Customer Resources
Activities
Get Activity
Code samples
# You can also use wget
curl "https://api.hackerone.com/v1/activities/{id}" \
-X GET \
-u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
-H 'Accept: application/json'
import requests
headers = {
'Accept': 'application/json'
}
r = requests.get(
'https://api.hackerone.com/v1/activities/{id}',
auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
headers = headers
)
print(r.json())
require 'rest-client'
require 'json'
headers = {
'Accept' => 'application/json'
}
result = RestClient::Request.execute(
method: :get,
url: 'https://api.hackerone.com/v1/activities/{id}',
password: '<YOUR_API_TOKEN>',
user: '<YOUR_API_USERNAME>',
headers: headers
)
p JSON.parse(result)
URL obj = new URL("https://api.hackerone.com/v1/activities/{id}");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);
con.setRequestMethod("GET");
try(BufferedReader br = new BufferedReader(
new InputStreamReader(con.getInputStream(), "utf-8"))) {
StringBuilder response = new StringBuilder();
String responseLine = null;
while ((responseLine = br.readLine()) != null) {
response.append(responseLine.trim());
}
System.out.println(response.toString());
}
let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
headers.set('Accept', 'application/json');
fetch('https://api.hackerone.com/v1/activities/{id}',
{
method: 'GET',
headers: headers
})
.then(function(res) {
return res.json();
}).then(function(body) {
console.log(body);
});
package main
import (
"io/ioutil"
"log"
"net/http"
)
func main() {
headers := map[string][]string{
"Accept": []string{"application/json"},
}
req, err := http.NewRequest("GET", "https://api.hackerone.com/v1/activities/{id}", nil)
req.Header = headers
req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
body, _ := ioutil.ReadAll(resp.Body)
log.Println(string(body))
}
activity found
{
"data": {
"id": "1337",
"type": "activity-comment",
"attributes": {
"message": "Comment!",
"created_at": "2016-02-02T04:05:06.000Z",
"updated_at": "2016-02-02T04:05:06.000Z",
"internal": false
},
"relationships": {
"actor": {
"data": {
"id": "1337",
"type": "user",
"attributes": {
"username": "api-example",
"name": "API Example",
"disabled": false,
"created_at": "2016-02-02T04:05:06.000Z",
"profile_picture": {
"62x62": "/assets/avatars/default.png",
"82x82": "/assets/avatars/default.png",
"110x110": "/assets/avatars/default.png",
"260x260": "/assets/avatars/default.png"
}
}
}
},
"attachments": {
"data": [
{
"id": "1337",
"type": "attachment",
"attributes": {
"expiring_url": "/system/attachments/files/000/001/337/original/root.rb?1454385906",
"created_at": "2016-02-02T04:05:06.000Z",
"file_name": "root.rb",
"content_type": "text/x-ruby",
"file_size": 2871
}
}
]
}
}
}
}
GET /activities/{id}
An activity object can be fetched by sending a GET request to a unique activity object.
In case the request was successful, the API will respond with an
activity object.
The included activity relationships depend on the type of activity that is returned. See the activity object for possible types and relationships.
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| id | path | integer | true | The ID of the activity. |
Query Activities
Code samples
# You can also use wget
curl "https://api.hackerone.com/v1/incremental/activities?handle=string" \
-X GET \
-u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
-H 'Accept: application/json'
import requests
headers = {
'Accept': 'application/json'
}
r = requests.get(
'https://api.hackerone.com/v1/incremental/activities',
auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
params={
'handle': 'string'
},
headers = headers
)
print(r.json())
require 'rest-client'
require 'json'
headers = {
'Accept' => 'application/json'
}
result = RestClient::Request.execute(
method: :get,
url: 'https://api.hackerone.com/v1/incremental/activities',
password: '<YOUR_API_TOKEN>',
user: '<YOUR_API_USERNAME>',
headers: headers
)
p JSON.parse(result)
URL obj = new URL("https://api.hackerone.com/v1/incremental/activities?handle=string");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);
con.setRequestMethod("GET");
try(BufferedReader br = new BufferedReader(
new InputStreamReader(con.getInputStream(), "utf-8"))) {
StringBuilder response = new StringBuilder();
String responseLine = null;
while ((responseLine = br.readLine()) != null) {
response.append(responseLine.trim());
}
System.out.println(response.toString());
}
let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
headers.set('Accept', 'application/json');
fetch('https://api.hackerone.com/v1/incremental/activities?handle=string',
{
method: 'GET',
headers: headers
})
.then(function(res) {
return res.json();
}).then(function(body) {
console.log(body);
});
package main
import (
"io/ioutil"
"log"
"net/http"
)
func main() {
headers := map[string][]string{
"Accept": []string{"application/json"},
}
req, err := http.NewRequest("GET", "https://api.hackerone.com/v1/incremental/activities", nil)
req.Header = headers
req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
body, _ := ioutil.ReadAll(resp.Body)
log.Println(string(body))
}
programs found
{
"data": [
{
"type": "activity-bug-filed",
"id": "1337",
"attributes": {
"report_id": "99900",
"message": "",
"created_at": "2016-02-02T04:05:06.000Z",
"updated_at": "2017-02-02T04:05:06.000Z",
"internal": false
},
"relationships": {
"actor": {
"data": {
"type": "user",
"id": "7331",
"attributes": {
"username": "api-example",
"name": "API Example",
"disabled": false,
"created_at": "2016-02-02T04:05:06.000Z",
"profile_picture": {
"62x62": "/assets/avatars/default.png",
"82x82": "/assets/avatars/default.png",
"110x110": "/assets/avatars/default.png",
"260x260": "/assets/avatars/default.png"
}
}
}
}
}
}
],
"meta": {
"max_updated_at": "2017-02-02T04:05:06.000Z"
},
"links": {
"self": "https://api.hackerone.com/v1/incremental/activities?handle=acme&page%5Bsize%5D=1",
"next": "https://api.hackerone.com/v1/incremental/activities?handle=acme&page%5Bsize%5D=1&page%5Bnumber%5D=2",
"last": "https://api.hackerone.com/v1/incremental/activities?handle=acme&page%5Bsize%5D=1&page%5Bnumber%5D=20"
}
}
GET /incremental/activities
This endpoint allows you to fetch all activities of your program incrementally by time.
This endpoint is used to:
- Detect a new report or a new activity on a report using a single endpoint.
- Be able to take actions on reports based on user activity. For example, automatically assigning a report after triaging.
- Monitor activities on a program.
The next section will give an overview of what an Activity object looks like. The sections after that will show the endpoints that have been implemented for this resource.
Note: The request URL path is /incremental/activities. When the request is successful, the API will respond with paginated activity objects ordered by updated date.
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| handle | query | string | true | The HackerOne handle of the program with activities you wish to retrieve. |
| updated_at_after | query | string | false | A datetime encoded as a string. Used to indicate what cut-off date to use when retrieving activities. When not provided, no filtering is applied and all activities will be retrieved. |
| sort | query | any | false | The attributes to sort the activities on. |
| order | query | any | false | The direction to sort the activities on, by default desc. |
| page[number] | query | integer | false | The page to retrieve from. The default is set to 1. |
| page[size] | query | integer | false | The number of objects per page (currently limited from 1 to 100). The default is set to 25. |
Detailed descriptions
sort: The attributes to sort the activities on.
This parameter may contain multiple attributes that the activities should be sorted on. Sorting is applied in the specified order of attributes, by default descending.
The following attributes can be used for sorting: report_id, created_at, updated_at.
order: The direction to sort the activities on, by default desc.
The following attributes can be used for sorting: asc (ascending), desc (descending).
Analytics
Get Analytics Data (Preview)
Code samples
# You can also use wget
curl "https://api.hackerone.com/v1/analytics?key=string&interval=string&start_at=string&end_at=string" \
-X GET \
-u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
-H 'Accept: application/json'
import requests
headers = {
'Accept': 'application/json'
}
r = requests.get(
'https://api.hackerone.com/v1/analytics',
auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
params={
'key': 'string', 'interval': 'string', 'start_at': 'string', 'end_at': 'string'
},
headers = headers
)
print(r.json())
require 'rest-client'
require 'json'
headers = {
'Accept' => 'application/json'
}
result = RestClient::Request.execute(
method: :get,
url: 'https://api.hackerone.com/v1/analytics',
password: '<YOUR_API_TOKEN>',
user: '<YOUR_API_USERNAME>',
headers: headers
)
p JSON.parse(result)
URL obj = new URL("https://api.hackerone.com/v1/analytics?key=string&interval=string&start_at=string&end_at=string");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);
con.setRequestMethod("GET");
try(BufferedReader br = new BufferedReader(
new InputStreamReader(con.getInputStream(), "utf-8"))) {
StringBuilder response = new StringBuilder();
String responseLine = null;
while ((responseLine = br.readLine()) != null) {
response.append(responseLine.trim());
}
System.out.println(response.toString());
}
let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
headers.set('Accept', 'application/json');
fetch('https://api.hackerone.com/v1/analytics?key=string&interval=string&start_at=string&end_at=string',
{
method: 'GET',
headers: headers
})
.then(function(res) {
return res.json();
}).then(function(body) {
console.log(body);
});
package main
import (
"io/ioutil"
"log"
"net/http"
)
func main() {
headers := map[string][]string{
"Accept": []string{"application/json"},
}
req, err := http.NewRequest("GET", "https://api.hackerone.com/v1/analytics", nil)
req.Header = headers
req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
body, _ := ioutil.ReadAll(resp.Body)
log.Println(string(body))
}
data found with valid params
[
{
"keys": [
"report_count",
"interval"
],
"values": [
[
"10",
"2022-01-01 00:00:00 UTC"
],
[
"27",
"2022-04-01 00:00:00 UTC"
],
[
"35",
"2022-07-01 00:00:00 UTC"
]
]
}
]
GET /analytics
This endpoint returns data for a specified key
corresponding to a predefined analytics query. Values for key
are derived from the names of charts on these dashboards:
Submission and Bounty Trends
- main-metrics
- rewards-by-asset
- rewards-by-severity
- rewards-by-weakness
- rewards-metrics
- rewards
- submissions-by-asset
- submissions-by-number-of-collaborators
- submissions-by-severity
- submissions-by-weakness
- submissions
- top-weaknesses-by-submission-count
Hacker Engagement
- active-hackers-valid-reports
- active-hackers
- hacker-participation
- invitation-funnel
- retention-valid-reports
- top-hackers-severity
- top-hackers-total-bounties
- top-hackers-valid-submissions
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| key | query | string | true | Filter by the query key you want to fetch data for |
| interval | query | string | true | The interval to use for the input date range. Valid intervals are month, quarter, or year |
| start_at | query | string | true | The start date of the query as a string, inclusive. Format YYYY-MM-DD |
| end_at | query | string | true | The end date of the query as a string, exclusive. Format YYYY-MM-DD |
| team_id | query | string | false | Filter by a team/program ID. If no team_id is provided, then data will be for all teams/programs in the organization |
| organization_id | query | string | false | Filter by an organization ID |
Credentials
Get Credentials
Code samples
# You can also use wget
curl "https://api.hackerone.com/v1/credentials?program_id=0&structured_scope_id=0" \
-X GET \
-u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
-H 'Accept: application/json'
import requests
headers = {
'Accept': 'application/json'
}
r = requests.get(
'https://api.hackerone.com/v1/credentials',
auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
params={
'program_id': '0', 'structured_scope_id': '0'
},
headers = headers
)
print(r.json())
require 'rest-client'
require 'json'
headers = {
'Accept' => 'application/json'
}
result = RestClient::Request.execute(
method: :get,
url: 'https://api.hackerone.com/v1/credentials',
password: '<YOUR_API_TOKEN>',
user: '<YOUR_API_USERNAME>',
headers: headers
)
p JSON.parse(result)
URL obj = new URL("https://api.hackerone.com/v1/credentials?program_id=0&structured_scope_id=0");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);
con.setRequestMethod("GET");
try(BufferedReader br = new BufferedReader(
new InputStreamReader(con.getInputStream(), "utf-8"))) {
StringBuilder response = new StringBuilder();
String responseLine = null;
while ((responseLine = br.readLine()) != null) {
response.append(responseLine.trim());
}
System.out.println(response.toString());
}
let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
headers.set('Accept', 'application/json');
fetch('https://api.hackerone.com/v1/credentials?program_id=0&structured_scope_id=0',
{
method: 'GET',
headers: headers
})
.then(function(res) {
return res.json();
}).then(function(body) {
console.log(body);
});
package main
import (
"io/ioutil"
"log"
"net/http"
)
func main() {
headers := map[string][]string{
"Accept": []string{"application/json"},
}
req, err := http.NewRequest("GET", "https://api.hackerone.com/v1/credentials", nil)
req.Header = headers
req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
body, _ := ioutil.ReadAll(resp.Body)
log.Println(string(body))
}
data found with valid params
{
"data": [
{
"id": "1",
"type": "credential",
"attributes": {
"credentials": {
"table": {
"username": "test",
"password": "d282032e02b3d1d956ae1a9dea945535"
}
},
"revoked": false,
"account_details": "test_account_details"
}
},
{
"id": "2",
"type": "credential",
"attributes": {
"credentials": {
"table": {
"username": "test",
"password": "28cf5ecddb0d781a06beed30f69a5afe"
}
},
"revoked": false,
"account_details": "test_account_details"
}
},
{
"id": "3",
"type": "credential",
"attributes": {
"credentials": {
"table": {
"username": "test",
"password": "643c17a23d2fb7f5dd3e17e94cb47d64"
}
},
"revoked": false,
"account_details": "test_account_details"
}
}
],
"links": {}
}
GET /credentials
Credentials can be fetched for a structured scope by sending a GET request to the credentials endpoint. When the request is successful, the API will respond with paginated credentials objects.
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| program_id | query | integer | true | The ID of the program. You can find the ID by fetching your programs. |
| structured_scope_id | query | integer | true | The ID of the structured scope. You can find the structured scope ID by fetching your programs structured scopes. |
| state | query | string | false | An optional state to filter your credentials. It can be revoked, available or claimed |
| page[number] | query | integer | false | The page to retrieve from. The default is set to 1. |
| page[size] | query | integer | false | The number of objects per page (currently limited from 1 to 100). The default is set to 25. |
Create a Credential
Code samples
# You can also use wget
curl "https://api.hackerone.com/v1/credentials" \
-X POST \
-u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
-H 'Content-Type: application/json' \
-H 'Accept: application/json' \
-d @- <<EOD
{
"structured_scope_id": 0,
"data": {
"type": "credential",
"attributes": {
"credentials": "{\"username\":\"username1\",\"password\":\"example passowrd\",\"admin_username\":\"admin_user_1\",\"admin_password\":\"admin_pass_1\"}",
"assignee": "hacker_username"
}
},
"batch_id": "string"
}
EOD
import requests
headers = {
'Content-Type': 'application/json',
'Accept': 'application/json'
}
data = {
"structured_scope_id": 0,
"data": {
"type": "credential",
"attributes": {
"credentials": "{\"username\":\"username1\",\"password\":\"example passowrd\",\"admin_username\":\"admin_user_1\",\"admin_password\":\"admin_pass_1\"}",
"assignee": "hacker_username"
}
},
"batch_id": "string"
}
r = requests.post(
'https://api.hackerone.com/v1/credentials',
auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
json = data,
headers = headers
)
print(r.json())
require 'rest-client'
require 'json'
headers = {
'Content-Type' => 'application/json',
'Accept' => 'application/json'
}
data = {
"structured_scope_id": 0,
"data": {
"type": "credential",
"attributes": {
"credentials": "{\"username\":\"username1\",\"password\":\"example passowrd\",\"admin_username\":\"admin_user_1\",\"admin_password\":\"admin_pass_1\"}",
"assignee": "hacker_username"
}
},
"batch_id": "string"
}
result = RestClient::Request.execute(
method: :post,
url: 'https://api.hackerone.com/v1/credentials',
password: '<YOUR_API_TOKEN>',
user: '<YOUR_API_USERNAME>',
payload: data,
headers: headers
)
p JSON.parse(result)
URL obj = new URL("https://api.hackerone.com/v1/credentials");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);
con.setRequestMethod("POST");
con.setRequestProperty("Content-Type", "application/json; utf-8");
con.setRequestProperty("Accept", "application/json");
con.setDoOutput(true);
String jsonInputString = "{\n \"structured_scope_id\": 0,\n \"data\": {\n \"type\": \"credential\",\n \"attributes\": {\n \"credentials\": \"{\\\"username\\\":\\\"username1\\\",\\\"password\\\":\\\"example passowrd\\\",\\\"admin_username\\\":\\\"admin_user_1\\\",\\\"admin_password\\\":\\\"admin_pass_1\\\"}\",\n \"assignee\": \"hacker_username\"\n }\n },\n \"batch_id\": \"string\"\n}";
try(OutputStream os = con.getOutputStream()) {
byte[] input = jsonInputString.getBytes("utf-8");
os.write(input, 0, input.length);
}
try(BufferedReader br = new BufferedReader(
new InputStreamReader(con.getInputStream(), "utf-8"))) {
StringBuilder response = new StringBuilder();
String responseLine = null;
while ((responseLine = br.readLine()) != null) {
response.append(responseLine.trim());
}
System.out.println(response.toString());
}
let inputBody = "{\n \"structured_scope_id\": 0,\n \"data\": {\n \"type\": \"credential\",\n \"attributes\": {\n \"credentials\": \"{\\\"username\\\":\\\"username1\\\",\\\"password\\\":\\\"example passowrd\\\",\\\"admin_username\\\":\\\"admin_user_1\\\",\\\"admin_password\\\":\\\"admin_pass_1\\\"}\",\n \"assignee\": \"hacker_username\"\n }\n },\n \"batch_id\": \"string\"\n}";
let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
headers.set('Content-Type', 'application/json'); headers.set('Accept', 'application/json');
fetch('https://api.hackerone.com/v1/credentials',
{
method: 'POST',
body: inputBody,
headers: headers
})
.then(function(res) {
return res.json();
}).then(function(body) {
console.log(body);
});
package main
import (
"bytes"
"io/ioutil"
"log"
"net/http"
)
func main() {
headers := map[string][]string{
"Content-Type": []string{"application/json"},
"Accept": []string{"application/json"},
}
data := bytes.NewBuffer([]byte(`"{\n \"structured_scope_id\": 0,\n \"data\": {\n \"type\": \"credential\",\n \"attributes\": {\n \"credentials\": \"{\\\"username\\\":\\\"username1\\\",\\\"password\\\":\\\"example passowrd\\\",\\\"admin_username\\\":\\\"admin_user_1\\\",\\\"admin_password\\\":\\\"admin_pass_1\\\"}\",\n \"assignee\": \"hacker_username\"\n }\n },\n \"batch_id\": \"string\"\n}"`))
req, err := http.NewRequest("POST", "https://api.hackerone.com/v1/credentials", data)
req.Header = headers
req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
body, _ := ioutil.ReadAll(resp.Body)
log.Println(string(body))
}
credential created
{
"data": {
"id": "<id>",
"type": "credential",
"attributes": {
"credentials": {
"table": {
"username": "test",
"password": "test"
}
},
"revoked": false,
"assignee_id": "<id>",
"assignee_username": "john_doe_1234"
}
}
}
POST /credentials
This API endpoint can be used to create new credential. When the API call is successful,
a credential object will be returned.
The IDs of a program's structured scopes can be retrieved from
programs/{id}/structured_scopes endpoint.
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| structured_scope_id | body | integer | true | The ID of the structured scope to which the credential will belong |
| data | body | object | true | The information to create a credential. |
| » type | body | string | true | credential |
| » attributes | body | object | true | none |
| »» credentials | body | string | true | A JSON-encoded hash of credentials that will eventually be provided to the hacker |
| »» assignee | body | string | false | If provided, the credential will be assigned to the specified user |
| batch_id | body | string | false | If provided, the batch will be stored on the credential |
Enumerated Values
| Parameter | Value |
|---|---|
| » type | credential |
Update a Credential
Code samples
# You can also use wget
curl "https://api.hackerone.com/v1/credentials/{id}" \
-X PUT \
-u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
-H 'Content-Type: application/json' \
-H 'Accept: application/json' \
-d @- <<EOD
{
"data": {
"type": "credential",
"attributes": {
"credentials": "string",
"recycle": false
}
}
}
EOD
import requests
headers = {
'Content-Type': 'application/json',
'Accept': 'application/json'
}
data = {
"data": {
"type": "credential",
"attributes": {
"credentials": "string",
"recycle": false
}
}
}
r = requests.put(
'https://api.hackerone.com/v1/credentials/{id}',
auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
json = data,
headers = headers
)
print(r.json())
require 'rest-client'
require 'json'
headers = {
'Content-Type' => 'application/json',
'Accept' => 'application/json'
}
data = {
"data": {
"type": "credential",
"attributes": {
"credentials": "string",
"recycle": false
}
}
}
result = RestClient::Request.execute(
method: :put,
url: 'https://api.hackerone.com/v1/credentials/{id}',
password: '<YOUR_API_TOKEN>',
user: '<YOUR_API_USERNAME>',
payload: data,
headers: headers
)
p JSON.parse(result)
URL obj = new URL("https://api.hackerone.com/v1/credentials/{id}");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);
con.setRequestMethod("PUT");
con.setRequestProperty("Content-Type", "application/json; utf-8");
con.setRequestProperty("Accept", "application/json");
con.setDoOutput(true);
String jsonInputString = "{\n \"data\": {\n \"type\": \"credential\",\n \"attributes\": {\n \"credentials\": \"string\",\n \"recycle\": false\n }\n }\n}";
try(OutputStream os = con.getOutputStream()) {
byte[] input = jsonInputString.getBytes("utf-8");
os.write(input, 0, input.length);
}
try(BufferedReader br = new BufferedReader(
new InputStreamReader(con.getInputStream(), "utf-8"))) {
StringBuilder response = new StringBuilder();
String responseLine = null;
while ((responseLine = br.readLine()) != null) {
response.append(responseLine.trim());
}
System.out.println(response.toString());
}
let inputBody = "{\n \"data\": {\n \"type\": \"credential\",\n \"attributes\": {\n \"credentials\": \"string\",\n \"recycle\": false\n }\n }\n}";
let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
headers.set('Content-Type', 'application/json'); headers.set('Accept', 'application/json');
fetch('https://api.hackerone.com/v1/credentials/{id}',
{
method: 'PUT',
body: inputBody,
headers: headers
})
.then(function(res) {
return res.json();
}).then(function(body) {
console.log(body);
});
package main
import (
"bytes"
"io/ioutil"
"log"
"net/http"
)
func main() {
headers := map[string][]string{
"Content-Type": []string{"application/json"},
"Accept": []string{"application/json"},
}
data := bytes.NewBuffer([]byte(`"{\n \"data\": {\n \"type\": \"credential\",\n \"attributes\": {\n \"credentials\": \"string\",\n \"recycle\": false\n }\n }\n}"`))
req, err := http.NewRequest("PUT", "https://api.hackerone.com/v1/credentials/{id}", data)
req.Header = headers
req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
body, _ := ioutil.ReadAll(resp.Body)
log.Println(string(body))
}
credential updated
{
"data": {
"id": "<id>",
"type": "credential",
"attributes": {
"credentials": {
"table": {
"username": "test",
"password": "test"
}
},
"revoked": false,
"assignee_id": "<id>",
"assignee_username": "john_doe_1234"
}
}
}
PUT /credentials/{id}
This API endpoint can be used to update an existing credential. When the API call is successful, a credential object will be returned.
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| id | path | integer | true | The ID of the credential. |
| data | body | object | true | The information to update a credential. |
| » type | body | string | true | credential |
| » attributes | body | object | true | none |
| »» credentials | body | string | true | If provided, a JSON-encoded hash of credentials that will eventually be provided to the hacker |
| »» recycle | body | boolean | false | If provided, the assignee will be removed |
Enumerated Values
| Parameter | Value |
|---|---|
| » type | credential |
Assign a Credential
Code samples
# You can also use wget
curl "https://api.hackerone.com/v1/credentials/{id}/assign" \
-X PUT \
-u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
-H 'Content-Type: application/json' \
-H 'Accept: application/json' \
-d @- <<EOD
{
"username": "string"
}
EOD
import requests
headers = {
'Content-Type': 'application/json',
'Accept': 'application/json'
}
data = {
"username": "string"
}
r = requests.put(
'https://api.hackerone.com/v1/credentials/{id}/assign',
auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
json = data,
headers = headers
)
print(r.json())
require 'rest-client'
require 'json'
headers = {
'Content-Type' => 'application/json',
'Accept' => 'application/json'
}
data = {
"username": "string"
}
result = RestClient::Request.execute(
method: :put,
url: 'https://api.hackerone.com/v1/credentials/{id}/assign',
password: '<YOUR_API_TOKEN>',
user: '<YOUR_API_USERNAME>',
payload: data,
headers: headers
)
p JSON.parse(result)
URL obj = new URL("https://api.hackerone.com/v1/credentials/{id}/assign");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);
con.setRequestMethod("PUT");
con.setRequestProperty("Content-Type", "application/json; utf-8");
con.setRequestProperty("Accept", "application/json");
con.setDoOutput(true);
String jsonInputString = "{\n \"username\": \"string\"\n}";
try(OutputStream os = con.getOutputStream()) {
byte[] input = jsonInputString.getBytes("utf-8");
os.write(input, 0, input.length);
}
try(BufferedReader br = new BufferedReader(
new InputStreamReader(con.getInputStream(), "utf-8"))) {
StringBuilder response = new StringBuilder();
String responseLine = null;
while ((responseLine = br.readLine()) != null) {
response.append(responseLine.trim());
}
System.out.println(response.toString());
}
let inputBody = "{\n \"username\": \"string\"\n}";
let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
headers.set('Content-Type', 'application/json'); headers.set('Accept', 'application/json');
fetch('https://api.hackerone.com/v1/credentials/{id}/assign',
{
method: 'PUT',
body: inputBody,
headers: headers
})
.then(function(res) {
return res.json();
}).then(function(body) {
console.log(body);
});
package main
import (
"bytes"
"io/ioutil"
"log"
"net/http"
)
func main() {
headers := map[string][]string{
"Content-Type": []string{"application/json"},
"Accept": []string{"application/json"},
}
data := bytes.NewBuffer([]byte(`"{\n \"username\": \"string\"\n}"`))
req, err := http.NewRequest("PUT", "https://api.hackerone.com/v1/credentials/{id}/assign", data)
req.Header = headers
req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
body, _ := ioutil.ReadAll(resp.Body)
log.Println(string(body))
}
credential assigned
{
"data": {
"id": "<id>",
"type": "credential",
"attributes": {
"credentials": {
"table": {
"username": "test",
"password": "test"
}
},
"revoked": false,
"assignee_id": "<id>",
"assignee_username": "john_doe_1234"
}
}
}
PUT /credentials/{id}/assign
This API endpoint can be used to assign an existing credential. When the API call is successful, a credential object will be returned.
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| id | path | integer | true | The ID of the credential. |
| username | body | string | true | The username of the user to be assigned the credential. |
Delete a Credential
Code samples
# You can also use wget
curl "https://api.hackerone.com/v1/credentials/{id}/" \
-X DELETE \
-u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
-H 'Accept: application/json'
import requests
headers = {
'Accept': 'application/json'
}
r = requests.delete(
'https://api.hackerone.com/v1/credentials/{id}/',
auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
headers = headers
)
print(r.json())
require 'rest-client'
require 'json'
headers = {
'Accept' => 'application/json'
}
result = RestClient::Request.execute(
method: :delete,
url: 'https://api.hackerone.com/v1/credentials/{id}/',
password: '<YOUR_API_TOKEN>',
user: '<YOUR_API_USERNAME>',
headers: headers
)
p JSON.parse(result)
URL obj = new URL("https://api.hackerone.com/v1/credentials/{id}/");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);
con.setRequestMethod("DELETE");
try(BufferedReader br = new BufferedReader(
new InputStreamReader(con.getInputStream(), "utf-8"))) {
StringBuilder response = new StringBuilder();
String responseLine = null;
while ((responseLine = br.readLine()) != null) {
response.append(responseLine.trim());
}
System.out.println(response.toString());
}
let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
headers.set('Accept', 'application/json');
fetch('https://api.hackerone.com/v1/credentials/{id}/',
{
method: 'DELETE',
headers: headers
})
.then(function(res) {
return res.json();
}).then(function(body) {
console.log(body);
});
package main
import (
"io/ioutil"
"log"
"net/http"
)
func main() {
headers := map[string][]string{
"Accept": []string{"application/json"},
}
req, err := http.NewRequest("DELETE", "https://api.hackerone.com/v1/credentials/{id}/", nil)
req.Header = headers
req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
body, _ := ioutil.ReadAll(resp.Body)
log.Println(string(body))
}
Credential successfully removed
{
"data": {
"success": true,
"message": "Credential successfully removed"
}
}
DELETE /credentials/{id}/
This API endpoint can be used to delete an existing credential. When the API call is successful, a success message will be returned.
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| id | path | integer | true | The ID of the credential. |
Revoke a Credential
Code samples
# You can also use wget
curl "https://api.hackerone.com/v1/credentials/{id}/revoke" \
-X PUT \
-u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
-H 'Accept: application/json'
import requests
headers = {
'Accept': 'application/json'
}
r = requests.put(
'https://api.hackerone.com/v1/credentials/{id}/revoke',
auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
headers = headers
)
print(r.json())
require 'rest-client'
require 'json'
headers = {
'Accept' => 'application/json'
}
result = RestClient::Request.execute(
method: :put,
url: 'https://api.hackerone.com/v1/credentials/{id}/revoke',
password: '<YOUR_API_TOKEN>',
user: '<YOUR_API_USERNAME>',
headers: headers
)
p JSON.parse(result)
URL obj = new URL("https://api.hackerone.com/v1/credentials/{id}/revoke");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);
con.setRequestMethod("PUT");
try(BufferedReader br = new BufferedReader(
new InputStreamReader(con.getInputStream(), "utf-8"))) {
StringBuilder response = new StringBuilder();
String responseLine = null;
while ((responseLine = br.readLine()) != null) {
response.append(responseLine.trim());
}
System.out.println(response.toString());
}
let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
headers.set('Accept', 'application/json');
fetch('https://api.hackerone.com/v1/credentials/{id}/revoke',
{
method: 'PUT',
headers: headers
})
.then(function(res) {
return res.json();
}).then(function(body) {
console.log(body);
});
package main
import (
"io/ioutil"
"log"
"net/http"
)
func main() {
headers := map[string][]string{
"Accept": []string{"application/json"},
}
req, err := http.NewRequest("PUT", "https://api.hackerone.com/v1/credentials/{id}/revoke", nil)
req.Header = headers
req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
body, _ := ioutil.ReadAll(resp.Body)
log.Println(string(body))
}
credential revoked
{
"data": {
"id": "<id>",
"type": "credential",
"attributes": {
"credentials": {
"table": {
"username": "test",
"password": "test"
}
},
"revoked": true,
"assignee_id": "<id>",
"assignee_username": "john_doe_1234"
}
}
}
PUT /credentials/{id}/revoke
This API endpoint can be used to revoke an existing credential. When the API call is successful, a credential object will be returned.
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| id | path | integer | true | The ID of the credential. |
Get Credential Inquiry Responses
Code samples
# You can also use wget
curl "https://api.hackerone.com/v1/programs/{program_id}/credential_inquiries/{credential_inquiry_id}/credential_inquiry_responses" \
-X GET \
-u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
-H 'Accept: application/json'
import requests
headers = {
'Accept': 'application/json'
}
r = requests.get(
'https://api.hackerone.com/v1/programs/{program_id}/credential_inquiries/{credential_inquiry_id}/credential_inquiry_responses',
auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
headers = headers
)
print(r.json())
require 'rest-client'
require 'json'
headers = {
'Accept' => 'application/json'
}
result = RestClient::Request.execute(
method: :get,
url: 'https://api.hackerone.com/v1/programs/{program_id}/credential_inquiries/{credential_inquiry_id}/credential_inquiry_responses',
password: '<YOUR_API_TOKEN>',
user: '<YOUR_API_USERNAME>',
headers: headers
)
p JSON.parse(result)
URL obj = new URL("https://api.hackerone.com/v1/programs/{program_id}/credential_inquiries/{credential_inquiry_id}/credential_inquiry_responses");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);
con.setRequestMethod("GET");
try(BufferedReader br = new BufferedReader(
new InputStreamReader(con.getInputStream(), "utf-8"))) {
StringBuilder response = new StringBuilder();
String responseLine = null;
while ((responseLine = br.readLine()) != null) {
response.append(responseLine.trim());
}
System.out.println(response.toString());
}
let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
headers.set('Accept', 'application/json');
fetch('https://api.hackerone.com/v1/programs/{program_id}/credential_inquiries/{credential_inquiry_id}/credential_inquiry_responses',
{
method: 'GET',
headers: headers
})
.then(function(res) {
return res.json();
}).then(function(body) {
console.log(body);
});
package main
import (
"io/ioutil"
"log"
"net/http"
)
func main() {
headers := map[string][]string{
"Accept": []string{"application/json"},
}
req, err := http.NewRequest("GET", "https://api.hackerone.com/v1/programs/{program_id}/credential_inquiries/{credential_inquiry_id}/credential_inquiry_responses", nil)
req.Header = headers
req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
body, _ := ioutil.ReadAll(resp.Body)
log.Println(string(body))
}
data found with valid params
{
"data": [
{
"id": "1337",
"type": "credential_inquiry_response",
"attributes": {
"details": "this is a credential inquiry response",
"created_at": "2017-01-01T00:00:00.000Z",
"user": {
"id": "1",
"username": "user1"
}
}
},
{
"id": "1339",
"type": "credential_inquiry_response",
"attributes": {
"details": "this is a credential inquiry response",
"created_at": "2017-01-01T00:00:00.000Z",
"user": {
"id": "2",
"username": "user2"
}
}
}
],
"links": {}
}
GET /programs/{program_id}/credential_inquiries/{credential_inquiry_id}/credential_inquiry_responses
Credential inquiry responses can be fetched by sending a GET request to the credential inquiry responses endpoint. When the request is successful, the API will respond with paginated credential inquiry objects.
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| program_id | path | integer | true | The ID of the program. You can find the program ID by fetching your programs. |
| credential_inquiry_id | path | integer | true | The ID of the credential inquiry. You can find the credential inquiry ID by fetching your credential inquiries. |
| page[number] | query | integer | false | The page to retrieve from. The default is set to 1. |
| page[size] | query | integer | false | The number of objects per page (currently limited from 1 to 100). The default is set to 25. |
Delete Credential Inquiry Response
Code samples
# You can also use wget
curl "https://api.hackerone.com/v1/programs/{program_id}/credential_inquiries/{credential_inquiry_id}/credential_inquiry_responses/{id}" \
-X DELETE \
-u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
-H 'Accept: application/json'
import requests
headers = {
'Accept': 'application/json'
}
r = requests.delete(
'https://api.hackerone.com/v1/programs/{program_id}/credential_inquiries/{credential_inquiry_id}/credential_inquiry_responses/{id}',
auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
headers = headers
)
print(r.json())
require 'rest-client'
require 'json'
headers = {
'Accept' => 'application/json'
}
result = RestClient::Request.execute(
method: :delete,
url: 'https://api.hackerone.com/v1/programs/{program_id}/credential_inquiries/{credential_inquiry_id}/credential_inquiry_responses/{id}',
password: '<YOUR_API_TOKEN>',
user: '<YOUR_API_USERNAME>',
headers: headers
)
p JSON.parse(result)
URL obj = new URL("https://api.hackerone.com/v1/programs/{program_id}/credential_inquiries/{credential_inquiry_id}/credential_inquiry_responses/{id}");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);
con.setRequestMethod("DELETE");
try(BufferedReader br = new BufferedReader(
new InputStreamReader(con.getInputStream(), "utf-8"))) {
StringBuilder response = new StringBuilder();
String responseLine = null;
while ((responseLine = br.readLine()) != null) {
response.append(responseLine.trim());
}
System.out.println(response.toString());
}
let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
headers.set('Accept', 'application/json');
fetch('https://api.hackerone.com/v1/programs/{program_id}/credential_inquiries/{credential_inquiry_id}/credential_inquiry_responses/{id}',
{
method: 'DELETE',
headers: headers
})
.then(function(res) {
return res.json();
}).then(function(body) {
console.log(body);
});
package main
import (
"io/ioutil"
"log"
"net/http"
)
func main() {
headers := map[string][]string{
"Accept": []string{"application/json"},
}
req, err := http.NewRequest("DELETE", "https://api.hackerone.com/v1/programs/{program_id}/credential_inquiries/{credential_inquiry_id}/credential_inquiry_responses/{id}", nil)
req.Header = headers
req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
body, _ := ioutil.ReadAll(resp.Body)
log.Println(string(body))
}
Credential Inquiry Response successfully removed
{
"data": {
"success": true,
"message": "Credential Inquiry Response successfully removed"
}
}
DELETE /programs/{program_id}/credential_inquiries/{credential_inquiry_id}/credential_inquiry_responses/{id}
This API endpoint can be used to delete an existing credential inquiry response. When the API call is successful, a success message will be returned.
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| program_id | path | integer | true | The ID of the program. You can find the program ID by fetching your programs. |
| credential_inquiry_id | path | integer | true | The ID of the credential inquiry. You can find the credential inquiry ID by fetching your credential inquiries. |
| id | path | integer | true | The ID of the credential inquiry response. |
Create a Credential Inquiry
Code samples
# You can also use wget
curl "https://api.hackerone.com/v1/programs/{id}/credential_inquiries" \
-X POST \
-u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
-H 'Content-Type: application/json' \
-H 'Accept: application/json' \
-d @- <<EOD
{
"structured_scope_id": 0,
"data": {
"type": "credential_inquiry",
"attributes": {
"description": "string"
}
}
}
EOD
import requests
headers = {
'Content-Type': 'application/json',
'Accept': 'application/json'
}
data = {
"structured_scope_id": 0,
"data": {
"type": "credential_inquiry",
"attributes": {
"description": "string"
}
}
}
r = requests.post(
'https://api.hackerone.com/v1/programs/{id}/credential_inquiries',
auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
json = data,
headers = headers
)
print(r.json())
require 'rest-client'
require 'json'
headers = {
'Content-Type' => 'application/json',
'Accept' => 'application/json'
}
data = {
"structured_scope_id": 0,
"data": {
"type": "credential_inquiry",
"attributes": {
"description": "string"
}
}
}
result = RestClient::Request.execute(
method: :post,
url: 'https://api.hackerone.com/v1/programs/{id}/credential_inquiries',
password: '<YOUR_API_TOKEN>',
user: '<YOUR_API_USERNAME>',
payload: data,
headers: headers
)
p JSON.parse(result)
URL obj = new URL("https://api.hackerone.com/v1/programs/{id}/credential_inquiries");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);
con.setRequestMethod("POST");
con.setRequestProperty("Content-Type", "application/json; utf-8");
con.setRequestProperty("Accept", "application/json");
con.setDoOutput(true);
String jsonInputString = "{\n \"structured_scope_id\": 0,\n \"data\": {\n \"type\": \"credential_inquiry\",\n \"attributes\": {\n \"description\": \"string\"\n }\n }\n}";
try(OutputStream os = con.getOutputStream()) {
byte[] input = jsonInputString.getBytes("utf-8");
os.write(input, 0, input.length);
}
try(BufferedReader br = new BufferedReader(
new InputStreamReader(con.getInputStream(), "utf-8"))) {
StringBuilder response = new StringBuilder();
String responseLine = null;
while ((responseLine = br.readLine()) != null) {
response.append(responseLine.trim());
}
System.out.println(response.toString());
}
let inputBody = "{\n \"structured_scope_id\": 0,\n \"data\": {\n \"type\": \"credential_inquiry\",\n \"attributes\": {\n \"description\": \"string\"\n }\n }\n}";
let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
headers.set('Content-Type', 'application/json'); headers.set('Accept', 'application/json');
fetch('https://api.hackerone.com/v1/programs/{id}/credential_inquiries',
{
method: 'POST',
body: inputBody,
headers: headers
})
.then(function(res) {
return res.json();
}).then(function(body) {
console.log(body);
});
package main
import (
"bytes"
"io/ioutil"
"log"
"net/http"
)
func main() {
headers := map[string][]string{
"Content-Type": []string{"application/json"},
"Accept": []string{"application/json"},
}
data := bytes.NewBuffer([]byte(`"{\n \"structured_scope_id\": 0,\n \"data\": {\n \"type\": \"credential_inquiry\",\n \"attributes\": {\n \"description\": \"string\"\n }\n }\n}"`))
req, err := http.NewRequest("POST", "https://api.hackerone.com/v1/programs/{id}/credential_inquiries", data)
req.Header = headers
req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
body, _ := ioutil.ReadAll(resp.Body)
log.Println(string(body))
}
credential_inquiry created
{
"data": {
"id": "<id>",
"type": "credential_inquiry",
"attributes": {
"description": "this is a credential inquiry"
}
}
}
POST /programs/{id}/credential_inquiries
This API endpoint can be used to create new credential inquiry. When the API call is successful,
a credential_inquiry object will be returned.
The IDs of a program's structured scopes can be retrieved from
programs/{id}/structured_scopes endpoint.
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| id | path | integer | true | The ID of the program. |
| structured_scope_id | body | integer | true | The ID of the structured scope to which the credential will belong |
| data | body | object | true | The information to be requested from the hacker |
| » type | body | string | false | none |
| » attributes | body | object | false | none |
| »» description | body | string | true | A description of the information required from the hackers to create credentials |
Enumerated Values
| Parameter | Value |
|---|---|
| » type | credential_inquiry |
Get Credential Inquiries
Code samples
# You can also use wget
curl "https://api.hackerone.com/v1/programs/{id}/credential_inquiries" \
-X GET \
-u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
-H 'Accept: application/json'
import requests
headers = {
'Accept': 'application/json'
}
r = requests.get(
'https://api.hackerone.com/v1/programs/{id}/credential_inquiries',
auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
headers = headers
)
print(r.json())
require 'rest-client'
require 'json'
headers = {
'Accept' => 'application/json'
}
result = RestClient::Request.execute(
method: :get,
url: 'https://api.hackerone.com/v1/programs/{id}/credential_inquiries',
password: '<YOUR_API_TOKEN>',
user: '<YOUR_API_USERNAME>',
headers: headers
)
p JSON.parse(result)
URL obj = new URL("https://api.hackerone.com/v1/programs/{id}/credential_inquiries");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);
con.setRequestMethod("GET");
try(BufferedReader br = new BufferedReader(
new InputStreamReader(con.getInputStream(), "utf-8"))) {
StringBuilder response = new StringBuilder();
String responseLine = null;
while ((responseLine = br.readLine()) != null) {
response.append(responseLine.trim());
}
System.out.println(response.toString());
}
let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
headers.set('Accept', 'application/json');
fetch('https://api.hackerone.com/v1/programs/{id}/credential_inquiries',
{
method: 'GET',
headers: headers
})
.then(function(res) {
return res.json();
}).then(function(body) {
console.log(body);
});
package main
import (
"io/ioutil"
"log"
"net/http"
)
func main() {
headers := map[string][]string{
"Accept": []string{"application/json"},
}
req, err := http.NewRequest("GET", "https://api.hackerone.com/v1/programs/{id}/credential_inquiries", nil)
req.Header = headers
req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
body, _ := ioutil.ReadAll(resp.Body)
log.Println(string(body))
}
data found with valid params
{
"data": [
{
"id": "<id>",
"type": "credential_inquiry",
"attributes": {
"description": "this is a credential inquiry"
}
}
],
"links": {}
}
GET /programs/{id}/credential_inquiries
Credential inquiries can be fetched by sending a GET request to the credential inquiries endpoint. When the request is successful, the API will respond with paginated credential inquiry objects.
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| id | path | integer | true | The ID of the program. You can find the program ID by fetching your programs. |
| page[number] | query | integer | false | The page to retrieve from. The default is set to 1. |
| page[size] | query | integer | false | The number of objects per page (currently limited from 1 to 100). The default is set to 25. |
Update Credential Inquiry
Code samples
# You can also use wget
curl "https://api.hackerone.com/v1/programs/{program_id}/credential_inquiries/{id}" \
-X PUT \
-u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
-H 'Content-Type: application/json' \
-H 'Accept: application/json' \
-d @- <<EOD
{
"data": {
"type": "credential_inquiry",
"attributes": {
"description": "string"
}
}
}
EOD
import requests
headers = {
'Content-Type': 'application/json',
'Accept': 'application/json'
}
data = {
"data": {
"type": "credential_inquiry",
"attributes": {
"description": "string"
}
}
}
r = requests.put(
'https://api.hackerone.com/v1/programs/{program_id}/credential_inquiries/{id}',
auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
json = data,
headers = headers
)
print(r.json())
require 'rest-client'
require 'json'
headers = {
'Content-Type' => 'application/json',
'Accept' => 'application/json'
}
data = {
"data": {
"type": "credential_inquiry",
"attributes": {
"description": "string"
}
}
}
result = RestClient::Request.execute(
method: :put,
url: 'https://api.hackerone.com/v1/programs/{program_id}/credential_inquiries/{id}',
password: '<YOUR_API_TOKEN>',
user: '<YOUR_API_USERNAME>',
payload: data,
headers: headers
)
p JSON.parse(result)
URL obj = new URL("https://api.hackerone.com/v1/programs/{program_id}/credential_inquiries/{id}");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);
con.setRequestMethod("PUT");
con.setRequestProperty("Content-Type", "application/json; utf-8");
con.setRequestProperty("Accept", "application/json");
con.setDoOutput(true);
String jsonInputString = "{\n \"data\": {\n \"type\": \"credential_inquiry\",\n \"attributes\": {\n \"description\": \"string\"\n }\n }\n}";
try(OutputStream os = con.getOutputStream()) {
byte[] input = jsonInputString.getBytes("utf-8");
os.write(input, 0, input.length);
}
try(BufferedReader br = new BufferedReader(
new InputStreamReader(con.getInputStream(), "utf-8"))) {
StringBuilder response = new StringBuilder();
String responseLine = null;
while ((responseLine = br.readLine()) != null) {
response.append(responseLine.trim());
}
System.out.println(response.toString());
}
let inputBody = "{\n \"data\": {\n \"type\": \"credential_inquiry\",\n \"attributes\": {\n \"description\": \"string\"\n }\n }\n}";
let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
headers.set('Content-Type', 'application/json'); headers.set('Accept', 'application/json');
fetch('https://api.hackerone.com/v1/programs/{program_id}/credential_inquiries/{id}',
{
method: 'PUT',
body: inputBody,
headers: headers
})
.then(function(res) {
return res.json();
}).then(function(body) {
console.log(body);
});
package main
import (
"bytes"
"io/ioutil"
"log"
"net/http"
)
func main() {
headers := map[string][]string{
"Content-Type": []string{"application/json"},
"Accept": []string{"application/json"},
}
data := bytes.NewBuffer([]byte(`"{\n \"data\": {\n \"type\": \"credential_inquiry\",\n \"attributes\": {\n \"description\": \"string\"\n }\n }\n}"`))
req, err := http.NewRequest("PUT", "https://api.hackerone.com/v1/programs/{program_id}/credential_inquiries/{id}", data)
req.Header = headers
req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
body, _ := ioutil.ReadAll(resp.Body)
log.Println(string(body))
}
credential inquiry updated
{
"data": {
"id": "<id>",
"type": "credential_inquiry",
"attributes": {
"description": "this is a credential inquiry"
}
}
}
PUT /programs/{program_id}/credential_inquiries/{id}
This endpoint can be used to update a credential inquiry of a program. When the API request is successful, a credential inquiry object will be returned.
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| program_id | path | integer | true | The ID of the program. You can find the program ID by fetching your programs. |
| id | path | integer | true | The ID of the credential inquiry. |
| data | body | object | true | The information to be requested from the hacker |
| » type | body | string | false | none |
| » attributes | body | object | false | none |
| »» description | body | string | true | A description of the information required from the hackers to create credentials |
Enumerated Values
| Parameter | Value |
|---|---|
| » type | credential_inquiry |
Delete Credential Inquiry
Code samples
# You can also use wget
curl "https://api.hackerone.com/v1/programs/{program_id}/credential_inquiries/{id}" \
-X DELETE \
-u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
-H 'Accept: application/json'
import requests
headers = {
'Accept': 'application/json'
}
r = requests.delete(
'https://api.hackerone.com/v1/programs/{program_id}/credential_inquiries/{id}',
auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
headers = headers
)
print(r.json())
require 'rest-client'
require 'json'
headers = {
'Accept' => 'application/json'
}
result = RestClient::Request.execute(
method: :delete,
url: 'https://api.hackerone.com/v1/programs/{program_id}/credential_inquiries/{id}',
password: '<YOUR_API_TOKEN>',
user: '<YOUR_API_USERNAME>',
headers: headers
)
p JSON.parse(result)
URL obj = new URL("https://api.hackerone.com/v1/programs/{program_id}/credential_inquiries/{id}");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);
con.setRequestMethod("DELETE");
try(BufferedReader br = new BufferedReader(
new InputStreamReader(con.getInputStream(), "utf-8"))) {
StringBuilder response = new StringBuilder();
String responseLine = null;
while ((responseLine = br.readLine()) != null) {
response.append(responseLine.trim());
}
System.out.println(response.toString());
}
let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
headers.set('Accept', 'application/json');
fetch('https://api.hackerone.com/v1/programs/{program_id}/credential_inquiries/{id}',
{
method: 'DELETE',
headers: headers
})
.then(function(res) {
return res.json();
}).then(function(body) {
console.log(body);
});
package main
import (
"io/ioutil"
"log"
"net/http"
)
func main() {
headers := map[string][]string{
"Accept": []string{"application/json"},
}
req, err := http.NewRequest("DELETE", "https://api.hackerone.com/v1/programs/{program_id}/credential_inquiries/{id}", nil)
req.Header = headers
req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
body, _ := ioutil.ReadAll(resp.Body)
log.Println(string(body))
}
Credential Inquiry successfully removed
{
"data": {
"success": true,
"message": "Credential Inquiry successfully removed"
}
}
DELETE /programs/{program_id}/credential_inquiries/{id}
This API endpoint can be used to delete an existing credential inquiry. When the API call is successful, a success message will be returned.
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| program_id | path | integer | true | The ID of the program. You can find the program ID by fetching your programs. |
| id | path | integer | true | The ID of the credential inquiry. |
Organizations
Get Your Organizations
Code samples
# You can also use wget
curl "https://api.hackerone.com/v1/me/organizations" \
-X GET \
-u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
-H 'Accept: application/json'
import requests
headers = {
'Accept': 'application/json'
}
r = requests.get(
'https://api.hackerone.com/v1/me/organizations',
auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
headers = headers
)
print(r.json())
require 'rest-client'
require 'json'
headers = {
'Accept' => 'application/json'
}
result = RestClient::Request.execute(
method: :get,
url: 'https://api.hackerone.com/v1/me/organizations',
password: '<YOUR_API_TOKEN>',
user: '<YOUR_API_USERNAME>',
headers: headers
)
p JSON.parse(result)
URL obj = new URL("https://api.hackerone.com/v1/me/organizations");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);
con.setRequestMethod("GET");
try(BufferedReader br = new BufferedReader(
new InputStreamReader(con.getInputStream(), "utf-8"))) {
StringBuilder response = new StringBuilder();
String responseLine = null;
while ((responseLine = br.readLine()) != null) {
response.append(responseLine.trim());
}
System.out.println(response.toString());
}
let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
headers.set('Accept', 'application/json');
fetch('https://api.hackerone.com/v1/me/organizations',
{
method: 'GET',
headers: headers
})
.then(function(res) {
return res.json();
}).then(function(body) {
console.log(body);
});
package main
import (
"io/ioutil"
"log"
"net/http"
)
func main() {
headers := map[string][]string{
"Accept": []string{"application/json"},
}
req, err := http.NewRequest("GET", "https://api.hackerone.com/v1/me/organizations", nil)
req.Header = headers
req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
body, _ := ioutil.ReadAll(resp.Body)
log.Println(string(body))
}
organizations found
{
"data": [
{
"id": "1",
"type": "organization",
"attributes": {
"handle": "security",
"created_at": "2022-09-07T08:00:00.000Z",
"updated_at": "2022-09-07T08:00:00.000Z"
}
}
],
"links": {}
}
GET /me/organizations
This API endpoint allows you to query the organization objects that you
are a member of.
The groups and members relationships are not included in the response.
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| page[number] | query | integer | false | The page to retrieve from. The default is set to 1. |
| page[size] | query | integer | false | The number of objects per page (currently limited from 1 to 100). The default is set to 25. |
Get All Eligibility Settings
Code samples
# You can also use wget
curl "https://api.hackerone.com/v1/organizations/{organization_id}/eligibility_settings" \
-X GET \
-u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
-H 'Accept: application/json'
import requests
headers = {
'Accept': 'application/json'
}
r = requests.get(
'https://api.hackerone.com/v1/organizations/{organization_id}/eligibility_settings',
auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
headers = headers
)
print(r.json())
require 'rest-client'
require 'json'
headers = {
'Accept' => 'application/json'
}
result = RestClient::Request.execute(
method: :get,
url: 'https://api.hackerone.com/v1/organizations/{organization_id}/eligibility_settings',
password: '<YOUR_API_TOKEN>',
user: '<YOUR_API_USERNAME>',
headers: headers
)
p JSON.parse(result)
URL obj = new URL("https://api.hackerone.com/v1/organizations/{organization_id}/eligibility_settings");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);
con.setRequestMethod("GET");
try(BufferedReader br = new BufferedReader(
new InputStreamReader(con.getInputStream(), "utf-8"))) {
StringBuilder response = new StringBuilder();
String responseLine = null;
while ((responseLine = br.readLine()) != null) {
response.append(responseLine.trim());
}
System.out.println(response.toString());
}
let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
headers.set('Accept', 'application/json');
fetch('https://api.hackerone.com/v1/organizations/{organization_id}/eligibility_settings',
{
method: 'GET',
headers: headers
})
.then(function(res) {
return res.json();
}).then(function(body) {
console.log(body);
});
package main
import (
"io/ioutil"
"log"
"net/http"
)
func main() {
headers := map[string][]string{
"Accept": []string{"application/json"},
}
req, err := http.NewRequest("GET", "https://api.hackerone.com/v1/organizations/{organization_id}/eligibility_settings", nil)
req.Header = headers
req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
body, _ := ioutil.ReadAll(resp.Body)
log.Println(string(body))
}
organization eligibility settings found
{
"data": [
{
"id": "1",
"type": "eligibility-setting",
"attributes": {
"allowed_domains": [
"hackerone.com"
],
"allowed_domains_enabled": true,
"name": "Organization Eligibility Settings",
"organization_id": "1",
"created_at": "2016-02-02T04:05:06.000Z",
"updated_at": "2016-02-02T04:05:06.000Z"
}
}
]
}
GET /organizations/{organization_id}/eligibility_settings
This API endpoint can be used to list all eligibility settings of an organization. When the request is
successful, the API will respond with paginated
eligibility-setting.
Required permissions: Group Manager or User Manager. You can manage the permissions of your API users through your
organization's settings. Insufficient permissions will result in a 403 Forbidden response.
You can get the ID of your organization from me/organizations endpoint.
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| organization_id | path | integer | true | The ID of the organization. |
| page[number] | query | integer | false | The page to retrieve from. The default is set to 1. |
| page[size] | query | integer | false | The number of objects per page (currently limited from 1 to 100). The default is set to 25. |
Get Eligibility Setting
Code samples
# You can also use wget
curl "https://api.hackerone.com/v1/organizations/{organization_id}/eligibility_settings/{id}" \
-X GET \
-u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
-H 'Accept: application/json'
import requests
headers = {
'Accept': 'application/json'
}
r = requests.get(
'https://api.hackerone.com/v1/organizations/{organization_id}/eligibility_settings/{id}',
auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
headers = headers
)
print(r.json())
require 'rest-client'
require 'json'
headers = {
'Accept' => 'application/json'
}
result = RestClient::Request.execute(
method: :get,
url: 'https://api.hackerone.com/v1/organizations/{organization_id}/eligibility_settings/{id}',
password: '<YOUR_API_TOKEN>',
user: '<YOUR_API_USERNAME>',
headers: headers
)
p JSON.parse(result)
URL obj = new URL("https://api.hackerone.com/v1/organizations/{organization_id}/eligibility_settings/{id}");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);
con.setRequestMethod("GET");
try(BufferedReader br = new BufferedReader(
new InputStreamReader(con.getInputStream(), "utf-8"))) {
StringBuilder response = new StringBuilder();
String responseLine = null;
while ((responseLine = br.readLine()) != null) {
response.append(responseLine.trim());
}
System.out.println(response.toString());
}
let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
headers.set('Accept', 'application/json');
fetch('https://api.hackerone.com/v1/organizations/{organization_id}/eligibility_settings/{id}',
{
method: 'GET',
headers: headers
})
.then(function(res) {
return res.json();
}).then(function(body) {
console.log(body);
});
package main
import (
"io/ioutil"
"log"
"net/http"
)
func main() {
headers := map[string][]string{
"Accept": []string{"application/json"},
}
req, err := http.NewRequest("GET", "https://api.hackerone.com/v1/organizations/{organization_id}/eligibility_settings/{id}", nil)
req.Header = headers
req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
body, _ := ioutil.ReadAll(resp.Body)
log.Println(string(body))
}
eligibility setting successfully fetched from organization
{
"data": {
"id": "1",
"type": "eligibility-setting",
"attributes": {
"allowed_domains": [
"hackerone.com"
],
"allowed_domains_enabled": true,
"name": "Organization Eligibility Settings",
"organization_id": "1",
"created_at": "2016-02-02T04:05:06.000Z",
"updated_at": "2016-02-02T04:05:06.000Z"
}
}
}
GET /organizations/{organization_id}/eligibility_settings/{id}
This API endpoint can be used to get an eligibility_setting of an organization. When the request is
successful, the API will respond with
eligibility-setting object.
Required permissions: Group Manager or User Manager. You can manage the permissions of your API users through your
organization's settings. Insufficient permissions will result in a 403 Forbidden response.
You can get the ID of your organization from me/organizations endpoint.
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| organization_id | path | integer | true | The ID of the organization. |
| id | path | integer | true | The ID of the eligibility setting. |
Get All Inboxes
Code samples
# You can also use wget
curl "https://api.hackerone.com/v1/organizations/{organization_id}/inboxes" \
-X GET \
-u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
-H 'Accept: application/json'
import requests
headers = {
'Accept': 'application/json'
}
r = requests.get(
'https://api.hackerone.com/v1/organizations/{organization_id}/inboxes',
auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
headers = headers
)
print(r.json())
require 'rest-client'
require 'json'
headers = {
'Accept' => 'application/json'
}
result = RestClient::Request.execute(
method: :get,
url: 'https://api.hackerone.com/v1/organizations/{organization_id}/inboxes',
password: '<YOUR_API_TOKEN>',
user: '<YOUR_API_USERNAME>',
headers: headers
)
p JSON.parse(result)
URL obj = new URL("https://api.hackerone.com/v1/organizations/{organization_id}/inboxes");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);
con.setRequestMethod("GET");
try(BufferedReader br = new BufferedReader(
new InputStreamReader(con.getInputStream(), "utf-8"))) {
StringBuilder response = new StringBuilder();
String responseLine = null;
while ((responseLine = br.readLine()) != null) {
response.append(responseLine.trim());
}
System.out.println(response.toString());
}
let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
headers.set('Accept', 'application/json');
fetch('https://api.hackerone.com/v1/organizations/{organization_id}/inboxes',
{
method: 'GET',
headers: headers
})
.then(function(res) {
return res.json();
}).then(function(body) {
console.log(body);
});
package main
import (
"io/ioutil"
"log"
"net/http"
)
func main() {
headers := map[string][]string{
"Accept": []string{"application/json"},
}
req, err := http.NewRequest("GET", "https://api.hackerone.com/v1/organizations/{organization_id}/inboxes", nil)
req.Header = headers
req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
body, _ := ioutil.ReadAll(resp.Body)
log.Println(string(body))
}
organization inboxes found
{
"data": [
{
"id": "<id>",
"type": "inbox",
"attributes": {
"name": "Inbox 1"
}
},
{
"id": "<id>",
"type": "inbox",
"attributes": {
"name": "Custom Inbox 2"
}
}
],
"links": {}
}
GET /organizations/{organization_id}/inboxes
This API endpoint can be used to list all inboxes of an organization. When the request is
successful, the API will respond with paginated
inbox objects.
You can get the ID of your organization from me/organizations endpoint.
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| organization_id | path | integer | true | The ID of the organization. |
| page[number] | query | integer | false | The page to retrieve from. The default is set to 1. |
| page[size] | query | integer | false | The number of objects per page (currently limited from 1 to 100). The default is set to 25. |
Get Pending Invitations
Code samples
# You can also use wget
curl "https://api.hackerone.com/v1/organizations/{organization_id}/pending_invitations" \
-X GET \
-u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
-H 'Accept: application/json'
import requests
headers = {
'Accept': 'application/json'
}
r = requests.get(
'https://api.hackerone.com/v1/organizations/{organization_id}/pending_invitations',
auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
headers = headers
)
print(r.json())
require 'rest-client'
require 'json'
headers = {
'Accept' => 'application/json'
}
result = RestClient::Request.execute(
method: :get,
url: 'https://api.hackerone.com/v1/organizations/{organization_id}/pending_invitations',
password: '<YOUR_API_TOKEN>',
user: '<YOUR_API_USERNAME>',
headers: headers
)
p JSON.parse(result)
URL obj = new URL("https://api.hackerone.com/v1/organizations/{organization_id}/pending_invitations");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);
con.setRequestMethod("GET");
try(BufferedReader br = new BufferedReader(
new InputStreamReader(con.getInputStream(), "utf-8"))) {
StringBuilder response = new StringBuilder();
String responseLine = null;
while ((responseLine = br.readLine()) != null) {
response.append(responseLine.trim());
}
System.out.println(response.toString());
}
let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
headers.set('Accept', 'application/json');
fetch('https://api.hackerone.com/v1/organizations/{organization_id}/pending_invitations',
{
method: 'GET',
headers: headers
})
.then(function(res) {
return res.json();
}).then(function(body) {
console.log(body);
});
package main
import (
"io/ioutil"
"log"
"net/http"
)
func main() {
headers := map[string][]string{
"Accept": []string{"application/json"},
}
req, err := http.NewRequest("GET", "https://api.hackerone.com/v1/organizations/{organization_id}/pending_invitations", nil)
req.Header = headers
req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
body, _ := ioutil.ReadAll(resp.Body)
log.Println(string(body))
}
organization member groups found
{
"data": [
{
"type": "invitation-organization-member",
"id": "1",
"attributes": {
"email": "example@hackerone.com",
"show_email": true,
"invited_by_id": "2",
"recipient_id": "5",
"invitation_data": {
"notify": true,
"organization_admin": true,
"organization_member_group_ids": []
},
"expires_at": "2016-02-02T04:05:06.000Z",
"created_at": "2016-02-02T04:05:06.000Z",
"updated_at": "2016-02-02T04:05:06.000Z"
}
}
]
}
GET /organizations/{organization_id}/pending_invitations
This API endpoint can be used to list all open invitations of an organization. When the request is
successful, the API will respond with paginated
invitation-organization-member objects.
Required permissions: Group Manager. You can manage the permissions of your API users through your
organization's settings. Insufficient permissions will result in a 403 Forbidden response.
You can get the ID of your organization from me/organizations endpoint.
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| organization_id | path | integer | true | The ID of the organization. |
| page[number] | query | integer | false | The page to retrieve from. The default is set to 1. |
| page[size] | query | integer | false | The number of objects per page (currently limited from 1 to 100). The default is set to 25. |
Create An Invitation
Code samples
# You can also use wget
curl "https://api.hackerone.com/v1/organizations/{organization_id}/invitations" \
-X POST \
-u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
-H 'Content-Type: application/json' \
-H 'Accept: application/json' \
-d @- <<EOD
{
"data": {
"type": "invitation-organization-member",
"attributes": {
"email": "string",
"organization_member_group_ids": [],
"organization_admin": true,
"notify": true
}
}
}
EOD
import requests
headers = {
'Content-Type': 'application/json',
'Accept': 'application/json'
}
data = {
"data": {
"type": "invitation-organization-member",
"attributes": {
"email": "string",
"organization_member_group_ids": [],
"organization_admin": true,
"notify": true
}
}
}
r = requests.post(
'https://api.hackerone.com/v1/organizations/{organization_id}/invitations',
auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
json = data,
headers = headers
)
print(r.json())
require 'rest-client'
require 'json'
headers = {
'Content-Type' => 'application/json',
'Accept' => 'application/json'
}
data = {
"data": {
"type": "invitation-organization-member",
"attributes": {
"email": "string",
"organization_member_group_ids": [],
"organization_admin": true,
"notify": true
}
}
}
result = RestClient::Request.execute(
method: :post,
url: 'https://api.hackerone.com/v1/organizations/{organization_id}/invitations',
password: '<YOUR_API_TOKEN>',
user: '<YOUR_API_USERNAME>',
payload: data,
headers: headers
)
p JSON.parse(result)
URL obj = new URL("https://api.hackerone.com/v1/organizations/{organization_id}/invitations");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);
con.setRequestMethod("POST");
con.setRequestProperty("Content-Type", "application/json; utf-8");
con.setRequestProperty("Accept", "application/json");
con.setDoOutput(true);
String jsonInputString = "{\n \"data\": {\n \"type\": \"invitation-organization-member\",\n \"attributes\": {\n \"email\": \"string\",\n \"organization_member_group_ids\": [],\n \"organization_admin\": true,\n \"notify\": true\n }\n }\n}";
try(OutputStream os = con.getOutputStream()) {
byte[] input = jsonInputString.getBytes("utf-8");
os.write(input, 0, input.length);
}
try(BufferedReader br = new BufferedReader(
new InputStreamReader(con.getInputStream(), "utf-8"))) {
StringBuilder response = new StringBuilder();
String responseLine = null;
while ((responseLine = br.readLine()) != null) {
response.append(responseLine.trim());
}
System.out.println(response.toString());
}
let inputBody = "{\n \"data\": {\n \"type\": \"invitation-organization-member\",\n \"attributes\": {\n \"email\": \"string\",\n \"organization_member_group_ids\": [],\n \"organization_admin\": true,\n \"notify\": true\n }\n }\n}";
let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
headers.set('Content-Type', 'application/json'); headers.set('Accept', 'application/json');
fetch('https://api.hackerone.com/v1/organizations/{organization_id}/invitations',
{
method: 'POST',
body: inputBody,
headers: headers
})
.then(function(res) {
return res.json();
}).then(function(body) {
console.log(body);
});
package main
import (
"bytes"
"io/ioutil"
"log"
"net/http"
)
func main() {
headers := map[string][]string{
"Content-Type": []string{"application/json"},
"Accept": []string{"application/json"},
}
data := bytes.NewBuffer([]byte(`"{\n \"data\": {\n \"type\": \"invitation-organization-member\",\n \"attributes\": {\n \"email\": \"string\",\n \"organization_member_group_ids\": [],\n \"organization_admin\": true,\n \"notify\": true\n }\n }\n}"`))
req, err := http.NewRequest("POST", "https://api.hackerone.com/v1/organizations/{organization_id}/invitations", data)
req.Header = headers
req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
body, _ := ioutil.ReadAll(resp.Body)
log.Println(string(body))
}
invitation created
{
"data": {
"type": "invitation-organization-member",
"id": "1",
"attributes": {
"email": "example@hackerone.com",
"username": null,
"invited_by_id": "2",
"recipient_id": null,
"invitation_data": {
"notify": true,
"organization_admin": true,
"organization_member_group_ids": []
},
"created_at": "2016-02-02T04:05:06.000Z",
"updated_at": "2016-02-02T04:05:06.000Z",
"expires_at": "2016-02-02T04:05:06.000Z"
}
}
}
POST /organizations/{organization_id}/invitations
This API endpoint can be used to invite a recipient to an organization using their email address.
This endpoint can trigger notifications.
When the request is successful, the API will respond with an
invitation-organization-member object.
Required permissions: User Manager. You can manage the permissions of your API users through your
organization's settings. Insufficient permissions will result in a 403 Forbidden response.
You can get the ID of your organization from me/organizations endpoint.
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| organization_id | path | integer | true | The ID of the organization. |
| data | body | object | true | The information to create the organization member invitation. |
| » type | body | string | false | none |
| » attributes | body | object | true | none |
| »» email | body | string | true | The invitee email. It must respect the eligibility settings of the groups and the organization. |
| »» organization_member_group_ids | body | array | false | The organization groups IDs where the user should be added. |
| »» organization_admin | body | boolean | false | Sets the invitee as an organization admin. |
| »» notify | body | boolean | false | Activates organization notifications for the invitee. |
Enumerated Values
| Parameter | Value |
|---|---|
| » type | invitation-organization-member |
Get Group
Code samples
# You can also use wget
curl "https://api.hackerone.com/v1/organizations/{organization_id}/groups/{id}" \
-X GET \
-u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
-H 'Accept: application/json'
import requests
headers = {
'Accept': 'application/json'
}
r = requests.get(
'https://api.hackerone.com/v1/organizations/{organization_id}/groups/{id}',
auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
headers = headers
)
print(r.json())
require 'rest-client'
require 'json'
headers = {
'Accept' => 'application/json'
}
result = RestClient::Request.execute(
method: :get,
url: 'https://api.hackerone.com/v1/organizations/{organization_id}/groups/{id}',
password: '<YOUR_API_TOKEN>',
user: '<YOUR_API_USERNAME>',
headers: headers
)
p JSON.parse(result)
URL obj = new URL("https://api.hackerone.com/v1/organizations/{organization_id}/groups/{id}");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);
con.setRequestMethod("GET");
try(BufferedReader br = new BufferedReader(
new InputStreamReader(con.getInputStream(), "utf-8"))) {
StringBuilder response = new StringBuilder();
String responseLine = null;
while ((responseLine = br.readLine()) != null) {
response.append(responseLine.trim());
}
System.out.println(response.toString());
}
let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
headers.set('Accept', 'application/json');
fetch('https://api.hackerone.com/v1/organizations/{organization_id}/groups/{id}',
{
method: 'GET',
headers: headers
})
.then(function(res) {
return res.json();
}).then(function(body) {
console.log(body);
});
package main
import (
"io/ioutil"
"log"
"net/http"
)
func main() {
headers := map[string][]string{
"Accept": []string{"application/json"},
}
req, err := http.NewRequest("GET", "https://api.hackerone.com/v1/organizations/{organization_id}/groups/{id}", nil)
req.Header = headers
req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
body, _ := ioutil.ReadAll(resp.Body)
log.Println(string(body))
}
organization member group found
{
"id": "11",
"type": "organization-member-group",
"attributes": {
"name": "Standard1",
"organization_id": "2",
"eligibility_setting_id": "8",
"permissions": [
"read_only_member"
],
"created_at": "2016-02-02T04:05:06.000Z",
"updated_at": "2016-02-02T04:05:06.000Z",
"migrated_at": null
},
"relationships": {
"organization_members": {
"data": [
{
"id": "45",
"type": "organization-member",
"attributes": {
"organization_id": "2",
"user_id": "22",
"email": "example@hackerone.com",
"organization_admin": true,
"created_at": "2016-02-02T04:05:06.000Z",
"updated_at": "2016-02-02T04:05:06.000Z",
"last_sign_in_at": "2023-11-24T21:24:31.102Z"
}
}
]
},
"programs": {
"data": []
}
}
}
GET /organizations/{organization_id}/groups/{id}
This API endpoint can be used to get a group of an organization. When the request is
successful, the API will respond with
organization-member-group object.
Required permissions: Group Manager or User Manager. You can manage the permissions of your API users through your organization's settings. Insufficient permissions will result in a 403 Forbidden response.
You can get the ID of your organization from me/organizations endpoint.
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| organization_id | path | integer | true | The ID of the organization. |
| id | path | integer | true | The ID of the group. |
Update Group
Code samples
# You can also use wget
curl "https://api.hackerone.com/v1/organizations/{organization_id}/groups/{id}" \
-X PUT \
-u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
-H 'Content-Type: application/json' \
-H 'Accept: application/json' \
-d @- <<EOD
{
"data": {
"type": "organization-member-group",
"attributes": {
"name": "string",
"eligibility_setting_id": 0,
"permissions": [
"string"
]
},
"relationships": {
"organization_members": {
"data": [
{
"id": 0,
"type": "organization-member"
}
]
},
"programs": {
"data": [
{
"id": 0,
"type": "program"
}
]
}
}
}
}
EOD
import requests
headers = {
'Content-Type': 'application/json',
'Accept': 'application/json'
}
data = {
"data": {
"type": "organization-member-group",
"attributes": {
"name": "string",
"eligibility_setting_id": 0,
"permissions": [
"string"
]
},
"relationships": {
"organization_members": {
"data": [
{
"id": 0,
"type": "organization-member"
}
]
},
"programs": {
"data": [
{
"id": 0,
"type": "program"
}
]
}
}
}
}
r = requests.put(
'https://api.hackerone.com/v1/organizations/{organization_id}/groups/{id}',
auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
json = data,
headers = headers
)
print(r.json())
require 'rest-client'
require 'json'
headers = {
'Content-Type' => 'application/json',
'Accept' => 'application/json'
}
data = {
"data": {
"type": "organization-member-group",
"attributes": {
"name": "string",
"eligibility_setting_id": 0,
"permissions": [
"string"
]
},
"relationships": {
"organization_members": {
"data": [
{
"id": 0,
"type": "organization-member"
}
]
},
"programs": {
"data": [
{
"id": 0,
"type": "program"
}
]
}
}
}
}
result = RestClient::Request.execute(
method: :put,
url: 'https://api.hackerone.com/v1/organizations/{organization_id}/groups/{id}',
password: '<YOUR_API_TOKEN>',
user: '<YOUR_API_USERNAME>',
payload: data,
headers: headers
)
p JSON.parse(result)
URL obj = new URL("https://api.hackerone.com/v1/organizations/{organization_id}/groups/{id}");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);
con.setRequestMethod("PUT");
con.setRequestProperty("Content-Type", "application/json; utf-8");
con.setRequestProperty("Accept", "application/json");
con.setDoOutput(true);
String jsonInputString = "{\n \"data\": {\n \"type\": \"organization-member-group\",\n \"attributes\": {\n \"name\": \"string\",\n \"eligibility_setting_id\": 0,\n \"permissions\": [\n \"string\"\n ]\n },\n \"relationships\": {\n \"organization_members\": {\n \"data\": [\n {\n \"id\": 0,\n \"type\": \"organization-member\"\n }\n ]\n },\n \"programs\": {\n \"data\": [\n {\n \"id\": 0,\n \"type\": \"program\"\n }\n ]\n }\n }\n }\n}";
try(OutputStream os = con.getOutputStream()) {
byte[] input = jsonInputString.getBytes("utf-8");
os.write(input, 0, input.length);
}
try(BufferedReader br = new BufferedReader(
new InputStreamReader(con.getInputStream(), "utf-8"))) {
StringBuilder response = new StringBuilder();
String responseLine = null;
while ((responseLine = br.readLine()) != null) {
response.append(responseLine.trim());
}
System.out.println(response.toString());
}
let inputBody = "{\n \"data\": {\n \"type\": \"organization-member-group\",\n \"attributes\": {\n \"name\": \"string\",\n \"eligibility_setting_id\": 0,\n \"permissions\": [\n \"string\"\n ]\n },\n \"relationships\": {\n \"organization_members\": {\n \"data\": [\n {\n \"id\": 0,\n \"type\": \"organization-member\"\n }\n ]\n },\n \"programs\": {\n \"data\": [\n {\n \"id\": 0,\n \"type\": \"program\"\n }\n ]\n }\n }\n }\n}";
let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
headers.set('Content-Type', 'application/json'); headers.set('Accept', 'application/json');
fetch('https://api.hackerone.com/v1/organizations/{organization_id}/groups/{id}',
{
method: 'PUT',
body: inputBody,
headers: headers
})
.then(function(res) {
return res.json();
}).then(function(body) {
console.log(body);
});
package main
import (
"bytes"
"io/ioutil"
"log"
"net/http"
)
func main() {
headers := map[string][]string{
"Content-Type": []string{"application/json"},
"Accept": []string{"application/json"},
}
data := bytes.NewBuffer([]byte(`"{\n \"data\": {\n \"type\": \"organization-member-group\",\n \"attributes\": {\n \"name\": \"string\",\n \"eligibility_setting_id\": 0,\n \"permissions\": [\n \"string\"\n ]\n },\n \"relationships\": {\n \"organization_members\": {\n \"data\": [\n {\n \"id\": 0,\n \"type\": \"organization-member\"\n }\n ]\n },\n \"programs\": {\n \"data\": [\n {\n \"id\": 0,\n \"type\": \"program\"\n }\n ]\n }\n }\n }\n}"`))
req, err := http.NewRequest("PUT", "https://api.hackerone.com/v1/organizations/{organization_id}/groups/{id}", data)
req.Header = headers
req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
body, _ := ioutil.ReadAll(resp.Body)
log.Println(string(body))
}
organization member group updated
{
"id": "11",
"type": "organization-member-group",
"attributes": {
"name": "Standard3",
"organization_id": "2",
"eligibility_setting_id": "8",
"permissions": [
"read_only_member",
"report_analyst"
],
"created_at": "2016-02-02T04:05:06.000Z",
"updated_at": "2016-02-02T04:05:06.000Z",
"migrated_at": null
},
"relationships": {
"organization_members": {
"data": [
{
"id": "45",
"type": "organization-member",
"attributes": {
"organization_id": "2",
"user_id": "22",
"email": "example@hackerone.com",
"organization_admin": true,
"created_at": "2016-02-02T04:05:06.000Z",
"updated_at": "2016-02-02T04:05:06.000Z",
"last_sign_in_at": "2023-11-24T21:24:31.102Z"
}
}
]
},
"programs": {
"data": [
{
"id": "1",
"type": "program",
"attributes": {
"handle": "user-management-api",
"created_at": "2023-02-06T16:10:06.000Z",
"updated_at": "2023-02-07T10:31:11.000Z"
}
}
]
}
}
}
PUT /organizations/{organization_id}/groups/{id}
This endpoint can be used to update an organization member group. When the API request is successful, an organization member group object will be returned.
It is possible to update members and programs users have access to via organization_members and programs relationships.
Required permissions: Group Manager. You can manage the permissions of your API users through your organization's settings. Insufficient permissions will result in a 403 Forbidden response.
You can get the ID of your organization from me/organizations endpoint.
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| organization_id | path | integer | true | The ID of the organization. |
| id | path | integer | true | The ID of the organization member group. |
| data | body | object | true | The information to update an organization member. |
| » type | body | string | true | none |
| » attributes | body | object | true | none |
| »» name | body | string | false | The name of the organization member group. |
| »» eligibility_setting_id | body | integer | false | The ID of the eligibility setting. |
| »» permissions | body | [string] | false | The permissions added to the new organization group. Possible values are: asset_inventory_manager, asset_inventory_viewer, group_manager, program_admin, read_only_member, report_analyst, report_reward_manager and user_manager. |
| » relationships | body | object | false | none |
| »» organization_members | body | object | false | A list of members for the organization member group. |
| »»» data | body | [any] | true | none |
| »» programs | body | object | false | A list of programs for the organization member group. |
| »»» data | body | [any] | true | none |
Enumerated Values
| Parameter | Value |
|---|---|
| » type | organization-member-group |
Get All Groups
Code samples
# You can also use wget
curl "https://api.hackerone.com/v1/organizations/{organization_id}/groups" \
-X GET \
-u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
-H 'Accept: application/json'
import requests
headers = {
'Accept': 'application/json'
}
r = requests.get(
'https://api.hackerone.com/v1/organizations/{organization_id}/groups',
auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
headers = headers
)
print(r.json())
require 'rest-client'
require 'json'
headers = {
'Accept' => 'application/json'
}
result = RestClient::Request.execute(
method: :get,
url: 'https://api.hackerone.com/v1/organizations/{organization_id}/groups',
password: '<YOUR_API_TOKEN>',
user: '<YOUR_API_USERNAME>',
headers: headers
)
p JSON.parse(result)
URL obj = new URL("https://api.hackerone.com/v1/organizations/{organization_id}/groups");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);
con.setRequestMethod("GET");
try(BufferedReader br = new BufferedReader(
new InputStreamReader(con.getInputStream(), "utf-8"))) {
StringBuilder response = new StringBuilder();
String responseLine = null;
while ((responseLine = br.readLine()) != null) {
response.append(responseLine.trim());
}
System.out.println(response.toString());
}
let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
headers.set('Accept', 'application/json');
fetch('https://api.hackerone.com/v1/organizations/{organization_id}/groups',
{
method: 'GET',
headers: headers
})
.then(function(res) {
return res.json();
}).then(function(body) {
console.log(body);
});
package main
import (
"io/ioutil"
"log"
"net/http"
)
func main() {
headers := map[string][]string{
"Accept": []string{"application/json"},
}
req, err := http.NewRequest("GET", "https://api.hackerone.com/v1/organizations/{organization_id}/groups", nil)
req.Header = headers
req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
body, _ := ioutil.ReadAll(resp.Body)
log.Println(string(body))
}
organization member groups found
{
"data": [
{
"id": "11",
"type": "organization-member-group",
"attributes": {
"name": "Standard1",
"organization_id": "2",
"eligibility_setting_id": "8",
"permissions": [
"read_only_member"
],
"created_at": "2016-02-02T04:05:06.000Z",
"updated_at": "2016-02-02T04:05:06.000Z",
"migrated_at": null
}
}
],
"links": {}
}
GET /organizations/{organization_id}/groups
This API endpoint can be used to list all groups of an organization. When the request is
successful, the API will respond with paginated
organization-member-group objects.
Required permissions: Group Manager or User Manager. You can manage the permissions of your API users through your organization's settings. Insufficient permissions will result in a 403 Forbidden response.
You can get the ID of your organization from me/organizations endpoint.
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| organization_id | path | integer | true | The ID of the organization. |
| page[number] | query | integer | false | The page to retrieve from. The default is set to 1. |
| page[size] | query | integer | false | The number of objects per page (currently limited from 1 to 100). The default is set to 25. |
Create Group
Code samples
# You can also use wget
curl "https://api.hackerone.com/v1/organizations/{organization_id}/groups" \
-X POST \
-u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
-H 'Content-Type: application/json' \
-H 'Accept: application/json' \
-d @- <<EOD
{
"data": {
"type": "organization-member-group",
"attributes": {
"name": "string",
"permissions": [],
"eligibility_setting_id": 0
},
"relationships": {
"organization_members": {
"data": [
{
"id": 0,
"type": "organization-member"
}
]
},
"programs": {
"data": [
{
"id": 0,
"type": "program"
}
]
}
}
}
}
EOD
import requests
headers = {
'Content-Type': 'application/json',
'Accept': 'application/json'
}
data = {
"data": {
"type": "organization-member-group",
"attributes": {
"name": "string",
"permissions": [],
"eligibility_setting_id": 0
},
"relationships": {
"organization_members": {
"data": [
{
"id": 0,
"type": "organization-member"
}
]
},
"programs": {
"data": [
{
"id": 0,
"type": "program"
}
]
}
}
}
}
r = requests.post(
'https://api.hackerone.com/v1/organizations/{organization_id}/groups',
auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
json = data,
headers = headers
)
print(r.json())
require 'rest-client'
require 'json'
headers = {
'Content-Type' => 'application/json',
'Accept' => 'application/json'
}
data = {
"data": {
"type": "organization-member-group",
"attributes": {
"name": "string",
"permissions": [],
"eligibility_setting_id": 0
},
"relationships": {
"organization_members": {
"data": [
{
"id": 0,
"type": "organization-member"
}
]
},
"programs": {
"data": [
{
"id": 0,
"type": "program"
}
]
}
}
}
}
result = RestClient::Request.execute(
method: :post,
url: 'https://api.hackerone.com/v1/organizations/{organization_id}/groups',
password: '<YOUR_API_TOKEN>',
user: '<YOUR_API_USERNAME>',
payload: data,
headers: headers
)
p JSON.parse(result)
URL obj = new URL("https://api.hackerone.com/v1/organizations/{organization_id}/groups");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);
con.setRequestMethod("POST");
con.setRequestProperty("Content-Type", "application/json; utf-8");
con.setRequestProperty("Accept", "application/json");
con.setDoOutput(true);
String jsonInputString = "{\n \"data\": {\n \"type\": \"organization-member-group\",\n \"attributes\": {\n \"name\": \"string\",\n \"permissions\": [],\n \"eligibility_setting_id\": 0\n },\n \"relationships\": {\n \"organization_members\": {\n \"data\": [\n {\n \"id\": 0,\n \"type\": \"organization-member\"\n }\n ]\n },\n \"programs\": {\n \"data\": [\n {\n \"id\": 0,\n \"type\": \"program\"\n }\n ]\n }\n }\n }\n}";
try(OutputStream os = con.getOutputStream()) {
byte[] input = jsonInputString.getBytes("utf-8");
os.write(input, 0, input.length);
}
try(BufferedReader br = new BufferedReader(
new InputStreamReader(con.getInputStream(), "utf-8"))) {
StringBuilder response = new StringBuilder();
String responseLine = null;
while ((responseLine = br.readLine()) != null) {
response.append(responseLine.trim());
}
System.out.println(response.toString());
}
let inputBody = "{\n \"data\": {\n \"type\": \"organization-member-group\",\n \"attributes\": {\n \"name\": \"string\",\n \"permissions\": [],\n \"eligibility_setting_id\": 0\n },\n \"relationships\": {\n \"organization_members\": {\n \"data\": [\n {\n \"id\": 0,\n \"type\": \"organization-member\"\n }\n ]\n },\n \"programs\": {\n \"data\": [\n {\n \"id\": 0,\n \"type\": \"program\"\n }\n ]\n }\n }\n }\n}";
let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
headers.set('Content-Type', 'application/json'); headers.set('Accept', 'application/json');
fetch('https://api.hackerone.com/v1/organizations/{organization_id}/groups',
{
method: 'POST',
body: inputBody,
headers: headers
})
.then(function(res) {
return res.json();
}).then(function(body) {
console.log(body);
});
package main
import (
"bytes"
"io/ioutil"
"log"
"net/http"
)
func main() {
headers := map[string][]string{
"Content-Type": []string{"application/json"},
"Accept": []string{"application/json"},
}
data := bytes.NewBuffer([]byte(`"{\n \"data\": {\n \"type\": \"organization-member-group\",\n \"attributes\": {\n \"name\": \"string\",\n \"permissions\": [],\n \"eligibility_setting_id\": 0\n },\n \"relationships\": {\n \"organization_members\": {\n \"data\": [\n {\n \"id\": 0,\n \"type\": \"organization-member\"\n }\n ]\n },\n \"programs\": {\n \"data\": [\n {\n \"id\": 0,\n \"type\": \"program\"\n }\n ]\n }\n }\n }\n}"`))
req, err := http.NewRequest("POST", "https://api.hackerone.com/v1/organizations/{organization_id}/groups", data)
req.Header = headers
req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
body, _ := ioutil.ReadAll(resp.Body)
log.Println(string(body))
}
organization group created
{
"id": "1",
"type": "organization-member-group",
"attributes": {
"name": "Standard1",
"organization_id": "2",
"eligibility_setting_id": "8",
"permissions": [
"read_only_member"
],
"created_at": "2016-02-02T04:05:06.000Z",
"updated_at": "2016-02-02T04:05:06.000Z",
"migrated_at": null
},
"relationships": {
"organization_members": {
"data": [
{
"id": "45",
"type": "organization-member",
"attributes": {
"organization_id": "2",
"user_id": "22",
"email": "example@hackerone.com",
"organization_admin": true,
"created_at": "2016-02-02T04:05:06.000Z",
"updated_at": "2016-02-02T04:05:06.000Z",
"last_sign_in_at": "2023-11-24T21:24:31.102Z"
}
}
]
}
}
}
POST /organizations/{organization_id}/groups
This API endpoint can be used to create a new organization group. When the request is successful the API will
respond with an organization group object.
It is possible to add users to the new organization group by including a list of organization members as
relationships. A list of organization members can be obtained at organizations/{organization_id}/members
It is possible to add programs to the new organization group by including a list of programs as relationships.
Required permissions: Group Manager. You can manage the permissions of your API users through your organization's settings. Insufficient permissions will result in a 403 Forbidden response.
You can get the ID of your organization from me/organizations endpoint.
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| organization_id | path | integer | true | The ID of the organization. |
| data | body | object | true | The information to create the organization group. |
| » type | body | string | true | none |
| » attributes | body | object | true | none |
| »» name | body | string | true | The name of the new organization group. |
| »» permissions | body | array | true | The permissions added to the new organization group. Possible values are: asset_inventory_manager, asset_inventory_viewer, group_manager, program_admin, read_only_member, report_analyst, report_reward_manager and user_manager. |
| »» eligibility_setting_id | body | integer | false | The id of the eligibility settings. |
| » relationships | body | object | false | none |
| »» organization_members | body | object | false | A list of members for the organization member group. |
| »»» data | body | [any] | true | none |
| »» programs | body | object | false | A list of programs for the organization member group. |
| »»» data | body | [any] | true | none |
Enumerated Values
| Parameter | Value |
|---|---|
| » type | organization-member-group |
Get All Members
Code samples
# You can also use wget
curl "https://api.hackerone.com/v1/organizations/{organization_id}/members" \
-X GET \
-u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
-H 'Accept: application/json'
import requests
headers = {
'Accept': 'application/json'
}
r = requests.get(
'https://api.hackerone.com/v1/organizations/{organization_id}/members',
auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
headers = headers
)
print(r.json())
require 'rest-client'
require 'json'
headers = {
'Accept' => 'application/json'
}
result = RestClient::Request.execute(
method: :get,
url: 'https://api.hackerone.com/v1/organizations/{organization_id}/members',
password: '<YOUR_API_TOKEN>',
user: '<YOUR_API_USERNAME>',
headers: headers
)
p JSON.parse(result)
URL obj = new URL("https://api.hackerone.com/v1/organizations/{organization_id}/members");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);
con.setRequestMethod("GET");
try(BufferedReader br = new BufferedReader(
new InputStreamReader(con.getInputStream(), "utf-8"))) {
StringBuilder response = new StringBuilder();
String responseLine = null;
while ((responseLine = br.readLine()) != null) {
response.append(responseLine.trim());
}
System.out.println(response.toString());
}
let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
headers.set('Accept', 'application/json');
fetch('https://api.hackerone.com/v1/organizations/{organization_id}/members',
{
method: 'GET',
headers: headers
})
.then(function(res) {
return res.json();
}).then(function(body) {
console.log(body);
});
package main
import (
"io/ioutil"
"log"
"net/http"
)
func main() {
headers := map[string][]string{
"Accept": []string{"application/json"},
}
req, err := http.NewRequest("GET", "https://api.hackerone.com/v1/organizations/{organization_id}/members", nil)
req.Header = headers
req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
body, _ := ioutil.ReadAll(resp.Body)
log.Println(string(body))
}
organization members found
{
"data": [
{
"id": "1",
"type": "organization-member",
"attributes": {
"organization_id": "3",
"user_id": "5",
"email": "example@hackerone.com",
"organization_admin": true,
"created_at": "2016-02-02T04:05:06.000Z",
"updated_at": "2016-02-02T04:05:06.000Z",
"last_sign_in_at": "2023-11-24T21:24:31.102Z"
},
"relationships": {
"organization_member_groups": {
"data": [
{
"id": "2",
"type": "organization-member-group",
"attributes": {
"name": "Standard1",
"organization_id": "3",
"eligibility_setting_id": "4",
"permissions": [
"read_only_member"
],
"created_at": "2016-02-02T04:05:06.000Z",
"updated_at": "2016-02-02T04:05:06.000Z",
"migrated_at": null
}
}
]
}
}
}
],
"links": {}
}
GET /organizations/{organization_id}/members
This API endpoint can be used to list all members of an organization. When the request is
successful, the API will respond with paginated organization member objects.
Required permissions: User Manager or Groups Manager. You can manage the permissions of your API users through your organization's settings. Insufficient permissions will result in a 401 Unauthorized response.
You can get the ID of your organization from me/organizations endpoint.
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| organization_id | path | integer | true | The ID of the organization. |
| page[number] | query | integer | false | The page to retrieve from. The default is set to 1. |
| page[size] | query | integer | false | The number of objects per page (currently limited from 1 to 100). The default is set to 25. |
Get Member
Code samples
# You can also use wget
curl "https://api.hackerone.com/v1/organizations/{organization_id}/members/{id}" \
-X GET \
-u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
-H 'Accept: application/json'
import requests
headers = {
'Accept': 'application/json'
}
r = requests.get(
'https://api.hackerone.com/v1/organizations/{organization_id}/members/{id}',
auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
headers = headers
)
print(r.json())
require 'rest-client'
require 'json'
headers = {
'Accept' => 'application/json'
}
result = RestClient::Request.execute(
method: :get,
url: 'https://api.hackerone.com/v1/organizations/{organization_id}/members/{id}',
password: '<YOUR_API_TOKEN>',
user: '<YOUR_API_USERNAME>',
headers: headers
)
p JSON.parse(result)
URL obj = new URL("https://api.hackerone.com/v1/organizations/{organization_id}/members/{id}");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);
con.setRequestMethod("GET");
try(BufferedReader br = new BufferedReader(
new InputStreamReader(con.getInputStream(), "utf-8"))) {
StringBuilder response = new StringBuilder();
String responseLine = null;
while ((responseLine = br.readLine()) != null) {
response.append(responseLine.trim());
}
System.out.println(response.toString());
}
let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
headers.set('Accept', 'application/json');
fetch('https://api.hackerone.com/v1/organizations/{organization_id}/members/{id}',
{
method: 'GET',
headers: headers
})
.then(function(res) {
return res.json();
}).then(function(body) {
console.log(body);
});
package main
import (
"io/ioutil"
"log"
"net/http"
)
func main() {
headers := map[string][]string{
"Accept": []string{"application/json"},
}
req, err := http.NewRequest("GET", "https://api.hackerone.com/v1/organizations/{organization_id}/members/{id}", nil)
req.Header = headers
req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
body, _ := ioutil.ReadAll(resp.Body)
log.Println(string(body))
}
member successfully fetched from organization
{
"data": {
"id": "1",
"type": "organization-member",
"attributes": {
"organization_id": "3",
"user_id": "5",
"email": "example@hackerone.com",
"organization_admin": true,
"created_at": "2016-02-02T04:05:06.000Z",
"updated_at": "2016-02-02T04:05:06.000Z",
"last_sign_in_at": "2023-11-24T21:24:31.102Z"
},
"relationships": {
"organization_member_groups": {
"data": [
{
"id": "2",
"type": "organization-member-group",
"attributes": {
"name": "Standard1",
"organization_id": "3",
"eligibility_setting_id": "4",
"permissions": [
"read_only_member"
],
"created_at": "2016-02-02T04:05:06.000Z",
"updated_at": "2016-02-02T04:05:06.000Z",
"migrated_at": null
}
}
]
}
}
}
}
GET /organizations/{organization_id}/members/{id}
This API endpoint can be used to get a member of an organization. When the request is
successful, the API will respond with
organization-member object.
Required permissions: User Manager or Groups Manager. You can manage the permissions of your API users through your organization's settings. Insufficient permissions will result in a 401 Unauthorized response.
You can get the ID of your organization from me/organizations endpoint.
You can get the IDs of your organization members from get all members endpoint.
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| organization_id | path | integer | true | The ID of the organization. |
| id | path | integer | true | The ID of the member. |
Remove Member
Code samples
# You can also use wget
curl "https://api.hackerone.com/v1/organizations/{organization_id}/members/{id}" \
-X DELETE \
-u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
-H 'Accept: application/json'
import requests
headers = {
'Accept': 'application/json'
}
r = requests.delete(
'https://api.hackerone.com/v1/organizations/{organization_id}/members/{id}',
auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
headers = headers
)
print(r.json())
require 'rest-client'
require 'json'
headers = {
'Accept' => 'application/json'
}
result = RestClient::Request.execute(
method: :delete,
url: 'https://api.hackerone.com/v1/organizations/{organization_id}/members/{id}',
password: '<YOUR_API_TOKEN>',
user: '<YOUR_API_USERNAME>',
headers: headers
)
p JSON.parse(result)
URL obj = new URL("https://api.hackerone.com/v1/organizations/{organization_id}/members/{id}");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);
con.setRequestMethod("DELETE");
try(BufferedReader br = new BufferedReader(
new InputStreamReader(con.getInputStream(), "utf-8"))) {
StringBuilder response = new StringBuilder();
String responseLine = null;
while ((responseLine = br.readLine()) != null) {
response.append(responseLine.trim());
}
System.out.println(response.toString());
}
let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
headers.set('Accept', 'application/json');
fetch('https://api.hackerone.com/v1/organizations/{organization_id}/members/{id}',
{
method: 'DELETE',
headers: headers
})
.then(function(res) {
return res.json();
}).then(function(body) {
console.log(body);
});
package main
import (
"io/ioutil"
"log"
"net/http"
)
func main() {
headers := map[string][]string{
"Accept": []string{"application/json"},
}
req, err := http.NewRequest("DELETE", "https://api.hackerone.com/v1/organizations/{organization_id}/members/{id}", nil)
req.Header = headers
req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
body, _ := ioutil.ReadAll(resp.Body)
log.Println(string(body))
}
member successfully removed from organization
{
"data": {
"success": true,
"message": "Member successfully removed from organization"
}
}
DELETE /organizations/{organization_id}/members/{id}
This API endpoint can be used to delete a member of an organization. When the request is
successful, the API will respond with a successfully message.
Required permissions: User Manager. You can manage the permissions of your API users through your organization's settings. Insufficient permissions will result in a 401 Unauthorized response.
Trying to remove an organization admin with an api token that is not an organization admin will return error 403 Forbidden.
You can get the ID of your organization from me/organizations endpoint.
You can get the IDs of your organization members from get all members endpoint.
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| organization_id | path | integer | true | The ID of the organization. |
| id | path | integer | true | The ID of the member. |
Update Member
Code samples
# You can also use wget
curl "https://api.hackerone.com/v1/organizations/{organization_id}/members/{id}" \
-X PUT \
-u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
-H 'Content-Type: application/json' \
-H 'Accept: application/json' \
-d @- <<EOD
{
"data": {
"type": "organization-member",
"attributes": {
"organization_admin": true
},
"relationships": {
"organization_member_groups": {
"data": [
{
"id": 0,
"type": "organization-member-group"
}
]
}
}
}
}
EOD
import requests
headers = {
'Content-Type': 'application/json',
'Accept': 'application/json'
}
data = {
"data": {
"type": "organization-member",
"attributes": {
"organization_admin": true
},
"relationships": {
"organization_member_groups": {
"data": [
{
"id": 0,
"type": "organization-member-group"
}
]
}
}
}
}
r = requests.put(
'https://api.hackerone.com/v1/organizations/{organization_id}/members/{id}',
auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
json = data,
headers = headers
)
print(r.json())
require 'rest-client'
require 'json'
headers = {
'Content-Type' => 'application/json',
'Accept' => 'application/json'
}
data = {
"data": {
"type": "organization-member",
"attributes": {
"organization_admin": true
},
"relationships": {
"organization_member_groups": {
"data": [
{
"id": 0,
"type": "organization-member-group"
}
]
}
}
}
}
result = RestClient::Request.execute(
method: :put,
url: 'https://api.hackerone.com/v1/organizations/{organization_id}/members/{id}',
password: '<YOUR_API_TOKEN>',
user: '<YOUR_API_USERNAME>',
payload: data,
headers: headers
)
p JSON.parse(result)
URL obj = new URL("https://api.hackerone.com/v1/organizations/{organization_id}/members/{id}");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);
con.setRequestMethod("PUT");
con.setRequestProperty("Content-Type", "application/json; utf-8");
con.setRequestProperty("Accept", "application/json");
con.setDoOutput(true);
String jsonInputString = "{\n \"data\": {\n \"type\": \"organization-member\",\n \"attributes\": {\n \"organization_admin\": true\n },\n \"relationships\": {\n \"organization_member_groups\": {\n \"data\": [\n {\n \"id\": 0,\n \"type\": \"organization-member-group\"\n }\n ]\n }\n }\n }\n}";
try(OutputStream os = con.getOutputStream()) {
byte[] input = jsonInputString.getBytes("utf-8");
os.write(input, 0, input.length);
}
try(BufferedReader br = new BufferedReader(
new InputStreamReader(con.getInputStream(), "utf-8"))) {
StringBuilder response = new StringBuilder();
String responseLine = null;
while ((responseLine = br.readLine()) != null) {
response.append(responseLine.trim());
}
System.out.println(response.toString());
}
let inputBody = "{\n \"data\": {\n \"type\": \"organization-member\",\n \"attributes\": {\n \"organization_admin\": true\n },\n \"relationships\": {\n \"organization_member_groups\": {\n \"data\": [\n {\n \"id\": 0,\n \"type\": \"organization-member-group\"\n }\n ]\n }\n }\n }\n}";
let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
headers.set('Content-Type', 'application/json'); headers.set('Accept', 'application/json');
fetch('https://api.hackerone.com/v1/organizations/{organization_id}/members/{id}',
{
method: 'PUT',
body: inputBody,
headers: headers
})
.then(function(res) {
return res.json();
}).then(function(body) {
console.log(body);
});
package main
import (
"bytes"
"io/ioutil"
"log"
"net/http"
)
func main() {
headers := map[string][]string{
"Content-Type": []string{"application/json"},
"Accept": []string{"application/json"},
}
data := bytes.NewBuffer([]byte(`"{\n \"data\": {\n \"type\": \"organization-member\",\n \"attributes\": {\n \"organization_admin\": true\n },\n \"relationships\": {\n \"organization_member_groups\": {\n \"data\": [\n {\n \"id\": 0,\n \"type\": \"organization-member-group\"\n }\n ]\n }\n }\n }\n}"`))
req, err := http.NewRequest("PUT", "https://api.hackerone.com/v1/organizations/{organization_id}/members/{id}", data)
req.Header = headers
req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
body, _ := ioutil.ReadAll(resp.Body)
log.Println(string(body))
}
organization member updated
{
"data": {
"id": "1",
"type": "organization-member",
"attributes": {
"organization_id": "3",
"user_id": "5",
"email": "example@hackerone.com",
"organization_admin": true,
"created_at": "2016-02-02T04:05:06.000Z",
"updated_at": "2016-02-02T04:05:06.000Z",
"last_sign_in_at": "2023-11-24T21:24:31.102Z"
},
"relationships": {
"organization_member_groups": {
"data": [
{
"id": "2",
"type": "organization-member-group",
"attributes": {
"name": "Standard1",
"organization_id": "3",
"eligibility_setting_id": "4",
"permissions": [
"read_only_member"
],
"created_at": "2016-02-02T04:05:06.000Z",
"updated_at": "2016-02-02T04:05:06.000Z",
"migrated_at": null
}
}
]
}
}
}
}
PUT /organizations/{organization_id}/members/{id}
This endpoint can be used to update an organization member. When the API request is successful, an organization member object will be returned.
It is possible to update groups users have access to via organization_member_groups relationships.
Required permissions: User Manager. You can manage the permissions of your API users through your organization's settings. Insufficient permissions will result in a 401 Unauthorized response.
You can get the ID of your organization from me/organizations endpoint.
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| organization_id | path | integer | true | The ID of the organization. |
| id | path | integer | true | The ID of the organization member. |
| data | body | object | true | The information to update an organization member. |
| » type | body | string | true | none |
| » attributes | body | object | true | none |
| »» organization_admin | body | boolean | false | If the member is an organization admin. |
| » relationships | body | object | false | none |
| »» organization_member_groups | body | object | false | A list of groups for the organization member. |
| »»» data | body | [any] | true | none |
Enumerated Values
| Parameter | Value |
|---|---|
| » type | organization-member |
Get All Programs
Code samples
# You can also use wget
curl "https://api.hackerone.com/v1/organizations/{organization_id}/programs" \
-X GET \
-u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
-H 'Accept: application/json'
import requests
headers = {
'Accept': 'application/json'
}
r = requests.get(
'https://api.hackerone.com/v1/organizations/{organization_id}/programs',
auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
headers = headers
)
print(r.json())
require 'rest-client'
require 'json'
headers = {
'Accept' => 'application/json'
}
result = RestClient::Request.execute(
method: :get,
url: 'https://api.hackerone.com/v1/organizations/{organization_id}/programs',
password: '<YOUR_API_TOKEN>',
user: '<YOUR_API_USERNAME>',
headers: headers
)
p JSON.parse(result)
URL obj = new URL("https://api.hackerone.com/v1/organizations/{organization_id}/programs");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);
con.setRequestMethod("GET");
try(BufferedReader br = new BufferedReader(
new InputStreamReader(con.getInputStream(), "utf-8"))) {
StringBuilder response = new StringBuilder();
String responseLine = null;
while ((responseLine = br.readLine()) != null) {
response.append(responseLine.trim());
}
System.out.println(response.toString());
}
let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
headers.set('Accept', 'application/json');
fetch('https://api.hackerone.com/v1/organizations/{organization_id}/programs',
{
method: 'GET',
headers: headers
})
.then(function(res) {
return res.json();
}).then(function(body) {
console.log(body);
});
package main
import (
"io/ioutil"
"log"
"net/http"
)
func main() {
headers := map[string][]string{
"Accept": []string{"application/json"},
}
req, err := http.NewRequest("GET", "https://api.hackerone.com/v1/organizations/{organization_id}/programs", nil)
req.Header = headers
req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
body, _ := ioutil.ReadAll(resp.Body)
log.Println(string(body))
}
organization programs found
{
"data": [
{
"id": "<id>",
"type": "program",
"attributes": {
"handle": "user-management-api",
"created_at": "2016-02-02T04:05:06.000Z",
"updated_at": "2016-02-02T04:05:06.000Z"
}
},
{
"id": "<id>",
"type": "program",
"attributes": {
"handle": "user-management-api-2",
"created_at": "2016-02-02T04:05:06.000Z",
"updated_at": "2016-02-02T04:05:06.000Z"
}
}
],
"links": {}
}
GET /organizations/{organization_id}/programs
This API endpoint can be used to list all programs of an organization. When the request is
successful, the API will respond with paginated
program objects.
Required permissions: Group Manager. You can manage the permissions of your API users through your organization's settings. Insufficient permissions will result in a 403 Forbidden response.
You can get the ID of your organization from me/organizations endpoint.
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| organization_id | path | integer | true | The ID of the organization. |
| page[number] | query | integer | false | The page to retrieve from. The default is set to 1. |
| page[size] | query | integer | false | The number of objects per page (currently limited from 1 to 100). The default is set to 25. |
Programs
Get Your Programs
Code samples
# You can also use wget
curl "https://api.hackerone.com/v1/me/programs" \
-X GET \
-u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
-H 'Accept: application/json'
import requests
headers = {
'Accept': 'application/json'
}
r = requests.get(
'https://api.hackerone.com/v1/me/programs',
auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
headers = headers
)
print(r.json())
require 'rest-client'
require 'json'
headers = {
'Accept' => 'application/json'
}
result = RestClient::Request.execute(
method: :get,
url: 'https://api.hackerone.com/v1/me/programs',
password: '<YOUR_API_TOKEN>',
user: '<YOUR_API_USERNAME>',
headers: headers
)
p JSON.parse(result)
URL obj = new URL("https://api.hackerone.com/v1/me/programs");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);
con.setRequestMethod("GET");
try(BufferedReader br = new BufferedReader(
new InputStreamReader(con.getInputStream(), "utf-8"))) {
StringBuilder response = new StringBuilder();
String responseLine = null;
while ((responseLine = br.readLine()) != null) {
response.append(responseLine.trim());
}
System.out.println(response.toString());
}
let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
headers.set('Accept', 'application/json');
fetch('https://api.hackerone.com/v1/me/programs',
{
method: 'GET',
headers: headers
})
.then(function(res) {
return res.json();
}).then(function(body) {
console.log(body);
});
package main
import (
"io/ioutil"
"log"
"net/http"
)
func main() {
headers := map[string][]string{
"Accept": []string{"application/json"},
}
req, err := http.NewRequest("GET", "https://api.hackerone.com/v1/me/programs", nil)
req.Header = headers
req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
body, _ := ioutil.ReadAll(resp.Body)
log.Println(string(body))
}
programs found
{
"data": [
{
"id": "1",
"type": "program",
"attributes": {
"handle": "security",
"created_at": "2017-01-01T08:00:00.000Z",
"updated_at": "2017-02-17T04:34:15.910Z"
}
}
],
"links": {}
}
GET /me/programs
This API endpoint allows you to query the program objects that you
are a member of.
The groups and members relationships are not included in the response.
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| page[number] | query | integer | false | The page to retrieve from. The default is set to 1. |
| page[size] | query | integer | false | The number of objects per page (currently limited from 1 to 100). The default is set to 25. |
Get Allowed Reporter Activities
Code samples
# You can also use wget
curl "https://api.hackerone.com/v1/programs/{id}/allowed_reporters/{allowed_reporter_id}/activities" \
-X GET \
-u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
-H 'Accept: application/json'
import requests
headers = {
'Accept': 'application/json'
}
r = requests.get(
'https://api.hackerone.com/v1/programs/{id}/allowed_reporters/{allowed_reporter_id}/activities',
auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
headers = headers
)
print(r.json())
require 'rest-client'
require 'json'
headers = {
'Accept' => 'application/json'
}
result = RestClient::Request.execute(
method: :get,
url: 'https://api.hackerone.com/v1/programs/{id}/allowed_reporters/{allowed_reporter_id}/activities',
password: '<YOUR_API_TOKEN>',
user: '<YOUR_API_USERNAME>',
headers: headers
)
p JSON.parse(result)
URL obj = new URL("https://api.hackerone.com/v1/programs/{id}/allowed_reporters/{allowed_reporter_id}/activities");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);
con.setRequestMethod("GET");
try(BufferedReader br = new BufferedReader(
new InputStreamReader(con.getInputStream(), "utf-8"))) {
StringBuilder response = new StringBuilder();
String responseLine = null;
while ((responseLine = br.readLine()) != null) {
response.append(responseLine.trim());
}
System.out.println(response.toString());
}
let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
headers.set('Accept', 'application/json');
fetch('https://api.hackerone.com/v1/programs/{id}/allowed_reporters/{allowed_reporter_id}/activities',
{
method: 'GET',
headers: headers
})
.then(function(res) {
return res.json();
}).then(function(body) {
console.log(body);
});
package main
import (
"io/ioutil"
"log"
"net/http"
)
func main() {
headers := map[string][]string{
"Accept": []string{"application/json"},
}
req, err := http.NewRequest("GET", "https://api.hackerone.com/v1/programs/{id}/allowed_reporters/{allowed_reporter_id}/activities", nil)
req.Header = headers
req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
body, _ := ioutil.ReadAll(resp.Body)
log.Println(string(body))
}
activities found
{
"data": [
{
"type": "activity-program-hacker-joined",
"id": "1337",
"attributes": {
"message": "",
"created_at": "2016-02-02T04:05:06.000Z",
"updated_at": "2016-02-02T04:05:06.000Z",
"internal": false
}
}
],
"links": {}
}
GET /programs/{id}/allowed_reporters/{allowed_reporter_id}/activities
This resource allows you to retrieve a list of activities of a researcher
that belong to your private program.
These activities are "activity-program-hacker-joined", "activity-program-hacker-left" and "activity-invitation-received"
Multiple activities objects can be queried by sending a GET request to the reporters endpoint. When the request is successful, the API will respond with paginated activities objects. Note that, you won't see other relationships and attachments of an activity.
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| id | path | integer | true | The ID of the program. |
| allowed_reporter_id | path | integer | true | The ID of the allowed reporter. |
| page[number] | query | integer | false | The page to retrieve from. The default is set to 1. |
| page[size] | query | integer | false | The number of objects per page (currently limited from 1 to 100). The default is set to 25. |
Get Allowed Reporter username history
Code samples
# You can also use wget
curl "https://api.hackerone.com/v1/programs/{id}/allowed_reporters/{allowed_reporter_id}/username_history" \
-X GET \
-u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
-H 'Accept: application/json'
import requests
headers = {
'Accept': 'application/json'
}
r = requests.get(
'https://api.hackerone.com/v1/programs/{id}/allowed_reporters/{allowed_reporter_id}/username_history',
auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
headers = headers
)
print(r.json())
require 'rest-client'
require 'json'
headers = {
'Accept' => 'application/json'
}
result = RestClient::Request.execute(
method: :get,
url: 'https://api.hackerone.com/v1/programs/{id}/allowed_reporters/{allowed_reporter_id}/username_history',
password: '<YOUR_API_TOKEN>',
user: '<YOUR_API_USERNAME>',
headers: headers
)
p JSON.parse(result)
URL obj = new URL("https://api.hackerone.com/v1/programs/{id}/allowed_reporters/{allowed_reporter_id}/username_history");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);
con.setRequestMethod("GET");
try(BufferedReader br = new BufferedReader(
new InputStreamReader(con.getInputStream(), "utf-8"))) {
StringBuilder response = new StringBuilder();
String responseLine = null;
while ((responseLine = br.readLine()) != null) {
response.append(responseLine.trim());
}
System.out.println(response.toString());
}
let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
headers.set('Accept', 'application/json');
fetch('https://api.hackerone.com/v1/programs/{id}/allowed_reporters/{allowed_reporter_id}/username_history',
{
method: 'GET',
headers: headers
})
.then(function(res) {
return res.json();
}).then(function(body) {
console.log(body);
});
package main
import (
"io/ioutil"
"log"
"net/http"
)
func main() {
headers := map[string][]string{
"Accept": []string{"application/json"},
}
req, err := http.NewRequest("GET", "https://api.hackerone.com/v1/programs/{id}/allowed_reporters/{allowed_reporter_id}/username_history", nil)
req.Header = headers
req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
body, _ := ioutil.ReadAll(resp.Body)
log.Println(string(body))
}
allowed reporter found
{
"data": {
"type": "allowed_reporter_username_history",
"attributes": {
"old_usernames": [
"zero-trust",
"zero_trust-the-sequel"
],
"user_id": "42"
}
}
}
GET /programs/{id}/allowed_reporters/{allowed_reporter_id}/username_history
This resource allows you to retrieve a list of old usernames of a researcher
that belong to your private program.
This can be useful for debugging purposes, but HackerOne advises to rely on IDs for cross-referencing data (instead of usernames) The current username is not included in the list.
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| id | path | integer | true | The ID of the program. |
| allowed_reporter_id | path | integer | true | The ID of the allowed reporter. |
Get Allowed Reporters
Code samples
# You can also use wget
curl "https://api.hackerone.com/v1/programs/{id}/allowed_reporters" \
-X GET \
-u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
-H 'Accept: application/json'
import requests
headers = {
'Accept': 'application/json'
}
r = requests.get(
'https://api.hackerone.com/v1/programs/{id}/allowed_reporters',
auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
headers = headers
)
print(r.json())
require 'rest-client'
require 'json'
headers = {
'Accept' => 'application/json'
}
result = RestClient::Request.execute(
method: :get,
url: 'https://api.hackerone.com/v1/programs/{id}/allowed_reporters',
password: '<YOUR_API_TOKEN>',
user: '<YOUR_API_USERNAME>',
headers: headers
)
p JSON.parse(result)
URL obj = new URL("https://api.hackerone.com/v1/programs/{id}/allowed_reporters");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);
con.setRequestMethod("GET");
try(BufferedReader br = new BufferedReader(
new InputStreamReader(con.getInputStream(), "utf-8"))) {
StringBuilder response = new StringBuilder();
String responseLine = null;
while ((responseLine = br.readLine()) != null) {
response.append(responseLine.trim());
}
System.out.println(response.toString());
}
let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
headers.set('Accept', 'application/json');
fetch('https://api.hackerone.com/v1/programs/{id}/allowed_reporters',
{
method: 'GET',
headers: headers
})
.then(function(res) {
return res.json();
}).then(function(body) {
console.log(body);
});
package main
import (
"io/ioutil"
"log"
"net/http"
)
func main() {
headers := map[string][]string{
"Accept": []string{"application/json"},
}
req, err := http.NewRequest("GET", "https://api.hackerone.com/v1/programs/{id}/allowed_reporters", nil)
req.Header = headers
req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
body, _ := ioutil.ReadAll(resp.Body)
log.Println(string(body))
}
allowed reporters found
{
"data": [
{
"id": "1337",
"type": "allowed_reporter",
"attributes": {
"username": "awesome-hacker",
"email_alias": "awesome-hacker@wearehackerone.com",
"cleared": true,
"created_at": "2016-02-02T04:05:06.000Z",
"old_usernames": [
"old-awesome-hacker"
]
}
}
],
"links": {}
}
GET /programs/{id}/allowed_reporters
This resource allows you to retrieve a list of all researchers
that belong to your private program.
Multiple allowed reporter objects can be queried by sending a GET request to the reporters endpoint. When the request is successful, the API will respond with paginated allowed reporter objects.
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| id | path | integer | true | The ID of the program. |
| page[number] | query | integer | false | The page to retrieve from. The default is set to 1. |
| page[size] | query | integer | false | The number of objects per page (currently limited from 1 to 100). The default is set to 25. |
Get Audit Log
Code samples
# You can also use wget
curl "https://api.hackerone.com/v1/programs/{id}/audit_log" \
-X GET \
-u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
-H 'Accept: application/json'
import requests
headers = {
'Accept': 'application/json'
}
r = requests.get(
'https://api.hackerone.com/v1/programs/{id}/audit_log',
auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
headers = headers
)
print(r.json())
require 'rest-client'
require 'json'
headers = {
'Accept' => 'application/json'
}
result = RestClient::Request.execute(
method: :get,
url: 'https://api.hackerone.com/v1/programs/{id}/audit_log',
password: '<YOUR_API_TOKEN>',
user: '<YOUR_API_USERNAME>',
headers: headers
)
p JSON.parse(result)
URL obj = new URL("https://api.hackerone.com/v1/programs/{id}/audit_log");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);
con.setRequestMethod("GET");
try(BufferedReader br = new BufferedReader(
new InputStreamReader(con.getInputStream(), "utf-8"))) {
StringBuilder response = new StringBuilder();
String responseLine = null;
while ((responseLine = br.readLine()) != null) {
response.append(responseLine.trim());
}
System.out.println(response.toString());
}
let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
headers.set('Accept', 'application/json');
fetch('https://api.hackerone.com/v1/programs/{id}/audit_log',
{
method: 'GET',
headers: headers
})
.then(function(res) {
return res.json();
}).then(function(body) {
console.log(body);
});
package main
import (
"io/ioutil"
"log"
"net/http"
)
func main() {
headers := map[string][]string{
"Accept": []string{"application/json"},
}
req, err := http.NewRequest("GET", "https://api.hackerone.com/v1/programs/{id}/audit_log", nil)
req.Header = headers
req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
body, _ := ioutil.ReadAll(resp.Body)
log.Println(string(body))
}
Audit logs
{
"data": {
"id": "1",
"type": "audit-log-item",
"attributes": {
"log": "\"@member\" invited \"someone@example.com\".",
"event": "invitations.team_members.create",
"source": "User#1",
"subject": "Invitation#1",
"user_agent": "Chrome/11.0",
"country": "US",
"parameters": "{\"identifier\":\"jobert\"}",
"created_at": "2019-05-15T04:05:06.000Z"
}
}
}
GET /programs/{id}/audit_log
Returns a paginated list of the audit log items of the provided program.
This API endpoint allows a user to view all audit log items that have been created for
a particular program.
Required permissions: Program Management. You can view audit log items and
manage the permissions of your API users through your organization's settings. Insufficient
permissions will result in a 403 Forbidden response.
Note: This feature is currently in beta and has not been enabled for all programs.
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| id | path | integer | true | The ID of the program. |
| page[number] | query | integer | false | The page to retrieve from. The default is set to 1. |
| page[size] | query | integer | false | The number of objects per page (currently limited from 1 to 100). The default is set to 25. |
Get Your Programs Balance
Code samples
# You can also use wget
curl "https://api.hackerone.com/v1/programs/{id}/billing/balance" \
-X GET \
-u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
-H 'Accept: application/json'
import requests
headers = {
'Accept': 'application/json'
}
r = requests.get(
'https://api.hackerone.com/v1/programs/{id}/billing/balance',
auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
headers = headers
)
print(r.json())
require 'rest-client'
require 'json'
headers = {
'Accept' => 'application/json'
}
result = RestClient::Request.execute(
method: :get,
url: 'https://api.hackerone.com/v1/programs/{id}/billing/balance',
password: '<YOUR_API_TOKEN>',
user: '<YOUR_API_USERNAME>',
headers: headers
)
p JSON.parse(result)
URL obj = new URL("https://api.hackerone.com/v1/programs/{id}/billing/balance");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);
con.setRequestMethod("GET");
try(BufferedReader br = new BufferedReader(
new InputStreamReader(con.getInputStream(), "utf-8"))) {
StringBuilder response = new StringBuilder();
String responseLine = null;
while ((responseLine = br.readLine()) != null) {
response.append(responseLine.trim());
}
System.out.println(response.toString());
}
let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
headers.set('Accept', 'application/json');
fetch('https://api.hackerone.com/v1/programs/{id}/billing/balance',
{
method: 'GET',
headers: headers
})
.then(function(res) {
return res.json();
}).then(function(body) {
console.log(body);
});
package main
import (
"io/ioutil"
"log"
"net/http"
)
func main() {
headers := map[string][]string{
"Accept": []string{"application/json"},
}
req, err := http.NewRequest("GET", "https://api.hackerone.com/v1/programs/{id}/billing/balance", nil)
req.Header = headers
req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
body, _ := ioutil.ReadAll(resp.Body)
log.Println(string(body))
}
balance found
{
"data": {
"id": "1337",
"type": "program-balance",
"attributes": {
"balance": "1500.00"
}
}
}
GET /programs/{id}/billing/balance
This API endpoint allows a user to retrieve the current balance for a particular program.
Required permissions: Program Management. You can manage the permissions of your API users through your program's settings. Insufficient permissions will result in a 403 Forbidden response.
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| id | path | integer | true | The ID of the program. |
Get Payment Transactions
Code samples
# You can also use wget
curl "https://api.hackerone.com/v1/programs/{id}/billing/transactions" \
-X GET \
-u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
-H 'Accept: application/json'
import requests
headers = {
'Accept': 'application/json'
}
r = requests.get(
'https://api.hackerone.com/v1/programs/{id}/billing/transactions',
auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
headers = headers
)
print(r.json())
require 'rest-client'
require 'json'
headers = {
'Accept' => 'application/json'
}
result = RestClient::Request.execute(
method: :get,
url: 'https://api.hackerone.com/v1/programs/{id}/billing/transactions',
password: '<YOUR_API_TOKEN>',
user: '<YOUR_API_USERNAME>',
headers: headers
)
p JSON.parse(result)
URL obj = new URL("https://api.hackerone.com/v1/programs/{id}/billing/transactions");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);
con.setRequestMethod("GET");
try(BufferedReader br = new BufferedReader(
new InputStreamReader(con.getInputStream(), "utf-8"))) {
StringBuilder response = new StringBuilder();
String responseLine = null;
while ((responseLine = br.readLine()) != null) {
response.append(responseLine.trim());
}
System.out.println(response.toString());
}
let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
headers.set('Accept', 'application/json');
fetch('https://api.hackerone.com/v1/programs/{id}/billing/transactions',
{
method: 'GET',
headers: headers
})
.then(function(res) {
return res.json();
}).then(function(body) {
console.log(body);
});
package main
import (
"io/ioutil"
"log"
"net/http"
)
func main() {
headers := map[string][]string{
"Accept": []string{"application/json"},
}
req, err := http.NewRequest("GET", "https://api.hackerone.com/v1/programs/{id}/billing/transactions", nil)
req.Header = headers
req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
body, _ := ioutil.ReadAll(resp.Body)
log.Println(string(body))
}
Payment transactions found
{
"id": 10,
"bounty_award": "1000.00",
"bounty_fee": "200.00",
"activity_date": "2019-09-25T04:22:42.686Z",
"activity_description": "Bounty for report #9",
"debit_or_credit_amount": "-1200.00",
"balance": "-1200.00",
"payment_transaction_type": "payment",
"relationships": {
"payer": {
"data": {
"id": 3,
"type": "user"
},
"attributes": {
"username": "payer-username"
},
"links": {
"self": "http://hackerone.com/payer-username"
}
},
"report": {
"data": {
"id": 9,
"type": "report"
},
"links": {
"self": "http://hackerone.com/reports/9"
}
},
"user": {
"data": {
"id": 1,
"type": "user"
},
"attributes": {
"username": "hacker-username"
},
"links": {
"self": "http://hackerone.com/hacker-username"
}
},
"team": {
"data": {
"id": 2,
"type": "team"
},
"attributes": {
"handle": "hacker-team"
},
"links": {
"self": "http://hackerone.com/hacker-team"
}
}
},
"links": {
"self": "https://api.hackerone.com/v1/programs/{id}/billing/transactions?page%5Bnumber%5D=1",
"next": "https://api.hackerone.com/v1/programs/{id}/billing/transactions?page%5Bnumber%5D=2",
"last": "https://api.hackerone.com/v1/programs/{id}/billing/transactions?page%5Bnumber%5D=5"
}
}
GET /programs/{id}/billing/transactions
This API endpoint enables a user to retrieve program's list of payment transactions for
the selected month. When the request is successful, the API will respond with paginated
payment transaction objects of the provided program.
If you want to get transactions for an entire year,
you will need to request each month individually.
Required permissions: Program Management. You can manage the permissions of your API users through your program's settings. If the program has a parent program, the API user should belong to the parent program. Insufficient permissions will result in a 403 Forbidden or a 404 Not Found response.
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| id | path | integer | true | The ID of the program. |
| month | query | integer | false | The month of the transaction period. The default is set to the current month. |
| year | query | integer | false | The year of the transaction period. The default is set to the current year. |
| page[number] | query | integer | false | The page to retrieve from. The default is set to 1. |
| page[size] | query | integer | false | The number of objects per page (currently limited from 1 to 100). The default is set to 25. |
Award Bounty
Code samples
# You can also use wget
curl "https://api.hackerone.com/v1/programs/{id}/bounties" \
-X POST \
-u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
-H 'Content-Type: application/json' \
-H 'Accept: application/json' \
-d @- <<EOD
{
"data": {
"type": "bounty",
"attributes": {
"recipient": "string",
"recipient_id": "string",
"amount": 0,
"reference": "string",
"title": "string",
"currency": "USD",
"severity_rating": "none"
}
}
}
EOD
import requests
headers = {
'Content-Type': 'application/json',
'Accept': 'application/json'
}
data = {
"data": {
"type": "bounty",
"attributes": {
"recipient": "string",
"recipient_id": "string",
"amount": 0,
"reference": "string",
"title": "string",
"currency": "USD",
"severity_rating": "none"
}
}
}
r = requests.post(
'https://api.hackerone.com/v1/programs/{id}/bounties',
auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
json = data,
headers = headers
)
print(r.json())
require 'rest-client'
require 'json'
headers = {
'Content-Type' => 'application/json',
'Accept' => 'application/json'
}
data = {
"data": {
"type": "bounty",
"attributes": {
"recipient": "string",
"recipient_id": "string",
"amount": 0,
"reference": "string",
"title": "string",
"currency": "USD",
"severity_rating": "none"
}
}
}
result = RestClient::Request.execute(
method: :post,
url: 'https://api.hackerone.com/v1/programs/{id}/bounties',
password: '<YOUR_API_TOKEN>',
user: '<YOUR_API_USERNAME>',
payload: data,
headers: headers
)
p JSON.parse(result)
URL obj = new URL("https://api.hackerone.com/v1/programs/{id}/bounties");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);
con.setRequestMethod("POST");
con.setRequestProperty("Content-Type", "application/json; utf-8");
con.setRequestProperty("Accept", "application/json");
con.setDoOutput(true);
String jsonInputString = "{\n \"data\": {\n \"type\": \"bounty\",\n \"attributes\": {\n \"recipient\": \"string\",\n \"recipient_id\": \"string\",\n \"amount\": 0,\n \"reference\": \"string\",\n \"title\": \"string\",\n \"currency\": \"USD\",\n \"severity_rating\": \"none\"\n }\n }\n}";
try(OutputStream os = con.getOutputStream()) {
byte[] input = jsonInputString.getBytes("utf-8");
os.write(input, 0, input.length);
}
try(BufferedReader br = new BufferedReader(
new InputStreamReader(con.getInputStream(), "utf-8"))) {
StringBuilder response = new StringBuilder();
String responseLine = null;
while ((responseLine = br.readLine()) != null) {
response.append(responseLine.trim());
}
System.out.println(response.toString());
}
let inputBody = "{\n \"data\": {\n \"type\": \"bounty\",\n \"attributes\": {\n \"recipient\": \"string\",\n \"recipient_id\": \"string\",\n \"amount\": 0,\n \"reference\": \"string\",\n \"title\": \"string\",\n \"currency\": \"USD\",\n \"severity_rating\": \"none\"\n }\n }\n}";
let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
headers.set('Content-Type', 'application/json'); headers.set('Accept', 'application/json');
fetch('https://api.hackerone.com/v1/programs/{id}/bounties',
{
method: 'POST',
body: inputBody,
headers: headers
})
.then(function(res) {
return res.json();
}).then(function(body) {
console.log(body);
});
package main
import (
"bytes"
"io/ioutil"
"log"
"net/http"
)
func main() {
headers := map[string][]string{
"Content-Type": []string{"application/json"},
"Accept": []string{"application/json"},
}
data := bytes.NewBuffer([]byte(`"{\n \"data\": {\n \"type\": \"bounty\",\n \"attributes\": {\n \"recipient\": \"string\",\n \"recipient_id\": \"string\",\n \"amount\": 0,\n \"reference\": \"string\",\n \"title\": \"string\",\n \"currency\": \"USD\",\n \"severity_rating\": \"none\"\n }\n }\n}"`))
req, err := http.NewRequest("POST", "https://api.hackerone.com/v1/programs/{id}/bounties", data)
req.Header = headers
req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
body, _ := ioutil.ReadAll(resp.Body)
log.Println(string(body))
}
bounty awarded
{
"data": {
"id": "1",
"type": "bounty",
"attributes": {
"amount": "100.00",
"bonus_amount": "0.00",
"awarded_amount": "100.00",
"awarded_bonus_amount": "0.00",
"awarded_currency": "USD",
"created_at": "2017-02-14T23:07:24.252Z"
},
"relationships": {
"report": {
"data": {
"id": "1337",
"type": "report",
"attributes": {
"title": "XSS in login form",
"state": "new",
"created_at": "2016-02-02T04:05:06.000Z",
"vulnerability_information": "...",
"triaged_at": null,
"closed_at": null,
"last_reporter_activity_at": null,
"first_program_activity_at": null,
"last_program_activity_at": null,
"bounty_awarded_at": null,
"swag_awarded_at": null,
"disclosed_at": null,
"last_public_activity_at": null,
"last_activity_at": null,
"issue_tracker_reference_url": "https://example.com/reference",
"cve_ids": [],
"source": null,
"reporter_agreed_on_going_public_at": null
}
}
},
"invitations": [
{
"id": "10",
"recipient": "hacker@hackerone.com",
"claim_url": "https://hackerone.com/invitations/3fe0a8badea0023c2fcca5c860d5899e"
}
]
}
}
}
POST /programs/{id}/bounties
Use this endpoint to award a bounty. When the API call is successful,
a bounty object will be returned.
Required permissions: Reward Management. You can manage the permissions of your API users through your organization's settings. Insufficient permissions will result in a 403 Forbidden response.
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| id | path | integer | true | The ID of the program. |
| data | body | object | true | The information required to create a bounty. |
| » type | body | string | true | none |
| » attributes | body | object | true | none |
| »» recipient | body | string | false | The email address of the recipient. |
| »» recipient_id | body | string | false | The id of the recipient. |
| »» amount | body | number | true | The bounty amount to be awarded. |
| »» reference | body | string | true | An internal reference attached to the report that makes searching or filtering in the future easy. |
| »» title | body | string | true | The title of the security vulnerability that was reported to you. |
| »» currency | body | string | true | none |
| »» severity_rating | body | severity-ratings | false | The qualitative rating of the severity. Provided either directly from the author or mapped from the calculated vulnerability score. |
Detailed descriptions
»» recipient: The email address of the recipient.
When the email address is provided, an email will be sent to the recipient to claim the bounty. When the email address is not provided, you can use the claim URL in the response to notify the recipient yourself. When the user does not have an account yet with HackerOne, they'll be onboarded before they can claim the reward. Users that already have an account, will benefit from collecting the payout easily through HackerOne and will get additional reputation points to showcase on their HackerOne profile.
»» recipient_id: The id of the recipient.
When the recipient_id is provided, an email will be sent to the recipient to claim the bounty. If both recipient and recipient_id provided then recipient attribute has a higher priority. If non of attributes provided then email won't be sent.
Enumerated Values
| Parameter | Value |
|---|---|
| » type | bounty |
| »» currency | USD |
| »» severity_rating | none |
| »» severity_rating | low |
| »» severity_rating | medium |
| »» severity_rating | high |
| »» severity_rating | critical |
Get Common Responses
Code samples
# You can also use wget
curl "https://api.hackerone.com/v1/programs/{id}/common_responses" \
-X GET \
-u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
-H 'Accept: application/json'
import requests
headers = {
'Accept': 'application/json'
}
r = requests.get(
'https://api.hackerone.com/v1/programs/{id}/common_responses',
auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
headers = headers
)
print(r.json())
require 'rest-client'
require 'json'
headers = {
'Accept' => 'application/json'
}
result = RestClient::Request.execute(
method: :get,
url: 'https://api.hackerone.com/v1/programs/{id}/common_responses',
password: '<YOUR_API_TOKEN>',
user: '<YOUR_API_USERNAME>',
headers: headers
)
p JSON.parse(result)
URL obj = new URL("https://api.hackerone.com/v1/programs/{id}/common_responses");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);
con.setRequestMethod("GET");
try(BufferedReader br = new BufferedReader(
new InputStreamReader(con.getInputStream(), "utf-8"))) {
StringBuilder response = new StringBuilder();
String responseLine = null;
while ((responseLine = br.readLine()) != null) {
response.append(responseLine.trim());
}
System.out.println(response.toString());
}
let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
headers.set('Accept', 'application/json');
fetch('https://api.hackerone.com/v1/programs/{id}/common_responses',
{
method: 'GET',
headers: headers
})
.then(function(res) {
return res.json();
}).then(function(body) {
console.log(body);
});
package main
import (
"io/ioutil"
"log"
"net/http"
)
func main() {
headers := map[string][]string{
"Accept": []string{"application/json"},
}
req, err := http.NewRequest("GET", "https://api.hackerone.com/v1/programs/{id}/common_responses", nil)
req.Header = headers
req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
body, _ := ioutil.ReadAll(resp.Body)
log.Println(string(body))
}
reporters found
{
"data": [
{
"id": "108878",
"attributes": {
"title": "Vulnerability Scanner False Positive",
"message": "Automated vulnerability scanners commonly have low priority issues and/or false positives. Before submitting the results from a scanner, please take a moment to confirm that the reported issues are actually valid and exploitable. Please reply if you have a working proof-of-concept or reason to believe that this issue is exploitable.\n"
}
},
{
"id": "108886",
"attributes": {
"title": "X-XSS-Protection",
"message": "Automated vulnerability scanners commonly have low priority issues and/or false positives. Before submitting the results from a scanner, please take a moment to confirm that the reported issues are actually valid and exploitable. In this specific case, we believe that the default state of the `X-XSS-Protection` header is sufficient for our purposes. Please reply if you have a working proof-of-concept that could be mitigated by an adjustment to our header.\n"
}
},
{
"id": "108891",
"attributes": {
"title": "Video Without Content",
"message": "Using a video to demonstrate a potential issue should only be necessary in rare situations and should always be accompanied with a text description of the issue as well. Please update this report with step-by-step instructions to reproduce the core components of the issue. If you don't speak English, feel free to leave your report in your own language, and we'll try our best to find someone who can help translate.\n"
}
}
],
"links": {}
}
GET /programs/{id}/common_responses
Common responses can be fetched by sending a GET request to the common responses endpoint. When the request is successful, the API will respond with paginated common responses.
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| id | path | integer | true | The ID of the program. |
| page[number] | query | integer | false | The page to retrieve from. The default is set to 1. |
| page[size] | query | integer | false | The number of objects per page (currently limited from 1 to 100). The default is set to 25. |
Upload Policy Attachments
Code samples
# You can also use wget
curl "https://api.hackerone.com/v1/programs/{id}/policy_attachments" \
-X POST \
-u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
-H 'Content-Type: multipart/form-data' \
-H 'Accept: application/json' \
-d @- <<EOD
null
EOD
import requests
headers = {
'Content-Type': 'multipart/form-data',
'Accept': 'application/json'
}
data = null
r = requests.post(
'https://api.hackerone.com/v1/programs/{id}/policy_attachments',
auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
json = data,
headers = headers
)
print(r.json())
require 'rest-client'
require 'json'
headers = {
'Content-Type' => 'multipart/form-data',
'Accept' => 'application/json'
}
data = null
result = RestClient::Request.execute(
method: :post,
url: 'https://api.hackerone.com/v1/programs/{id}/policy_attachments',
password: '<YOUR_API_TOKEN>',
user: '<YOUR_API_USERNAME>',
payload: data,
headers: headers
)
p JSON.parse(result)
URL obj = new URL("https://api.hackerone.com/v1/programs/{id}/policy_attachments");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);
con.setRequestMethod("POST");
con.setRequestProperty("Content-Type", "application/json; utf-8");
con.setRequestProperty("Accept", "application/json");
con.setDoOutput(true);
String jsonInputString = "null";
try(OutputStream os = con.getOutputStream()) {
byte[] input = jsonInputString.getBytes("utf-8");
os.write(input, 0, input.length);
}
try(BufferedReader br = new BufferedReader(
new InputStreamReader(con.getInputStream(), "utf-8"))) {
StringBuilder response = new StringBuilder();
String responseLine = null;
while ((responseLine = br.readLine()) != null) {
response.append(responseLine.trim());
}
System.out.println(response.toString());
}
let inputBody = "null";
let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
headers.set('Content-Type', 'multipart/form-data'); headers.set('Accept', 'application/json');
fetch('https://api.hackerone.com/v1/programs/{id}/policy_attachments',
{
method: 'POST',
body: inputBody,
headers: headers
})
.then(function(res) {
return res.json();
}).then(function(body) {
console.log(body);
});
package main
import (
"bytes"
"io/ioutil"
"log"
"net/http"
)
func main() {
headers := map[string][]string{
"Content-Type": []string{"multipart/form-data"},
"Accept": []string{"application/json"},
}
data := bytes.NewBuffer([]byte(`"null"`))
req, err := http.NewRequest("POST", "https://api.hackerone.com/v1/programs/{id}/policy_attachments", data)
req.Header = headers
req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
body, _ := ioutil.ReadAll(resp.Body)
log.Println(string(body))
}
attachment uploaded
{
"id": "1337",
"type": "attachment",
"attributes": {
"expiring_url": "/system/attachments/files/000/001/337/original/root.rb?1454385906",
"created_at": "2016-02-02T04:05:06.000Z",
"file_name": "root.rb",
"content_type": "text/x-ruby",
"file_size": 2871
}
}
POST /programs/{id}/policy_attachments
Policy attachments can be uploaded by sending a POST request to the program policy
attachments endpoint. When the API call is successful, an attachment
object will be returned.
You can use the attachment ID to display the attachment on your policy page. For example,
if the attachment ID is 1337, then include {F1337} in your policy to display the
attachment.
Required permissions: Program Management. You can manage the permissions of your API users through your organization's settings. Insufficient permissions will result in a 404 Not Found response.
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| id | path | integer | true | The ID of the program. |
Update Policy
Code samples
# You can also use wget
curl "https://api.hackerone.com/v1/programs/{id}/policy" \
-X PUT \
-u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
-H 'Content-Type: application/json' \
-H 'Accept: application/json' \
-d @- <<EOD
{
"data": {
"type": "program-policy",
"attributes": {
"policy": "string"
}
}
}
EOD
import requests
headers = {
'Content-Type': 'application/json',
'Accept': 'application/json'
}
data = {
"data": {
"type": "program-policy",
"attributes": {
"policy": "string"
}
}
}
r = requests.put(
'https://api.hackerone.com/v1/programs/{id}/policy',
auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
json = data,
headers = headers
)
print(r.json())
require 'rest-client'
require 'json'
headers = {
'Content-Type' => 'application/json',
'Accept' => 'application/json'
}
data = {
"data": {
"type": "program-policy",
"attributes": {
"policy": "string"
}
}
}
result = RestClient::Request.execute(
method: :put,
url: 'https://api.hackerone.com/v1/programs/{id}/policy',
password: '<YOUR_API_TOKEN>',
user: '<YOUR_API_USERNAME>',
payload: data,
headers: headers
)
p JSON.parse(result)
URL obj = new URL("https://api.hackerone.com/v1/programs/{id}/policy");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);
con.setRequestMethod("PUT");
con.setRequestProperty("Content-Type", "application/json; utf-8");
con.setRequestProperty("Accept", "application/json");
con.setDoOutput(true);
String jsonInputString = "{\n \"data\": {\n \"type\": \"program-policy\",\n \"attributes\": {\n \"policy\": \"string\"\n }\n }\n}";
try(OutputStream os = con.getOutputStream()) {
byte[] input = jsonInputString.getBytes("utf-8");
os.write(input, 0, input.length);
}
try(BufferedReader br = new BufferedReader(
new InputStreamReader(con.getInputStream(), "utf-8"))) {
StringBuilder response = new StringBuilder();
String responseLine = null;
while ((responseLine = br.readLine()) != null) {
response.append(responseLine.trim());
}
System.out.println(response.toString());
}
let inputBody = "{\n \"data\": {\n \"type\": \"program-policy\",\n \"attributes\": {\n \"policy\": \"string\"\n }\n }\n}";
let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
headers.set('Content-Type', 'application/json'); headers.set('Accept', 'application/json');
fetch('https://api.hackerone.com/v1/programs/{id}/policy',
{
method: 'PUT',
body: inputBody,
headers: headers
})
.then(function(res) {
return res.json();
}).then(function(body) {
console.log(body);
});
package main
import (
"bytes"
"io/ioutil"
"log"
"net/http"
)
func main() {
headers := map[string][]string{
"Content-Type": []string{"application/json"},
"Accept": []string{"application/json"},
}
data := bytes.NewBuffer([]byte(`"{\n \"data\": {\n \"type\": \"program-policy\",\n \"attributes\": {\n \"policy\": \"string\"\n }\n }\n}"`))
req, err := http.NewRequest("PUT", "https://api.hackerone.com/v1/programs/{id}/policy", data)
req.Header = headers
req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
body, _ := ioutil.ReadAll(resp.Body)
log.Println(string(body))
}
Policy updated
{
"data": {
"id": "12",
"type": "program",
"attributes": {
"handle": "security",
"policy": "...",
"created_at": "2013-01-01T00:00:00.000Z",
"updated_at": "2019-08-26T13:53:24.807Z"
}
}
}
PUT /programs/{id}/policy
Managing the policy of a program through the HackerOne API can be useful to programmatically batch update programs in HackerOne. You can use this endpoint to update the policy of your program.
Required permissions: Program Management. You can manage the permissions of your API users through your program's settings. Insufficient permissions will result in a 404 Not Found response.
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| id | path | integer | true | The ID of the program. |
| data | body | object | true | The information to update the policy of a program. |
| » type | body | string | true | none |
| » attributes | body | object | true | none |
| »» policy | body | string | true | The new policy that will be set on the program. |
Enumerated Values
| Parameter | Value |
|---|---|
| » type | program-policy |
Get Reporters
Code samples
# You can also use wget
curl "https://api.hackerone.com/v1/programs/{id}/reporters" \
-X GET \
-u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
-H 'Accept: application/json'
import requests
headers = {
'Accept': 'application/json'
}
r = requests.get(
'https://api.hackerone.com/v1/programs/{id}/reporters',
auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
headers = headers
)
print(r.json())
require 'rest-client'
require 'json'
headers = {
'Accept' => 'application/json'
}
result = RestClient::Request.execute(
method: :get,
url: 'https://api.hackerone.com/v1/programs/{id}/reporters',
password: '<YOUR_API_TOKEN>',
user: '<YOUR_API_USERNAME>',
headers: headers
)
p JSON.parse(result)
URL obj = new URL("https://api.hackerone.com/v1/programs/{id}/reporters");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);
con.setRequestMethod("GET");
try(BufferedReader br = new BufferedReader(
new InputStreamReader(con.getInputStream(), "utf-8"))) {
StringBuilder response = new StringBuilder();
String responseLine = null;
while ((responseLine = br.readLine()) != null) {
response.append(responseLine.trim());
}
System.out.println(response.toString());
}
let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
headers.set('Accept', 'application/json');
fetch('https://api.hackerone.com/v1/programs/{id}/reporters',
{
method: 'GET',
headers: headers
})
.then(function(res) {
return res.json();
}).then(function(body) {
console.log(body);
});
package main
import (
"io/ioutil"
"log"
"net/http"
)
func main() {
headers := map[string][]string{
"Accept": []string{"application/json"},
}
req, err := http.NewRequest("GET", "https://api.hackerone.com/v1/programs/{id}/reporters", nil)
req.Header = headers
req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
body, _ := ioutil.ReadAll(resp.Body)
log.Println(string(body))
}
reporters found
{
"data": [
{
"id": "1337",
"type": "user",
"attributes": {
"username": "awesome-hacker",
"name": "Awesome Hacker",
"disabled": false,
"created_at": "2016-02-02T04:05:06.000Z",
"profile_picture": {
"62x62": "/assets/avatars/default.png",
"82x82": "/assets/avatars/default.png",
"110x110": "/assets/avatars/default.png",
"260x260": "/assets/avatars/default.png"
}
}
}
],
"links": {}
}
GET /programs/{id}/reporters
This resource allows you to retrieve a list of all users that ever
submitted a report to the program.
Multiple user objects can be queried by sending a GET request to the reporters endpoint. When the request is successful, the API will respond with paginated user objects.
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| id | path | integer | true | The ID of the program. |
| page[number] | query | integer | false | The page to retrieve from. The default is set to 1. |
| page[size] | query | integer | false | The number of objects per page (currently limited from 1 to 100). The default is set to 25. |
Get Structured Scopes
Code samples
# You can also use wget
curl "https://api.hackerone.com/v1/programs/{id}/structured_scopes" \
-X GET \
-u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
-H 'Accept: application/json'
import requests
headers = {
'Accept': 'application/json'
}
r = requests.get(
'https://api.hackerone.com/v1/programs/{id}/structured_scopes',
auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
headers = headers
)
print(r.json())
require 'rest-client'
require 'json'
headers = {
'Accept' => 'application/json'
}
result = RestClient::Request.execute(
method: :get,
url: 'https://api.hackerone.com/v1/programs/{id}/structured_scopes',
password: '<YOUR_API_TOKEN>',
user: '<YOUR_API_USERNAME>',
headers: headers
)
p JSON.parse(result)
URL obj = new URL("https://api.hackerone.com/v1/programs/{id}/structured_scopes");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);
con.setRequestMethod("GET");
try(BufferedReader br = new BufferedReader(
new InputStreamReader(con.getInputStream(), "utf-8"))) {
StringBuilder response = new StringBuilder();
String responseLine = null;
while ((responseLine = br.readLine()) != null) {
response.append(responseLine.trim());
}
System.out.println(response.toString());
}
let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
headers.set('Accept', 'application/json');
fetch('https://api.hackerone.com/v1/programs/{id}/structured_scopes',
{
method: 'GET',
headers: headers
})
.then(function(res) {
return res.json();
}).then(function(body) {
console.log(body);
});
package main
import (
"io/ioutil"
"log"
"net/http"
)
func main() {
headers := map[string][]string{
"Accept": []string{"application/json"},
}
req, err := http.NewRequest("GET", "https://api.hackerone.com/v1/programs/{id}/structured_scopes", nil)
req.Header = headers
req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
body, _ := ioutil.ReadAll(resp.Body)
log.Println(string(body))
}
structured scopes found
{
"data": [
{
"id": "57",
"type": "structured-scope",
"attributes": {
"asset_identifier": "api.example.com",
"asset_type": "URL",
"confidentiality_requirement": "high",
"integrity_requirement": "high",
"availability_requirement": "high",
"max_severity": "critical",
"created_at": "2015-02-02T04:05:06.000Z",
"updated_at": "2016-05-02T04:05:06.000Z",
"instruction": null,
"eligible_for_bounty": true,
"eligible_for_submission": true,
"reference": "H001001"
}
},
{
"id": "58",
"type": "structured-scope",
"attributes": {
"asset_identifier": "www.example.com",
"asset_type": "URL",
"confidentiality_requirement": "low",
"integrity_requirement": "high",
"availability_requirement": "high",
"max_severity": "critical",
"created_at": "2017-02-03T04:05:10.000Z",
"updated_at": "2018-05-02T04:05:10.000Z",
"instruction": "Instruction text",
"eligible_for_bounty": true,
"eligible_for_submission": true,
"reference": "H001002"
}
}
],
"links": {}
}
GET /programs/{id}/structured_scopes
Structured scopes can be fetched by sending a GET request to the structured scopes endpoint. When the request is successful, the API will respond with paginated structured scope objects.
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| id | path | integer | true | The ID of the program. You can find the program ID by fetching your programs. |
| page[number] | query | integer | false | The page to retrieve from. The default is set to 1. |
| page[size] | query | integer | false | The number of objects per page (currently limited from 1 to 100). The default is set to 25. |
Add Structured Scope
Code samples
# You can also use wget
curl "https://api.hackerone.com/v1/programs/{id}/structured_scopes" \
-X POST \
-u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
-H 'Content-Type: application/json' \
-H 'Accept: application/json' \
-d @- <<EOD
{
"data": {
"type": "structured-scope",
"attributes": {
"asset_identifier": "string",
"asset_type": "CIDR",
"eligible_for_bounty": true,
"eligible_for_submission": true,
"instruction": "string",
"confidentiality_requirement": "none",
"integrity_requirement": "none",
"availability_requirement": "none",
"max_severity": "none",
"reference": "string"
}
}
}
EOD
import requests
headers = {
'Content-Type': 'application/json',
'Accept': 'application/json'
}
data = {
"data": {
"type": "structured-scope",
"attributes": {
"asset_identifier": "string",
"asset_type": "CIDR",
"eligible_for_bounty": true,
"eligible_for_submission": true,
"instruction": "string",
"confidentiality_requirement": "none",
"integrity_requirement": "none",
"availability_requirement": "none",
"max_severity": "none",
"reference": "string"
}
}
}
r = requests.post(
'https://api.hackerone.com/v1/programs/{id}/structured_scopes',
auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
json = data,
headers = headers
)
print(r.json())
require 'rest-client'
require 'json'
headers = {
'Content-Type' => 'application/json',
'Accept' => 'application/json'
}
data = {
"data": {
"type": "structured-scope",
"attributes": {
"asset_identifier": "string",
"asset_type": "CIDR",
"eligible_for_bounty": true,
"eligible_for_submission": true,
"instruction": "string",
"confidentiality_requirement": "none",
"integrity_requirement": "none",
"availability_requirement": "none",
"max_severity": "none",
"reference": "string"
}
}
}
result = RestClient::Request.execute(
method: :post,
url: 'https://api.hackerone.com/v1/programs/{id}/structured_scopes',
password: '<YOUR_API_TOKEN>',
user: '<YOUR_API_USERNAME>',
payload: data,
headers: headers
)
p JSON.parse(result)
URL obj = new URL("https://api.hackerone.com/v1/programs/{id}/structured_scopes");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);
con.setRequestMethod("POST");
con.setRequestProperty("Content-Type", "application/json; utf-8");
con.setRequestProperty("Accept", "application/json");
con.setDoOutput(true);
String jsonInputString = "{\n \"data\": {\n \"type\": \"structured-scope\",\n \"attributes\": {\n \"asset_identifier\": \"string\",\n \"asset_type\": \"CIDR\",\n \"eligible_for_bounty\": true,\n \"eligible_for_submission\": true,\n \"instruction\": \"string\",\n \"confidentiality_requirement\": \"none\",\n \"integrity_requirement\": \"none\",\n \"availability_requirement\": \"none\",\n \"max_severity\": \"none\",\n \"reference\": \"string\"\n }\n }\n}";
try(OutputStream os = con.getOutputStream()) {
byte[] input = jsonInputString.getBytes("utf-8");
os.write(input, 0, input.length);
}
try(BufferedReader br = new BufferedReader(
new InputStreamReader(con.getInputStream(), "utf-8"))) {
StringBuilder response = new StringBuilder();
String responseLine = null;
while ((responseLine = br.readLine()) != null) {
response.append(responseLine.trim());
}
System.out.println(response.toString());
}
let inputBody = "{\n \"data\": {\n \"type\": \"structured-scope\",\n \"attributes\": {\n \"asset_identifier\": \"string\",\n \"asset_type\": \"CIDR\",\n \"eligible_for_bounty\": true,\n \"eligible_for_submission\": true,\n \"instruction\": \"string\",\n \"confidentiality_requirement\": \"none\",\n \"integrity_requirement\": \"none\",\n \"availability_requirement\": \"none\",\n \"max_severity\": \"none\",\n \"reference\": \"string\"\n }\n }\n}";
let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
headers.set('Content-Type', 'application/json'); headers.set('Accept', 'application/json');
fetch('https://api.hackerone.com/v1/programs/{id}/structured_scopes',
{
method: 'POST',
body: inputBody,
headers: headers
})
.then(function(res) {
return res.json();
}).then(function(body) {
console.log(body);
});
package main
import (
"bytes"
"io/ioutil"
"log"
"net/http"
)
func main() {
headers := map[string][]string{
"Content-Type": []string{"application/json"},
"Accept": []string{"application/json"},
}
data := bytes.NewBuffer([]byte(`"{\n \"data\": {\n \"type\": \"structured-scope\",\n \"attributes\": {\n \"asset_identifier\": \"string\",\n \"asset_type\": \"CIDR\",\n \"eligible_for_bounty\": true,\n \"eligible_for_submission\": true,\n \"instruction\": \"string\",\n \"confidentiality_requirement\": \"none\",\n \"integrity_requirement\": \"none\",\n \"availability_requirement\": \"none\",\n \"max_severity\": \"none\",\n \"reference\": \"string\"\n }\n }\n}"`))
req, err := http.NewRequest("POST", "https://api.hackerone.com/v1/programs/{id}/structured_scopes", data)
req.Header = headers
req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
body, _ := ioutil.ReadAll(resp.Body)
log.Println(string(body))
}
structured scope created
{
"id": "57",
"type": "structured-scope",
"attributes": {
"asset_identifier": "api.example.com",
"asset_type": "URL",
"confidentiality_requirement": "high",
"integrity_requirement": "high",
"availability_requirement": "high",
"max_severity": "critical",
"created_at": "2015-02-02T04:05:06.000Z",
"updated_at": "2016-05-02T04:05:06.000Z",
"instruction": null,
"eligible_for_bounty": true,
"eligible_for_submission": true,
"reference": "H001001"
}
}
POST /programs/{id}/structured_scopes
This endpoint can be used to add an asset to a program. When the API request is successful, a structured scope object will be returned. Please refer to our platform documentation to get more information on the different asset types.
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| id | path | integer | true | The ID of the program. You can find the program ID by fetching your programs. |
| data | body | object | true | The information to create a structured scope. |
| » type | body | string | true | none |
| » attributes | body | object | true | none |
| »» asset_identifier | body | string | true | The identifier of the asset. |
| »» asset_type | body | string | true | The type of asset. |
| »» eligible_for_bounty | body | boolean | false | The eligibility of the asset for bounties. |
| »» eligible_for_submission | body | boolean | false | If the asset is eligible for submission. |
| »» instruction | body | string | false | The raw instruction of the asset provided by the program. Markdown is not parsed. |
| »» confidentiality_requirement | body | string | false | A CVSS environmental modifier that reweighs Confidentiality Impact of a vulnerability on the asset. |
| »» integrity_requirement | body | string | false | A CVSS environmental modifier that reweighs Integrity Impact of a vulnerability on the asset. |
| »» availability_requirement | body | string | false | A CVSS environmental modifier that reweighs Availability Impact of a vulnerability on the asset. |
| »» max_severity | body | severity-ratings | false | The qualitative rating of the severity. Provided either directly from the author or mapped from the calculated vulnerability score. |
| »» reference | body | string | false | The customer defined reference identifier or tag of the asset. |
Enumerated Values
| Parameter | Value |
|---|---|
| » type | structured-scope |
| »» asset_type | CIDR |
| »» asset_type | URL |
| »» asset_type | APPLE_STORE_APP_ID |
| »» asset_type | TESTFLIGHT |
| »» asset_type | OTHER_IPA |
| »» asset_type | GOOGLE_PLAY_APP_ID |
| »» asset_type | OTHER_APK |
| »» asset_type | WINDOWS_APP_STORE_APP_ID |
| »» asset_type | SOURCE_CODE |
| »» asset_type | DOWNLOADABLE_EXECUTABLES |
| »» asset_type | HARDWARE |
| »» asset_type | OTHER |
| »» confidentiality_requirement | none |
| »» confidentiality_requirement | low |
| »» confidentiality_requirement | medium |
| »» confidentiality_requirement | high |
| »» integrity_requirement | none |
| »» integrity_requirement | low |
| »» integrity_requirement | medium |
| »» integrity_requirement | high |
| »» availability_requirement | none |
| »» availability_requirement | low |
| »» availability_requirement | medium |
| »» availability_requirement | high |
| »» max_severity | none |
| »» max_severity | low |
| »» max_severity | medium |
| »» max_severity | high |
| »» max_severity | critical |
Update Structured Scope
Code samples
# You can also use wget
curl "https://api.hackerone.com/v1/programs/{program_id}/structured_scopes/{id}" \
-X PUT \
-u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
-H 'Content-Type: application/json' \
-H 'Accept: application/json' \
-d @- <<EOD
{
"data": {
"type": "structured-scope",
"attributes": {
"asset_identifier": "string",
"eligible_for_bounty": true,
"eligible_for_submission": true,
"instruction": "string",
"confidentiality_requirement": "none",
"integrity_requirement": "none",
"availability_requirement": "none",
"max_severity": "none",
"reference": "string"
}
}
}
EOD
import requests
headers = {
'Content-Type': 'application/json',
'Accept': 'application/json'
}
data = {
"data": {
"type": "structured-scope",
"attributes": {
"asset_identifier": "string",
"eligible_for_bounty": true,
"eligible_for_submission": true,
"instruction": "string",
"confidentiality_requirement": "none",
"integrity_requirement": "none",
"availability_requirement": "none",
"max_severity": "none",
"reference": "string"
}
}
}
r = requests.put(
'https://api.hackerone.com/v1/programs/{program_id}/structured_scopes/{id}',
auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
json = data,
headers = headers
)
print(r.json())
require 'rest-client'
require 'json'
headers = {
'Content-Type' => 'application/json',
'Accept' => 'application/json'
}
data = {
"data": {
"type": "structured-scope",
"attributes": {
"asset_identifier": "string",
"eligible_for_bounty": true,
"eligible_for_submission": true,
"instruction": "string",
"confidentiality_requirement": "none",
"integrity_requirement": "none",
"availability_requirement": "none",
"max_severity": "none",
"reference": "string"
}
}
}
result = RestClient::Request.execute(
method: :put,
url: 'https://api.hackerone.com/v1/programs/{program_id}/structured_scopes/{id}',
password: '<YOUR_API_TOKEN>',
user: '<YOUR_API_USERNAME>',
payload: data,
headers: headers
)
p JSON.parse(result)
URL obj = new URL("https://api.hackerone.com/v1/programs/{program_id}/structured_scopes/{id}");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);
con.setRequestMethod("PUT");
con.setRequestProperty("Content-Type", "application/json; utf-8");
con.setRequestProperty("Accept", "application/json");
con.setDoOutput(true);
String jsonInputString = "{\n \"data\": {\n \"type\": \"structured-scope\",\n \"attributes\": {\n \"asset_identifier\": \"string\",\n \"eligible_for_bounty\": true,\n \"eligible_for_submission\": true,\n \"instruction\": \"string\",\n \"confidentiality_requirement\": \"none\",\n \"integrity_requirement\": \"none\",\n \"availability_requirement\": \"none\",\n \"max_severity\": \"none\",\n \"reference\": \"string\"\n }\n }\n}";
try(OutputStream os = con.getOutputStream()) {
byte[] input = jsonInputString.getBytes("utf-8");
os.write(input, 0, input.length);
}
try(BufferedReader br = new BufferedReader(
new InputStreamReader(con.getInputStream(), "utf-8"))) {
StringBuilder response = new StringBuilder();
String responseLine = null;
while ((responseLine = br.readLine()) != null) {
response.append(responseLine.trim());
}
System.out.println(response.toString());
}
let inputBody = "{\n \"data\": {\n \"type\": \"structured-scope\",\n \"attributes\": {\n \"asset_identifier\": \"string\",\n \"eligible_for_bounty\": true,\n \"eligible_for_submission\": true,\n \"instruction\": \"string\",\n \"confidentiality_requirement\": \"none\",\n \"integrity_requirement\": \"none\",\n \"availability_requirement\": \"none\",\n \"max_severity\": \"none\",\n \"reference\": \"string\"\n }\n }\n}";
let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
headers.set('Content-Type', 'application/json'); headers.set('Accept', 'application/json');
fetch('https://api.hackerone.com/v1/programs/{program_id}/structured_scopes/{id}',
{
method: 'PUT',
body: inputBody,
headers: headers
})
.then(function(res) {
return res.json();
}).then(function(body) {
console.log(body);
});
package main
import (
"bytes"
"io/ioutil"
"log"
"net/http"
)
func main() {
headers := map[string][]string{
"Content-Type": []string{"application/json"},
"Accept": []string{"application/json"},
}
data := bytes.NewBuffer([]byte(`"{\n \"data\": {\n \"type\": \"structured-scope\",\n \"attributes\": {\n \"asset_identifier\": \"string\",\n \"eligible_for_bounty\": true,\n \"eligible_for_submission\": true,\n \"instruction\": \"string\",\n \"confidentiality_requirement\": \"none\",\n \"integrity_requirement\": \"none\",\n \"availability_requirement\": \"none\",\n \"max_severity\": \"none\",\n \"reference\": \"string\"\n }\n }\n}"`))
req, err := http.NewRequest("PUT", "https://api.hackerone.com/v1/programs/{program_id}/structured_scopes/{id}", data)
req.Header = headers
req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
body, _ := ioutil.ReadAll(resp.Body)
log.Println(string(body))
}
structured scope updated
{
"id": "57",
"type": "structured-scope",
"attributes": {
"asset_identifier": "api.example.com",
"asset_type": "URL",
"confidentiality_requirement": "high",
"integrity_requirement": "high",
"availability_requirement": "high",
"max_severity": "critical",
"created_at": "2015-02-02T04:05:06.000Z",
"updated_at": "2016-05-02T04:05:06.000Z",
"instruction": null,
"eligible_for_bounty": true,
"eligible_for_submission": true,
"reference": "H001001"
}
}
PUT /programs/{program_id}/structured_scopes/{id}
This endpoint can be used to update an asset of a program. When the API request is successful, a structured scope object will be returned.
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| program_id | path | integer | true | The ID of the program. You can find the program ID by fetching your programs. |
| id | path | integer | true | The ID of the structured scope. |
| data | body | object | true | The information to update a structured scope. |
| » type | body | string | true | none |
| » attributes | body | object | true | none |
| »» asset_identifier | body | string | true | The identifier of the asset. |
| »» eligible_for_bounty | body | boolean | false | If the asset is eligible for bounty. |
| »» eligible_for_submission | body | boolean | false | If the asset is eligible for submission. |
| »» instruction | body | string | false | The raw instruction of the asset provided by the program (markdown is not parsed). |
| »» confidentiality_requirement | body | string | false | A CVSS environmental modifier that reweighs Confidentiality Impact of a vulnerability on the asset. |
| »» integrity_requirement | body | string | false | A CVSS environmental modifier that reweighs Integrity Impact of a vulnerability on the asset. |
| »» availability_requirement | body | string | false | A CVSS environmental modifier that reweighs Availability Impact of a vulnerability on the asset. |
| »» max_severity | body | severity-ratings | false | The qualitative rating of the severity. Provided either directly from the author or mapped from the calculated vulnerability score. |
| »» reference | body | string | false | The customer defined reference identifier or tag of the asset. |
Enumerated Values
| Parameter | Value |
|---|---|
| » type | structured-scope |
| »» confidentiality_requirement | none |
| »» confidentiality_requirement | low |
| »» confidentiality_requirement | medium |
| »» confidentiality_requirement | high |
| »» integrity_requirement | none |
| »» integrity_requirement | low |
| »» integrity_requirement | medium |
| »» integrity_requirement | high |
| »» availability_requirement | none |
| »» availability_requirement | low |
| »» availability_requirement | medium |
| »» availability_requirement | high |
| »» max_severity | none |
| »» max_severity | low |
| »» max_severity | medium |
| »» max_severity | high |
| »» max_severity | critical |
Archive Structured Scope
Code samples
# You can also use wget
curl "https://api.hackerone.com/v1/programs/{program_id}/structured_scopes/{id}" \
-X DELETE \
-u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
-H 'Accept: application/json'
import requests
headers = {
'Accept': 'application/json'
}
r = requests.delete(
'https://api.hackerone.com/v1/programs/{program_id}/structured_scopes/{id}',
auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
headers = headers
)
print(r.json())
require 'rest-client'
require 'json'
headers = {
'Accept' => 'application/json'
}
result = RestClient::Request.execute(
method: :delete,
url: 'https://api.hackerone.com/v1/programs/{program_id}/structured_scopes/{id}',
password: '<YOUR_API_TOKEN>',
user: '<YOUR_API_USERNAME>',
headers: headers
)
p JSON.parse(result)
URL obj = new URL("https://api.hackerone.com/v1/programs/{program_id}/structured_scopes/{id}");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);
con.setRequestMethod("DELETE");
try(BufferedReader br = new BufferedReader(
new InputStreamReader(con.getInputStream(), "utf-8"))) {
StringBuilder response = new StringBuilder();
String responseLine = null;
while ((responseLine = br.readLine()) != null) {
response.append(responseLine.trim());
}
System.out.println(response.toString());
}
let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
headers.set('Accept', 'application/json');
fetch('https://api.hackerone.com/v1/programs/{program_id}/structured_scopes/{id}',
{
method: 'DELETE',
headers: headers
})
.then(function(res) {
return res.json();
}).then(function(body) {
console.log(body);
});
package main
import (
"io/ioutil"
"log"
"net/http"
)
func main() {
headers := map[string][]string{
"Accept": []string{"application/json"},
}
req, err := http.NewRequest("DELETE", "https://api.hackerone.com/v1/programs/{program_id}/structured_scopes/{id}", nil)
req.Header = headers
req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
body, _ := ioutil.ReadAll(resp.Body)
log.Println(string(body))
}
structured scope archived
{
"id": "57",
"type": "structured-scope",
"attributes": {
"asset_identifier": "api.example.com",
"asset_type": "URL",
"confidentiality_requirement": "high",
"integrity_requirement": "high",
"availability_requirement": "high",
"max_severity": "critical",
"created_at": "2015-02-02T04:05:06.000Z",
"updated_at": "2016-05-02T04:05:06.000Z",
"instruction": null,
"eligible_for_bounty": true,
"eligible_for_submission": true,
"reference": "H001001"
}
}
DELETE /programs/{program_id}/structured_scopes/{id}
This endpoint can be used to archive an asset of a program. When the API request is successful, a structured scope object will be returned.
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| program_id | path | integer | true | The ID of the program. You can find the program ID by fetching your programs. |
| id | path | integer | true | The ID of the structured scope. |
Get Awarded Swag
Code samples
# You can also use wget
curl "https://api.hackerone.com/v1/programs/{id}/swag" \
-X GET \
-u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
-H 'Accept: application/json'
import requests
headers = {
'Accept': 'application/json'
}
r = requests.get(
'https://api.hackerone.com/v1/programs/{id}/swag',
auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
headers = headers
)
print(r.json())
require 'rest-client'
require 'json'
headers = {
'Accept' => 'application/json'
}
result = RestClient::Request.execute(
method: :get,
url: 'https://api.hackerone.com/v1/programs/{id}/swag',
password: '<YOUR_API_TOKEN>',
user: '<YOUR_API_USERNAME>',
headers: headers
)
p JSON.parse(result)
URL obj = new URL("https://api.hackerone.com/v1/programs/{id}/swag");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);
con.setRequestMethod("GET");
try(BufferedReader br = new BufferedReader(
new InputStreamReader(con.getInputStream(), "utf-8"))) {
StringBuilder response = new StringBuilder();
String responseLine = null;
while ((responseLine = br.readLine()) != null) {
response.append(responseLine.trim());
}
System.out.println(response.toString());
}
let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
headers.set('Accept', 'application/json');
fetch('https://api.hackerone.com/v1/programs/{id}/swag',
{
method: 'GET',
headers: headers
})
.then(function(res) {
return res.json();
}).then(function(body) {
console.log(body);
});
package main
import (
"io/ioutil"
"log"
"net/http"
)
func main() {
headers := map[string][]string{
"Accept": []string{"application/json"},
}
req, err := http.NewRequest("GET", "https://api.hackerone.com/v1/programs/{id}/swag", nil)
req.Header = headers
req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
body, _ := ioutil.ReadAll(resp.Body)
log.Println(string(body))
}
swag found
{
"data": [
{
"id": "8",
"type": "swag",
"attributes": {
"sent": true,
"created_at": "2019-08-30T08:33:42.147Z"
},
"relationships": {
"user": {
"data": {
"id": "1337",
"type": "user",
"attributes": {
"username": "api-example",
"name": "API Example",
"disabled": false,
"created_at": "2016-02-02T04:05:06.000Z",
"profile_picture": {
"62x62": "/assets/avatars/default.png",
"82x82": "/assets/avatars/default.png",
"110x110": "/assets/avatars/default.png",
"260x260": "/assets/avatars/default.png"
}
}
}
},
"address": {
"data": {
"id": "1337",
"type": "address",
"attributes": {
"name": "Jane Doe",
"street": "535 Mission Street",
"city": "San Francisco",
"postal_code": "94105",
"state": "CA",
"country": "United States of America",
"created_at": "2016-02-02T04:05:06.000Z",
"tshirt_size": "M_Large",
"phone_number": "+1-510-000-0000"
}
}
}
}
},
{
"id": "7",
"type": "swag",
"attributes": {
"sent": false,
"created_at": "2019-08-20T03:47:04.163Z"
},
"relationships": {
"user": {
"data": {
"id": "1338",
"type": "user",
"attributes": {
"username": "johndoe",
"name": "John Doe",
"disabled": false,
"created_at": "2017-02-02T04:05:06.000Z",
"profile_picture": {
"62x62": "/assets/avatars/default.png",
"82x82": "/assets/avatars/default.png",
"110x110": "/assets/avatars/default.png",
"260x260": "/assets/avatars/default.png"
}
}
}
},
"address": {
"data": {
"id": "1337",
"type": "address",
"attributes": {
"name": "John Smith",
"street": "535 Mission Street",
"city": "New York",
"postal_code": "10001",
"state": "NY",
"country": "United States of America",
"created_at": "2017-01-03T07:08:09.000Z",
"tshirt_size": "M_Large",
"phone_number": "+1-212-000-0000"
}
}
}
}
}
],
"links": {}
}
GET /programs/{id}/swag
Awarded swag can be fetched by sending a GET request to the swag endpoint. When the request
is successful, the API will respond with paginated swag objects.
Required permissions: Program Management. You can manage the permissions of your API users through your organization's settings. Insufficient permissions will result in a 403 Forbidden response.
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| id | path | integer | true | The ID of the program. |
| page[number] | query | integer | false | The page to retrieve from. The default is set to 1. |
| page[size] | query | integer | false | The number of objects per page (currently limited from 1 to 100). The default is set to 25. |
Mark Swag as Sent
Code samples
# You can also use wget
curl "https://api.hackerone.com/v1/programs/{program_id}/swag/{id}" \
-X PUT \
-u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
-H 'Content-Type: application/json' \
-H 'Accept: application/json' \
-d @- <<EOD
{}
EOD
import requests
headers = {
'Content-Type': 'application/json',
'Accept': 'application/json'
}
data = {}
r = requests.put(
'https://api.hackerone.com/v1/programs/{program_id}/swag/{id}',
auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
json = data,
headers = headers
)
print(r.json())
require 'rest-client'
require 'json'
headers = {
'Content-Type' => 'application/json',
'Accept' => 'application/json'
}
data = {}
result = RestClient::Request.execute(
method: :put,
url: 'https://api.hackerone.com/v1/programs/{program_id}/swag/{id}',
password: '<YOUR_API_TOKEN>',
user: '<YOUR_API_USERNAME>',
payload: data,
headers: headers
)
p JSON.parse(result)
URL obj = new URL("https://api.hackerone.com/v1/programs/{program_id}/swag/{id}");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);
con.setRequestMethod("PUT");
con.setRequestProperty("Content-Type", "application/json; utf-8");
con.setRequestProperty("Accept", "application/json");
con.setDoOutput(true);
String jsonInputString = "{}";
try(OutputStream os = con.getOutputStream()) {
byte[] input = jsonInputString.getBytes("utf-8");
os.write(input, 0, input.length);
}
try(BufferedReader br = new BufferedReader(
new InputStreamReader(con.getInputStream(), "utf-8"))) {
StringBuilder response = new StringBuilder();
String responseLine = null;
while ((responseLine = br.readLine()) != null) {
response.append(responseLine.trim());
}
System.out.println(response.toString());
}
let inputBody = "{}";
let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
headers.set('Content-Type', 'application/json'); headers.set('Accept', 'application/json');
fetch('https://api.hackerone.com/v1/programs/{program_id}/swag/{id}',
{
method: 'PUT',
body: inputBody,
headers: headers
})
.then(function(res) {
return res.json();
}).then(function(body) {
console.log(body);
});
package main
import (
"bytes"
"io/ioutil"
"log"
"net/http"
)
func main() {
headers := map[string][]string{
"Content-Type": []string{"application/json"},
"Accept": []string{"application/json"},
}
data := bytes.NewBuffer([]byte(`"{}"`))
req, err := http.NewRequest("PUT", "https://api.hackerone.com/v1/programs/{program_id}/swag/{id}", data)
req.Header = headers
req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
body, _ := ioutil.ReadAll(resp.Body)
log.Println(string(body))
}
Swag marked as sent
{
"data": {
"id": "8",
"type": "swag",
"attributes": {
"sent": true,
"created_at": "2019-08-30T08:33:42.147Z"
},
"relationships": {
"user": {
"data": {
"id": "1337",
"type": "user",
"attributes": {
"username": "api-example",
"name": "API Example",
"disabled": false,
"created_at": "2016-02-02T04:05:06.000Z",
"profile_picture": {
"62x62": "/assets/avatars/default.png",
"82x82": "/assets/avatars/default.png",
"110x110": "/assets/avatars/default.png",
"260x260": "/assets/avatars/default.png"
}
}
}
},
"address": {
"data": {
"id": "1337",
"type": "address",
"attributes": {
"name": "Jane Doe",
"street": "535 Mission Street",
"city": "San Francisco",
"postal_code": "94105",
"state": "CA",
"country": "United States of America",
"created_at": "2016-02-02T04:05:06.000Z",
"tshirt_size": "M_Large",
"phone_number": "+1-510-000-0000"
}
}
}
}
}
}
PUT /programs/{program_id}/swag/{id}
The status of swag can be updated to "sent" through this endpoint. When the request is
successful, the API will respond with a swag object.
Required permissions: Program Management. You can manage the permissions of your API users through your organization's settings. Insufficient permissions will result in a 403 Forbidden response.
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| program_id | path | integer | true | The ID of the program. |
| id | path | integer | true | The ID of the swag. |
Get Thanks to Hackers
Code samples
# You can also use wget
curl "https://api.hackerone.com/v1/programs/{id}/thanks" \
-X GET \
-u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
-H 'Accept: application/json'
import requests
headers = {
'Accept': 'application/json'
}
r = requests.get(
'https://api.hackerone.com/v1/programs/{id}/thanks',
auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
headers = headers
)
print(r.json())
require 'rest-client'
require 'json'
headers = {
'Accept' => 'application/json'
}
result = RestClient::Request.execute(
method: :get,
url: 'https://api.hackerone.com/v1/programs/{id}/thanks',
password: '<YOUR_API_TOKEN>',
user: '<YOUR_API_USERNAME>',
headers: headers
)
p JSON.parse(result)
URL obj = new URL("https://api.hackerone.com/v1/programs/{id}/thanks");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);
con.setRequestMethod("GET");
try(BufferedReader br = new BufferedReader(
new InputStreamReader(con.getInputStream(), "utf-8"))) {
StringBuilder response = new StringBuilder();
String responseLine = null;
while ((responseLine = br.readLine()) != null) {
response.append(responseLine.trim());
}
System.out.println(response.toString());
}
let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
headers.set('Accept', 'application/json');
fetch('https://api.hackerone.com/v1/programs/{id}/thanks',
{
method: 'GET',
headers: headers
})
.then(function(res) {
return res.json();
}).then(function(body) {
console.log(body);
});
package main
import (
"io/ioutil"
"log"
"net/http"
)
func main() {
headers := map[string][]string{
"Accept": []string{"application/json"},
}
req, err := http.NewRequest("GET", "https://api.hackerone.com/v1/programs/{id}/thanks", nil)
req.Header = headers
req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
body, _ := ioutil.ReadAll(resp.Body)
log.Println(string(body))
}
thanks items found
{
"data": [
{
"type": "thanks-item",
"attributes": {
"total_report_count": 1,
"reputation": 7,
"recognized_report_count": 1,
"username": "lorem",
"user_id": "55"
}
},
{
"type": "thanks-item",
"attributes": {
"total_report_count": 1,
"reputation": 22,
"recognized_report_count": 1,
"username": "ipsum",
"user_id": "56"
}
},
{
"type": "thanks-item",
"attributes": {
"total_report_count": 5,
"reputation": 38,
"recognized_report_count": 3,
"username": "adam",
"user_id": "57"
}
}
],
"links": {}
}
GET /programs/{id}/thanks
This endpoint enables you to view a program's thanks to hackers.
A program's thanks items can be fetched by sending a GET request to the thanks endpoint. When the request is successful, the API will respond with paginated thanks items objects.
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| id | path | integer | true | The ID of the program. |
| page[number] | query | integer | false | The page to retrieve from. The default is set to 1. |
| page[size] | query | integer | false | The number of objects per page (currently limited from 1 to 100). The default is set to 25. |
Get Weaknesses
Code samples
# You can also use wget
curl "https://api.hackerone.com/v1/programs/{id}/weaknesses" \
-X GET \
-u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
-H 'Accept: application/json'
import requests
headers = {
'Accept': 'application/json'
}
r = requests.get(
'https://api.hackerone.com/v1/programs/{id}/weaknesses',
auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
headers = headers
)
print(r.json())
require 'rest-client'
require 'json'
headers = {
'Accept' => 'application/json'
}
result = RestClient::Request.execute(
method: :get,
url: 'https://api.hackerone.com/v1/programs/{id}/weaknesses',
password: '<YOUR_API_TOKEN>',
user: '<YOUR_API_USERNAME>',
headers: headers
)
p JSON.parse(result)
URL obj = new URL("https://api.hackerone.com/v1/programs/{id}/weaknesses");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);
con.setRequestMethod("GET");
try(BufferedReader br = new BufferedReader(
new InputStreamReader(con.getInputStream(), "utf-8"))) {
StringBuilder response = new StringBuilder();
String responseLine = null;
while ((responseLine = br.readLine()) != null) {
response.append(responseLine.trim());
}
System.out.println(response.toString());
}
let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
headers.set('Accept', 'application/json');
fetch('https://api.hackerone.com/v1/programs/{id}/weaknesses',
{
method: 'GET',
headers: headers
})
.then(function(res) {
return res.json();
}).then(function(body) {
console.log(body);
});
package main
import (
"io/ioutil"
"log"
"net/http"
)
func main() {
headers := map[string][]string{
"Accept": []string{"application/json"},
}
req, err := http.NewRequest("GET", "https://api.hackerone.com/v1/programs/{id}/weaknesses", nil)
req.Header = headers
req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
body, _ := ioutil.ReadAll(resp.Body)
log.Println(string(body))
}
weaknesses found
{
"data": [
{
"id": "1337",
"type": "weakness",
"attributes": {
"name": "Cross-Site Request Forgery (CSRF)",
"description": "The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.",
"created_at": "2016-02-02T04:05:06.000Z",
"external_id": "cwe-352"
}
},
{
"id": "1338",
"type": "weakness",
"attributes": {
"name": "SQL Injection",
"description": "The software constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component.",
"created_at": "2016-03-02T04:05:06.000Z",
"external_id": "cwe-89"
}
}
],
"links": {}
}
GET /programs/{id}/weaknesses
The Weakness endpoint enables you to retrieve a list of all weaknesses of the program.
Weaknesses can be fetched by sending a GET request to the weaknesses endpoint. When the request is successful, the API will respond with paginated weakness objects.
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| id | path | integer | true | The ID of the program. |
| page[number] | query | integer | false | The page to retrieve from. The default is set to 1. |
| page[size] | query | integer | false | The number of objects per page (currently limited from 1 to 100). The default is set to 25. |
Get Program
Code samples
# You can also use wget
curl "https://api.hackerone.com/v1/programs/{id}" \
-X GET \
-u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
-H 'Accept: application/json'
import requests
headers = {
'Accept': 'application/json'
}
r = requests.get(
'https://api.hackerone.com/v1/programs/{id}',
auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
headers = headers
)
print(r.json())
require 'rest-client'
require 'json'
headers = {
'Accept' => 'application/json'
}
result = RestClient::Request.execute(
method: :get,
url: 'https://api.hackerone.com/v1/programs/{id}',
password: '<YOUR_API_TOKEN>',
user: '<YOUR_API_USERNAME>',
headers: headers
)
p JSON.parse(result)
URL obj = new URL("https://api.hackerone.com/v1/programs/{id}");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);
con.setRequestMethod("GET");
try(BufferedReader br = new BufferedReader(
new InputStreamReader(con.getInputStream(), "utf-8"))) {
StringBuilder response = new StringBuilder();
String responseLine = null;
while ((responseLine = br.readLine()) != null) {
response.append(responseLine.trim());
}
System.out.println(response.toString());
}
let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
headers.set('Accept', 'application/json');
fetch('https://api.hackerone.com/v1/programs/{id}',
{
method: 'GET',
headers: headers
})
.then(function(res) {
return res.json();
}).then(function(body) {
console.log(body);
});
package main
import (
"io/ioutil"
"log"
"net/http"
)
func main() {
headers := map[string][]string{
"Accept": []string{"application/json"},
}
req, err := http.NewRequest("GET", "https://api.hackerone.com/v1/programs/{id}", nil)
req.Header = headers
req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
body, _ := ioutil.ReadAll(resp.Body)
log.Println(string(body))
}
program found
{
"data": {
"id": "1337",
"type": "program",
"attributes": {
"handle": "security",
"created_at": "2016-02-02T04:05:06.000Z",
"updated_at": "2016-02-02T04:05:06.000Z"
},
"relationships": {
"groups": {
"data": [
{
"id": "2557",
"type": "group",
"attributes": {
"name": "Standard",
"created_at": "2016-02-02T04:05:06.000Z",
"permissions": [
"report_management",
"reward_management"
]
}
},