",
                "user_management"
              ]
            },
            "relationships": {
              "user": {
                "data": {
                  "id": "1337",
                  "type": "user",
                  "attributes": {
                    "username": "api-example",
                    "name": "API Example",
                    "disabled": false,
                    "created_at": "2016-02-02T04:05:06.000Z",
                    "profile_picture": {
                      "62x62": "/assets/avatars/default.png",
                      "82x82": "/assets/avatars/default.png",
                      "110x110": "/assets/avatars/default.png",
                      "260x260": "/assets/avatars/default.png"
                    }
                  }
                }
              }
            }
          }
        ]
      }
    }
  }
}

GET /programs/{id}

A program object can be fetched by sending a GET request to a unique program object. When the request is successful, the API will respond with a program object.

The following program relationships are included: groups, members, custom field attributes and policy attachments.

Parameters

Name In Type Required Description
id path integer true The ID of the program. Find the program ID by fetching your programs

Reports

Create Comment

Code samples

# You can also use wget
curl "https://api.hackerone.com/v1/reports/{id}/activities" \
  -X POST \
  -u "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=" \
  -H 'Content-Type: application/json' \
  -H 'Accept: application/json' \
  -d @- <<EOD
{
  "data": {
    "type": "activity-comment",
    "attributes": {
      "message": "string",
      "internal": true
    }
  }
}
EOD

import requests
headers = {
  'Content-Type': 'application/json',
  'Accept': 'application/json'
}

data = {
  "data": {
    "type": "activity-comment",
    "attributes": {
      "message": "string",
      "internal": true
    }
  }
}

r = requests.post(
  'https://api.hackerone.com/v1/reports/{id}/activities',
  auth=('api_example_company', 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ='),
  json = data,
  headers = headers
)

print(r.json())

require 'rest-client'
require 'json'

headers = {
  'Content-Type' => 'application/json',
  'Accept' => 'application/json'
}

data = {
  "data": {
    "type": "activity-comment",
    "attributes": {
      "message": "string",
      "internal": true
    }
  }
}

result = RestClient::Request.execute(
  method: :post,
  url: 'https://api.hackerone.com/v1/reports/{id}/activities',
  password: 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=',
  user: 'api_example_company',
  payload: data,
  headers: headers
)
p JSON.parse(result)

URL obj = new URL("https://api.hackerone.com/v1/reports/{id}/activities");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();

String userCredentials = "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);

con.setRequestMethod("POST");
con.setRequestProperty("Content-Type", "application/json; utf-8");
con.setRequestProperty("Accept", "application/json");
con.setDoOutput(true);
String jsonInputString = "{\n  \"data\": {\n    \"type\": \"activity-comment\",\n    \"attributes\": {\n      \"message\": \"string\",\n      \"internal\": true\n    }\n  }\n}";
try(OutputStream os = con.getOutputStream()) {
    byte[] input = jsonInputString.getBytes("utf-8");
    os.write(input, 0, input.length);
}

try(BufferedReader br = new BufferedReader(
  new InputStreamReader(con.getInputStream(), "utf-8"))) {
    StringBuilder response = new StringBuilder();
    String responseLine = null;
    while ((responseLine = br.readLine()) != null) {
        response.append(responseLine.trim());
    }
    System.out.println(response.toString());
}

let inputBody = "{\n  \"data\": {\n    \"type\": \"activity-comment\",\n    \"attributes\": {\n      \"message\": \"string\",\n      \"internal\": true\n    }\n  }\n}";
let user = 'api_example_company';
let password = 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
  headers.set('Content-Type', 'application/json');  headers.set('Accept', 'application/json');

fetch('https://api.hackerone.com/v1/reports/{id}/activities',
{
  method: 'POST',
  body: inputBody,
  headers: headers
})
.then(function(res) {
    return res.json();
}).then(function(body) {
    console.log(body);
});

package main

import (
       "bytes"
       "io/ioutil"
       "log"
       "net/http"
)

func main() { 
    headers := map[string][]string{
        "Content-Type": []string{"application/json"},
        "Accept": []string{"application/json"},

    }
    data := bytes.NewBuffer([]byte(`"{\n  \"data\": {\n    \"type\": \"activity-comment\",\n    \"attributes\": {\n      \"message\": \"string\",\n      \"internal\": true\n    }\n  }\n}"`))

    req, err := http.NewRequest("POST", "https://api.hackerone.com/v1/reports/{id}/activities", data)
    req.Header = headers
    req.SetBasicAuth("api_example_company", "Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=")

    client := &http.Client{}
    resp, err := client.Do(req)
    if err != nil {
      panic(err)
    }
    defer resp.Body.Close()

    body, _ := ioutil.ReadAll(resp.Body)

    log.Println(string(body))
}

201 Response

{
  "data": {
    "id": "1337",
    "type": "activity-comment",
    "attributes": {
      "message": "A fix has been deployed. Can you retest, please?",
      "created_at": "2016-02-02T04:05:06.000Z",
      "updated_at": "2016-02-02T04:05:06.000Z",
      "internal": false
    },
    "relationships": {
      "actor": {
        "data": {
          "id": "1337",
          "type": "user",
          "attributes": {
            "username": "api-example",
            "name": "API Example",
            "disabled": false,
            "created_at": "2016-02-02T04:05:06.000Z",
            "profile_picture": {
              "62x62": "/assets/avatars/default.png",
              "82x82": "/assets/avatars/default.png",
              "110x110": "/assets/avatars/default.png",
              "260x260": "/assets/avatars/default.png"
            }
          }
        }
      }
    }
  }
}

POST /reports/{id}/activities

Both public and internal comments can be posted with this endpoint. Comments require a message before they will be posted. If a public comment is posted, any user that is subscribed to the report will receive a notification of the created comment. For internal comments, only people that are managing the program who are subscribed to the report will receive a notification.

Required permissions: Report Management. Enables you to post public comments. Posting internal comments do not require any additional permissions. You can manage the permissions of your API users through your program's settings. Insufficient permissions will result in a 403 Forbidden response.

Parameters

Name In Type Required Description
id path integer true The ID of the report.
data body object true The information to create a comment object for the report.
» type body string true Type of activity.
» attributes body object true none
»» message body string true The message that will be posted.
»» internal body boolean true A boolean that indicates whether the comment should

Detailed descriptions

»» internal: A boolean that indicates whether the comment should be internal or public. Internal comments are only viewable by the users that manage the program. Public comments are viewable by everyone, including the person that submitted the report.

Enumerated Values

Parameter Value
» type activity-comment

Update Assignee

Code samples

# You can also use wget
curl "https://api.hackerone.com/v1/reports/{id}/assignee" \
  -X PUT \
  -u "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=" \
  -H 'Content-Type: application/json' \
  -H 'Accept: application/json' \
  -d @- <<EOD
{
  "data": {
    "id": 0,
    "type": "user",
    "attributes": {
      "message": "string"
    }
  }
}
EOD

import requests
headers = {
  'Content-Type': 'application/json',
  'Accept': 'application/json'
}

data = {
  "data": {
    "id": 0,
    "type": "user",
    "attributes": {
      "message": "string"
    }
  }
}

r = requests.put(
  'https://api.hackerone.com/v1/reports/{id}/assignee',
  auth=('api_example_company', 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ='),
  json = data,
  headers = headers
)

print(r.json())

require 'rest-client'
require 'json'

headers = {
  'Content-Type' => 'application/json',
  'Accept' => 'application/json'
}

data = {
  "data": {
    "id": 0,
    "type": "user",
    "attributes": {
      "message": "string"
    }
  }
}

result = RestClient::Request.execute(
  method: :put,
  url: 'https://api.hackerone.com/v1/reports/{id}/assignee',
  password: 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=',
  user: 'api_example_company',
  payload: data,
  headers: headers
)
p JSON.parse(result)

URL obj = new URL("https://api.hackerone.com/v1/reports/{id}/assignee");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();

String userCredentials = "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);

con.setRequestMethod("PUT");
con.setRequestProperty("Content-Type", "application/json; utf-8");
con.setRequestProperty("Accept", "application/json");
con.setDoOutput(true);
String jsonInputString = "{\n  \"data\": {\n    \"id\": 0,\n    \"type\": \"user\",\n    \"attributes\": {\n      \"message\": \"string\"\n    }\n  }\n}";
try(OutputStream os = con.getOutputStream()) {
    byte[] input = jsonInputString.getBytes("utf-8");
    os.write(input, 0, input.length);
}

try(BufferedReader br = new BufferedReader(
  new InputStreamReader(con.getInputStream(), "utf-8"))) {
    StringBuilder response = new StringBuilder();
    String responseLine = null;
    while ((responseLine = br.readLine()) != null) {
        response.append(responseLine.trim());
    }
    System.out.println(response.toString());
}

let inputBody = "{\n  \"data\": {\n    \"id\": 0,\n    \"type\": \"user\",\n    \"attributes\": {\n      \"message\": \"string\"\n    }\n  }\n}";
let user = 'api_example_company';
let password = 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
  headers.set('Content-Type', 'application/json');  headers.set('Accept', 'application/json');

fetch('https://api.hackerone.com/v1/reports/{id}/assignee',
{
  method: 'PUT',
  body: inputBody,
  headers: headers
})
.then(function(res) {
    return res.json();
}).then(function(body) {
    console.log(body);
});

package main

import (
       "bytes"
       "io/ioutil"
       "log"
       "net/http"
)

func main() { 
    headers := map[string][]string{
        "Content-Type": []string{"application/json"},
        "Accept": []string{"application/json"},

    }
    data := bytes.NewBuffer([]byte(`"{\n  \"data\": {\n    \"id\": 0,\n    \"type\": \"user\",\n    \"attributes\": {\n      \"message\": \"string\"\n    }\n  }\n}"`))

    req, err := http.NewRequest("PUT", "https://api.hackerone.com/v1/reports/{id}/assignee", data)
    req.Header = headers
    req.SetBasicAuth("api_example_company", "Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=")

    client := &http.Client{}
    resp, err := client.Do(req)
    if err != nil {
      panic(err)
    }
    defer resp.Body.Close()

    body, _ := ioutil.ReadAll(resp.Body)

    log.Println(string(body))
}

200 Response

{
  "id": "1337",
  "type": "report",
  "attributes": {
    "title": "XSS in login form",
    "state": "new",
    "created_at": "2016-02-02T04:05:06.000Z",
    "vulnerability_information": "...",
    "triaged_at": null,
    "closed_at": null,
    "last_reporter_activity_at": null,
    "first_program_activity_at": null,
    "last_program_activity_at": null,
    "bounty_awarded_at": null,
    "swag_awarded_at": null,
    "disclosed_at": null,
    "last_activity_at": null,
    "issue_tracker_reference_url": "https://example.com/reference",
    "cve_ids": []
  },
  "relationships": {
    "reporter": {
      "data": {
        "id": "1337",
        "type": "user",
        "attributes": {
          "username": "api-example",
          "name": "API Example",
          "disabled": false,
          "created_at": "2016-02-02T04:05:06.000Z",
          "profile_picture": {
            "62x62": "/assets/avatars/default.png",
            "82x82": "/assets/avatars/default.png",
            "110x110": "/assets/avatars/default.png",
            "260x260": "/assets/avatars/default.png"
          },
          "reputation": 7,
          "signal": 7,
          "impact": 30
        }
      }
    },
    "assignee": {
      "data": {
        "id": "1337",
        "type": "user",
        "attributes": {
          "username": "member",
          "name": "Member",
          "disabled": false,
          "created_at": "2016-02-02T04:05:06.000Z",
          "profile_picture": {
            "62x62": "/assets/avatars/default.png",
            "82x82": "/assets/avatars/default.png",
            "110x110": "/assets/avatars/default.png",
            "260x260": "/assets/avatars/default.png"
          }
        }
      }
    },
    "program": {
      "data": {
        "id": "1337",
        "type": "program",
        "attributes": {
          "handle": "security",
          "created_at": "2016-02-02T04:05:06.000Z",
          "updated_at": "2016-02-02T04:05:06.000Z"
        }
      }
    },
    "swag": {
      "data": []
    },
    "attachments": {
      "data": []
    },
    "weakness": {
      "data": {
        "id": "1337",
        "type": "weakness",
        "attributes": {
          "name": "Cross-Site Request Forgery (CSRF)",
          "description": "The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.",
          "external_id": "cwe-352",
          "created_at": "2016-02-02T04:05:06.000Z"
        }
      }
    },
    "activities": {
      "data": [
        {
          "id": "1337",
          "type": "activity-user-assigned-to-bug",
          "attributes": {
            "message": "@member Please check this out!",
            "created_at": "2016-02-02T04:05:06.000Z",
            "updated_at": "2016-02-02T04:05:06.000Z",
            "internal": true
          },
          "relationships": {
            "actor": {
              "data": {
                "id": "1338",
                "type": "user",
                "attributes": {
                  "username": "api_example_company",
                  "name": null,
                  "disabled": false,
                  "created_at": "2016-02-02T04:05:06.000Z",
                  "profile_picture": {
                    "62x62": "/assets/avatars/default.png",
                    "82x82": "/assets/avatars/default.png",
                    "110x110": "/assets/avatars/default.png",
                    "260x260": "/assets/avatars/default.png"
                  }
                }
              }
            },
            "assigned_user": {
              "data": {
                "id": "1337",
                "type": "user",
                "attributes": {
                  "username": "member",
                  "name": "Member",
                  "disabled": false,
                  "created_at": "2016-02-02T04:05:06.000Z",
                  "profile_picture": {
                    "62x62": "/assets/avatars/default.png",
                    "82x82": "/assets/avatars/default.png",
                    "110x110": "/assets/avatars/default.png",
                    "260x260": "/assets/avatars/default.png"
                  }
                }
              }
            }
          }
        }
      ]
    },
    "bounties": {
      "data": []
    },
    "summaries": {
      "data": []
    }
  }
}

PUT /reports/{id}/assignee

A user or group can be assigned to a report with this endpoint. An optional message can be specified, which will be posted as an internal comment to the report subscribers. Only users and groups that are part of the program can be assigned. It is not possible to assign API users to a report.

When assigning a single user to a report, that user will automatically be subscribed to the report. In case a group is assigned to a report, all users that are part of that group are subscribed to the report. Subscribers will receive a notification that the report was assigned.

In case the request was successful, the API will respond with the updated report object.

Required permissions: Report Management. You can manage the permissions of your API users through your program's settings. Insufficient permissions will result in a 403 Forbidden response.

Parameters

Name In Type Required Description
id path integer true The ID of the report.
data body object true Contains the information to assign a user or group object to the report, or to clear the assignee of a report.
» id body integer false The ID of the user or group. This is required unless the type is 'nobody'
» type body string true Specifies whether a user or group should be assigned, or if the assignee should be cleared.
» attributes body object false none
»» message body string false The message that will be posted to the assigned user or group.

Enumerated Values

Parameter Value
» type user
» type group
» type nobody

Award Bounty

Code samples

# You can also use wget
curl "https://api.hackerone.com/v1/reports/{id}/bounties" \
  -X POST \
  -u "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=" \
  -H 'Content-Type: application/json' \
  -H 'Accept: application/json' \
  -d @- <<EOD
{
  "data": {
    "message": "string",
    "amount": 0,
    "bonus_amount": 0
  }
}
EOD

import requests
headers = {
  'Content-Type': 'application/json',
  'Accept': 'application/json'
}

data = {
  "data": {
    "message": "string",
    "amount": 0,
    "bonus_amount": 0
  }
}

r = requests.post(
  'https://api.hackerone.com/v1/reports/{id}/bounties',
  auth=('api_example_company', 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ='),
  json = data,
  headers = headers
)

print(r.json())

require 'rest-client'
require 'json'

headers = {
  'Content-Type' => 'application/json',
  'Accept' => 'application/json'
}

data = {
  "data": {
    "message": "string",
    "amount": 0,
    "bonus_amount": 0
  }
}

result = RestClient::Request.execute(
  method: :post,
  url: 'https://api.hackerone.com/v1/reports/{id}/bounties',
  password: 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=',
  user: 'api_example_company',
  payload: data,
  headers: headers
)
p JSON.parse(result)

URL obj = new URL("https://api.hackerone.com/v1/reports/{id}/bounties");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();

String userCredentials = "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);

con.setRequestMethod("POST");
con.setRequestProperty("Content-Type", "application/json; utf-8");
con.setRequestProperty("Accept", "application/json");
con.setDoOutput(true);
String jsonInputString = "{\n  \"data\": {\n    \"message\": \"string\",\n    \"amount\": 0,\n    \"bonus_amount\": 0\n  }\n}";
try(OutputStream os = con.getOutputStream()) {
    byte[] input = jsonInputString.getBytes("utf-8");
    os.write(input, 0, input.length);
}

try(BufferedReader br = new BufferedReader(
  new InputStreamReader(con.getInputStream(), "utf-8"))) {
    StringBuilder response = new StringBuilder();
    String responseLine = null;
    while ((responseLine = br.readLine()) != null) {
        response.append(responseLine.trim());
    }
    System.out.println(response.toString());
}

let inputBody = "{\n  \"data\": {\n    \"message\": \"string\",\n    \"amount\": 0,\n    \"bonus_amount\": 0\n  }\n}";
let user = 'api_example_company';
let password = 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
  headers.set('Content-Type', 'application/json');  headers.set('Accept', 'application/json');

fetch('https://api.hackerone.com/v1/reports/{id}/bounties',
{
  method: 'POST',
  body: inputBody,
  headers: headers
})
.then(function(res) {
    return res.json();
}).then(function(body) {
    console.log(body);
});

package main

import (
       "bytes"
       "io/ioutil"
       "log"
       "net/http"
)

func main() { 
    headers := map[string][]string{
        "Content-Type": []string{"application/json"},
        "Accept": []string{"application/json"},

    }
    data := bytes.NewBuffer([]byte(`"{\n  \"data\": {\n    \"message\": \"string\",\n    \"amount\": 0,\n    \"bonus_amount\": 0\n  }\n}"`))

    req, err := http.NewRequest("POST", "https://api.hackerone.com/v1/reports/{id}/bounties", data)
    req.Header = headers
    req.SetBasicAuth("api_example_company", "Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=")

    client := &http.Client{}
    resp, err := client.Do(req)
    if err != nil {
      panic(err)
    }
    defer resp.Body.Close()

    body, _ := ioutil.ReadAll(resp.Body)

    log.Println(string(body))
}

201 Response

{
  "id": "1337",
  "type": "bounty",
  "attributes": {
    "amount": "500.00",
    "bonus_amount": "50.00",
    "created_at": "2016-02-02T04:05:06.000Z"
  }
}

POST /reports/{id}/bounties

You can use this endpoint to award bounties to the reporter of the provided report.

Required permissions: Reward Management. You can manage the permissions of your API users through your program's settings. Insufficient permissions will result in a 404 Not Found response.

In addition, your program needs to be able to award bounties and the report needs to be eligible for bounties. If either case is false, the call will result in a 403 Forbidden response.

Parameters

Name In Type Required Description
id path integer true The ID of the report.
data body object true The information required to create a bounty.
» message body string true The public message posted on the report. This is always required.
» amount body number false The bounty award to award to the reporter. Only amount or bonus amount is required. It must be a positive number and, when provided, must be equal to or greater than your minimum bounty.
» bonus_amount body number false The bonus amount to award to the reporter. Only amount or bonus amount is required. It must be a positive number.

Mark as Ineligible for Bounty

Code samples

# You can also use wget
curl "https://api.hackerone.com/v1/reports/{id}/ineligible_for_bounty" \
  -X PUT \
  -u "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=" \
  -H 'Content-Type: application/json' \
  -H 'Accept: application/json' \
  -d @- <<EOD
{
  "data": {
    "type": "report-ineligible-for-bounty"
  }
}
EOD

import requests
headers = {
  'Content-Type': 'application/json',
  'Accept': 'application/json'
}

data = {
  "data": {
    "type": "report-ineligible-for-bounty"
  }
}

r = requests.put(
  'https://api.hackerone.com/v1/reports/{id}/ineligible_for_bounty',
  auth=('api_example_company', 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ='),
  json = data,
  headers = headers
)

print(r.json())

require 'rest-client'
require 'json'

headers = {
  'Content-Type' => 'application/json',
  'Accept' => 'application/json'
}

data = {
  "data": {
    "type": "report-ineligible-for-bounty"
  }
}

result = RestClient::Request.execute(
  method: :put,
  url: 'https://api.hackerone.com/v1/reports/{id}/ineligible_for_bounty',
  password: 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=',
  user: 'api_example_company',
  payload: data,
  headers: headers
)
p JSON.parse(result)

URL obj = new URL("https://api.hackerone.com/v1/reports/{id}/ineligible_for_bounty");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();

String userCredentials = "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);

con.setRequestMethod("PUT");
con.setRequestProperty("Content-Type", "application/json; utf-8");
con.setRequestProperty("Accept", "application/json");
con.setDoOutput(true);
String jsonInputString = "{\n  \"data\": {\n    \"type\": \"report-ineligible-for-bounty\"\n  }\n}";
try(OutputStream os = con.getOutputStream()) {
    byte[] input = jsonInputString.getBytes("utf-8");
    os.write(input, 0, input.length);
}

try(BufferedReader br = new BufferedReader(
  new InputStreamReader(con.getInputStream(), "utf-8"))) {
    StringBuilder response = new StringBuilder();
    String responseLine = null;
    while ((responseLine = br.readLine()) != null) {
        response.append(responseLine.trim());
    }
    System.out.println(response.toString());
}

let inputBody = "{\n  \"data\": {\n    \"type\": \"report-ineligible-for-bounty\"\n  }\n}";
let user = 'api_example_company';
let password = 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
  headers.set('Content-Type', 'application/json');  headers.set('Accept', 'application/json');

fetch('https://api.hackerone.com/v1/reports/{id}/ineligible_for_bounty',
{
  method: 'PUT',
  body: inputBody,
  headers: headers
})
.then(function(res) {
    return res.json();
}).then(function(body) {
    console.log(body);
});

package main

import (
       "bytes"
       "io/ioutil"
       "log"
       "net/http"
)

func main() { 
    headers := map[string][]string{
        "Content-Type": []string{"application/json"},
        "Accept": []string{"application/json"},

    }
    data := bytes.NewBuffer([]byte(`"{\n  \"data\": {\n    \"type\": \"report-ineligible-for-bounty\"\n  }\n}"`))

    req, err := http.NewRequest("PUT", "https://api.hackerone.com/v1/reports/{id}/ineligible_for_bounty", data)
    req.Header = headers
    req.SetBasicAuth("api_example_company", "Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=")

    client := &http.Client{}
    resp, err := client.Do(req)
    if err != nil {
      panic(err)
    }
    defer resp.Body.Close()

    body, _ := ioutil.ReadAll(resp.Body)

    log.Println(string(body))
}

200 Response

{
  "id": "1337",
  "type": "report",
  "attributes": {
    "title": "XSS in login form",
    "state": "new",
    "created_at": "2016-02-02T04:05:06.000Z",
    "vulnerability_information": "...",
    "triaged_at": null,
    "closed_at": null,
    "last_reporter_activity_at": null,
    "first_program_activity_at": null,
    "last_program_activity_at": null,
    "bounty_awarded_at": null,
    "swag_awarded_at": null,
    "disclosed_at": null,
    "last_public_activity_at": null,
    "last_activity_at": null,
    "issue_tracker_reference_url": "https://example.com/reference",
    "cve_ids": [],
    "source": null,
    "reporter_agreed_on_going_public_at": null
  },
  "relationships": {
    "reporter": {
      "data": {
        "id": "1337",
        "type": "user",
        "attributes": {
          "username": "api-example",
          "name": "API Example",
          "disabled": false,
          "created_at": "2016-02-02T04:05:06.000Z",
          "profile_picture": {
            "62x62": "/assets/avatars/default.png",
            "82x82": "/assets/avatars/default.png",
            "110x110": "/assets/avatars/default.png",
            "260x260": "/assets/avatars/default.png"
          },
          "reputation": 7,
          "signal": 7,
          "impact": 30
        }
      }
    },
    "program": {
      "data": {
        "id": "1337",
        "type": "program",
        "attributes": {
          "handle": "security",
          "created_at": "2016-02-02T04:05:06.000Z",
          "updated_at": "2016-02-02T04:05:06.000Z"
        }
      }
    },
    "swag": {
      "data": []
    },
    "attachments": {
      "data": []
    },
    "weakness": {
      "data": {
        "id": "1337",
        "type": "weakness",
        "attributes": {
          "name": "Cross-Site Request Forgery (CSRF)",
          "description": "The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.",
          "external_id": "cwe-352",
          "created_at": "2016-02-02T04:05:06.000Z"
        }
      }
    },
    "structured_scope": {
      "data": {
        "id": "287",
        "type": "structured-scope",
        "attributes": {
          "asset_type": "URL",
          "asset_identifier": "www.hackerone.com",
          "eligible_for_bounty": true,
          "eligible_for_submission": true,
          "instruction": "This asset does not contain any highly confidential information.",
          "max_severity": "critical",
          "created_at": "2016-02-02T04:05:06.000Z",
          "updated_at": "2016-02-02T04:05:06.000Z",
          "reference": "T12345",
          "confidentiality_requirement": "medium",
          "integrity_requirement": "high",
          "availability_requirement": "medium"
        }
      }
    },
    "activities": {
      "data": []
    },
    "bounties": {
      "data": []
    },
    "summaries": {
      "data": []
    }
  }
}

PUT /reports/{id}/ineligible_for_bounty

Marking a report as ineligible for bounty through the HackerOne API can be useful to programmatically batch update received reports in HackerOne.

Marking a report as ineligible for bounty can be done through this endpoint. This API endpoint cannot be used for reports that have been reported outside of the HackerOne platform.

Required permissions: Report Management. You can manage the permissions of your API users through your program's settings. Insufficient permissions will result in a 403 Forbidden response.

Parameters

Name In Type Required Description
id path integer true The ID of the report.
data body object true The information to mark a report as ineligible for bounty.
» type body string true none

Enumerated Values

Parameter Value
» type report-ineligible-for-bounty

List bounty suggestions

Code samples

# You can also use wget
curl "https://api.hackerone.com/v1/reports/{id}/bounty_suggestions" \
  -X GET \
  -u "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=" \
  -H 'Accept: application/json'

import requests
headers = {
  'Accept': 'application/json'
}

r = requests.get(
  'https://api.hackerone.com/v1/reports/{id}/bounty_suggestions',
  auth=('api_example_company', 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ='),
  headers = headers
)

print(r.json())

require 'rest-client'
require 'json'

headers = {
  'Accept' => 'application/json'
}

result = RestClient::Request.execute(
  method: :get,
  url: 'https://api.hackerone.com/v1/reports/{id}/bounty_suggestions',
  password: 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=',
  user: 'api_example_company',
  headers: headers
)
p JSON.parse(result)

URL obj = new URL("https://api.hackerone.com/v1/reports/{id}/bounty_suggestions");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();

String userCredentials = "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);

con.setRequestMethod("GET");
try(BufferedReader br = new BufferedReader(
  new InputStreamReader(con.getInputStream(), "utf-8"))) {
    StringBuilder response = new StringBuilder();
    String responseLine = null;
    while ((responseLine = br.readLine()) != null) {
        response.append(responseLine.trim());
    }
    System.out.println(response.toString());
}


let user = 'api_example_company';
let password = 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
  headers.set('Accept', 'application/json');

fetch('https://api.hackerone.com/v1/reports/{id}/bounty_suggestions',
{
  method: 'GET',

  headers: headers
})
.then(function(res) {
    return res.json();
}).then(function(body) {
    console.log(body);
});

package main

import (
       "io/ioutil"
       "log"
       "net/http"
)

func main() { 
    headers := map[string][]string{
        "Accept": []string{"application/json"},

    }

    req, err := http.NewRequest("GET", "https://api.hackerone.com/v1/reports/{id}/bounty_suggestions", nil)
    req.Header = headers
    req.SetBasicAuth("api_example_company", "Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=")

    client := &http.Client{}
    resp, err := client.Do(req)
    if err != nil {
      panic(err)
    }
    defer resp.Body.Close()

    body, _ := ioutil.ReadAll(resp.Body)

    log.Println(string(body))
}

200 Response

{
  "id": "1337",
  "type": "bounty",
  "attributes": {
    "amount": "500.00",
    "bonus_amount": "50.00",
    "created_at": "2016-02-02T04:05:06.000Z"
  }
}

GET /reports/{id}/bounty_suggestions

This API endpoint allows a user to retrieve a list of bounty suggestions for a report.

Parameters

Name In Type Required Description
id path integer true The ID of the report.

Create bounty suggestion

Code samples

# You can also use wget
curl "https://api.hackerone.com/v1/reports/{id}/bounty_suggestions" \
  -X POST \
  -u "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=" \
  -H 'Content-Type: application/json' \
  -H 'Accept: application/json' \
  -d @- <<EOD
{
  "data": {
    "message": "string",
    "amount": 0,
    "bonus_amount": 0
  }
}
EOD

import requests
headers = {
  'Content-Type': 'application/json',
  'Accept': 'application/json'
}

data = {
  "data": {
    "message": "string",
    "amount": 0,
    "bonus_amount": 0
  }
}

r = requests.post(
  'https://api.hackerone.com/v1/reports/{id}/bounty_suggestions',
  auth=('api_example_company', 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ='),
  json = data,
  headers = headers
)

print(r.json())

require 'rest-client'
require 'json'

headers = {
  'Content-Type' => 'application/json',
  'Accept' => 'application/json'
}

data = {
  "data": {
    "message": "string",
    "amount": 0,
    "bonus_amount": 0
  }
}

result = RestClient::Request.execute(
  method: :post,
  url: 'https://api.hackerone.com/v1/reports/{id}/bounty_suggestions',
  password: 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=',
  user: 'api_example_company',
  payload: data,
  headers: headers
)
p JSON.parse(result)

URL obj = new URL("https://api.hackerone.com/v1/reports/{id}/bounty_suggestions");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();

String userCredentials = "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);

con.setRequestMethod("POST");
con.setRequestProperty("Content-Type", "application/json; utf-8");
con.setRequestProperty("Accept", "application/json");
con.setDoOutput(true);
String jsonInputString = "{\n  \"data\": {\n    \"message\": \"string\",\n    \"amount\": 0,\n    \"bonus_amount\": 0\n  }\n}";
try(OutputStream os = con.getOutputStream()) {
    byte[] input = jsonInputString.getBytes("utf-8");
    os.write(input, 0, input.length);
}

try(BufferedReader br = new BufferedReader(
  new InputStreamReader(con.getInputStream(), "utf-8"))) {
    StringBuilder response = new StringBuilder();
    String responseLine = null;
    while ((responseLine = br.readLine()) != null) {
        response.append(responseLine.trim());
    }
    System.out.println(response.toString());
}

let inputBody = "{\n  \"data\": {\n    \"message\": \"string\",\n    \"amount\": 0,\n    \"bonus_amount\": 0\n  }\n}";
let user = 'api_example_company';
let password = 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
  headers.set('Content-Type', 'application/json');  headers.set('Accept', 'application/json');

fetch('https://api.hackerone.com/v1/reports/{id}/bounty_suggestions',
{
  method: 'POST',
  body: inputBody,
  headers: headers
})
.then(function(res) {
    return res.json();
}).then(function(body) {
    console.log(body);
});

package main

import (
       "bytes"
       "io/ioutil"
       "log"
       "net/http"
)

func main() { 
    headers := map[string][]string{
        "Content-Type": []string{"application/json"},
        "Accept": []string{"application/json"},

    }
    data := bytes.NewBuffer([]byte(`"{\n  \"data\": {\n    \"message\": \"string\",\n    \"amount\": 0,\n    \"bonus_amount\": 0\n  }\n}"`))

    req, err := http.NewRequest("POST", "https://api.hackerone.com/v1/reports/{id}/bounty_suggestions", data)
    req.Header = headers
    req.SetBasicAuth("api_example_company", "Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=")

    client := &http.Client{}
    resp, err := client.Do(req)
    if err != nil {
      panic(err)
    }
    defer resp.Body.Close()

    body, _ := ioutil.ReadAll(resp.Body)

    log.Println(string(body))
}

201 Response

{
  "id": "1337",
  "type": "activity-bounty-suggested",
  "attributes": {
    "message": "Bounty Suggested!",
    "created_at": "2016-02-02T04:05:06.000Z",
    "updated_at": "2016-02-02T04:05:06.000Z",
    "internal": true,
    "bounty_amount": "500",
    "bonus_amount": "50"
  },
  "relationships": {
    "actor": {
      "data": {
        "id": "1337",
        "type": "user",
        "attributes": {
          "username": "api-example",
          "name": "API Example",
          "disabled": false,
          "created_at": "2016-02-02T04:05:06.000Z",
          "profile_picture": {
            "62x62": "/assets/avatars/default.png",
            "82x82": "/assets/avatars/default.png",
            "110x110": "/assets/avatars/default.png",
            "260x260": "/assets/avatars/default.png"
          }
        }
      }
    }
  }
}

POST /reports/{id}/bounty_suggestions

You can use this endpoint to suggest bounties to the provided report.

Required permissions: Reward Management or Report Management. You can manage the permissions of your API users through your program's settings. Insufficient permissions will result in a 404 Not Found response.

Parameters

Name In Type Required Description
id path integer true The ID of the report.
data body object true none
» message body string true (Always required) The internal message posted on the report. Only viewable by team members.
» amount body integer false The suggested bounty award to award the reporter. Only amount or bonus amount is required. It must be a positive number, and, when provided, must be equal to or greater than your minimum amount.
» bonus_amount body integer false The suggested bonus amount to award to the reporter. Only amount or bonus amount is required. It must be a positive number.

Close Comments

Code samples

# You can also use wget
curl "https://api.hackerone.com/v1/reports/{id}/close_comments" \
  -X PUT \
  -u "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=" \
  -H 'Content-Type: application/json' \
  -H 'Accept: application/json' \
  -d @- <<EOD
{
  "data": {
    "type": "activity-comments-closed"
  }
}
EOD

import requests
headers = {
  'Content-Type': 'application/json',
  'Accept': 'application/json'
}

data = {
  "data": {
    "type": "activity-comments-closed"
  }
}

r = requests.put(
  'https://api.hackerone.com/v1/reports/{id}/close_comments',
  auth=('api_example_company', 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ='),
  json = data,
  headers = headers
)

print(r.json())

require 'rest-client'
require 'json'

headers = {
  'Content-Type' => 'application/json',
  'Accept' => 'application/json'
}

data = {
  "data": {
    "type": "activity-comments-closed"
  }
}

result = RestClient::Request.execute(
  method: :put,
  url: 'https://api.hackerone.com/v1/reports/{id}/close_comments',
  password: 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=',
  user: 'api_example_company',
  payload: data,
  headers: headers
)
p JSON.parse(result)

URL obj = new URL("https://api.hackerone.com/v1/reports/{id}/close_comments");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();

String userCredentials = "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);

con.setRequestMethod("PUT");
con.setRequestProperty("Content-Type", "application/json; utf-8");
con.setRequestProperty("Accept", "application/json");
con.setDoOutput(true);
String jsonInputString = "{\n  \"data\": {\n    \"type\": \"activity-comments-closed\"\n  }\n}";
try(OutputStream os = con.getOutputStream()) {
    byte[] input = jsonInputString.getBytes("utf-8");
    os.write(input, 0, input.length);
}

try(BufferedReader br = new BufferedReader(
  new InputStreamReader(con.getInputStream(), "utf-8"))) {
    StringBuilder response = new StringBuilder();
    String responseLine = null;
    while ((responseLine = br.readLine()) != null) {
        response.append(responseLine.trim());
    }
    System.out.println(response.toString());
}

let inputBody = "{\n  \"data\": {\n    \"type\": \"activity-comments-closed\"\n  }\n}";
let user = 'api_example_company';
let password = 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
  headers.set('Content-Type', 'application/json');  headers.set('Accept', 'application/json');

fetch('https://api.hackerone.com/v1/reports/{id}/close_comments',
{
  method: 'PUT',
  body: inputBody,
  headers: headers
})
.then(function(res) {
    return res.json();
}).then(function(body) {
    console.log(body);
});

package main

import (
       "bytes"
       "io/ioutil"
       "log"
       "net/http"
)

func main() { 
    headers := map[string][]string{
        "Content-Type": []string{"application/json"},
        "Accept": []string{"application/json"},

    }
    data := bytes.NewBuffer([]byte(`"{\n  \"data\": {\n    \"type\": \"activity-comments-closed\"\n  }\n}"`))

    req, err := http.NewRequest("PUT", "https://api.hackerone.com/v1/reports/{id}/close_comments", data)
    req.Header = headers
    req.SetBasicAuth("api_example_company", "Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=")

    client := &http.Client{}
    resp, err := client.Do(req)
    if err != nil {
      panic(err)
    }
    defer resp.Body.Close()

    body, _ := ioutil.ReadAll(resp.Body)

    log.Println(string(body))
}

200 Response

{
  "id": "1337",
  "type": "activity-comments-closed",
  "attributes": {
    "message": "Comments Closed!",
    "created_at": "2016-02-02T04:05:06.000Z",
    "updated_at": "2016-02-02T04:05:06.000Z",
    "internal": false
  },
  "relationships": {
    "actor": {
      "data": {
        "id": "1337",
        "type": "user",
        "attributes": {
          "username": "api-example",
          "name": "API Example",
          "disabled": false,
          "created_at": "2016-02-02T04:05:06.000Z",
          "profile_picture": {
            "62x62": "/assets/avatars/default.png",
            "82x82": "/assets/avatars/default.png",
            "110x110": "/assets/avatars/default.png",
            "260x260": "/assets/avatars/default.png"
          }
        }
      }
    }
  }
}

PUT /reports/{id}/close_comments

A report can only be locked once. This API endpoint cannot be used for reports that have been reported outside of the HackerOne platform or reported to other teams.

Required permissions: Report Management. You can manage the permissions of your API users through your program's settings. Insufficient permissions will result in a 403 Forbidden response.

Parameters

Name In Type Required Description
id path integer true The ID of the report.
data body object true The information to lock the report.
» type body string true none

Enumerated Values

Parameter Value
» type activity-comments-closed

Manage Custom Field Values

Code samples

# You can also use wget
curl "https://api.hackerone.com/v1/reports/{id}/custom_field_values" \
  -X POST \
  -u "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=" \
  -H 'Content-Type: application/json' \
  -H 'Accept: application/json' \
  -d @- <<EOD
{
  "data": {
    "attributes": {
      "custom_field_attribute_id": 0,
      "value": "string"
    }
  }
}
EOD

import requests
headers = {
  'Content-Type': 'application/json',
  'Accept': 'application/json'
}

data = {
  "data": {
    "attributes": {
      "custom_field_attribute_id": 0,
      "value": "string"
    }
  }
}

r = requests.post(
  'https://api.hackerone.com/v1/reports/{id}/custom_field_values',
  auth=('api_example_company', 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ='),
  json = data,
  headers = headers
)

print(r.json())

require 'rest-client'
require 'json'

headers = {
  'Content-Type' => 'application/json',
  'Accept' => 'application/json'
}

data = {
  "data": {
    "attributes": {
      "custom_field_attribute_id": 0,
      "value": "string"
    }
  }
}

result = RestClient::Request.execute(
  method: :post,
  url: 'https://api.hackerone.com/v1/reports/{id}/custom_field_values',
  password: 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=',
  user: 'api_example_company',
  payload: data,
  headers: headers
)
p JSON.parse(result)

URL obj = new URL("https://api.hackerone.com/v1/reports/{id}/custom_field_values");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();

String userCredentials = "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);

con.setRequestMethod("POST");
con.setRequestProperty("Content-Type", "application/json; utf-8");
con.setRequestProperty("Accept", "application/json");
con.setDoOutput(true);
String jsonInputString = "{\n  \"data\": {\n    \"attributes\": {\n      \"custom_field_attribute_id\": 0,\n      \"value\": \"string\"\n    }\n  }\n}";
try(OutputStream os = con.getOutputStream()) {
    byte[] input = jsonInputString.getBytes("utf-8");
    os.write(input, 0, input.length);
}

try(BufferedReader br = new BufferedReader(
  new InputStreamReader(con.getInputStream(), "utf-8"))) {
    StringBuilder response = new StringBuilder();
    String responseLine = null;
    while ((responseLine = br.readLine()) != null) {
        response.append(responseLine.trim());
    }
    System.out.println(response.toString());
}

let inputBody = "{\n  \"data\": {\n    \"attributes\": {\n      \"custom_field_attribute_id\": 0,\n      \"value\": \"string\"\n    }\n  }\n}";
let user = 'api_example_company';
let password = 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
  headers.set('Content-Type', 'application/json');  headers.set('Accept', 'application/json');

fetch('https://api.hackerone.com/v1/reports/{id}/custom_field_values',
{
  method: 'POST',
  body: inputBody,
  headers: headers
})
.then(function(res) {
    return res.json();
}).then(function(body) {
    console.log(body);
});

package main

import (
       "bytes"
       "io/ioutil"
       "log"
       "net/http"
)

func main() { 
    headers := map[string][]string{
        "Content-Type": []string{"application/json"},
        "Accept": []string{"application/json"},

    }
    data := bytes.NewBuffer([]byte(`"{\n  \"data\": {\n    \"attributes\": {\n      \"custom_field_attribute_id\": 0,\n      \"value\": \"string\"\n    }\n  }\n}"`))

    req, err := http.NewRequest("POST", "https://api.hackerone.com/v1/reports/{id}/custom_field_values", data)
    req.Header = headers
    req.SetBasicAuth("api_example_company", "Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=")

    client := &http.Client{}
    resp, err := client.Do(req)
    if err != nil {
      panic(err)
    }
    defer resp.Body.Close()

    body, _ := ioutil.ReadAll(resp.Body)

    log.Println(string(body))
}

200 Response

{
  "id": "1337",
  "type": "custom-field-value",
  "attributes": {
    "value": "Infrastructure",
    "created_at": "2016-02-02T04:05:06.000Z",
    "updated_at": "2016-02-02T04:05:06.000Z"
  },
  "relationships": {
    "custom_field_attribute": {
      "data": {
        "id": "287",
        "type": "custom-field-attribute",
        "attributes": {
          "label": "Product Squad",
          "configuration": null,
          "created_at": "2013-01-01T00:00:00.000Z",
          "updated_at": "2013-01-01T00:00:00.000Z",
          "archived_at": null
        }
      }
    }
  }
}

POST /reports/{id}/custom_field_values

You can use this endpoint to create / update the Custom Field Values of the provided report. If the report already has a value for the provided Custom Field Attribute ID, the value will be replaced. To get a list of existing Custom Field Attributes, see program. This feature is only available to select programs at this time.

Required permissions: Report Management. You can manage the permissions of your API users through your program's settings. Insufficient permissions will result in a 403 Forbidden response.

Parameters

Name In Type Required Description
id path integer true The ID of the report.
data body object true The information required to create a Custom Field Value.
» attributes body object true none
»» custom_field_attribute_id body integer true The Custom Field Attribute ID for which a value needs to be set. A complete list of available Custom Field Attribute IDs is exposed on the Program object.
»» value body string false The value that needs to be set for the given Custom Field Attribute. Leave this field empty to remove a Custom Field Attribute from a report.

Update Disclosure Request

Code samples

# You can also use wget
curl "https://api.hackerone.com/v1/reports/{id}/disclosure_requests" \
  -X POST \
  -u "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=" \
  -H 'Content-Type: application/json' \
  -H 'Accept: application/json' \
  -d @- <<EOD
{
  "data": {
    "attributes": {
      "substate": "full",
      "message": "string"
    }
  }
}
EOD

import requests
headers = {
  'Content-Type': 'application/json',
  'Accept': 'application/json'
}

data = {
  "data": {
    "attributes": {
      "substate": "full",
      "message": "string"
    }
  }
}

r = requests.post(
  'https://api.hackerone.com/v1/reports/{id}/disclosure_requests',
  auth=('api_example_company', 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ='),
  json = data,
  headers = headers
)

print(r.json())

require 'rest-client'
require 'json'

headers = {
  'Content-Type' => 'application/json',
  'Accept' => 'application/json'
}

data = {
  "data": {
    "attributes": {
      "substate": "full",
      "message": "string"
    }
  }
}

result = RestClient::Request.execute(
  method: :post,
  url: 'https://api.hackerone.com/v1/reports/{id}/disclosure_requests',
  password: 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=',
  user: 'api_example_company',
  payload: data,
  headers: headers
)
p JSON.parse(result)

URL obj = new URL("https://api.hackerone.com/v1/reports/{id}/disclosure_requests");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();

String userCredentials = "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);

con.setRequestMethod("POST");
con.setRequestProperty("Content-Type", "application/json; utf-8");
con.setRequestProperty("Accept", "application/json");
con.setDoOutput(true);
String jsonInputString = "{\n  \"data\": {\n    \"attributes\": {\n      \"substate\": \"full\",\n      \"message\": \"string\"\n    }\n  }\n}";
try(OutputStream os = con.getOutputStream()) {
    byte[] input = jsonInputString.getBytes("utf-8");
    os.write(input, 0, input.length);
}

try(BufferedReader br = new BufferedReader(
  new InputStreamReader(con.getInputStream(), "utf-8"))) {
    StringBuilder response = new StringBuilder();
    String responseLine = null;
    while ((responseLine = br.readLine()) != null) {
        response.append(responseLine.trim());
    }
    System.out.println(response.toString());
}

let inputBody = "{\n  \"data\": {\n    \"attributes\": {\n      \"substate\": \"full\",\n      \"message\": \"string\"\n    }\n  }\n}";
let user = 'api_example_company';
let password = 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
  headers.set('Content-Type', 'application/json');  headers.set('Accept', 'application/json');

fetch('https://api.hackerone.com/v1/reports/{id}/disclosure_requests',
{
  method: 'POST',
  body: inputBody,
  headers: headers
})
.then(function(res) {
    return res.json();
}).then(function(body) {
    console.log(body);
});

package main

import (
       "bytes"
       "io/ioutil"
       "log"
       "net/http"
)

func main() { 
    headers := map[string][]string{
        "Content-Type": []string{"application/json"},
        "Accept": []string{"application/json"},

    }
    data := bytes.NewBuffer([]byte(`"{\n  \"data\": {\n    \"attributes\": {\n      \"substate\": \"full\",\n      \"message\": \"string\"\n    }\n  }\n}"`))

    req, err := http.NewRequest("POST", "https://api.hackerone.com/v1/reports/{id}/disclosure_requests", data)
    req.Header = headers
    req.SetBasicAuth("api_example_company", "Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=")

    client := &http.Client{}
    resp, err := client.Do(req)
    if err != nil {
      panic(err)
    }
    defer resp.Body.Close()

    body, _ := ioutil.ReadAll(resp.Body)

    log.Println(string(body))
}

200 Response

{
  "id": "1337",
  "type": "activity-agreed-on-going-public",
  "attributes": {
    "message": "Agreed On Going Public!",
    "created_at": "2016-02-02T04:05:06.000Z",
    "updated_at": "2016-02-02T04:05:06.000Z",
    "internal": false
  },
  "relationships": {
    "actor": {
      "data": {
        "id": "1337",
        "type": "user",
        "attributes": {
          "username": "api-example",
          "name": "API Example",
          "disabled": false,
          "created_at": "2016-02-02T04:05:06.000Z",
          "profile_picture": {
            "62x62": "/assets/avatars/default.png",
            "82x82": "/assets/avatars/default.png",
            "110x110": "/assets/avatars/default.png",
            "260x260": "/assets/avatars/default.png"
          }
        }
      }
    }
  }
}

POST /reports/{id}/disclosure_requests

The program can request disclosure for any closed report.

You can use this endpoint to create the disclosure request for the report which will result in:

Required permissions: Report Management. You can manage the permissions of your API users through your program's settings. Insufficient permissions will result in a 403 Forbidden response.

Parameters

Name In Type Required Description
id path integer true The ID of the report.
data body object true This object contains the information about disclosure request.
» attributes body object true none
»» substate body string true Select whether you want to disclose the full report ("full") or a
»» message body string false Additional information

Detailed descriptions

»» substate: Select whether you want to disclose the full report ("full") or a limited version ("no-content"). Possible values: full, no-content

Enumerated Values

Parameter Value
»» substate full
»» substate no-content

Cancel Disclosure Request

Code samples

# You can also use wget
curl "https://api.hackerone.com/v1/reports/{id}/disclosure_requests" \
  -X DELETE \
  -u "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=" \
  -H 'Content-Type: application/json' \
  -H 'Accept: application/json' \
  -d @- <<EOD
{
  "data": {}
}
EOD

import requests
headers = {
  'Content-Type': 'application/json',
  'Accept': 'application/json'
}

data = {
  "data": {}
}

r = requests.delete(
  'https://api.hackerone.com/v1/reports/{id}/disclosure_requests',
  auth=('api_example_company', 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ='),
  json = data,
  headers = headers
)

print(r.json())

require 'rest-client'
require 'json'

headers = {
  'Content-Type' => 'application/json',
  'Accept' => 'application/json'
}

data = {
  "data": {}
}

result = RestClient::Request.execute(
  method: :delete,
  url: 'https://api.hackerone.com/v1/reports/{id}/disclosure_requests',
  password: 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=',
  user: 'api_example_company',
  payload: data,
  headers: headers
)
p JSON.parse(result)

URL obj = new URL("https://api.hackerone.com/v1/reports/{id}/disclosure_requests");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();

String userCredentials = "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);

con.setRequestMethod("DELETE");
con.setRequestProperty("Content-Type", "application/json; utf-8");
con.setRequestProperty("Accept", "application/json");
con.setDoOutput(true);
String jsonInputString = "{\n  \"data\": {}\n}";
try(OutputStream os = con.getOutputStream()) {
    byte[] input = jsonInputString.getBytes("utf-8");
    os.write(input, 0, input.length);
}

try(BufferedReader br = new BufferedReader(
  new InputStreamReader(con.getInputStream(), "utf-8"))) {
    StringBuilder response = new StringBuilder();
    String responseLine = null;
    while ((responseLine = br.readLine()) != null) {
        response.append(responseLine.trim());
    }
    System.out.println(response.toString());
}

let inputBody = "{\n  \"data\": {}\n}";
let user = 'api_example_company';
let password = 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
  headers.set('Content-Type', 'application/json');  headers.set('Accept', 'application/json');

fetch('https://api.hackerone.com/v1/reports/{id}/disclosure_requests',
{
  method: 'DELETE',
  body: inputBody,
  headers: headers
})
.then(function(res) {
    return res.json();
}).then(function(body) {
    console.log(body);
});

package main

import (
       "bytes"
       "io/ioutil"
       "log"
       "net/http"
)

func main() { 
    headers := map[string][]string{
        "Content-Type": []string{"application/json"},
        "Accept": []string{"application/json"},

    }
    data := bytes.NewBuffer([]byte(`"{\n  \"data\": {}\n}"`))

    req, err := http.NewRequest("DELETE", "https://api.hackerone.com/v1/reports/{id}/disclosure_requests", data)
    req.Header = headers
    req.SetBasicAuth("api_example_company", "Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=")

    client := &http.Client{}
    resp, err := client.Do(req)
    if err != nil {
      panic(err)
    }
    defer resp.Body.Close()

    body, _ := ioutil.ReadAll(resp.Body)

    log.Println(string(body))
}

200 Response

{
  "id": "1337",
  "type": "activity-cancelled-disclosure-request",
  "attributes": {
    "message": "Cancel disclosure 1",
    "created_at": "2019-10-23T13:35:35.616Z",
    "updated_at": "2019-10-23T13:35:35.616Z",
    "internal": false
  },
  "relationships": {
    "actor": {
      "data": {
        "id": "1337",
        "type": "user",
        "attributes": {
          "username": "api_user",
          "name": null,
          "disabled": false,
          "created_at": "2019-10-14T13:59:49.563Z",
          "profile_picture": {
            "62x62": "/assets/avatars/default.png",
            "82x82": "/assets/avatars/default.png",
            "110x110": "/assets/avatars/default.png",
            "260x260": "/assets/avatars/default.png"
          },
          "signal": null,
          "impact": null,
          "reputation": null,
          "bio": null,
          "website": null,
          "location": null,
          "hackerone_triager": false
        }
      }
    }
  }
}

DELETE /reports/{id}/disclosure_requests

The program can cancel the disclosure request for the provided report.

Required permissions: Report Management. You can manage the permissions of your API users through your program's settings. Insufficient permissions will result in a 403 Forbidden response.

Parameters

Name In Type Required Description
id path integer true The ID of the report.
data body object true none

Add participant

Code samples

# You can also use wget
curl "https://api.hackerone.com/v1/reports/{id}/participants" \
  -X POST \
  -u "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=" \
  -H 'Content-Type: application/json' \
  -H 'Accept: application/json' \
  -d @- <<EOD
{
  "data": {
    "type": "report-participant",
    "attributes": {
      "email": "string",
      "username": "string"
    }
  }
}
EOD

import requests
headers = {
  'Content-Type': 'application/json',
  'Accept': 'application/json'
}

data = {
  "data": {
    "type": "report-participant",
    "attributes": {
      "email": "string",
      "username": "string"
    }
  }
}

r = requests.post(
  'https://api.hackerone.com/v1/reports/{id}/participants',
  auth=('api_example_company', 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ='),
  json = data,
  headers = headers
)

print(r.json())

require 'rest-client'
require 'json'

headers = {
  'Content-Type' => 'application/json',
  'Accept' => 'application/json'
}

data = {
  "data": {
    "type": "report-participant",
    "attributes": {
      "email": "string",
      "username": "string"
    }
  }
}

result = RestClient::Request.execute(
  method: :post,
  url: 'https://api.hackerone.com/v1/reports/{id}/participants',
  password: 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=',
  user: 'api_example_company',
  payload: data,
  headers: headers
)
p JSON.parse(result)

URL obj = new URL("https://api.hackerone.com/v1/reports/{id}/participants");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();

String userCredentials = "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);

con.setRequestMethod("POST");
con.setRequestProperty("Content-Type", "application/json; utf-8");
con.setRequestProperty("Accept", "application/json");
con.setDoOutput(true);
String jsonInputString = "{\n  \"data\": {\n    \"type\": \"report-participant\",\n    \"attributes\": {\n      \"email\": \"string\",\n      \"username\": \"string\"\n    }\n  }\n}";
try(OutputStream os = con.getOutputStream()) {
    byte[] input = jsonInputString.getBytes("utf-8");
    os.write(input, 0, input.length);
}

try(BufferedReader br = new BufferedReader(
  new InputStreamReader(con.getInputStream(), "utf-8"))) {
    StringBuilder response = new StringBuilder();
    String responseLine = null;
    while ((responseLine = br.readLine()) != null) {
        response.append(responseLine.trim());
    }
    System.out.println(response.toString());
}

let inputBody = "{\n  \"data\": {\n    \"type\": \"report-participant\",\n    \"attributes\": {\n      \"email\": \"string\",\n      \"username\": \"string\"\n    }\n  }\n}";
let user = 'api_example_company';
let password = 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
  headers.set('Content-Type', 'application/json');  headers.set('Accept', 'application/json');

fetch('https://api.hackerone.com/v1/reports/{id}/participants',
{
  method: 'POST',
  body: inputBody,
  headers: headers
})
.then(function(res) {
    return res.json();
}).then(function(body) {
    console.log(body);
});

package main

import (
       "bytes"
       "io/ioutil"
       "log"
       "net/http"
)

func main() { 
    headers := map[string][]string{
        "Content-Type": []string{"application/json"},
        "Accept": []string{"application/json"},

    }
    data := bytes.NewBuffer([]byte(`"{\n  \"data\": {\n    \"type\": \"report-participant\",\n    \"attributes\": {\n      \"email\": \"string\",\n      \"username\": \"string\"\n    }\n  }\n}"`))

    req, err := http.NewRequest("POST", "https://api.hackerone.com/v1/reports/{id}/participants", data)
    req.Header = headers
    req.SetBasicAuth("api_example_company", "Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=")

    client := &http.Client{}
    resp, err := client.Do(req)
    if err != nil {
      panic(err)
    }
    defer resp.Body.Close()

    body, _ := ioutil.ReadAll(resp.Body)

    log.Println(string(body))
}

200 Response

{
  "id": "117",
  "type": "report-participant",
  "attributes": {
    "report_id": "1337",
    "created_at": "2016-02-02T04:05:06.000Z",
    "updated_at": "2016-02-02T04:05:06.000Z"
  }
}

POST /reports/{id}/participants

Participants can be added through this endpoint by an email address or a HackerOne username. It can be useful to programmatically batch update received reports in HackerOne. This API endpoint cannot be used for reports that are published and have been reported outside of the HackerOne platform.

Required permission: Report Management. You can manage the permissions of your API users through your program's settings. Insufficient permissions will result in a 403 Forbidden response.

Parameters

Name In Type Required Description
id path integer true The ID of the report.
data body object true The information to add a participant.
» type body string true none
» attributes body object true none
»» email body string false The email address of the participant. Required when username is not provided.
»» username body string false The HackerOne username of the participant. Required when email address is not provided.

Enumerated Values

Parameter Value
» type report-participant

Redact report

Code samples

# You can also use wget
curl "https://api.hackerone.com/v1/reports/{id}/redact" \
  -X PUT \
  -u "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=" \
  -H 'Content-Type: application/json' \
  -H 'Accept: application/json' \
  -d @- <<EOD
{
  "data": {
    "type": "report-redact",
    "attributes": {
      "string_to_redact": "string"
    }
  }
}
EOD

import requests
headers = {
  'Content-Type': 'application/json',
  'Accept': 'application/json'
}

data = {
  "data": {
    "type": "report-redact",
    "attributes": {
      "string_to_redact": "string"
    }
  }
}

r = requests.put(
  'https://api.hackerone.com/v1/reports/{id}/redact',
  auth=('api_example_company', 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ='),
  json = data,
  headers = headers
)

print(r.json())

require 'rest-client'
require 'json'

headers = {
  'Content-Type' => 'application/json',
  'Accept' => 'application/json'
}

data = {
  "data": {
    "type": "report-redact",
    "attributes": {
      "string_to_redact": "string"
    }
  }
}

result = RestClient::Request.execute(
  method: :put,
  url: 'https://api.hackerone.com/v1/reports/{id}/redact',
  password: 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=',
  user: 'api_example_company',
  payload: data,
  headers: headers
)
p JSON.parse(result)

URL obj = new URL("https://api.hackerone.com/v1/reports/{id}/redact");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();

String userCredentials = "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);

con.setRequestMethod("PUT");
con.setRequestProperty("Content-Type", "application/json; utf-8");
con.setRequestProperty("Accept", "application/json");
con.setDoOutput(true);
String jsonInputString = "{\n  \"data\": {\n    \"type\": \"report-redact\",\n    \"attributes\": {\n      \"string_to_redact\": \"string\"\n    }\n  }\n}";
try(OutputStream os = con.getOutputStream()) {
    byte[] input = jsonInputString.getBytes("utf-8");
    os.write(input, 0, input.length);
}

try(BufferedReader br = new BufferedReader(
  new InputStreamReader(con.getInputStream(), "utf-8"))) {
    StringBuilder response = new StringBuilder();
    String responseLine = null;
    while ((responseLine = br.readLine()) != null) {
        response.append(responseLine.trim());
    }
    System.out.println(response.toString());
}

let inputBody = "{\n  \"data\": {\n    \"type\": \"report-redact\",\n    \"attributes\": {\n      \"string_to_redact\": \"string\"\n    }\n  }\n}";
let user = 'api_example_company';
let password = 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
  headers.set('Content-Type', 'application/json');  headers.set('Accept', 'application/json');

fetch('https://api.hackerone.com/v1/reports/{id}/redact',
{
  method: 'PUT',
  body: inputBody,
  headers: headers
})
.then(function(res) {
    return res.json();
}).then(function(body) {
    console.log(body);
});

package main

import (
       "bytes"
       "io/ioutil"
       "log"
       "net/http"
)

func main() { 
    headers := map[string][]string{
        "Content-Type": []string{"application/json"},
        "Accept": []string{"application/json"},

    }
    data := bytes.NewBuffer([]byte(`"{\n  \"data\": {\n    \"type\": \"report-redact\",\n    \"attributes\": {\n      \"string_to_redact\": \"string\"\n    }\n  }\n}"`))

    req, err := http.NewRequest("PUT", "https://api.hackerone.com/v1/reports/{id}/redact", data)
    req.Header = headers
    req.SetBasicAuth("api_example_company", "Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=")

    client := &http.Client{}
    resp, err := client.Do(req)
    if err != nil {
      panic(err)
    }
    defer resp.Body.Close()

    body, _ := ioutil.ReadAll(resp.Body)

    log.Println(string(body))
}

200 Response

{
  "id": "1337",
  "type": "report",
  "attributes": {
    "title": "XSS in login form",
    "state": "new",
    "created_at": "2016-02-02T04:05:06.000Z",
    "vulnerability_information": "...",
    "triaged_at": null,
    "closed_at": null,
    "last_reporter_activity_at": null,
    "first_program_activity_at": null,
    "last_program_activity_at": null,
    "bounty_awarded_at": null,
    "swag_awarded_at": null,
    "disclosed_at": null,
    "last_public_activity_at": null,
    "last_activity_at": null,
    "issue_tracker_reference_url": "https://example.com/reference",
    "cve_ids": [],
    "source": null,
    "reporter_agreed_on_going_public_at": null
  },
  "relationships": {
    "reporter": {
      "data": {
        "id": "1337",
        "type": "user",
        "attributes": {
          "username": "api-example",
          "name": "API Example",
          "disabled": false,
          "created_at": "2016-02-02T04:05:06.000Z",
          "profile_picture": {
            "62x62": "/assets/avatars/default.png",
            "82x82": "/assets/avatars/default.png",
            "110x110": "/assets/avatars/default.png",
            "260x260": "/assets/avatars/default.png"
          },
          "reputation": 7,
          "signal": 7,
          "impact": 30
        }
      }
    },
    "program": {
      "data": {
        "id": "1337",
        "type": "program",
        "attributes": {
          "handle": "security",
          "created_at": "2016-02-02T04:05:06.000Z",
          "updated_at": "2016-02-02T04:05:06.000Z"
        }
      }
    },
    "swag": {
      "data": []
    },
    "attachments": {
      "data": []
    },
    "weakness": {
      "data": {
        "id": "1337",
        "type": "weakness",
        "attributes": {
          "name": "Cross-Site Request Forgery (CSRF)",
          "description": "The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.",
          "external_id": "cwe-352",
          "created_at": "2016-02-02T04:05:06.000Z"
        }
      }
    },
    "structured_scope": {
      "data": {
        "id": "287",
        "type": "structured-scope",
        "attributes": {
          "asset_type": "URL",
          "asset_identifier": "www.hackerone.com",
          "eligible_for_bounty": true,
          "eligible_for_submission": true,
          "instruction": "This asset does not contain any highly confidential information.",
          "max_severity": "critical",
          "created_at": "2016-02-02T04:05:06.000Z",
          "updated_at": "2016-02-02T04:05:06.000Z",
          "reference": "T12345",
          "confidentiality_requirement": "medium",
          "integrity_requirement": "high",
          "availability_requirement": "medium"
        }
      }
    },
    "activities": {
      "data": []
    },
    "bounties": {
      "data": []
    },
    "summaries": {
      "data": []
    }
  }
}

PUT /reports/{id}/redact

Reports can be redacted through this endpoint. It can be useful to programmatically batch update received reports in HackerOne. This API endpoint cannot be used for reports that have been reported outside of the HackerOne platform.

Required permissions: Report Management. You can manage the permissions of your API users through your program's settings. Insufficient permissions will result in a 403 Forbidden response.

Parameters

Name In Type Required Description
id path integer true The ID of the report.
data body object true The information to redact a report.
» type body string true none
» attributes body object true none
»» string_to_redact body string true The content to be redacted from the report.

Enumerated Values

Parameter Value
» type report-redact

Update Severity

Code samples

# You can also use wget
curl "https://api.hackerone.com/v1/reports/{id}/severities" \
  -X POST \
  -u "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=" \
  -H 'Content-Type: application/json' \
  -H 'Accept: application/json' \
  -d @- <<EOD
{
  "data": {
    "id": "57",
    "type": "severity",
    "attributes": {
      "rating": "high",
      "author_type": "User",
      "user_id": 1337,
      "created_at": "2016-02-02T04:05:06.000Z",
      "score": 8.7,
      "attack_complexity": "low",
      "attack_vector": "adjacent",
      "availability": "high",
      "confidentiality": "low",
      "integrity": "high",
      "privileges_required": "low",
      "user_interaction": "required",
      "scope": "changed"
    }
  }
}
EOD

import requests
headers = {
  'Content-Type': 'application/json',
  'Accept': 'application/json'
}

data = {
  "data": {
    "id": "57",
    "type": "severity",
    "attributes": {
      "rating": "high",
      "author_type": "User",
      "user_id": 1337,
      "created_at": "2016-02-02T04:05:06.000Z",
      "score": 8.7,
      "attack_complexity": "low",
      "attack_vector": "adjacent",
      "availability": "high",
      "confidentiality": "low",
      "integrity": "high",
      "privileges_required": "low",
      "user_interaction": "required",
      "scope": "changed"
    }
  }
}

r = requests.post(
  'https://api.hackerone.com/v1/reports/{id}/severities',
  auth=('api_example_company', 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ='),
  json = data,
  headers = headers
)

print(r.json())

require 'rest-client'
require 'json'

headers = {
  'Content-Type' => 'application/json',
  'Accept' => 'application/json'
}

data = {
  "data": {
    "id": "57",
    "type": "severity",
    "attributes": {
      "rating": "high",
      "author_type": "User",
      "user_id": 1337,
      "created_at": "2016-02-02T04:05:06.000Z",
      "score": 8.7,
      "attack_complexity": "low",
      "attack_vector": "adjacent",
      "availability": "high",
      "confidentiality": "low",
      "integrity": "high",
      "privileges_required": "low",
      "user_interaction": "required",
      "scope": "changed"
    }
  }
}

result = RestClient::Request.execute(
  method: :post,
  url: 'https://api.hackerone.com/v1/reports/{id}/severities',
  password: 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=',
  user: 'api_example_company',
  payload: data,
  headers: headers
)
p JSON.parse(result)

URL obj = new URL("https://api.hackerone.com/v1/reports/{id}/severities");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();

String userCredentials = "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);

con.setRequestMethod("POST");
con.setRequestProperty("Content-Type", "application/json; utf-8");
con.setRequestProperty("Accept", "application/json");
con.setDoOutput(true);
String jsonInputString = "{\n  \"data\": {\n    \"id\": \"57\",\n    \"type\": \"severity\",\n    \"attributes\": {\n      \"rating\": \"high\",\n      \"author_type\": \"User\",\n      \"user_id\": 1337,\n      \"created_at\": \"2016-02-02T04:05:06.000Z\",\n      \"score\": 8.7,\n      \"attack_complexity\": \"low\",\n      \"attack_vector\": \"adjacent\",\n      \"availability\": \"high\",\n      \"confidentiality\": \"low\",\n      \"integrity\": \"high\",\n      \"privileges_required\": \"low\",\n      \"user_interaction\": \"required\",\n      \"scope\": \"changed\"\n    }\n  }\n}";
try(OutputStream os = con.getOutputStream()) {
    byte[] input = jsonInputString.getBytes("utf-8");
    os.write(input, 0, input.length);
}

try(BufferedReader br = new BufferedReader(
  new InputStreamReader(con.getInputStream(), "utf-8"))) {
    StringBuilder response = new StringBuilder();
    String responseLine = null;
    while ((responseLine = br.readLine()) != null) {
        response.append(responseLine.trim());
    }
    System.out.println(response.toString());
}

let inputBody = "{\n  \"data\": {\n    \"id\": \"57\",\n    \"type\": \"severity\",\n    \"attributes\": {\n      \"rating\": \"high\",\n      \"author_type\": \"User\",\n      \"user_id\": 1337,\n      \"created_at\": \"2016-02-02T04:05:06.000Z\",\n      \"score\": 8.7,\n      \"attack_complexity\": \"low\",\n      \"attack_vector\": \"adjacent\",\n      \"availability\": \"high\",\n      \"confidentiality\": \"low\",\n      \"integrity\": \"high\",\n      \"privileges_required\": \"low\",\n      \"user_interaction\": \"required\",\n      \"scope\": \"changed\"\n    }\n  }\n}";
let user = 'api_example_company';
let password = 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
  headers.set('Content-Type', 'application/json');  headers.set('Accept', 'application/json');

fetch('https://api.hackerone.com/v1/reports/{id}/severities',
{
  method: 'POST',
  body: inputBody,
  headers: headers
})
.then(function(res) {
    return res.json();
}).then(function(body) {
    console.log(body);
});

package main

import (
       "bytes"
       "io/ioutil"
       "log"
       "net/http"
)

func main() { 
    headers := map[string][]string{
        "Content-Type": []string{"application/json"},
        "Accept": []string{"application/json"},

    }
    data := bytes.NewBuffer([]byte(`"{\n  \"data\": {\n    \"id\": \"57\",\n    \"type\": \"severity\",\n    \"attributes\": {\n      \"rating\": \"high\",\n      \"author_type\": \"User\",\n      \"user_id\": 1337,\n      \"created_at\": \"2016-02-02T04:05:06.000Z\",\n      \"score\": 8.7,\n      \"attack_complexity\": \"low\",\n      \"attack_vector\": \"adjacent\",\n      \"availability\": \"high\",\n      \"confidentiality\": \"low\",\n      \"integrity\": \"high\",\n      \"privileges_required\": \"low\",\n      \"user_interaction\": \"required\",\n      \"scope\": \"changed\"\n    }\n  }\n}"`))

    req, err := http.NewRequest("POST", "https://api.hackerone.com/v1/reports/{id}/severities", data)
    req.Header = headers
    req.SetBasicAuth("api_example_company", "Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=")

    client := &http.Client{}
    resp, err := client.Do(req)
    if err != nil {
      panic(err)
    }
    defer resp.Body.Close()

    body, _ := ioutil.ReadAll(resp.Body)

    log.Println(string(body))
}

200 Response

{
  "id": "57",
  "type": "severity",
  "attributes": {
    "rating": "high",
    "author_type": "User",
    "user_id": 1337,
    "created_at": "2016-02-02T04:05:06.000Z",
    "score": 8.7,
    "attack_complexity": "low",
    "attack_vector": "adjacent",
    "availability": "high",
    "confidentiality": "low",
    "integrity": "high",
    "privileges_required": "low",
    "user_interaction": "required",
    "scope": "changed"
  }
}

POST /reports/{id}/severities

You can use this endpoint to create or update the severity of the provided report. If the report already has a severity, a new one will be created and used as the current severity.

Required permissions: Report Management. You can manage the permissions of your API users through your program's settings. Insufficient permissions will result in a 404 Not Found response.

Parameters

Name In Type Required Description
id path integer true The ID of the report.
data body severity true A severity object represents the severity of a report, if provided by the reporter or
» id body string true The unique ID of the severity.
» type body string true none
» attributes body object true none
»» rating body severity-ratings true none
»» author_type body string true The involved party that provided the severity.
»» user_id body integer true The unique id of the user who created the object.
»» score body number¦null false The vulnerability score calculated from the Common Vulnerability Scoring System (CVSS).
»» attack_vector body string¦null false A CVSS metric that reflects the context by which vulnerability exploritation
»» attack_complexity body string false A CVSS metric that describes the conditions beyond the attacker's control that must exist
»» privileges_required body string false A CVSS metric that describes the level of privileges an attacker must possess before
»» user_interaction body string false A CVSS metric that captures the requirement for a user, other than the attacker, to
»» scope body string¦null false A CVSS metric that determines if a successful attack impacts a component other than the
»» confidentiality body string false A CVSS metric that measures the impact to the confidentiality of the information resources
»» integrity body string false A CVSS metric that measures the impact to the integrity of a successfully exploited
»» availability body string false A CVSS metric that measures the availability of the impacted component resulting from a
»» created_at body string(date-time) true The date and time the object was created. Formatted according to ISO 8601.

Detailed descriptions

data: A severity object represents the severity of a report, if provided by the reporter or a team member.

»» score: The vulnerability score calculated from the Common Vulnerability Scoring System (CVSS). Only present if CVSS metrics were provided.

»» attack_vector: A CVSS metric that reflects the context by which vulnerability exploritation is possible.

»» attack_complexity: A CVSS metric that describes the conditions beyond the attacker's control that must exist in order to exploit the vulnerability.

»» privileges_required: A CVSS metric that describes the level of privileges an attacker must possess before successfully exploiting the vulnerability.

»» user_interaction: A CVSS metric that captures the requirement for a user, other than the attacker, to participate in the successful compromise of the vulnerability component.

»» scope: A CVSS metric that determines if a successful attack impacts a component other than the vulnerable component.

»» confidentiality: A CVSS metric that measures the impact to the confidentiality of the information resources managed by a software component due to a successfully exploited vulnerability.

»» integrity: A CVSS metric that measures the impact to the integrity of a successfully exploited vulnerability.

»» availability: A CVSS metric that measures the availability of the impacted component resulting from a successfully exploited vulnerability.

Enumerated Values

Parameter Value
» type severity
»» rating none
»» rating low
»» rating medium
»» rating high
»» rating critical
»» author_type User
»» author_type Team
»» attack_vector network
»» attack_vector adjacent
»» attack_vector local
»» attack_vector physical
»» attack_complexity low
»» attack_complexity high
»» privileges_required none
»» privileges_required low
»» privileges_required high
»» user_interaction none
»» user_interaction required
»» scope unchanged
»» scope changed
»» confidentiality none
»» confidentiality low
»» confidentiality high
»» integrity none
»» integrity low
»» integrity high
»» availability none
»» availability low
»» availability high

Change State

Code samples

# You can also use wget
curl "https://api.hackerone.com/v1/reports/{id}/state_changes" \
  -X POST \
  -u "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=" \
  -H 'Content-Type: application/json' \
  -H 'Accept: application/json' \
  -d @- <<EOD
{
  "data": {
    "type": "state-change",
    "attributes": {
      "message": "string",
      "state": "new",
      "original_report_id": 0
    }
  }
}
EOD

import requests
headers = {
  'Content-Type': 'application/json',
  'Accept': 'application/json'
}

data = {
  "data": {
    "type": "state-change",
    "attributes": {
      "message": "string",
      "state": "new",
      "original_report_id": 0
    }
  }
}

r = requests.post(
  'https://api.hackerone.com/v1/reports/{id}/state_changes',
  auth=('api_example_company', 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ='),
  json = data,
  headers = headers
)

print(r.json())

require 'rest-client'
require 'json'

headers = {
  'Content-Type' => 'application/json',
  'Accept' => 'application/json'
}

data = {
  "data": {
    "type": "state-change",
    "attributes": {
      "message": "string",
      "state": "new",
      "original_report_id": 0
    }
  }
}

result = RestClient::Request.execute(
  method: :post,
  url: 'https://api.hackerone.com/v1/reports/{id}/state_changes',
  password: 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=',
  user: 'api_example_company',
  payload: data,
  headers: headers
)
p JSON.parse(result)

URL obj = new URL("https://api.hackerone.com/v1/reports/{id}/state_changes");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();

String userCredentials = "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);

con.setRequestMethod("POST");
con.setRequestProperty("Content-Type", "application/json; utf-8");
con.setRequestProperty("Accept", "application/json");
con.setDoOutput(true);
String jsonInputString = "{\n  \"data\": {\n    \"type\": \"state-change\",\n    \"attributes\": {\n      \"message\": \"string\",\n      \"state\": \"new\",\n      \"original_report_id\": 0\n    }\n  }\n}";
try(OutputStream os = con.getOutputStream()) {
    byte[] input = jsonInputString.getBytes("utf-8");
    os.write(input, 0, input.length);
}

try(BufferedReader br = new BufferedReader(
  new InputStreamReader(con.getInputStream(), "utf-8"))) {
    StringBuilder response = new StringBuilder();
    String responseLine = null;
    while ((responseLine = br.readLine()) != null) {
        response.append(responseLine.trim());
    }
    System.out.println(response.toString());
}

let inputBody = "{\n  \"data\": {\n    \"type\": \"state-change\",\n    \"attributes\": {\n      \"message\": \"string\",\n      \"state\": \"new\",\n      \"original_report_id\": 0\n    }\n  }\n}";
let user = 'api_example_company';
let password = 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
  headers.set('Content-Type', 'application/json');  headers.set('Accept', 'application/json');

fetch('https://api.hackerone.com/v1/reports/{id}/state_changes',
{
  method: 'POST',
  body: inputBody,
  headers: headers
})
.then(function(res) {
    return res.json();
}).then(function(body) {
    console.log(body);
});

package main

import (
       "bytes"
       "io/ioutil"
       "log"
       "net/http"
)

func main() { 
    headers := map[string][]string{
        "Content-Type": []string{"application/json"},
        "Accept": []string{"application/json"},

    }
    data := bytes.NewBuffer([]byte(`"{\n  \"data\": {\n    \"type\": \"state-change\",\n    \"attributes\": {\n      \"message\": \"string\",\n      \"state\": \"new\",\n      \"original_report_id\": 0\n    }\n  }\n}"`))

    req, err := http.NewRequest("POST", "https://api.hackerone.com/v1/reports/{id}/state_changes", data)
    req.Header = headers
    req.SetBasicAuth("api_example_company", "Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=")

    client := &http.Client{}
    resp, err := client.Do(req)
    if err != nil {
      panic(err)
    }
    defer resp.Body.Close()

    body, _ := ioutil.ReadAll(resp.Body)

    log.Println(string(body))
}

201 Response

{
  "id": "1337",
  "type": "report",
  "attributes": {
    "title": "XSS in login form",
    "state": "new",
    "created_at": "2016-02-02T04:05:06.000Z",
    "vulnerability_information": "...",
    "triaged_at": null,
    "closed_at": null,
    "last_reporter_activity_at": null,
    "first_program_activity_at": null,
    "last_program_activity_at": null,
    "bounty_awarded_at": null,
    "swag_awarded_at": null,
    "disclosed_at": null,
    "last_public_activity_at": null,
    "last_activity_at": null,
    "issue_tracker_reference_url": "https://example.com/reference",
    "cve_ids": [],
    "source": null,
    "reporter_agreed_on_going_public_at": null
  },
  "relationships": {
    "reporter": {
      "data": {
        "id": "1337",
        "type": "user",
        "attributes": {
          "username": "api-example",
          "name": "API Example",
          "disabled": false,
          "created_at": "2016-02-02T04:05:06.000Z",
          "profile_picture": {
            "62x62": "/assets/avatars/default.png",
            "82x82": "/assets/avatars/default.png",
            "110x110": "/assets/avatars/default.png",
            "260x260": "/assets/avatars/default.png"
          },
          "reputation": 7,
          "signal": 7,
          "impact": 30
        }
      }
    },
    "program": {
      "data": {
        "id": "1337",
        "type": "program",
        "attributes": {
          "handle": "security",
          "created_at": "2016-02-02T04:05:06.000Z",
          "updated_at": "2016-02-02T04:05:06.000Z"
        }
      }
    },
    "swag": {
      "data": []
    },
    "attachments": {
      "data": []
    },
    "weakness": {
      "data": {
        "id": "1337",
        "type": "weakness",
        "attributes": {
          "name": "Cross-Site Request Forgery (CSRF)",
          "description": "The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.",
          "external_id": "cwe-352",
          "created_at": "2016-02-02T04:05:06.000Z"
        }
      }
    },
    "structured_scope": {
      "data": {
        "id": "287",
        "type": "structured-scope",
        "attributes": {
          "asset_type": "URL",
          "asset_identifier": "www.hackerone.com",
          "eligible_for_bounty": true,
          "eligible_for_submission": true,
          "instruction": "This asset does not contain any highly confidential information.",
          "max_severity": "critical",
          "created_at": "2016-02-02T04:05:06.000Z",
          "updated_at": "2016-02-02T04:05:06.000Z",
          "reference": "T12345",
          "confidentiality_requirement": "medium",
          "integrity_requirement": "high",
          "availability_requirement": "medium"
        }
      }
    },
    "activities": {
      "data": []
    },
    "bounties": {
      "data": []
    },
    "summaries": {
      "data": []
    }
  }
}

POST /reports/{id}/state_changes

Changing the state of a report can be done through this endpoint. Closing a report as resolved will automatically recognize the finder in the program's hall of fame and reputation will be given. If a report is closed as N/A, Informative, or Spam, reputation will be deducted from the finder's track record.

There is currently 1 feature missing in the state change API: the ability to invite the finder of the duplicate to the original report. This feature will be implemented in a future version of the API.

Required permissions: Report Management. You can manage the permissions of your API users through your program's settings. Insufficient permissions will result in a 403 Forbidden response.

Parameters

Name In Type Required Description
id path integer true The ID of the report.
data body object true The information to change the state of a report.
» type body string true none
» attributes body object true none
»» message body string true The message that will be posted. Required when the new state is needs-more-info, informative, or duplicate.
»» state body report-states true none
»» original_report_id body integer false The ID of the report to use as the original report. Only available when closing the report as duplicate.

Enumerated Values

Parameter Value
» type state-change
»» state new
»» state triaged
»» state needs-more-info
»» state resolved
»» state not-applicable
»» state informative
»» state duplicate
»» state spam

Update Structured Scope

Code samples

# You can also use wget
curl "https://api.hackerone.com/v1/reports/{id}/structured_scope" \
  -X PUT \
  -u "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=" \
  -H 'Content-Type: application/json' \
  -H 'Accept: application/json' \
  -d @- <<EOD
{
  "data": {
    "type": "report-structured-scope",
    "attributes": {
      "structured_scope_id": 0
    }
  }
}
EOD

import requests
headers = {
  'Content-Type': 'application/json',
  'Accept': 'application/json'
}

data = {
  "data": {
    "type": "report-structured-scope",
    "attributes": {
      "structured_scope_id": 0
    }
  }
}

r = requests.put(
  'https://api.hackerone.com/v1/reports/{id}/structured_scope',
  auth=('api_example_company', 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ='),
  json = data,
  headers = headers
)

print(r.json())

require 'rest-client'
require 'json'

headers = {
  'Content-Type' => 'application/json',
  'Accept' => 'application/json'
}

data = {
  "data": {
    "type": "report-structured-scope",
    "attributes": {
      "structured_scope_id": 0
    }
  }
}

result = RestClient::Request.execute(
  method: :put,
  url: 'https://api.hackerone.com/v1/reports/{id}/structured_scope',
  password: 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=',
  user: 'api_example_company',
  payload: data,
  headers: headers
)
p JSON.parse(result)

URL obj = new URL("https://api.hackerone.com/v1/reports/{id}/structured_scope");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();

String userCredentials = "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);

con.setRequestMethod("PUT");
con.setRequestProperty("Content-Type", "application/json; utf-8");
con.setRequestProperty("Accept", "application/json");
con.setDoOutput(true);
String jsonInputString = "{\n  \"data\": {\n    \"type\": \"report-structured-scope\",\n    \"attributes\": {\n      \"structured_scope_id\": 0\n    }\n  }\n}";
try(OutputStream os = con.getOutputStream()) {
    byte[] input = jsonInputString.getBytes("utf-8");
    os.write(input, 0, input.length);
}

try(BufferedReader br = new BufferedReader(
  new InputStreamReader(con.getInputStream(), "utf-8"))) {
    StringBuilder response = new StringBuilder();
    String responseLine = null;
    while ((responseLine = br.readLine()) != null) {
        response.append(responseLine.trim());
    }
    System.out.println(response.toString());
}

let inputBody = "{\n  \"data\": {\n    \"type\": \"report-structured-scope\",\n    \"attributes\": {\n      \"structured_scope_id\": 0\n    }\n  }\n}";
let user = 'api_example_company';
let password = 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
  headers.set('Content-Type', 'application/json');  headers.set('Accept', 'application/json');

fetch('https://api.hackerone.com/v1/reports/{id}/structured_scope',
{
  method: 'PUT',
  body: inputBody,
  headers: headers
})
.then(function(res) {
    return res.json();
}).then(function(body) {
    console.log(body);
});

package main

import (
       "bytes"
       "io/ioutil"
       "log"
       "net/http"
)

func main() { 
    headers := map[string][]string{
        "Content-Type": []string{"application/json"},
        "Accept": []string{"application/json"},

    }
    data := bytes.NewBuffer([]byte(`"{\n  \"data\": {\n    \"type\": \"report-structured-scope\",\n    \"attributes\": {\n      \"structured_scope_id\": 0\n    }\n  }\n}"`))

    req, err := http.NewRequest("PUT", "https://api.hackerone.com/v1/reports/{id}/structured_scope", data)
    req.Header = headers
    req.SetBasicAuth("api_example_company", "Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=")

    client := &http.Client{}
    resp, err := client.Do(req)
    if err != nil {
      panic(err)
    }
    defer resp.Body.Close()

    body, _ := ioutil.ReadAll(resp.Body)

    log.Println(string(body))
}

200 Response

{
  "id": "1337",
  "type": "report",
  "attributes": {
    "title": "XSS in login form",
    "state": "new",
    "created_at": "2016-02-02T04:05:06.000Z",
    "vulnerability_information": "...",
    "triaged_at": null,
    "closed_at": null,
    "last_reporter_activity_at": null,
    "first_program_activity_at": null,
    "last_program_activity_at": null,
    "bounty_awarded_at": null,
    "swag_awarded_at": null,
    "disclosed_at": null,
    "last_public_activity_at": null,
    "last_activity_at": null,
    "issue_tracker_reference_url": "https://example.com/reference",
    "cve_ids": [],
    "source": null,
    "reporter_agreed_on_going_public_at": null
  },
  "relationships": {
    "reporter": {
      "data": {
        "id": "1337",
        "type": "user",
        "attributes": {
          "username": "api-example",
          "name": "API Example",
          "disabled": false,
          "created_at": "2016-02-02T04:05:06.000Z",
          "profile_picture": {
            "62x62": "/assets/avatars/default.png",
            "82x82": "/assets/avatars/default.png",
            "110x110": "/assets/avatars/default.png",
            "260x260": "/assets/avatars/default.png"
          },
          "reputation": 7,
          "signal": 7,
          "impact": 30
        }
      }
    },
    "program": {
      "data": {
        "id": "1337",
        "type": "program",
        "attributes": {
          "handle": "security",
          "created_at": "2016-02-02T04:05:06.000Z",
          "updated_at": "2016-02-02T04:05:06.000Z"
        }
      }
    },
    "swag": {
      "data": []
    },
    "attachments": {
      "data": []
    },
    "weakness": {
      "data": {
        "id": "1337",
        "type": "weakness",
        "attributes": {
          "name": "Cross-Site Request Forgery (CSRF)",
          "description": "The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.",
          "external_id": "cwe-352",
          "created_at": "2016-02-02T04:05:06.000Z"
        }
      }
    },
    "structured_scope": {
      "data": {
        "id": "287",
        "type": "structured-scope",
        "attributes": {
          "asset_type": "URL",
          "asset_identifier": "www.hackerone.com",
          "eligible_for_bounty": true,
          "eligible_for_submission": true,
          "instruction": "This asset does not contain any highly confidential information.",
          "max_severity": "critical",
          "created_at": "2016-02-02T04:05:06.000Z",
          "updated_at": "2016-02-02T04:05:06.000Z",
          "reference": "T12345",
          "confidentiality_requirement": "medium",
          "integrity_requirement": "high",
          "availability_requirement": "medium"
        }
      }
    },
    "activities": {
      "data": []
    },
    "bounties": {
      "data": []
    },
    "summaries": {
      "data": []
    }
  }
}

PUT /reports/{id}/structured_scope

Changing the structured scope of a report can be done through this endpoint. This API endpoint cannot be used for reports that have been reported outside of the HackerOne platform.

Required permissions: Report Management. You can manage the permissions of your API users through your program's settings. Insufficient permissions will result in a 404 Not Found response.

Parameters

Name In Type Required Description
id path integer true The ID of the report.
data body object true The information to change the structured scope of a report.
» type body string true none
» attributes body object true none
»» structured_scope_id body integer true The new structured scope that will be set on the report.

Enumerated Values

Parameter Value
» type report-structured-scope

Add Summary

Code samples

# You can also use wget
curl "https://api.hackerone.com/v1/reports/{id}/summaries" \
  -X POST \
  -u "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=" \
  -H 'Content-Type: application/json' \
  -H 'Accept: application/json' \
  -d @- <<EOD
{
  "data": {
    "type": "report-summary",
    "attributes": {
      "content": "string"
    }
  }
}
EOD

import requests
headers = {
  'Content-Type': 'application/json',
  'Accept': 'application/json'
}

data = {
  "data": {
    "type": "report-summary",
    "attributes": {
      "content": "string"
    }
  }
}

r = requests.post(
  'https://api.hackerone.com/v1/reports/{id}/summaries',
  auth=('api_example_company', 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ='),
  json = data,
  headers = headers
)

print(r.json())

require 'rest-client'
require 'json'

headers = {
  'Content-Type' => 'application/json',
  'Accept' => 'application/json'
}

data = {
  "data": {
    "type": "report-summary",
    "attributes": {
      "content": "string"
    }
  }
}

result = RestClient::Request.execute(
  method: :post,
  url: 'https://api.hackerone.com/v1/reports/{id}/summaries',
  password: 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=',
  user: 'api_example_company',
  payload: data,
  headers: headers
)
p JSON.parse(result)

URL obj = new URL("https://api.hackerone.com/v1/reports/{id}/summaries");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();

String userCredentials = "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);

con.setRequestMethod("POST");
con.setRequestProperty("Content-Type", "application/json; utf-8");
con.setRequestProperty("Accept", "application/json");
con.setDoOutput(true);
String jsonInputString = "{\n  \"data\": {\n    \"type\": \"report-summary\",\n    \"attributes\": {\n      \"content\": \"string\"\n    }\n  }\n}";
try(OutputStream os = con.getOutputStream()) {
    byte[] input = jsonInputString.getBytes("utf-8");
    os.write(input, 0, input.length);
}

try(BufferedReader br = new BufferedReader(
  new InputStreamReader(con.getInputStream(), "utf-8"))) {
    StringBuilder response = new StringBuilder();
    String responseLine = null;
    while ((responseLine = br.readLine()) != null) {
        response.append(responseLine.trim());
    }
    System.out.println(response.toString());
}

let inputBody = "{\n  \"data\": {\n    \"type\": \"report-summary\",\n    \"attributes\": {\n      \"content\": \"string\"\n    }\n  }\n}";
let user = 'api_example_company';
let password = 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
  headers.set('Content-Type', 'application/json');  headers.set('Accept', 'application/json');

fetch('https://api.hackerone.com/v1/reports/{id}/summaries',
{
  method: 'POST',
  body: inputBody,
  headers: headers
})
.then(function(res) {
    return res.json();
}).then(function(body) {
    console.log(body);
});

package main

import (
       "bytes"
       "io/ioutil"
       "log"
       "net/http"
)

func main() { 
    headers := map[string][]string{
        "Content-Type": []string{"application/json"},
        "Accept": []string{"application/json"},

    }
    data := bytes.NewBuffer([]byte(`"{\n  \"data\": {\n    \"type\": \"report-summary\",\n    \"attributes\": {\n      \"content\": \"string\"\n    }\n  }\n}"`))

    req, err := http.NewRequest("POST", "https://api.hackerone.com/v1/reports/{id}/summaries", data)
    req.Header = headers
    req.SetBasicAuth("api_example_company", "Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=")

    client := &http.Client{}
    resp, err := client.Do(req)
    if err != nil {
      panic(err)
    }
    defer resp.Body.Close()

    body, _ := ioutil.ReadAll(resp.Body)

    log.Println(string(body))
}

200 Response

{
  "id": "1337",
  "type": "report-summary",
  "attributes": {
    "content": "There was a cross-site scripting vulnerability in our login form.",
    "category": "team",
    "created_at": "2016-02-02T04:05:06.000Z",
    "updated_at": "2016-02-02T04:05:06.000Z"
  },
  "relationships": {
    "user": {
      "data": {
        "id": "1337",
        "type": "user",
        "attributes": {
          "username": "api-example",
          "name": "API Example",
          "disabled": false,
          "created_at": "2016-02-02T04:05:06.000Z",
          "profile_picture": {
            "62x62": "/assets/avatars/default.png",
            "82x82": "/assets/avatars/default.png",
            "110x110": "/assets/avatars/default.png",
            "260x260": "/assets/avatars/default.png"
          }
        }
      }
    }
  }
}

POST /reports/{id}/summaries

This API endpoint enables the user to create a report summary for reports that are received by teams that the user is a part of.

A team can only include a single report summary. This API endpoint cannot be used for reports that have been reported outside of the HackerOne platform or reported to other teams.

Required permissions: Report Management. You can manage the permissions of your API users through your program's settings. Insufficient permissions will result in a 403 Forbidden response.

Parameters

Name In Type Required Description
id path integer true The ID of the report.
data body object true The information necessary to create a report summary.
» type body string true none
» attributes body object true none
»» content body string true The content to be included in the report summary.

Enumerated Values

Parameter Value
» type report-summary

Award Swag

Code samples

# You can also use wget
curl "https://api.hackerone.com/v1/reports/{id}/swags" \
  -X POST \
  -u "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=" \
  -H 'Content-Type: application/json' \
  -H 'Accept: application/json' \
  -d @- <<EOD
{
  "data": {
    "message": "string"
  }
}
EOD

import requests
headers = {
  'Content-Type': 'application/json',
  'Accept': 'application/json'
}

data = {
  "data": {
    "message": "string"
  }
}

r = requests.post(
  'https://api.hackerone.com/v1/reports/{id}/swags',
  auth=('api_example_company', 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ='),
  json = data,
  headers = headers
)

print(r.json())

require 'rest-client'
require 'json'

headers = {
  'Content-Type' => 'application/json',
  'Accept' => 'application/json'
}

data = {
  "data": {
    "message": "string"
  }
}

result = RestClient::Request.execute(
  method: :post,
  url: 'https://api.hackerone.com/v1/reports/{id}/swags',
  password: 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=',
  user: 'api_example_company',
  payload: data,
  headers: headers
)
p JSON.parse(result)

URL obj = new URL("https://api.hackerone.com/v1/reports/{id}/swags");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();

String userCredentials = "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);

con.setRequestMethod("POST");
con.setRequestProperty("Content-Type", "application/json; utf-8");
con.setRequestProperty("Accept", "application/json");
con.setDoOutput(true);
String jsonInputString = "{\n  \"data\": {\n    \"message\": \"string\"\n  }\n}";
try(OutputStream os = con.getOutputStream()) {
    byte[] input = jsonInputString.getBytes("utf-8");
    os.write(input, 0, input.length);
}

try(BufferedReader br = new BufferedReader(
  new InputStreamReader(con.getInputStream(), "utf-8"))) {
    StringBuilder response = new StringBuilder();
    String responseLine = null;
    while ((responseLine = br.readLine()) != null) {
        response.append(responseLine.trim());
    }
    System.out.println(response.toString());
}

let inputBody = "{\n  \"data\": {\n    \"message\": \"string\"\n  }\n}";
let user = 'api_example_company';
let password = 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
  headers.set('Content-Type', 'application/json');  headers.set('Accept', 'application/json');

fetch('https://api.hackerone.com/v1/reports/{id}/swags',
{
  method: 'POST',
  body: inputBody,
  headers: headers
})
.then(function(res) {
    return res.json();
}).then(function(body) {
    console.log(body);
});

package main

import (
       "bytes"
       "io/ioutil"
       "log"
       "net/http"
)

func main() { 
    headers := map[string][]string{
        "Content-Type": []string{"application/json"},
        "Accept": []string{"application/json"},

    }
    data := bytes.NewBuffer([]byte(`"{\n  \"data\": {\n    \"message\": \"string\"\n  }\n}"`))

    req, err := http.NewRequest("POST", "https://api.hackerone.com/v1/reports/{id}/swags", data)
    req.Header = headers
    req.SetBasicAuth("api_example_company", "Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=")

    client := &http.Client{}
    resp, err := client.Do(req)
    if err != nil {
      panic(err)
    }
    defer resp.Body.Close()

    body, _ := ioutil.ReadAll(resp.Body)

    log.Println(string(body))
}

200 Response

{
  "id": "1337",
  "type": "swag",
  "attributes": {
    "sent": false,
    "created_at": "2016-02-02T04:05:06.000Z"
  },
  "relationships": {
    "user": {
      "data": {
        "id": "1337",
        "type": "user",
        "attributes": {
          "username": "api-example",
          "name": "API Example",
          "disabled": false,
          "created_at": "2016-02-02T04:05:06.000Z",
          "profile_picture": {
            "62x62": "/assets/avatars/default.png",
            "82x82": "/assets/avatars/default.png",
            "110x110": "/assets/avatars/default.png",
            "260x260": "/assets/avatars/default.png"
          }
        }
      }
    },
    "address": {
      "data": {
        "id": "1337",
        "type": "address",
        "attributes": {
          "name": "Jane Doe",
          "street": "535 Mission Street",
          "city": "San Francisco",
          "postal_code": "94105",
          "state": "CA",
          "country": "United States of America",
          "created_at": "2016-02-02T04:05:06.000Z",
          "tshirt_size": "W_Large",
          "phone_number": "+1-510-000-0000"
        }
      }
    }
  }
}

POST /reports/{id}/swags

You can use this endpoint to award swag to the reporter of the provided report.

Required permissions: Reward Management. You can manage the permissions of your API users through your program's settings. Insufficient permissions will result in a 404 Not Found response.

Parameters

Name In Type Required Description
id path integer true The ID of the report.
data body object true The information required to award swag.
» message body string true The public message posted on the report. This is always required.

Update Title

Code samples

# You can also use wget
curl "https://api.hackerone.com/v1/reports/{id}/title" \
  -X PUT \
  -u "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=" \
  -H 'Content-Type: application/json' \
  -H 'Accept: application/json' \
  -d @- <<EOD
{
  "data": {
    "type": "report-title",
    "attributes": {
      "title": "string"
    }
  }
}
EOD

import requests
headers = {
  'Content-Type': 'application/json',
  'Accept': 'application/json'
}

data = {
  "data": {
    "type": "report-title",
    "attributes": {
      "title": "string"
    }
  }
}

r = requests.put(
  'https://api.hackerone.com/v1/reports/{id}/title',
  auth=('api_example_company', 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ='),
  json = data,
  headers = headers
)

print(r.json())

require 'rest-client'
require 'json'

headers = {
  'Content-Type' => 'application/json',
  'Accept' => 'application/json'
}

data = {
  "data": {
    "type": "report-title",
    "attributes": {
      "title": "string"
    }
  }
}

result = RestClient::Request.execute(
  method: :put,
  url: 'https://api.hackerone.com/v1/reports/{id}/title',
  password: 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=',
  user: 'api_example_company',
  payload: data,
  headers: headers
)
p JSON.parse(result)

URL obj = new URL("https://api.hackerone.com/v1/reports/{id}/title");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();

String userCredentials = "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);

con.setRequestMethod("PUT");
con.setRequestProperty("Content-Type", "application/json; utf-8");
con.setRequestProperty("Accept", "application/json");
con.setDoOutput(true);
String jsonInputString = "{\n  \"data\": {\n    \"type\": \"report-title\",\n    \"attributes\": {\n      \"title\": \"string\"\n    }\n  }\n}";
try(OutputStream os = con.getOutputStream()) {
    byte[] input = jsonInputString.getBytes("utf-8");
    os.write(input, 0, input.length);
}

try(BufferedReader br = new BufferedReader(
  new InputStreamReader(con.getInputStream(), "utf-8"))) {
    StringBuilder response = new StringBuilder();
    String responseLine = null;
    while ((responseLine = br.readLine()) != null) {
        response.append(responseLine.trim());
    }
    System.out.println(response.toString());
}

let inputBody = "{\n  \"data\": {\n    \"type\": \"report-title\",\n    \"attributes\": {\n      \"title\": \"string\"\n    }\n  }\n}";
let user = 'api_example_company';
let password = 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
  headers.set('Content-Type', 'application/json');  headers.set('Accept', 'application/json');

fetch('https://api.hackerone.com/v1/reports/{id}/title',
{
  method: 'PUT',
  body: inputBody,
  headers: headers
})
.then(function(res) {
    return res.json();
}).then(function(body) {
    console.log(body);
});

package main

import (
       "bytes"
       "io/ioutil"
       "log"
       "net/http"
)

func main() { 
    headers := map[string][]string{
        "Content-Type": []string{"application/json"},
        "Accept": []string{"application/json"},

    }
    data := bytes.NewBuffer([]byte(`"{\n  \"data\": {\n    \"type\": \"report-title\",\n    \"attributes\": {\n      \"title\": \"string\"\n    }\n  }\n}"`))

    req, err := http.NewRequest("PUT", "https://api.hackerone.com/v1/reports/{id}/title", data)
    req.Header = headers
    req.SetBasicAuth("api_example_company", "Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=")

    client := &http.Client{}
    resp, err := client.Do(req)
    if err != nil {
      panic(err)
    }
    defer resp.Body.Close()

    body, _ := ioutil.ReadAll(resp.Body)

    log.Println(string(body))
}

200 Response

{
  "data": {
    "id": "1337",
    "type": "report",
    "attributes": {
      "title": "XSS in login form",
      "state": "new",
      "created_at": "2016-02-02T04:05:06.000Z",
      "vulnerability_information": "...",
      "triaged_at": null,
      "closed_at": null,
      "last_reporter_activity_at": null,
      "first_program_activity_at": null,
      "last_program_activity_at": null,
      "bounty_awarded_at": null,
      "swag_awarded_at": null,
      "disclosed_at": null,
      "source": null
    },
    "relationships": {
      "reporter": {
        "data": {
          "id": "1337",
          "type": "user",
          "attributes": {
            "username": "api-example",
            "name": "API Example",
            "disabled": false,
            "created_at": "2016-02-02T04:05:06.000Z",
            "profile_picture": {
              "62x62": "/assets/avatars/default.png",
              "82x82": "/assets/avatars/default.png",
              "110x110": "/assets/avatars/default.png",
              "260x260": "/assets/avatars/default.png"
            }
          }
        }
      },
      "assignee": {
        "data": {
          "id": "1337",
          "type": "user",
          "attributes": {
            "username": "member",
            "name": "Member",
            "disabled": false,
            "created_at": "2016-02-02T04:05:06.000Z",
            "profile_picture": {
              "62x62": "/assets/avatars/default.png",
              "82x82": "/assets/avatars/default.png",
              "110x110": "/assets/avatars/default.png",
              "260x260": "/assets/avatars/default.png"
            }
          }
        }
      },
      "program": {
        "data": {
          "id": "1337",
          "type": "program",
          "attributes": {
            "handle": "security",
            "created_at": "2016-02-02T04:05:06.000Z",
            "updated_at": "2016-02-02T04:05:06.000Z"
          }
        }
      },
      "severity": {
        "data": {
          "id": "57",
          "type": "severity",
          "attributes": {
            "rating": "high",
            "author_type": "User",
            "user_id": 1337,
            "created_at": "2016-02-02T04:05:06.000Z",
            "score": 8.7,
            "attack_complexity": "low",
            "attack_vector": "adjacent",
            "availability": "high",
            "confidentiality": "low",
            "integrity": "high",
            "privileges_required": "low",
            "user_interaction": "required",
            "scope": "changed"
          }
        }
      },
      "swag": {
        "data": []
      },
      "attachments": {
        "data": []
      },
      "weakness": {
        "data": {
          "id": "1337",
          "type": "weakness",
          "attributes": {
            "name": "Cross-Site Request Forgery (CSRF)",
            "description": "The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.",
            "external_id": "cwe-352",
            "created_at": "2016-02-02T04:05:06.000Z"
          }
        }
      },
      "structured_scope": {
        "data": {
          "id": "57",
          "type": "structured-scope",
          "attributes": {
            "asset_identifier": "api.example.com",
            "asset_type": "url",
            "confidentiality_requirement": "high",
            "integrity_requirement": "high",
            "availability_requirement": "high",
            "max_severity": "critical",
            "created_at": "2015-02-02T04:05:06.000Z",
            "updated_at": "2016-05-02T04:05:06.000Z",
            "instruction": null,
            "eligible_for_bounty": true,
            "eligible_for_submission": true,
            "reference": "H001001"
          }
        }
      },
      "activities": {
        "data": [
          {
            "type": "activity-comment",
            "id": "445",
            "attributes": {
              "message": "Comment!",
              "created_at": "2016-02-02T04:05:06.000Z",
              "updated_at": "2016-02-02T04:05:06.000Z",
              "internal": false
            },
            "relationships": {
              "actor": {
                "data": {
                  "id": "1337",
                  "type": "user",
                  "attributes": {
                    "username": "api-example",
                    "name": "API Example",
                    "disabled": false,
                    "created_at": "2016-02-02T04:05:06.000Z",
                    "profile_picture": {
                      "62x62": "/assets/avatars/default.png",
                      "82x82": "/assets/avatars/default.png",
                      "110x110": "/assets/avatars/default.png",
                      "260x260": "/assets/avatars/default.png"
                    },
                    "signal": null,
                    "impact": null,
                    "reputation": null,
                    "bio": null,
                    "website": null,
                    "location": null,
                    "hackerone_triager": false
                  }
                }
              },
              "attachments": {
                "data": [
                  {
                    "id": "1337",
                    "type": "attachment",
                    "attributes": {
                      "expiring_url": "/system/attachments/files/000/001/337/original/root.rb?1454385906",
                      "created_at": "2016-02-02T04:05:06.000Z",
                      "file_name": "root.rb",
                      "content_type": "text/x-ruby",
                      "file_size": 2871
                    }
                  }
                ]
              }
            }
          },
          {
            "id": "1337",
            "type": "activity-bug-resolved",
            "attributes": {
              "message": "Bug Resolved!",
              "created_at": "2016-02-02T04:05:06.000Z",
              "updated_at": "2016-02-02T04:05:06.000Z",
              "internal": false
            },
            "relationships": {
              "actor": {
                "data": {
                  "id": "1337",
                  "type": "user",
                  "attributes": {
                    "username": "api-example",
                    "name": "API Example",
                    "disabled": false,
                    "created_at": "2016-02-02T04:05:06.000Z",
                    "profile_picture": {
                      "62x62": "/assets/avatars/default.png",
                      "82x82": "/assets/avatars/default.png",
                      "110x110": "/assets/avatars/default.png",
                      "260x260": "/assets/avatars/default.png"
                    }
                  }
                }
              }
            }
          }
        ]
      },
      "bounties": {
        "data": []
      },
      "summaries": {
        "data": []
      },
      "triggered_pre_submission_trigger": {
        "data": {
          "id": "1337",
          "type": "trigger",
          "attributes": {
            "title": "Example Trigger"
          }
        }
      },
      "custom_field_values": {
        "data": []
      }
    }
  }
}

PUT /reports/{id}/title

Changing the title of a report through the HackerOne API can be useful to programmatically batch update received reports in HackerOne. This API endpoint cannot be used for reports that have been reported outside of the HackerOne platform.

Required permissions: Report Management. You can manage the permissions of your API users through your program's settings. Insufficient permissions will result in a 403 Forbidden response.

Parameters

Name In Type Required Description
id path integer true The ID of the report.
data body object true The information to change the title of a report.
» type body string true none
» attributes body object false none
»» title body string true The new title that will be set on the report.

Enumerated Values

Parameter Value
» type report-title

Transfer Report

Code samples

# You can also use wget
curl "https://api.hackerone.com/v1/reports/{id}/transfer" \
  -X PUT \
  -u "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=" \
  -H 'Content-Type: application/json' \
  -H 'Accept: application/json' \
  -d @- <<EOD
{
  "data": {
    "type": "report-transfer",
    "attributes": {
      "target_team_id": 0
    }
  }
}
EOD

import requests
headers = {
  'Content-Type': 'application/json',
  'Accept': 'application/json'
}

data = {
  "data": {
    "type": "report-transfer",
    "attributes": {
      "target_team_id": 0
    }
  }
}

r = requests.put(
  'https://api.hackerone.com/v1/reports/{id}/transfer',
  auth=('api_example_company', 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ='),
  json = data,
  headers = headers
)

print(r.json())

require 'rest-client'
require 'json'

headers = {
  'Content-Type' => 'application/json',
  'Accept' => 'application/json'
}

data = {
  "data": {
    "type": "report-transfer",
    "attributes": {
      "target_team_id": 0
    }
  }
}

result = RestClient::Request.execute(
  method: :put,
  url: 'https://api.hackerone.com/v1/reports/{id}/transfer',
  password: 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=',
  user: 'api_example_company',
  payload: data,
  headers: headers
)
p JSON.parse(result)

URL obj = new URL("https://api.hackerone.com/v1/reports/{id}/transfer");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();

String userCredentials = "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);

con.setRequestMethod("PUT");
con.setRequestProperty("Content-Type", "application/json; utf-8");
con.setRequestProperty("Accept", "application/json");
con.setDoOutput(true);
String jsonInputString = "{\n  \"data\": {\n    \"type\": \"report-transfer\",\n    \"attributes\": {\n      \"target_team_id\": 0\n    }\n  }\n}";
try(OutputStream os = con.getOutputStream()) {
    byte[] input = jsonInputString.getBytes("utf-8");
    os.write(input, 0, input.length);
}

try(BufferedReader br = new BufferedReader(
  new InputStreamReader(con.getInputStream(), "utf-8"))) {
    StringBuilder response = new StringBuilder();
    String responseLine = null;
    while ((responseLine = br.readLine()) != null) {
        response.append(responseLine.trim());
    }
    System.out.println(response.toString());
}

let inputBody = "{\n  \"data\": {\n    \"type\": \"report-transfer\",\n    \"attributes\": {\n      \"target_team_id\": 0\n    }\n  }\n}";
let user = 'api_example_company';
let password = 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
  headers.set('Content-Type', 'application/json');  headers.set('Accept', 'application/json');

fetch('https://api.hackerone.com/v1/reports/{id}/transfer',
{
  method: 'PUT',
  body: inputBody,
  headers: headers
})
.then(function(res) {
    return res.json();
}).then(function(body) {
    console.log(body);
});

package main

import (
       "bytes"
       "io/ioutil"
       "log"
       "net/http"
)

func main() { 
    headers := map[string][]string{
        "Content-Type": []string{"application/json"},
        "Accept": []string{"application/json"},

    }
    data := bytes.NewBuffer([]byte(`"{\n  \"data\": {\n    \"type\": \"report-transfer\",\n    \"attributes\": {\n      \"target_team_id\": 0\n    }\n  }\n}"`))

    req, err := http.NewRequest("PUT", "https://api.hackerone.com/v1/reports/{id}/transfer", data)
    req.Header = headers
    req.SetBasicAuth("api_example_company", "Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=")

    client := &http.Client{}
    resp, err := client.Do(req)
    if err != nil {
      panic(err)
    }
    defer resp.Body.Close()

    body, _ := ioutil.ReadAll(resp.Body)

    log.Println(string(body))
}

200 Response

{
  "was_successful": true
}

PUT /reports/{id}/transfer

The program can transfer reports between parent and child programs.

You can use this endpoint to transfer the reports between parent and child programs.

Required permissions: Report Management. You can manage the permissions of your API users through your program's settings. Insufficient permissions will result in a 403 Forbidden response.

Parameters

Name In Type Required Description
id path integer true The ID of the report.
data body object true The information to transfer the report.
» type body string true none
» attributes body object true none
»» target_team_id body number true ID of the target team the reports should be transferred to.

Enumerated Values

Parameter Value
» type report-transfer

Update Weakness

Code samples

# You can also use wget
curl "https://api.hackerone.com/v1/reports/{id}/weakness" \
  -X PUT \
  -u "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=" \
  -H 'Content-Type: application/json' \
  -H 'Accept: application/json' \
  -d @- <<EOD
{
  "data": {
    "type": "report-weakness",
    "attributes": {
      "weakness_id": 0
    }
  }
}
EOD

import requests
headers = {
  'Content-Type': 'application/json',
  'Accept': 'application/json'
}

data = {
  "data": {
    "type": "report-weakness",
    "attributes": {
      "weakness_id": 0
    }
  }
}

r = requests.put(
  'https://api.hackerone.com/v1/reports/{id}/weakness',
  auth=('api_example_company', 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ='),
  json = data,
  headers = headers
)

print(r.json())

require 'rest-client'
require 'json'

headers = {
  'Content-Type' => 'application/json',
  'Accept' => 'application/json'
}

data = {
  "data": {
    "type": "report-weakness",
    "attributes": {
      "weakness_id": 0
    }
  }
}

result = RestClient::Request.execute(
  method: :put,
  url: 'https://api.hackerone.com/v1/reports/{id}/weakness',
  password: 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=',
  user: 'api_example_company',
  payload: data,
  headers: headers
)
p JSON.parse(result)

URL obj = new URL("https://api.hackerone.com/v1/reports/{id}/weakness");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();

String userCredentials = "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);

con.setRequestMethod("PUT");
con.setRequestProperty("Content-Type", "application/json; utf-8");
con.setRequestProperty("Accept", "application/json");
con.setDoOutput(true);
String jsonInputString = "{\n  \"data\": {\n    \"type\": \"report-weakness\",\n    \"attributes\": {\n      \"weakness_id\": 0\n    }\n  }\n}";
try(OutputStream os = con.getOutputStream()) {
    byte[] input = jsonInputString.getBytes("utf-8");
    os.write(input, 0, input.length);
}

try(BufferedReader br = new BufferedReader(
  new InputStreamReader(con.getInputStream(), "utf-8"))) {
    StringBuilder response = new StringBuilder();
    String responseLine = null;
    while ((responseLine = br.readLine()) != null) {
        response.append(responseLine.trim());
    }
    System.out.println(response.toString());
}

let inputBody = "{\n  \"data\": {\n    \"type\": \"report-weakness\",\n    \"attributes\": {\n      \"weakness_id\": 0\n    }\n  }\n}";
let user = 'api_example_company';
let password = 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
  headers.set('Content-Type', 'application/json');  headers.set('Accept', 'application/json');

fetch('https://api.hackerone.com/v1/reports/{id}/weakness',
{
  method: 'PUT',
  body: inputBody,
  headers: headers
})
.then(function(res) {
    return res.json();
}).then(function(body) {
    console.log(body);
});

package main

import (
       "bytes"
       "io/ioutil"
       "log"
       "net/http"
)

func main() { 
    headers := map[string][]string{
        "Content-Type": []string{"application/json"},
        "Accept": []string{"application/json"},

    }
    data := bytes.NewBuffer([]byte(`"{\n  \"data\": {\n    \"type\": \"report-weakness\",\n    \"attributes\": {\n      \"weakness_id\": 0\n    }\n  }\n}"`))

    req, err := http.NewRequest("PUT", "https://api.hackerone.com/v1/reports/{id}/weakness", data)
    req.Header = headers
    req.SetBasicAuth("api_example_company", "Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=")

    client := &http.Client{}
    resp, err := client.Do(req)
    if err != nil {
      panic(err)
    }
    defer resp.Body.Close()

    body, _ := ioutil.ReadAll(resp.Body)

    log.Println(string(body))
}

200 Response

{
  "id": "77",
  "type": "report",
  "attributes": {
    "title": "XSS in login form",
    "state": "new",
    "created_at": "2019-08-20T14:26:19.286Z",
    "vulnerability_information": "...",
    "triaged_at": null,
    "closed_at": null,
    "last_reporter_activity_at": "2019-08-20T14:26:20.531Z",
    "first_program_activity_at": "2019-08-20T14:26:20.531Z",
    "last_program_activity_at": "2019-08-20T15:25:56.627Z",
    "bounty_awarded_at": null,
    "swag_awarded_at": null,
    "disclosed_at": null,
    "last_public_activity_at": "2019-08-20T15:25:56.627Z",
    "last_activity_at": "2019-08-20T15:25:56.627Z",
    "cve_ids": []
  },
  "relationships": {
    "weakness": {
      "data": {
        "id": "77",
        "type": "weakness",
        "attributes": {
          "name": "Reliance on Reverse DNS Resolution for a Security-Critical Action",
          "description": "The software performs reverse DNS resolution on an IP address to obtain the hostname and make a security decision, but it does not properly ensure that the IP address is truly associated with the hostname.",
          "external_id": "cwe-350",
          "created_at": "2019-07-12T08:36:13.646Z"
        }
      }
    }
  }
}

PUT /reports/{id}/weakness

Changing the weakness of a report can be done through this endpoint. This API endpoint cannot be used for reports that have been reported outside of the HackerOne platform.

Required permissions: Report Management. You can manage the permissions of your API users through your program's settings. Insufficient permissions will result in a 404 Not Found response.

Parameters

Name In Type Required Description
id path integer true The ID of the report.
data body object true The information to change the weakness of a report.
» type body string true none
» attributes body object true none
»» weakness_id body integer true The new weakness that will be set on the report.

Enumerated Values

Parameter Value
» type report-weakness

Get All Reports

Code samples

# You can also use wget
curl "https://api.hackerone.com/v1/reports?filter%5Bprogram%5D%5B%5D=string" \
  -X GET \
  -u "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=" \
  -H 'Accept: application/json'

import requests
headers = {
  'Accept': 'application/json'
}

r = requests.get(
  'https://api.hackerone.com/v1/reports',
  auth=('api_example_company', 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ='),
  params={
      'filter[program][]': [
  "string"
]
  },
  headers = headers
)

print(r.json())

require 'rest-client'
require 'json'

headers = {
  'Accept' => 'application/json'
}

result = RestClient::Request.execute(
  method: :get,
  url: 'https://api.hackerone.com/v1/reports',
  password: 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=',
  user: 'api_example_company',
  headers: headers
)
p JSON.parse(result)

URL obj = new URL("https://api.hackerone.com/v1/reports?filter%5Bprogram%5D%5B%5D=string");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();

String userCredentials = "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);

con.setRequestMethod("GET");
try(BufferedReader br = new BufferedReader(
  new InputStreamReader(con.getInputStream(), "utf-8"))) {
    StringBuilder response = new StringBuilder();
    String responseLine = null;
    while ((responseLine = br.readLine()) != null) {
        response.append(responseLine.trim());
    }
    System.out.println(response.toString());
}


let user = 'api_example_company';
let password = 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
  headers.set('Accept', 'application/json');

fetch('https://api.hackerone.com/v1/reports?filter%5Bprogram%5D%5B%5D=string',
{
  method: 'GET',

  headers: headers
})
.then(function(res) {
    return res.json();
}).then(function(body) {
    console.log(body);
});

package main

import (
       "io/ioutil"
       "log"
       "net/http"
)

func main() { 
    headers := map[string][]string{
        "Accept": []string{"application/json"},

    }

    req, err := http.NewRequest("GET", "https://api.hackerone.com/v1/reports", nil)
    req.Header = headers
    req.SetBasicAuth("api_example_company", "Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=")

    client := &http.Client{}
    resp, err := client.Do(req)
    if err != nil {
      panic(err)
    }
    defer resp.Body.Close()

    body, _ := ioutil.ReadAll(resp.Body)

    log.Println(string(body))
}

200 Response

{
  "data": [
    {
      "id": "1337",
      "type": "report",
      "attributes": {
        "title": "XSS in login form",
        "state": "new",
        "created_at": "2016-02-02T04:05:06.000Z",
        "vulnerability_information": "...",
        "triaged_at": null,
        "closed_at": null,
        "last_reporter_activity_at": null,
        "first_program_activity_at": null,
        "last_program_activity_at": null,
        "bounty_awarded_at": null,
        "last_activity_at": null,
        "last_public_activity_at": null,
        "swag_awarded_at": null,
        "disclosed_at": null
      },
      "relationships": {
        "reporter": {
          "data": {
            "id": "1337",
            "type": "user",
            "attributes": {
              "username": "api-example",
              "name": "API Example",
              "disabled": false,
              "created_at": "2016-02-02T04:05:06.000Z",
              "profile_picture": {
                "62x62": "/assets/avatars/default.png",
                "82x82": "/assets/avatars/default.png",
                "110x110": "/assets/avatars/default.png",
                "260x260": "/assets/avatars/default.png"
              }
            }
          }
        },
        "program": {
          "data": {
            "id": "1337",
            "type": "program",
            "attributes": {
              "handle": "security",
              "created_at": "2016-02-02T04:05:06.000Z",
              "updated_at": "2016-02-02T04:05:06.000Z"
            }
          }
        },
        "weakness": {
          "data": {
            "id": "1337",
            "type": "weakness",
            "attributes": {
              "name": "Cross-Site Request Forgery (CSRF)",
              "description": "The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.",
              "external_id": "cwe-352",
              "created_at": "2016-02-02T04:05:06.000Z"
            }
          }
        },
        "bounties": {
          "data": []
        }
      }
    },
    {
      "id": "1338",
      "type": "report",
      "attributes": {
        "title": "CSRF in admin panel",
        "state": "triaged",
        "created_at": "2016-02-02T04:05:06.000Z",
        "vulnerability_information": "...",
        "triaged_at": "2016-02-03T03:01:36.000Z",
        "closed_at": null,
        "last_reporter_activity_at": null,
        "first_program_activity_at": null,
        "last_program_activity_at": null,
        "bounty_awarded_at": null,
        "swag_awarded_at": null,
        "disclosed_at": null,
        "issue_tracker_reference_id": "T554",
        "issue_tracker_reference_url": "https://phabricator.tld/T554",
        "cve_ids": []
      },
      "relationships": {
        "reporter": {
          "data": {
            "id": "1337",
            "type": "user",
            "attributes": {
              "username": "api-example",
              "name": "API Example",
              "disabled": false,
              "created_at": "2016-02-02T04:05:06.000Z",
              "profile_picture": {
                "62x62": "/assets/avatars/default.png",
                "82x82": "/assets/avatars/default.png",
                "110x110": "/assets/avatars/default.png",
                "260x260": "/assets/avatars/default.png"
              }
            }
          }
        },
        "program": {
          "data": {
            "id": "1337",
            "type": "program",
            "attributes": {
              "handle": "security",
              "created_at": "2016-02-02T04:05:06.000Z",
              "updated_at": "2016-02-02T04:05:06.000Z"
            }
          }
        },
        "weakness": {
          "data": {
            "id": "1337",
            "type": "weakness",
            "attributes": {
              "name": "Cross-Site Request Forgery (CSRF)",
              "description": "The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.",
              "external_id": "cwe-352",
              "created_at": "2016-02-02T04:05:06.000Z"
            }
          }
        },
        "bounties": {
          "data": []
        }
      }
    },
    "..."
  ],
  "links": {
    "self": "https://api.hackerone.com/v1/reports?filter%5Bprogram%5D%5B%5D=security&page%5Bnumber%5D=1",
    "next": "https://api.hackerone.com/v1/reports?filter%5Bprogram%5D%5B%5D=security&page%5Bnumber%5D=2",
    "last": "https://api.hackerone.com/v1/reports?filter%5Bprogram%5D%5B%5D=security&page%5Bnumber%5D=5"
  }
}

GET /reports

Multiple report objects can be queried that meet certain filtering criteria by sending a GET request to the reports endpoint. When the request is successful, the API will respond with paginated report objects.

The following report relationships are included: reporter, assignee (a user or group), weakness, program, severity, structured scope, bounties, and custom field values.

Parameters

Name In Type Required Description
filter[program][] query array[string] true Filter by the program handles you want to fetch the reports for.
filter[reporter][] query array[string] false Filter by the hacker's username you want to fetch the reports for.
filter[assignee][] query array[string] false Filter by the assignee's usernames, emails or group names you want to fetch the reports for.
filter[state][] query array[string] false Filter by current report state.
filter[id][] query array[integer] false Filter by report ID.
filter[weakness_id][] query array[integer] false Filter by weakness.
filter[severity][] query array[string] false Filter by the severity ratings you want to fetch the reports for.
filter[hacker_published] query boolean false Filter by reports that are published by hackers, depending on the value of the parameter.
filter[created_at__gt] query any(date-time) false Filter by reports that were created after the date specified.
filter[created_at__lt] query any(date-time) false Filter by reports that were created before the date specified.
filter[triaged_at__gt] query any(date-time) false Filter by reports that were triaged after the date specified.
filter[triaged_at__lt] query any(date-time) false Filter by reports that were triaged before the date specified.
filter[triaged_at__null] query boolean false Filter by reports that are triaged or not, depending on the value of this parameter.
filter[closed_at__gt] query any(date-time) false Filter by reports that were closed after the date specified.
filter[closed_at__lt] query any(date-time) false Filter by reports that were closed before the date specified.
filter[closed_at__null] query boolean false Filter by reports that are closed or not, depending on the value of this parameter.
filter[disclosed_at__gt] query any(date-time) false Filter by reports that were disclosed after the date specified.
filter[disclosed_at__lt] query any(date-time) false Filter by reports that were disclosed before the date specified.
filter[disclosed_at__null] query boolean false Filter by reports that are disclosed.
filter[reporter_agreed_on_going_public] query boolean false Filter by reports that have the hacker disclosure request.
filter[bounty_awarded_at__gt] query any(date-time) false Filter by reports that have a bounty awarded after the date specified.
filter[bounty_awarded_at__lt] query any(date-time) false Filter by reports that have a bounty awarded before the date specified.
filter[bounty_awarded_at__null] query boolean false Filter by reports that have a bounty awarded.
filter[swag_awarded_at__gt] query any(date-time) false Filter by reports that have swag awarded after the date specified.
filter[swag_awarded_at__lt] query any(date-time) false Filter by reports that have swag awarded before the date specified.
filter[swag_awarded_at__null] query boolean false Filter by reports that have swag awarded or not, depending on the value of this parameter.
filter[last_reporter_activity_at__gt] query any(date-time) false Filter by reports that received an update from the reporter after the date specified.
filter[last_reporter_activity_at__lt] query any(date-time) false Filter by reports that received an update from the reporter before the date specified.
filter[first_program_activity_at__gt] query any(date-time) false Filter by reports that received the first update from the program after the date specified.
filter[first_program_activity_at__lt] query any(date-time) false Filter by reports that received the first update from the program before the date specified.
filter[first_program_activity_at__null] query boolean false Filter by reports where the reporter received an update.
filter[last_program_activity_at__gt] query any(date-time) false Filter by reports that received an update from the program after the date specified.
filter[last_program_activity_at__lt] query any(date-time) false Filter by reports that received an update from the program before the date specified.
filter[last_activity_at__gt] query any(date-time) false Filter by reports that received an update after the date specified.
filter[last_activity_at__lt] query any(date-time) false Filter by reports that received an update before the date specified.
filter[last_public_activity_at__gt] query any(date-time) false Filter by reports that received a public update after the date specified.
filter[last_public_activity_at__lt] query any(date-time) false Filter by reports that received a public update after the date specified.
filter[keyword] query string false Filter reports by title and keywords.
filter[custom_fields][] query array[object] false Filter reports by a Custom Field Label and Value.
sort query any false The attributes and order to sort the reports on.
page[number] query any false The page to retrieve from.
page[size] query any false The number of objects per page (currently limited from 1 to 100).

Detailed descriptions

sort: The attributes and order to sort the reports on.

This parameter may contain multiple attributes that the reports should be sorted on. Sorting is applied in the specified order of attributes. If an attribute should be sorted descending, prepend a hyphen (-).

The following attributes can be used for sorting: reports.swag_awarded_at, reports.bounty_awarded_at, reports.last_reporter_activity_at, reports.first_program_activity_at, reports.last_program_activity_at, reports.triaged_at, reports.created_at, reports.closed_at, reports.last_public_activity_at, reports.last_activity_at, and reports.disclosed_at.

Enumerated Values

Parameter Value
filter[state][] new
filter[state][] triaged
filter[state][] needs-more-info
filter[state][] resolved
filter[state][] not-applicable
filter[state][] informative
filter[state][] duplicate
filter[state][] spam
filter[severity][] none
filter[severity][] low
filter[severity][] medium
filter[severity][] high
filter[severity][] critical

Create Report

Code samples

# You can also use wget
curl "https://api.hackerone.com/v1/reports" \
  -X POST \
  -u "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=" \
  -H 'Content-Type: application/json' \
  -H 'Accept: application/json' \
  -d @- <<EOD
{
  "data": {
    "type": "report",
    "attributes": {
      "team_handle": "string",
      "title": "string",
      "vulnerability_information": "string",
      "impact": "string",
      "severity_rating": "none",
      "weakness_id": 0,
      "structured_scope_id": 0,
      "source": "string"
    }
  }
}
EOD

import requests
headers = {
  'Content-Type': 'application/json',
  'Accept': 'application/json'
}

data = {
  "data": {
    "type": "report",
    "attributes": {
      "team_handle": "string",
      "title": "string",
      "vulnerability_information": "string",
      "impact": "string",
      "severity_rating": "none",
      "weakness_id": 0,
      "structured_scope_id": 0,
      "source": "string"
    }
  }
}

r = requests.post(
  'https://api.hackerone.com/v1/reports',
  auth=('api_example_company', 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ='),
  json = data,
  headers = headers
)

print(r.json())

require 'rest-client'
require 'json'

headers = {
  'Content-Type' => 'application/json',
  'Accept' => 'application/json'
}

data = {
  "data": {
    "type": "report",
    "attributes": {
      "team_handle": "string",
      "title": "string",
      "vulnerability_information": "string",
      "impact": "string",
      "severity_rating": "none",
      "weakness_id": 0,
      "structured_scope_id": 0,
      "source": "string"
    }
  }
}

result = RestClient::Request.execute(
  method: :post,
  url: 'https://api.hackerone.com/v1/reports',
  password: 'Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=',
  user: 'api_example_company',
  payload: data,
  headers: headers
)
p JSON.parse(result)

URL obj = new URL("https://api.hackerone.com/v1/reports");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();

String userCredentials = "api_example_company:Ke+2jinhe5jM87P95aAVOz7L3ZWrtSiERtyOkkh5tEQ=";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);

con.setRequestMethod("POST");
con.setRequestProperty("Content-Type", "application/json; utf-8");
con.setRequestProperty("Accept", "application/json");
con.setDoOutput(true);
String jsonInputString = "{\n  \"data\": {\n    \"type\": \"report\",\n    \"attributes\": {\n      \"team_handle\": \"string\",\n      \"title\": \"string\",\n      \"vulnerability_information\": \"string\",\n      \"impact\": \"string\",\n      \"severity_rating\": \"none\",\n      \"weakness_id\": 0,\n      \"structured_scope_id\": 0,\n      \"source\": \"string\"\n    }\n  }\n}";
try(OutputStream os = con.getOutputStream()) {
    byte[] input = jsonInputString.getBytes("utf-8");
    os.write(input, 0, input.length);
}

try(BufferedReader br = new BufferedReader(
  new InputStreamReader(con.getInputStream(), "utf-8"))) {
    StringBuilder response = new StringBuilder();
    String responseLine = null;
    while ((responseLine = br.readLine()) != null) {
        response.append(responseLine.trim());
    }
    System.out.println(response.toString());
}

let inputBody = "{\n  \"data\": {\n    \"type\": \"report\",\n    \"attributes\": {\n      \"team_handle\": \"string\",\n      \"title\": \"string\",\n      \"vulnerability_information\": \"string\",\n      \"impact\": \"string\",\n      \"severity_rating\": \"none\",\n      \"weakness_id\": 0,\n      \"structured_scope_id\": 0,\n      \"source\": \"string\"\n    }\n  }\n}";
let user = 'api_example_company';
let password