Customer Resources
Activities
Get Activity
Code samples
# You can also use wget
curl "https://api.hackerone.com/v1/activities/{id}" \
-X GET \
-u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
-H 'Accept: application/json'
import requests
headers = {
'Accept': 'application/json'
}
r = requests.get(
'https://api.hackerone.com/v1/activities/{id}',
auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
headers = headers
)
print(r.json())
require 'rest-client'
require 'json'
headers = {
'Accept' => 'application/json'
}
result = RestClient::Request.execute(
method: :get,
url: 'https://api.hackerone.com/v1/activities/{id}',
password: '<YOUR_API_TOKEN>',
user: '<YOUR_API_USERNAME>',
headers: headers
)
p JSON.parse(result)
URL obj = new URL("https://api.hackerone.com/v1/activities/{id}");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);
con.setRequestMethod("GET");
try(BufferedReader br = new BufferedReader(
new InputStreamReader(con.getInputStream(), "utf-8"))) {
StringBuilder response = new StringBuilder();
String responseLine = null;
while ((responseLine = br.readLine()) != null) {
response.append(responseLine.trim());
}
System.out.println(response.toString());
}
let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
headers.set('Accept', 'application/json');
fetch('https://api.hackerone.com/v1/activities/{id}',
{
method: 'GET',
headers: headers
})
.then(function(res) {
return res.json();
}).then(function(body) {
console.log(body);
});
package main
import (
"io/ioutil"
"log"
"net/http"
)
func main() {
headers := map[string][]string{
"Accept": []string{"application/json"},
}
req, err := http.NewRequest("GET", "https://api.hackerone.com/v1/activities/{id}", nil)
req.Header = headers
req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
body, _ := ioutil.ReadAll(resp.Body)
log.Println(string(body))
}
activity found
{
"data": {
"id": "1337",
"type": "activity-comment",
"attributes": {
"message": "Comment!",
"created_at": "2016-02-02T04:05:06.000Z",
"updated_at": "2016-02-02T04:05:06.000Z",
"internal": false
},
"relationships": {
"actor": {
"data": {
"id": "1337",
"type": "user",
"attributes": {
"username": "api-example",
"name": "API Example",
"disabled": false,
"created_at": "2016-02-02T04:05:06.000Z",
"profile_picture": {
"62x62": "/assets/avatars/default.png",
"82x82": "/assets/avatars/default.png",
"110x110": "/assets/avatars/default.png",
"260x260": "/assets/avatars/default.png"
}
}
}
},
"attachments": {
"data": [
{
"id": "1337",
"type": "attachment",
"attributes": {
"expiring_url": "/system/attachments/files/000/001/337/original/root.rb?1454385906",
"created_at": "2016-02-02T04:05:06.000Z",
"file_name": "root.rb",
"content_type": "text/x-ruby",
"file_size": 2871
}
}
]
}
}
}
}
GET /activities/{id}
An activity object can be fetched by sending a GET request to a unique activity object.
In case the request was successful, the API will respond with an
activity object.
The included activity relationships depend on the type of activity that is returned. See the activity object for possible types and relationships.
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| id | path | integer | true | The ID of the activity. |
Query Activities
Code samples
# You can also use wget
curl "https://api.hackerone.com/v1/incremental/activities?handle=string" \
-X GET \
-u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
-H 'Accept: application/json'
import requests
headers = {
'Accept': 'application/json'
}
r = requests.get(
'https://api.hackerone.com/v1/incremental/activities',
auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
params={
'handle': 'string'
},
headers = headers
)
print(r.json())
require 'rest-client'
require 'json'
headers = {
'Accept' => 'application/json'
}
result = RestClient::Request.execute(
method: :get,
url: 'https://api.hackerone.com/v1/incremental/activities',
password: '<YOUR_API_TOKEN>',
user: '<YOUR_API_USERNAME>',
headers: headers
)
p JSON.parse(result)
URL obj = new URL("https://api.hackerone.com/v1/incremental/activities?handle=string");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);
con.setRequestMethod("GET");
try(BufferedReader br = new BufferedReader(
new InputStreamReader(con.getInputStream(), "utf-8"))) {
StringBuilder response = new StringBuilder();
String responseLine = null;
while ((responseLine = br.readLine()) != null) {
response.append(responseLine.trim());
}
System.out.println(response.toString());
}
let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
headers.set('Accept', 'application/json');
fetch('https://api.hackerone.com/v1/incremental/activities?handle=string',
{
method: 'GET',
headers: headers
})
.then(function(res) {
return res.json();
}).then(function(body) {
console.log(body);
});
package main
import (
"io/ioutil"
"log"
"net/http"
)
func main() {
headers := map[string][]string{
"Accept": []string{"application/json"},
}
req, err := http.NewRequest("GET", "https://api.hackerone.com/v1/incremental/activities", nil)
req.Header = headers
req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
body, _ := ioutil.ReadAll(resp.Body)
log.Println(string(body))
}
programs found
{
"data": [
{
"type": "activity-bug-filed",
"id": "1337",
"attributes": {
"report_id": "99900",
"message": "",
"created_at": "2016-02-02T04:05:06.000Z",
"updated_at": "2017-02-02T04:05:06.000Z",
"internal": false
},
"relationships": {
"actor": {
"data": {
"type": "user",
"id": "7331",
"attributes": {
"username": "api-example",
"name": "API Example",
"disabled": false,
"created_at": "2016-02-02T04:05:06.000Z",
"profile_picture": {
"62x62": "/assets/avatars/default.png",
"82x82": "/assets/avatars/default.png",
"110x110": "/assets/avatars/default.png",
"260x260": "/assets/avatars/default.png"
}
}
}
}
}
}
],
"meta": {
"max_updated_at": "2017-02-02T04:05:06.000Z"
},
"links": {
"self": "https://api.hackerone.com/v1/incremental/activities?handle=acme&page%5Bsize%5D=1",
"next": "https://api.hackerone.com/v1/incremental/activities?handle=acme&page%5Bsize%5D=1&page%5Bnumber%5D=2",
"last": "https://api.hackerone.com/v1/incremental/activities?handle=acme&page%5Bsize%5D=1&page%5Bnumber%5D=20"
}
}
GET /incremental/activities
This endpoint allows you to fetch all activities of your program incrementally by time.
This endpoint is used to:
- Detect a new report or a new activity on a report using a single endpoint.
- Be able to take actions on reports based on user activity. For example, automatically assigning a report after triaging.
- Monitor activities on a program.
The next section will give an overview of what an Activity object looks like. The sections after that will show the endpoints that have been implemented for this resource.
Note: The request URL path is /incremental/activities. When the request is successful, the API will respond with paginated activity objects ordered by updated date.
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| handle | query | string | true | The HackerOne handle of the program with activities you wish to retrieve. |
| report_id | query | integer | false | The ID of the report you wish to retrieve activities for. |
| updated_at_after | query | string | false | A datetime encoded as a string. Used to indicate what cut-off date to use when retrieving activities. When not provided, no filtering is applied and all activities will be retrieved. |
| sort | query | any | false | The attributes to sort the activities on. |
| order | query | any | false | The direction to sort the activities on, by default desc. |
| page[number] | query | integer | false | The page to retrieve from. The default is set to 1. |
| page[size] | query | integer | false | The number of objects per page (currently limited from 1 to 100). The default is set to 25. |
Detailed descriptions
sort: The attributes to sort the activities on.
This parameter may contain multiple attributes that the activities should be sorted on. Sorting is applied in the specified order of attributes, by default descending.
The following attributes can be used for sorting: report_id, created_at, updated_at.
order: The direction to sort the activities on, by default desc.
The following attributes can be used for sorting: asc (ascending), desc (descending).
Analytics
Get Analytics Data
Code samples
# You can also use wget
curl "https://api.hackerone.com/v1/analytics?key=string&interval=string&start_at=string&end_at=string" \
-X GET \
-u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
-H 'Accept: application/json'
import requests
headers = {
'Accept': 'application/json'
}
r = requests.get(
'https://api.hackerone.com/v1/analytics',
auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
params={
'key': 'string', 'interval': 'string', 'start_at': 'string', 'end_at': 'string'
},
headers = headers
)
print(r.json())
require 'rest-client'
require 'json'
headers = {
'Accept' => 'application/json'
}
result = RestClient::Request.execute(
method: :get,
url: 'https://api.hackerone.com/v1/analytics',
password: '<YOUR_API_TOKEN>',
user: '<YOUR_API_USERNAME>',
headers: headers
)
p JSON.parse(result)
URL obj = new URL("https://api.hackerone.com/v1/analytics?key=string&interval=string&start_at=string&end_at=string");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);
con.setRequestMethod("GET");
try(BufferedReader br = new BufferedReader(
new InputStreamReader(con.getInputStream(), "utf-8"))) {
StringBuilder response = new StringBuilder();
String responseLine = null;
while ((responseLine = br.readLine()) != null) {
response.append(responseLine.trim());
}
System.out.println(response.toString());
}
let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
headers.set('Accept', 'application/json');
fetch('https://api.hackerone.com/v1/analytics?key=string&interval=string&start_at=string&end_at=string',
{
method: 'GET',
headers: headers
})
.then(function(res) {
return res.json();
}).then(function(body) {
console.log(body);
});
package main
import (
"io/ioutil"
"log"
"net/http"
)
func main() {
headers := map[string][]string{
"Accept": []string{"application/json"},
}
req, err := http.NewRequest("GET", "https://api.hackerone.com/v1/analytics", nil)
req.Header = headers
req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
body, _ := ioutil.ReadAll(resp.Body)
log.Println(string(body))
}
data found with valid params
[
{
"keys": [
"report_count",
"interval"
],
"values": [
[
"10",
"2022-01-01 00:00:00 UTC"
],
[
"27",
"2022-04-01 00:00:00 UTC"
],
[
"35",
"2022-07-01 00:00:00 UTC"
]
]
}
]
GET /analytics
This endpoint returns data for a specified key
corresponding to a predefined analytics query. Values for key
are derived from the names of charts on these dashboards:
Submissions
- submissions-benchmarks
- submissions-by-asset
- submissions-by-duplicates
- submissions-by-number-of-collaborators
- submissions-by-severity
- submissions-by-weakness
- submissions-prior-year
- submissions
- top-weaknesses-by-submission-count
Rewards
- bounty-awarded
- bounty-by-asset
- bounty-by-severity
- bounty-by-weakness
- rewards-prior-year
Hacker Engagement
- active-hackers-prior-year
- active-hackers
- hacker-participation-prior-year
- hacker-participation
- invitation-funnel
- new-hackers-vs-submissions
- returning-hackers-vs-submissions
- top-hackers-severity
- top-hackers-submissions
- top-hackers-total-bounties
Statistics
- invitations_statistics
- resolution_statistics
- retests_statistics
- reward_statistics
- sla_statistics
- submissions_statistics
- triage_statistics
Response Efficiency
- response_efficiency
- response_efficiency_benchmarks
- response_efficiency_missed_standards
- response_efficiency_missed_target
- response_efficiency_on_target
- response_efficiency_top_metrics
Mediations
- filed_mediations
- mediations_by_party
- mediations_by_state
- mediations_by_type
- open_mediations
- top_requesters
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| key | query | string | true | Filter by the query key you want to fetch data for |
| interval | query | string | true | The interval to use for the input date range. Valid intervals are month, quarter, or year |
| start_at | query | string | true | The start date of the query as a string, inclusive. Format YYYY-MM-DD |
| end_at | query | string | true | The end date of the query as a string, exclusive. Format YYYY-MM-DD |
| team_id | query | string | false | Filter by a team/program ID. If no team_id is provided, then data will be for all teams/programs in the organization |
| organization_id | query | string | false | Filter by an organization ID |
Credentials
Get Credentials
Code samples
# You can also use wget
curl "https://api.hackerone.com/v1/credentials?program_id=0&structured_scope_id=0" \
-X GET \
-u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
-H 'Accept: application/json'
import requests
headers = {
'Accept': 'application/json'
}
r = requests.get(
'https://api.hackerone.com/v1/credentials',
auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
params={
'program_id': '0', 'structured_scope_id': '0'
},
headers = headers
)
print(r.json())
require 'rest-client'
require 'json'
headers = {
'Accept' => 'application/json'
}
result = RestClient::Request.execute(
method: :get,
url: 'https://api.hackerone.com/v1/credentials',
password: '<YOUR_API_TOKEN>',
user: '<YOUR_API_USERNAME>',
headers: headers
)
p JSON.parse(result)
URL obj = new URL("https://api.hackerone.com/v1/credentials?program_id=0&structured_scope_id=0");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);
con.setRequestMethod("GET");
try(BufferedReader br = new BufferedReader(
new InputStreamReader(con.getInputStream(), "utf-8"))) {
StringBuilder response = new StringBuilder();
String responseLine = null;
while ((responseLine = br.readLine()) != null) {
response.append(responseLine.trim());
}
System.out.println(response.toString());
}
let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
headers.set('Accept', 'application/json');
fetch('https://api.hackerone.com/v1/credentials?program_id=0&structured_scope_id=0',
{
method: 'GET',
headers: headers
})
.then(function(res) {
return res.json();
}).then(function(body) {
console.log(body);
});
package main
import (
"io/ioutil"
"log"
"net/http"
)
func main() {
headers := map[string][]string{
"Accept": []string{"application/json"},
}
req, err := http.NewRequest("GET", "https://api.hackerone.com/v1/credentials", nil)
req.Header = headers
req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
body, _ := ioutil.ReadAll(resp.Body)
log.Println(string(body))
}
data found with valid params
{
"data": [
{
"id": "1",
"type": "credential",
"attributes": {
"credentials": {
"table": {
"username": "test",
"password": "d282032e02b3d1d956ae1a9dea945535"
}
},
"revoked": false,
"account_details": "test_account_details"
}
},
{
"id": "2",
"type": "credential",
"attributes": {
"credentials": {
"table": {
"username": "test",
"password": "28cf5ecddb0d781a06beed30f69a5afe"
}
},
"revoked": false,
"account_details": "test_account_details"
}
},
{
"id": "3",
"type": "credential",
"attributes": {
"credentials": {
"table": {
"username": "test",
"password": "643c17a23d2fb7f5dd3e17e94cb47d64"
}
},
"revoked": false,
"account_details": "test_account_details"
}
}
],
"links": {}
}
GET /credentials
Credentials can be fetched for a structured scope by sending a GET request to the credentials endpoint. When the request is successful, the API will respond with paginated credentials objects.
Required permissions: Team Management. You can manage the permissions of your API users through your organization's settings. Insufficient permissions will result in a 403 Forbidden response.
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| program_id | query | integer | true | The ID of the program. You can find the ID by fetching your programs. |
| structured_scope_id | query | integer | true | The ID of the structured scope. You can find the structured scope ID by fetching your programs structured scopes. |
| state | query | string | false | An optional state to filter your credentials. It can be revoked, available or claimed |
| page[number] | query | integer | false | The page to retrieve from. The default is set to 1. |
| page[size] | query | integer | false | The number of objects per page (currently limited from 1 to 100). The default is set to 25. |
Create a Credential
Code samples
# You can also use wget
curl "https://api.hackerone.com/v1/credentials" \
-X POST \
-u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
-H 'Content-Type: application/json' \
-H 'Accept: application/json' \
-d @- <<EOD
{
"structured_scope_id": 0,
"data": {
"type": "credential",
"attributes": {
"credentials": "{\"username\":\"username1\",\"password\":\"example passowrd\",\"admin_username\":\"admin_user_1\",\"admin_password\":\"admin_pass_1\"}",
"assignee": "hacker_username"
}
},
"batch_id": "string"
}
EOD
import requests
headers = {
'Content-Type': 'application/json',
'Accept': 'application/json'
}
data = {
"structured_scope_id": 0,
"data": {
"type": "credential",
"attributes": {
"credentials": "{\"username\":\"username1\",\"password\":\"example passowrd\",\"admin_username\":\"admin_user_1\",\"admin_password\":\"admin_pass_1\"}",
"assignee": "hacker_username"
}
},
"batch_id": "string"
}
r = requests.post(
'https://api.hackerone.com/v1/credentials',
auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
json = data,
headers = headers
)
print(r.json())
require 'rest-client'
require 'json'
headers = {
'Content-Type' => 'application/json',
'Accept' => 'application/json'
}
data = {
"structured_scope_id": 0,
"data": {
"type": "credential",
"attributes": {
"credentials": "{\"username\":\"username1\",\"password\":\"example passowrd\",\"admin_username\":\"admin_user_1\",\"admin_password\":\"admin_pass_1\"}",
"assignee": "hacker_username"
}
},
"batch_id": "string"
}
result = RestClient::Request.execute(
method: :post,
url: 'https://api.hackerone.com/v1/credentials',
password: '<YOUR_API_TOKEN>',
user: '<YOUR_API_USERNAME>',
payload: data,
headers: headers
)
p JSON.parse(result)
URL obj = new URL("https://api.hackerone.com/v1/credentials");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);
con.setRequestMethod("POST");
con.setRequestProperty("Content-Type", "application/json; utf-8");
con.setRequestProperty("Accept", "application/json");
con.setDoOutput(true);
String jsonInputString = "{\n \"structured_scope_id\": 0,\n \"data\": {\n \"type\": \"credential\",\n \"attributes\": {\n \"credentials\": \"{\\\"username\\\":\\\"username1\\\",\\\"password\\\":\\\"example passowrd\\\",\\\"admin_username\\\":\\\"admin_user_1\\\",\\\"admin_password\\\":\\\"admin_pass_1\\\"}\",\n \"assignee\": \"hacker_username\"\n }\n },\n \"batch_id\": \"string\"\n}";
try(OutputStream os = con.getOutputStream()) {
byte[] input = jsonInputString.getBytes("utf-8");
os.write(input, 0, input.length);
}
try(BufferedReader br = new BufferedReader(
new InputStreamReader(con.getInputStream(), "utf-8"))) {
StringBuilder response = new StringBuilder();
String responseLine = null;
while ((responseLine = br.readLine()) != null) {
response.append(responseLine.trim());
}
System.out.println(response.toString());
}
let inputBody = "{\n \"structured_scope_id\": 0,\n \"data\": {\n \"type\": \"credential\",\n \"attributes\": {\n \"credentials\": \"{\\\"username\\\":\\\"username1\\\",\\\"password\\\":\\\"example passowrd\\\",\\\"admin_username\\\":\\\"admin_user_1\\\",\\\"admin_password\\\":\\\"admin_pass_1\\\"}\",\n \"assignee\": \"hacker_username\"\n }\n },\n \"batch_id\": \"string\"\n}";
let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
headers.set('Content-Type', 'application/json'); headers.set('Accept', 'application/json');
fetch('https://api.hackerone.com/v1/credentials',
{
method: 'POST',
body: inputBody,
headers: headers
})
.then(function(res) {
return res.json();
}).then(function(body) {
console.log(body);
});
package main
import (
"bytes"
"io/ioutil"
"log"
"net/http"
)
func main() {
headers := map[string][]string{
"Content-Type": []string{"application/json"},
"Accept": []string{"application/json"},
}
data := bytes.NewBuffer([]byte(`"{\n \"structured_scope_id\": 0,\n \"data\": {\n \"type\": \"credential\",\n \"attributes\": {\n \"credentials\": \"{\\\"username\\\":\\\"username1\\\",\\\"password\\\":\\\"example passowrd\\\",\\\"admin_username\\\":\\\"admin_user_1\\\",\\\"admin_password\\\":\\\"admin_pass_1\\\"}\",\n \"assignee\": \"hacker_username\"\n }\n },\n \"batch_id\": \"string\"\n}"`))
req, err := http.NewRequest("POST", "https://api.hackerone.com/v1/credentials", data)
req.Header = headers
req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
body, _ := ioutil.ReadAll(resp.Body)
log.Println(string(body))
}
credential created
{
"data": {
"id": "<id>",
"type": "credential",
"attributes": {
"credentials": {
"table": {
"username": "test",
"password": "test"
}
},
"revoked": false,
"assignee_id": "<id>",
"assignee_username": "john_doe_1234"
}
}
}
POST /credentials
This API endpoint can be used to create new credential. When the API call is successful,
a credential object will be returned.
The IDs of a program's structured scopes can be retrieved from
programs/{id}/structured_scopes endpoint.
Required permissions: Team Management. You can manage the permissions of your API users through your organization's settings. Insufficient permissions will result in a 403 Forbidden response.
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| structured_scope_id | body | integer | true | The ID of the structured scope to which the credential will belong |
| data | body | object | true | The information to create a credential. |
| » type | body | string | true | credential |
| » attributes | body | object | true | none |
| »» credentials | body | string | true | A JSON-encoded hash of credentials that will eventually be provided to the hacker |
| »» assignee | body | string | false | If provided, the credential will be assigned to the specified user |
| batch_id | body | string | false | If provided, the batch will be stored on the credential |
Enumerated Values
| Parameter | Value |
|---|---|
| » type | credential |
Update a Credential
Code samples
# You can also use wget
curl "https://api.hackerone.com/v1/credentials/{id}" \
-X PUT \
-u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
-H 'Content-Type: application/json' \
-H 'Accept: application/json' \
-d @- <<EOD
{
"data": {
"type": "credential",
"attributes": {
"credentials": "string",
"recycle": false
}
}
}
EOD
import requests
headers = {
'Content-Type': 'application/json',
'Accept': 'application/json'
}
data = {
"data": {
"type": "credential",
"attributes": {
"credentials": "string",
"recycle": false
}
}
}
r = requests.put(
'https://api.hackerone.com/v1/credentials/{id}',
auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
json = data,
headers = headers
)
print(r.json())
require 'rest-client'
require 'json'
headers = {
'Content-Type' => 'application/json',
'Accept' => 'application/json'
}
data = {
"data": {
"type": "credential",
"attributes": {
"credentials": "string",
"recycle": false
}
}
}
result = RestClient::Request.execute(
method: :put,
url: 'https://api.hackerone.com/v1/credentials/{id}',
password: '<YOUR_API_TOKEN>',
user: '<YOUR_API_USERNAME>',
payload: data,
headers: headers
)
p JSON.parse(result)
URL obj = new URL("https://api.hackerone.com/v1/credentials/{id}");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);
con.setRequestMethod("PUT");
con.setRequestProperty("Content-Type", "application/json; utf-8");
con.setRequestProperty("Accept", "application/json");
con.setDoOutput(true);
String jsonInputString = "{\n \"data\": {\n \"type\": \"credential\",\n \"attributes\": {\n \"credentials\": \"string\",\n \"recycle\": false\n }\n }\n}";
try(OutputStream os = con.getOutputStream()) {
byte[] input = jsonInputString.getBytes("utf-8");
os.write(input, 0, input.length);
}
try(BufferedReader br = new BufferedReader(
new InputStreamReader(con.getInputStream(), "utf-8"))) {
StringBuilder response = new StringBuilder();
String responseLine = null;
while ((responseLine = br.readLine()) != null) {
response.append(responseLine.trim());
}
System.out.println(response.toString());
}
let inputBody = "{\n \"data\": {\n \"type\": \"credential\",\n \"attributes\": {\n \"credentials\": \"string\",\n \"recycle\": false\n }\n }\n}";
let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
headers.set('Content-Type', 'application/json'); headers.set('Accept', 'application/json');
fetch('https://api.hackerone.com/v1/credentials/{id}',
{
method: 'PUT',
body: inputBody,
headers: headers
})
.then(function(res) {
return res.json();
}).then(function(body) {
console.log(body);
});
package main
import (
"bytes"
"io/ioutil"
"log"
"net/http"
)
func main() {
headers := map[string][]string{
"Content-Type": []string{"application/json"},
"Accept": []string{"application/json"},
}
data := bytes.NewBuffer([]byte(`"{\n \"data\": {\n \"type\": \"credential\",\n \"attributes\": {\n \"credentials\": \"string\",\n \"recycle\": false\n }\n }\n}"`))
req, err := http.NewRequest("PUT", "https://api.hackerone.com/v1/credentials/{id}", data)
req.Header = headers
req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
body, _ := ioutil.ReadAll(resp.Body)
log.Println(string(body))
}
credential updated
{
"data": {
"id": "<id>",
"type": "credential",
"attributes": {
"credentials": {
"table": {
"username": "test",
"password": "test"
}
},
"revoked": false,
"assignee_id": "<id>",
"assignee_username": "john_doe_1234"
}
}
}
PUT /credentials/{id}
This API endpoint can be used to update an existing credential. When the API call is successful, a credential object will be returned.
Required permissions: Team Management. You can manage the permissions of your API users through your organization's settings. Insufficient permissions will result in a 403 Forbidden response.
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| id | path | integer | true | The ID of the credential. |
| data | body | object | true | The information to update a credential. |
| » type | body | string | true | credential |
| » attributes | body | object | true | none |
| »» credentials | body | string | true | A JSON-encoded hash of credentials that will eventually be provided to the hacker |
| »» recycle | body | boolean | false | If true, the assignee will be removed. The default is false. |
Enumerated Values
| Parameter | Value |
|---|---|
| » type | credential |
Assign a Credential
Code samples
# You can also use wget
curl "https://api.hackerone.com/v1/credentials/{id}/assign" \
-X PUT \
-u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
-H 'Content-Type: application/json' \
-H 'Accept: application/json' \
-d @- <<EOD
{
"username": "string"
}
EOD
import requests
headers = {
'Content-Type': 'application/json',
'Accept': 'application/json'
}
data = {
"username": "string"
}
r = requests.put(
'https://api.hackerone.com/v1/credentials/{id}/assign',
auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
json = data,
headers = headers
)
print(r.json())
require 'rest-client'
require 'json'
headers = {
'Content-Type' => 'application/json',
'Accept' => 'application/json'
}
data = {
"username": "string"
}
result = RestClient::Request.execute(
method: :put,
url: 'https://api.hackerone.com/v1/credentials/{id}/assign',
password: '<YOUR_API_TOKEN>',
user: '<YOUR_API_USERNAME>',
payload: data,
headers: headers
)
p JSON.parse(result)
URL obj = new URL("https://api.hackerone.com/v1/credentials/{id}/assign");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);
con.setRequestMethod("PUT");
con.setRequestProperty("Content-Type", "application/json; utf-8");
con.setRequestProperty("Accept", "application/json");
con.setDoOutput(true);
String jsonInputString = "{\n \"username\": \"string\"\n}";
try(OutputStream os = con.getOutputStream()) {
byte[] input = jsonInputString.getBytes("utf-8");
os.write(input, 0, input.length);
}
try(BufferedReader br = new BufferedReader(
new InputStreamReader(con.getInputStream(), "utf-8"))) {
StringBuilder response = new StringBuilder();
String responseLine = null;
while ((responseLine = br.readLine()) != null) {
response.append(responseLine.trim());
}
System.out.println(response.toString());
}
let inputBody = "{\n \"username\": \"string\"\n}";
let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
headers.set('Content-Type', 'application/json'); headers.set('Accept', 'application/json');
fetch('https://api.hackerone.com/v1/credentials/{id}/assign',
{
method: 'PUT',
body: inputBody,
headers: headers
})
.then(function(res) {
return res.json();
}).then(function(body) {
console.log(body);
});
package main
import (
"bytes"
"io/ioutil"
"log"
"net/http"
)
func main() {
headers := map[string][]string{
"Content-Type": []string{"application/json"},
"Accept": []string{"application/json"},
}
data := bytes.NewBuffer([]byte(`"{\n \"username\": \"string\"\n}"`))
req, err := http.NewRequest("PUT", "https://api.hackerone.com/v1/credentials/{id}/assign", data)
req.Header = headers
req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
body, _ := ioutil.ReadAll(resp.Body)
log.Println(string(body))
}
credential assigned
{
"data": {
"id": "<id>",
"type": "credential",
"attributes": {
"credentials": {
"table": {
"username": "test",
"password": "test"
}
},
"revoked": false,
"assignee_id": "<id>",
"assignee_username": "john_doe_1234"
}
}
}
PUT /credentials/{id}/assign
This API endpoint can be used to assign an existing credential. When the API call is successful, a credential object will be returned.
Required permissions: Team Management. You can manage the permissions of your API users through your organization's settings. Insufficient permissions will result in a 403 Forbidden response.
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| id | path | integer | true | The ID of the credential. |
| username | body | string | true | The username of the user to be assigned the credential. |
Delete a Credential
Code samples
# You can also use wget
curl "https://api.hackerone.com/v1/credentials/{id}/" \
-X DELETE \
-u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
-H 'Accept: application/json'
import requests
headers = {
'Accept': 'application/json'
}
r = requests.delete(
'https://api.hackerone.com/v1/credentials/{id}/',
auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
headers = headers
)
print(r.json())
require 'rest-client'
require 'json'
headers = {
'Accept' => 'application/json'
}
result = RestClient::Request.execute(
method: :delete,
url: 'https://api.hackerone.com/v1/credentials/{id}/',
password: '<YOUR_API_TOKEN>',
user: '<YOUR_API_USERNAME>',
headers: headers
)
p JSON.parse(result)
URL obj = new URL("https://api.hackerone.com/v1/credentials/{id}/");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);
con.setRequestMethod("DELETE");
try(BufferedReader br = new BufferedReader(
new InputStreamReader(con.getInputStream(), "utf-8"))) {
StringBuilder response = new StringBuilder();
String responseLine = null;
while ((responseLine = br.readLine()) != null) {
response.append(responseLine.trim());
}
System.out.println(response.toString());
}
let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
headers.set('Accept', 'application/json');
fetch('https://api.hackerone.com/v1/credentials/{id}/',
{
method: 'DELETE',
headers: headers
})
.then(function(res) {
return res.json();
}).then(function(body) {
console.log(body);
});
package main
import (
"io/ioutil"
"log"
"net/http"
)
func main() {
headers := map[string][]string{
"Accept": []string{"application/json"},
}
req, err := http.NewRequest("DELETE", "https://api.hackerone.com/v1/credentials/{id}/", nil)
req.Header = headers
req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
body, _ := ioutil.ReadAll(resp.Body)
log.Println(string(body))
}
Credential successfully removed
{
"data": {
"success": true,
"message": "Credential successfully removed"
}
}
DELETE /credentials/{id}/
This API endpoint can be used to delete an existing credential. When the API call is successful, a success message will be returned.
Required permissions: Team Management. You can manage the permissions of your API users through your organization's settings. Insufficient permissions will result in a 403 Forbidden response.
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| id | path | integer | true | The ID of the credential. |
Revoke a Credential
Code samples
# You can also use wget
curl "https://api.hackerone.com/v1/credentials/{id}/revoke" \
-X PUT \
-u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
-H 'Accept: application/json'
import requests
headers = {
'Accept': 'application/json'
}
r = requests.put(
'https://api.hackerone.com/v1/credentials/{id}/revoke',
auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
headers = headers
)
print(r.json())
require 'rest-client'
require 'json'
headers = {
'Accept' => 'application/json'
}
result = RestClient::Request.execute(
method: :put,
url: 'https://api.hackerone.com/v1/credentials/{id}/revoke',
password: '<YOUR_API_TOKEN>',
user: '<YOUR_API_USERNAME>',
headers: headers
)
p JSON.parse(result)
URL obj = new URL("https://api.hackerone.com/v1/credentials/{id}/revoke");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);
con.setRequestMethod("PUT");
try(BufferedReader br = new BufferedReader(
new InputStreamReader(con.getInputStream(), "utf-8"))) {
StringBuilder response = new StringBuilder();
String responseLine = null;
while ((responseLine = br.readLine()) != null) {
response.append(responseLine.trim());
}
System.out.println(response.toString());
}
let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
headers.set('Accept', 'application/json');
fetch('https://api.hackerone.com/v1/credentials/{id}/revoke',
{
method: 'PUT',
headers: headers
})
.then(function(res) {
return res.json();
}).then(function(body) {
console.log(body);
});
package main
import (
"io/ioutil"
"log"
"net/http"
)
func main() {
headers := map[string][]string{
"Accept": []string{"application/json"},
}
req, err := http.NewRequest("PUT", "https://api.hackerone.com/v1/credentials/{id}/revoke", nil)
req.Header = headers
req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
body, _ := ioutil.ReadAll(resp.Body)
log.Println(string(body))
}
credential revoked
{
"data": {
"id": "<id>",
"type": "credential",
"attributes": {
"credentials": {
"table": {
"username": "test",
"password": "test"
}
},
"revoked": true,
"assignee_id": "<id>",
"assignee_username": "john_doe_1234"
}
}
}
PUT /credentials/{id}/revoke
This API endpoint can be used to revoke an existing credential. When the API call is successful, a credential object will be returned.
Required permissions: Team Management. You can manage the permissions of your API users through your organization's settings. Insufficient permissions will result in a 403 Forbidden response.
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| id | path | integer | true | The ID of the credential. |
Get Credential Inquiry Responses
Code samples
# You can also use wget
curl "https://api.hackerone.com/v1/programs/{program_id}/credential_inquiries/{credential_inquiry_id}/credential_inquiry_responses" \
-X GET \
-u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
-H 'Accept: application/json'
import requests
headers = {
'Accept': 'application/json'
}
r = requests.get(
'https://api.hackerone.com/v1/programs/{program_id}/credential_inquiries/{credential_inquiry_id}/credential_inquiry_responses',
auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
headers = headers
)
print(r.json())
require 'rest-client'
require 'json'
headers = {
'Accept' => 'application/json'
}
result = RestClient::Request.execute(
method: :get,
url: 'https://api.hackerone.com/v1/programs/{program_id}/credential_inquiries/{credential_inquiry_id}/credential_inquiry_responses',
password: '<YOUR_API_TOKEN>',
user: '<YOUR_API_USERNAME>',
headers: headers
)
p JSON.parse(result)
URL obj = new URL("https://api.hackerone.com/v1/programs/{program_id}/credential_inquiries/{credential_inquiry_id}/credential_inquiry_responses");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);
con.setRequestMethod("GET");
try(BufferedReader br = new BufferedReader(
new InputStreamReader(con.getInputStream(), "utf-8"))) {
StringBuilder response = new StringBuilder();
String responseLine = null;
while ((responseLine = br.readLine()) != null) {
response.append(responseLine.trim());
}
System.out.println(response.toString());
}
let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
headers.set('Accept', 'application/json');
fetch('https://api.hackerone.com/v1/programs/{program_id}/credential_inquiries/{credential_inquiry_id}/credential_inquiry_responses',
{
method: 'GET',
headers: headers
})
.then(function(res) {
return res.json();
}).then(function(body) {
console.log(body);
});
package main
import (
"io/ioutil"
"log"
"net/http"
)
func main() {
headers := map[string][]string{
"Accept": []string{"application/json"},
}
req, err := http.NewRequest("GET", "https://api.hackerone.com/v1/programs/{program_id}/credential_inquiries/{credential_inquiry_id}/credential_inquiry_responses", nil)
req.Header = headers
req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
body, _ := ioutil.ReadAll(resp.Body)
log.Println(string(body))
}
data found with valid params
{
"data": [
{
"id": "1337",
"type": "credential_inquiry_response",
"attributes": {
"details": "this is a credential inquiry response",
"created_at": "2017-01-01T00:00:00.000Z",
"user": {
"id": "1",
"username": "user1"
}
}
},
{
"id": "1339",
"type": "credential_inquiry_response",
"attributes": {
"details": "this is a credential inquiry response",
"created_at": "2017-01-01T00:00:00.000Z",
"user": {
"id": "2",
"username": "user2"
}
}
}
],
"links": {}
}
GET /programs/{program_id}/credential_inquiries/{credential_inquiry_id}/credential_inquiry_responses
Credential inquiry responses can be fetched by sending a GET request to the credential inquiry responses endpoint. When the request is successful, the API will respond with paginated credential inquiry objects.
Required permissions: Team Management. You can manage the permissions of your API users through your organization's settings. Insufficient permissions will result in a 403 Forbidden response.
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| program_id | path | integer | true | The ID of the program. You can find the program ID by fetching your programs. |
| credential_inquiry_id | path | integer | true | The ID of the credential inquiry. You can find the credential inquiry ID by fetching your credential inquiries. |
| page[number] | query | integer | false | The page to retrieve from. The default is set to 1. |
| page[size] | query | integer | false | The number of objects per page (currently limited from 1 to 100). The default is set to 25. |
Delete Credential Inquiry Response
Code samples
# You can also use wget
curl "https://api.hackerone.com/v1/programs/{program_id}/credential_inquiries/{credential_inquiry_id}/credential_inquiry_responses/{id}" \
-X DELETE \
-u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
-H 'Accept: application/json'
import requests
headers = {
'Accept': 'application/json'
}
r = requests.delete(
'https://api.hackerone.com/v1/programs/{program_id}/credential_inquiries/{credential_inquiry_id}/credential_inquiry_responses/{id}',
auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
headers = headers
)
print(r.json())
require 'rest-client'
require 'json'
headers = {
'Accept' => 'application/json'
}
result = RestClient::Request.execute(
method: :delete,
url: 'https://api.hackerone.com/v1/programs/{program_id}/credential_inquiries/{credential_inquiry_id}/credential_inquiry_responses/{id}',
password: '<YOUR_API_TOKEN>',
user: '<YOUR_API_USERNAME>',
headers: headers
)
p JSON.parse(result)
URL obj = new URL("https://api.hackerone.com/v1/programs/{program_id}/credential_inquiries/{credential_inquiry_id}/credential_inquiry_responses/{id}");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);
con.setRequestMethod("DELETE");
try(BufferedReader br = new BufferedReader(
new InputStreamReader(con.getInputStream(), "utf-8"))) {
StringBuilder response = new StringBuilder();
String responseLine = null;
while ((responseLine = br.readLine()) != null) {
response.append(responseLine.trim());
}
System.out.println(response.toString());
}
let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
headers.set('Accept', 'application/json');
fetch('https://api.hackerone.com/v1/programs/{program_id}/credential_inquiries/{credential_inquiry_id}/credential_inquiry_responses/{id}',
{
method: 'DELETE',
headers: headers
})
.then(function(res) {
return res.json();
}).then(function(body) {
console.log(body);
});
package main
import (
"io/ioutil"
"log"
"net/http"
)
func main() {
headers := map[string][]string{
"Accept": []string{"application/json"},
}
req, err := http.NewRequest("DELETE", "https://api.hackerone.com/v1/programs/{program_id}/credential_inquiries/{credential_inquiry_id}/credential_inquiry_responses/{id}", nil)
req.Header = headers
req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
body, _ := ioutil.ReadAll(resp.Body)
log.Println(string(body))
}
Credential Inquiry Response successfully removed
{
"data": {
"success": true,
"message": "Credential Inquiry Response successfully removed"
}
}
DELETE /programs/{program_id}/credential_inquiries/{credential_inquiry_id}/credential_inquiry_responses/{id}
This API endpoint can be used to delete an existing credential inquiry response. When the API call is successful, a success message will be returned.
Required permissions: Team Management. You can manage the permissions of your API users through your organization's settings. Insufficient permissions will result in a 403 Forbidden response.
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| program_id | path | integer | true | The ID of the program. You can find the program ID by fetching your programs. |
| credential_inquiry_id | path | integer | true | The ID of the credential inquiry. You can find the credential inquiry ID by fetching your credential inquiries. |
| id | path | integer | true | The ID of the credential inquiry response. |
Create a Credential Inquiry
Code samples
# You can also use wget
curl "https://api.hackerone.com/v1/programs/{id}/credential_inquiries" \
-X POST \
-u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
-H 'Content-Type: application/json' \
-H 'Accept: application/json' \
-d @- <<EOD
{
"structured_scope_id": 0,
"data": {
"type": "credential_inquiry",
"attributes": {
"description": "string"
}
}
}
EOD
import requests
headers = {
'Content-Type': 'application/json',
'Accept': 'application/json'
}
data = {
"structured_scope_id": 0,
"data": {
"type": "credential_inquiry",
"attributes": {
"description": "string"
}
}
}
r = requests.post(
'https://api.hackerone.com/v1/programs/{id}/credential_inquiries',
auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
json = data,
headers = headers
)
print(r.json())
require 'rest-client'
require 'json'
headers = {
'Content-Type' => 'application/json',
'Accept' => 'application/json'
}
data = {
"structured_scope_id": 0,
"data": {
"type": "credential_inquiry",
"attributes": {
"description": "string"
}
}
}
result = RestClient::Request.execute(
method: :post,
url: 'https://api.hackerone.com/v1/programs/{id}/credential_inquiries',
password: '<YOUR_API_TOKEN>',
user: '<YOUR_API_USERNAME>',
payload: data,
headers: headers
)
p JSON.parse(result)
URL obj = new URL("https://api.hackerone.com/v1/programs/{id}/credential_inquiries");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);
con.setRequestMethod("POST");
con.setRequestProperty("Content-Type", "application/json; utf-8");
con.setRequestProperty("Accept", "application/json");
con.setDoOutput(true);
String jsonInputString = "{\n \"structured_scope_id\": 0,\n \"data\": {\n \"type\": \"credential_inquiry\",\n \"attributes\": {\n \"description\": \"string\"\n }\n }\n}";
try(OutputStream os = con.getOutputStream()) {
byte[] input = jsonInputString.getBytes("utf-8");
os.write(input, 0, input.length);
}
try(BufferedReader br = new BufferedReader(
new InputStreamReader(con.getInputStream(), "utf-8"))) {
StringBuilder response = new StringBuilder();
String responseLine = null;
while ((responseLine = br.readLine()) != null) {
response.append(responseLine.trim());
}
System.out.println(response.toString());
}
let inputBody = "{\n \"structured_scope_id\": 0,\n \"data\": {\n \"type\": \"credential_inquiry\",\n \"attributes\": {\n \"description\": \"string\"\n }\n }\n}";
let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
headers.set('Content-Type', 'application/json'); headers.set('Accept', 'application/json');
fetch('https://api.hackerone.com/v1/programs/{id}/credential_inquiries',
{
method: 'POST',
body: inputBody,
headers: headers
})
.then(function(res) {
return res.json();
}).then(function(body) {
console.log(body);
});
package main
import (
"bytes"
"io/ioutil"
"log"
"net/http"
)
func main() {
headers := map[string][]string{
"Content-Type": []string{"application/json"},
"Accept": []string{"application/json"},
}
data := bytes.NewBuffer([]byte(`"{\n \"structured_scope_id\": 0,\n \"data\": {\n \"type\": \"credential_inquiry\",\n \"attributes\": {\n \"description\": \"string\"\n }\n }\n}"`))
req, err := http.NewRequest("POST", "https://api.hackerone.com/v1/programs/{id}/credential_inquiries", data)
req.Header = headers
req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
body, _ := ioutil.ReadAll(resp.Body)
log.Println(string(body))
}
credential_inquiry created
{
"data": {
"id": "<id>",
"type": "credential_inquiry",
"attributes": {
"description": "this is a credential inquiry"
}
}
}
POST /programs/{id}/credential_inquiries
This API endpoint can be used to create new credential inquiry. When the API call is successful,
a credential_inquiry object will be returned.
The IDs of a program's structured scopes can be retrieved from
programs/{id}/structured_scopes endpoint.
Required permissions: Team Management. You can manage the permissions of your API users through your organization's settings. Insufficient permissions will result in a 403 Forbidden response.
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| id | path | integer | true | The ID of the program. |
| structured_scope_id | body | integer | true | The ID of the structured scope to which the credential will belong |
| data | body | object | true | The information to be requested from the hacker |
| » type | body | string | true | none |
| » attributes | body | object | true | none |
| »» description | body | string | true | A description of the information required from the hackers to create credentials |
Enumerated Values
| Parameter | Value |
|---|---|
| » type | credential_inquiry |
Get Credential Inquiries
Code samples
# You can also use wget
curl "https://api.hackerone.com/v1/programs/{id}/credential_inquiries" \
-X GET \
-u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
-H 'Accept: application/json'
import requests
headers = {
'Accept': 'application/json'
}
r = requests.get(
'https://api.hackerone.com/v1/programs/{id}/credential_inquiries',
auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
headers = headers
)
print(r.json())
require 'rest-client'
require 'json'
headers = {
'Accept' => 'application/json'
}
result = RestClient::Request.execute(
method: :get,
url: 'https://api.hackerone.com/v1/programs/{id}/credential_inquiries',
password: '<YOUR_API_TOKEN>',
user: '<YOUR_API_USERNAME>',
headers: headers
)
p JSON.parse(result)
URL obj = new URL("https://api.hackerone.com/v1/programs/{id}/credential_inquiries");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);
con.setRequestMethod("GET");
try(BufferedReader br = new BufferedReader(
new InputStreamReader(con.getInputStream(), "utf-8"))) {
StringBuilder response = new StringBuilder();
String responseLine = null;
while ((responseLine = br.readLine()) != null) {
response.append(responseLine.trim());
}
System.out.println(response.toString());
}
let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
headers.set('Accept', 'application/json');
fetch('https://api.hackerone.com/v1/programs/{id}/credential_inquiries',
{
method: 'GET',
headers: headers
})
.then(function(res) {
return res.json();
}).then(function(body) {
console.log(body);
});
package main
import (
"io/ioutil"
"log"
"net/http"
)
func main() {
headers := map[string][]string{
"Accept": []string{"application/json"},
}
req, err := http.NewRequest("GET", "https://api.hackerone.com/v1/programs/{id}/credential_inquiries", nil)
req.Header = headers
req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
body, _ := ioutil.ReadAll(resp.Body)
log.Println(string(body))
}
data found with valid params
{
"data": [
{
"id": "<id>",
"type": "credential_inquiry",
"attributes": {
"description": "this is a credential inquiry"
}
}
],
"links": {}
}
GET /programs/{id}/credential_inquiries
Credential inquiries can be fetched by sending a GET request to the credential inquiries endpoint. When the request is successful, the API will respond with paginated credential inquiry objects.
Required permissions: Team Management. You can manage the permissions of your API users through your organization's settings. Insufficient permissions will result in a 403 Forbidden response.
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| id | path | integer | true | The ID of the program. You can find the program ID by fetching your programs. |
| page[number] | query | integer | false | The page to retrieve from. The default is set to 1. |
| page[size] | query | integer | false | The number of objects per page (currently limited from 1 to 100). The default is set to 25. |
Update Credential Inquiry
Code samples
# You can also use wget
curl "https://api.hackerone.com/v1/programs/{program_id}/credential_inquiries/{id}" \
-X PUT \
-u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
-H 'Content-Type: application/json' \
-H 'Accept: application/json' \
-d @- <<EOD
{
"data": {
"type": "credential_inquiry",
"attributes": {
"description": "string"
}
}
}
EOD
import requests
headers = {
'Content-Type': 'application/json',
'Accept': 'application/json'
}
data = {
"data": {
"type": "credential_inquiry",
"attributes": {
"description": "string"
}
}
}
r = requests.put(
'https://api.hackerone.com/v1/programs/{program_id}/credential_inquiries/{id}',
auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
json = data,
headers = headers
)
print(r.json())
require 'rest-client'
require 'json'
headers = {
'Content-Type' => 'application/json',
'Accept' => 'application/json'
}
data = {
"data": {
"type": "credential_inquiry",
"attributes": {
"description": "string"
}
}
}
result = RestClient::Request.execute(
method: :put,
url: 'https://api.hackerone.com/v1/programs/{program_id}/credential_inquiries/{id}',
password: '<YOUR_API_TOKEN>',
user: '<YOUR_API_USERNAME>',
payload: data,
headers: headers
)
p JSON.parse(result)
URL obj = new URL("https://api.hackerone.com/v1/programs/{program_id}/credential_inquiries/{id}");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);
con.setRequestMethod("PUT");
con.setRequestProperty("Content-Type", "application/json; utf-8");
con.setRequestProperty("Accept", "application/json");
con.setDoOutput(true);
String jsonInputString = "{\n \"data\": {\n \"type\": \"credential_inquiry\",\n \"attributes\": {\n \"description\": \"string\"\n }\n }\n}";
try(OutputStream os = con.getOutputStream()) {
byte[] input = jsonInputString.getBytes("utf-8");
os.write(input, 0, input.length);
}
try(BufferedReader br = new BufferedReader(
new InputStreamReader(con.getInputStream(), "utf-8"))) {
StringBuilder response = new StringBuilder();
String responseLine = null;
while ((responseLine = br.readLine()) != null) {
response.append(responseLine.trim());
}
System.out.println(response.toString());
}
let inputBody = "{\n \"data\": {\n \"type\": \"credential_inquiry\",\n \"attributes\": {\n \"description\": \"string\"\n }\n }\n}";
let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
headers.set('Content-Type', 'application/json'); headers.set('Accept', 'application/json');
fetch('https://api.hackerone.com/v1/programs/{program_id}/credential_inquiries/{id}',
{
method: 'PUT',
body: inputBody,
headers: headers
})
.then(function(res) {
return res.json();
}).then(function(body) {
console.log(body);
});
package main
import (
"bytes"
"io/ioutil"
"log"
"net/http"
)
func main() {
headers := map[string][]string{
"Content-Type": []string{"application/json"},
"Accept": []string{"application/json"},
}
data := bytes.NewBuffer([]byte(`"{\n \"data\": {\n \"type\": \"credential_inquiry\",\n \"attributes\": {\n \"description\": \"string\"\n }\n }\n}"`))
req, err := http.NewRequest("PUT", "https://api.hackerone.com/v1/programs/{program_id}/credential_inquiries/{id}", data)
req.Header = headers
req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
body, _ := ioutil.ReadAll(resp.Body)
log.Println(string(body))
}
credential inquiry updated
{
"data": {
"id": "<id>",
"type": "credential_inquiry",
"attributes": {
"description": "this is a credential inquiry"
}
}
}
PUT /programs/{program_id}/credential_inquiries/{id}
This endpoint can be used to update a credential inquiry of a program. When the API request is successful, a credential inquiry object will be returned.
Required permissions: Team Management. You can manage the permissions of your API users through your organization's settings. Insufficient permissions will result in a 403 Forbidden response.
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| program_id | path | integer | true | The ID of the program. You can find the program ID by fetching your programs. |
| id | path | integer | true | The ID of the credential inquiry. |
| data | body | object | true | The information to be requested from the hacker |
| » type | body | string | true | none |
| » attributes | body | object | true | none |
| »» description | body | string | true | A description of the information required from the hackers to create credentials |
Enumerated Values
| Parameter | Value |
|---|---|
| » type | credential_inquiry |
Delete Credential Inquiry
Code samples
# You can also use wget
curl "https://api.hackerone.com/v1/programs/{program_id}/credential_inquiries/{id}" \
-X DELETE \
-u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
-H 'Accept: application/json'
import requests
headers = {
'Accept': 'application/json'
}
r = requests.delete(
'https://api.hackerone.com/v1/programs/{program_id}/credential_inquiries/{id}',
auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
headers = headers
)
print(r.json())
require 'rest-client'
require 'json'
headers = {
'Accept' => 'application/json'
}
result = RestClient::Request.execute(
method: :delete,
url: 'https://api.hackerone.com/v1/programs/{program_id}/credential_inquiries/{id}',
password: '<YOUR_API_TOKEN>',
user: '<YOUR_API_USERNAME>',
headers: headers
)
p JSON.parse(result)
URL obj = new URL("https://api.hackerone.com/v1/programs/{program_id}/credential_inquiries/{id}");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);
con.setRequestMethod("DELETE");
try(BufferedReader br = new BufferedReader(
new InputStreamReader(con.getInputStream(), "utf-8"))) {
StringBuilder response = new StringBuilder();
String responseLine = null;
while ((responseLine = br.readLine()) != null) {
response.append(responseLine.trim());
}
System.out.println(response.toString());
}
let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
headers.set('Accept', 'application/json');
fetch('https://api.hackerone.com/v1/programs/{program_id}/credential_inquiries/{id}',
{
method: 'DELETE',
headers: headers
})
.then(function(res) {
return res.json();
}).then(function(body) {
console.log(body);
});
package main
import (
"io/ioutil"
"log"
"net/http"
)
func main() {
headers := map[string][]string{
"Accept": []string{"application/json"},
}
req, err := http.NewRequest("DELETE", "https://api.hackerone.com/v1/programs/{program_id}/credential_inquiries/{id}", nil)
req.Header = headers
req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
body, _ := ioutil.ReadAll(resp.Body)
log.Println(string(body))
}
Credential Inquiry successfully removed
{
"data": {
"success": true,
"message": "Credential Inquiry successfully removed"
}
}
DELETE /programs/{program_id}/credential_inquiries/{id}
This API endpoint can be used to delete an existing credential inquiry. When the API call is successful, a success message will be returned.
Required permissions: Team Management. You can manage the permissions of your API users through your organization's settings. Insufficient permissions will result in a 403 Forbidden response.
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| program_id | path | integer | true | The ID of the program. You can find the program ID by fetching your programs. |
| id | path | integer | true | The ID of the credential inquiry. |
Send email
Code samples
# You can also use wget
curl "https://api.hackerone.com/v1/email" \
-X POST \
-u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
-H 'Content-Type: application/json' \
-H 'Accept: application/json' \
-d @- <<EOD
{
"data": {
"type": "email-message",
"attributes": {
"email": "string",
"subject": "string",
"markdown_content": "string"
}
}
}
EOD
import requests
headers = {
'Content-Type': 'application/json',
'Accept': 'application/json'
}
data = {
"data": {
"type": "email-message",
"attributes": {
"email": "string",
"subject": "string",
"markdown_content": "string"
}
}
}
r = requests.post(
'https://api.hackerone.com/v1/email',
auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
json = data,
headers = headers
)
print(r.json())
require 'rest-client'
require 'json'
headers = {
'Content-Type' => 'application/json',
'Accept' => 'application/json'
}
data = {
"data": {
"type": "email-message",
"attributes": {
"email": "string",
"subject": "string",
"markdown_content": "string"
}
}
}
result = RestClient::Request.execute(
method: :post,
url: 'https://api.hackerone.com/v1/email',
password: '<YOUR_API_TOKEN>',
user: '<YOUR_API_USERNAME>',
payload: data,
headers: headers
)
p JSON.parse(result)
URL obj = new URL("https://api.hackerone.com/v1/email");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);
con.setRequestMethod("POST");
con.setRequestProperty("Content-Type", "application/json; utf-8");
con.setRequestProperty("Accept", "application/json");
con.setDoOutput(true);
String jsonInputString = "{\n \"data\": {\n \"type\": \"email-message\",\n \"attributes\": {\n \"email\": \"string\",\n \"subject\": \"string\",\n \"markdown_content\": \"string\"\n }\n }\n}";
try(OutputStream os = con.getOutputStream()) {
byte[] input = jsonInputString.getBytes("utf-8");
os.write(input, 0, input.length);
}
try(BufferedReader br = new BufferedReader(
new InputStreamReader(con.getInputStream(), "utf-8"))) {
StringBuilder response = new StringBuilder();
String responseLine = null;
while ((responseLine = br.readLine()) != null) {
response.append(responseLine.trim());
}
System.out.println(response.toString());
}
let inputBody = "{\n \"data\": {\n \"type\": \"email-message\",\n \"attributes\": {\n \"email\": \"string\",\n \"subject\": \"string\",\n \"markdown_content\": \"string\"\n }\n }\n}";
let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
headers.set('Content-Type', 'application/json'); headers.set('Accept', 'application/json');
fetch('https://api.hackerone.com/v1/email',
{
method: 'POST',
body: inputBody,
headers: headers
})
.then(function(res) {
return res.json();
}).then(function(body) {
console.log(body);
});
package main
import (
"bytes"
"io/ioutil"
"log"
"net/http"
)
func main() {
headers := map[string][]string{
"Content-Type": []string{"application/json"},
"Accept": []string{"application/json"},
}
data := bytes.NewBuffer([]byte(`"{\n \"data\": {\n \"type\": \"email-message\",\n \"attributes\": {\n \"email\": \"string\",\n \"subject\": \"string\",\n \"markdown_content\": \"string\"\n }\n }\n}"`))
req, err := http.NewRequest("POST", "https://api.hackerone.com/v1/email", data)
req.Header = headers
req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
body, _ := ioutil.ReadAll(resp.Body)
log.Println(string(body))
}
Email successfully sent
{
"data": {
"success": true,
"message": "Email successfully sent"
}
}
POST /email
Send an email containing the defined markdown rendered as HTML.
Required permissions: The recipient must share an organization with the API token, otherwise the email will not be sent. Insufficient permissions will result in a 400 Bad Request response.
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| data | body | object | true | Attributes that define an email message |
| » type | body | string | true | none |
| » attributes | body | object | true | none |
| body | string | true | The email address of the recipient. | |
| »» subject | body | string | true | The subject of the email. |
| »» markdown_content | body | string | true | The body of the email. |
Enumerated Values
| Parameter | Value |
|---|---|
| » type | email-message |
Hai
Create Completion (Preview)
Code samples
# You can also use wget
curl "https://api.hackerone.com/v1/hai/chat/completions" \
-X POST \
-u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
-H 'Content-Type: application/json' \
-H 'Accept: application/json' \
-d @- <<EOD
{
"data": {
"type": "completion-request",
"attributes": {
"hai_play_id": 0,
"messages": [
{
"role": "user",
"content": "string"
}
],
"program_handles": [
"string"
],
"report_ids": [
0
],
"cve_ids": [
"string"
],
"cwe_ids": [
"string"
]
}
},
"required": null
}
EOD
import requests
headers = {
'Content-Type': 'application/json',
'Accept': 'application/json'
}
data = {
"data": {
"type": "completion-request",
"attributes": {
"hai_play_id": 0,
"messages": [
{
"role": "user",
"content": "string"
}
],
"program_handles": [
"string"
],
"report_ids": [
0
],
"cve_ids": [
"string"
],
"cwe_ids": [
"string"
]
}
},
"required": null
}
r = requests.post(
'https://api.hackerone.com/v1/hai/chat/completions',
auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
json = data,
headers = headers
)
print(r.json())
require 'rest-client'
require 'json'
headers = {
'Content-Type' => 'application/json',
'Accept' => 'application/json'
}
data = {
"data": {
"type": "completion-request",
"attributes": {
"hai_play_id": 0,
"messages": [
{
"role": "user",
"content": "string"
}
],
"program_handles": [
"string"
],
"report_ids": [
0
],
"cve_ids": [
"string"
],
"cwe_ids": [
"string"
]
}
},
"required": null
}
result = RestClient::Request.execute(
method: :post,
url: 'https://api.hackerone.com/v1/hai/chat/completions',
password: '<YOUR_API_TOKEN>',
user: '<YOUR_API_USERNAME>',
payload: data,
headers: headers
)
p JSON.parse(result)
URL obj = new URL("https://api.hackerone.com/v1/hai/chat/completions");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);
con.setRequestMethod("POST");
con.setRequestProperty("Content-Type", "application/json; utf-8");
con.setRequestProperty("Accept", "application/json");
con.setDoOutput(true);
String jsonInputString = "{\n \"data\": {\n \"type\": \"completion-request\",\n \"attributes\": {\n \"hai_play_id\": 0,\n \"messages\": [\n {\n \"role\": \"user\",\n \"content\": \"string\"\n }\n ],\n \"program_handles\": [\n \"string\"\n ],\n \"report_ids\": [\n 0\n ],\n \"cve_ids\": [\n \"string\"\n ],\n \"cwe_ids\": [\n \"string\"\n ]\n }\n },\n \"required\": null\n}";
try(OutputStream os = con.getOutputStream()) {
byte[] input = jsonInputString.getBytes("utf-8");
os.write(input, 0, input.length);
}
try(BufferedReader br = new BufferedReader(
new InputStreamReader(con.getInputStream(), "utf-8"))) {
StringBuilder response = new StringBuilder();
String responseLine = null;
while ((responseLine = br.readLine()) != null) {
response.append(responseLine.trim());
}
System.out.println(response.toString());
}
let inputBody = "{\n \"data\": {\n \"type\": \"completion-request\",\n \"attributes\": {\n \"hai_play_id\": 0,\n \"messages\": [\n {\n \"role\": \"user\",\n \"content\": \"string\"\n }\n ],\n \"program_handles\": [\n \"string\"\n ],\n \"report_ids\": [\n 0\n ],\n \"cve_ids\": [\n \"string\"\n ],\n \"cwe_ids\": [\n \"string\"\n ]\n }\n },\n \"required\": null\n}";
let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
headers.set('Content-Type', 'application/json'); headers.set('Accept', 'application/json');
fetch('https://api.hackerone.com/v1/hai/chat/completions',
{
method: 'POST',
body: inputBody,
headers: headers
})
.then(function(res) {
return res.json();
}).then(function(body) {
console.log(body);
});
package main
import (
"bytes"
"io/ioutil"
"log"
"net/http"
)
func main() {
headers := map[string][]string{
"Content-Type": []string{"application/json"},
"Accept": []string{"application/json"},
}
data := bytes.NewBuffer([]byte(`"{\n \"data\": {\n \"type\": \"completion-request\",\n \"attributes\": {\n \"hai_play_id\": 0,\n \"messages\": [\n {\n \"role\": \"user\",\n \"content\": \"string\"\n }\n ],\n \"program_handles\": [\n \"string\"\n ],\n \"report_ids\": [\n 0\n ],\n \"cve_ids\": [\n \"string\"\n ],\n \"cwe_ids\": [\n \"string\"\n ]\n }\n },\n \"required\": null\n}"`))
req, err := http.NewRequest("POST", "https://api.hackerone.com/v1/hai/chat/completions", data)
req.Header = headers
req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
body, _ := ioutil.ReadAll(resp.Body)
log.Println(string(body))
}
completion created
{
"data": [
{
"id": "1",
"type": "hai_chat_completion",
"attributes": {
"state": "created",
"response": "This is a response",
"created_at": "2019-01-01T00:00:00Z"
}
},
{
"id": "1",
"type": "hai_chat_completion",
"attributes": {
"state": "generating",
"response": null,
"created_at": "2020-01-01T00:00:00Z"
}
}
]
}
POST /hai/chat/completions
A POST request to create a completion object.
The feature is available for users whose organizations have enabled Hai.
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| data | body | object | true | The main data object containing the completion request details. |
| » type | body | string | false | The type of the request, which should be "completion-request". |
| » attributes | body | object | false | The attributes of the completion request. |
| »» hai_play_id | body | integer | false | The ID of the Hai Play to use for the completion. |
| »» messages | body | [object] | true | An array of message objects that form the conversation context. |
| »»» role | body | string | true | The role of the message sender, e.g., user or assistant. |
| »»» content | body | string | true | The content of the message. |
| »» program_handles | body | [string] | false | List of program handles associated with the completion request. |
| »» report_ids | body | [integer] | false | List of report IDs associated with the completion request. |
| »» cve_ids | body | [string] | false | List of CVE IDs associated with the completion request. |
| »» cwe_ids | body | [string] | false | List of CWE IDs associated with the completion request. |
| required | body | any | false | none |
Enumerated Values
| Parameter | Value |
|---|---|
| » type | completion-request |
| »»» role | user |
| »»» role | assistant |
Get Completions (Preview)
Code samples
# You can also use wget
curl "https://api.hackerone.com/v1/hai/chat/completions/{id}" \
-X GET \
-u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
-H 'Accept: application/json'
import requests
headers = {
'Accept': 'application/json'
}
r = requests.get(
'https://api.hackerone.com/v1/hai/chat/completions/{id}',
auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
headers = headers
)
print(r.json())
require 'rest-client'
require 'json'
headers = {
'Accept' => 'application/json'
}
result = RestClient::Request.execute(
method: :get,
url: 'https://api.hackerone.com/v1/hai/chat/completions/{id}',
password: '<YOUR_API_TOKEN>',
user: '<YOUR_API_USERNAME>',
headers: headers
)
p JSON.parse(result)
URL obj = new URL("https://api.hackerone.com/v1/hai/chat/completions/{id}");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);
con.setRequestMethod("GET");
try(BufferedReader br = new BufferedReader(
new InputStreamReader(con.getInputStream(), "utf-8"))) {
StringBuilder response = new StringBuilder();
String responseLine = null;
while ((responseLine = br.readLine()) != null) {
response.append(responseLine.trim());
}
System.out.println(response.toString());
}
let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
headers.set('Accept', 'application/json');
fetch('https://api.hackerone.com/v1/hai/chat/completions/{id}',
{
method: 'GET',
headers: headers
})
.then(function(res) {
return res.json();
}).then(function(body) {
console.log(body);
});
package main
import (
"io/ioutil"
"log"
"net/http"
)
func main() {
headers := map[string][]string{
"Accept": []string{"application/json"},
}
req, err := http.NewRequest("GET", "https://api.hackerone.com/v1/hai/chat/completions/{id}", nil)
req.Header = headers
req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
body, _ := ioutil.ReadAll(resp.Body)
log.Println(string(body))
}
completion found
{
"data": [
{
"id": "1",
"type": "hai_chat_completion",
"attributes": {
"state": "created",
"response": "This is a response",
"created_at": "2019-01-01T00:00:00Z"
}
},
{
"id": "1",
"type": "hai_chat_completion",
"attributes": {
"state": "generating",
"response": null,
"created_at": "2020-01-01T00:00:00Z"
}
}
]
}
GET /hai/chat/completions/{id}
A GET request to retrieve and view a completion object by its ID.
The feature is available for users whose organizations have enabled Hai.
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| id | path | integer | true | The ID of the completion. |
Organizations
Get Your Organizations
Code samples
# You can also use wget
curl "https://api.hackerone.com/v1/me/organizations" \
-X GET \
-u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
-H 'Accept: application/json'
import requests
headers = {
'Accept': 'application/json'
}
r = requests.get(
'https://api.hackerone.com/v1/me/organizations',
auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
headers = headers
)
print(r.json())
require 'rest-client'
require 'json'
headers = {
'Accept' => 'application/json'
}
result = RestClient::Request.execute(
method: :get,
url: 'https://api.hackerone.com/v1/me/organizations',
password: '<YOUR_API_TOKEN>',
user: '<YOUR_API_USERNAME>',
headers: headers
)
p JSON.parse(result)
URL obj = new URL("https://api.hackerone.com/v1/me/organizations");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);
con.setRequestMethod("GET");
try(BufferedReader br = new BufferedReader(
new InputStreamReader(con.getInputStream(), "utf-8"))) {
StringBuilder response = new StringBuilder();
String responseLine = null;
while ((responseLine = br.readLine()) != null) {
response.append(responseLine.trim());
}
System.out.println(response.toString());
}
let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
headers.set('Accept', 'application/json');
fetch('https://api.hackerone.com/v1/me/organizations',
{
method: 'GET',
headers: headers
})
.then(function(res) {
return res.json();
}).then(function(body) {
console.log(body);
});
package main
import (
"io/ioutil"
"log"
"net/http"
)
func main() {
headers := map[string][]string{
"Accept": []string{"application/json"},
}
req, err := http.NewRequest("GET", "https://api.hackerone.com/v1/me/organizations", nil)
req.Header = headers
req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
body, _ := ioutil.ReadAll(resp.Body)
log.Println(string(body))
}
organizations found
{
"data": [
{
"id": "1",
"type": "organization",
"attributes": {
"handle": "security",
"created_at": "2022-09-07T08:00:00.000Z",
"updated_at": "2022-09-07T08:00:00.000Z"
}
}
],
"links": {}
}
GET /me/organizations
This API endpoint allows you to query the organization objects that you
are a member of.
The groups and members relationships are not included in the response.
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| page[number] | query | integer | false | The page to retrieve from. The default is set to 1. |
| page[size] | query | integer | false | The number of objects per page (currently limited from 1 to 100). The default is set to 25. |
Get Audit Log
Code samples
# You can also use wget
curl "https://api.hackerone.com/v1/organizations/{id}/audit_log" \
-X GET \
-u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
-H 'Accept: application/json'
import requests
headers = {
'Accept': 'application/json'
}
r = requests.get(
'https://api.hackerone.com/v1/organizations/{id}/audit_log',
auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
headers = headers
)
print(r.json())
require 'rest-client'
require 'json'
headers = {
'Accept' => 'application/json'
}
result = RestClient::Request.execute(
method: :get,
url: 'https://api.hackerone.com/v1/organizations/{id}/audit_log',
password: '<YOUR_API_TOKEN>',
user: '<YOUR_API_USERNAME>',
headers: headers
)
p JSON.parse(result)
URL obj = new URL("https://api.hackerone.com/v1/organizations/{id}/audit_log");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);
con.setRequestMethod("GET");
try(BufferedReader br = new BufferedReader(
new InputStreamReader(con.getInputStream(), "utf-8"))) {
StringBuilder response = new StringBuilder();
String responseLine = null;
while ((responseLine = br.readLine()) != null) {
response.append(responseLine.trim());
}
System.out.println(response.toString());
}
let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
headers.set('Accept', 'application/json');
fetch('https://api.hackerone.com/v1/organizations/{id}/audit_log',
{
method: 'GET',
headers: headers
})
.then(function(res) {
return res.json();
}).then(function(body) {
console.log(body);
});
package main
import (
"io/ioutil"
"log"
"net/http"
)
func main() {
headers := map[string][]string{
"Accept": []string{"application/json"},
}
req, err := http.NewRequest("GET", "https://api.hackerone.com/v1/organizations/{id}/audit_log", nil)
req.Header = headers
req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
body, _ := ioutil.ReadAll(resp.Body)
log.Println(string(body))
}
Audit logs
{
"data": [
{
"id": "2037",
"type": "audit-log-item",
"attributes": {
"log": "\"@jobert\" updated member with role \"member\" from organization \"Yahoo!\".",
"event": "organizations.members.update",
"source": "User#1",
"subject": "Member#123",
"user_agent": "Chrome/133.0.0.0",
"country": "US",
"parameters": {
"previous_role": "viewer",
"new_role": "member"
},
"created_at": "2025-02-25T12:28:07.041Z"
},
"relationships": {
"source_user": {
"id": "7",
"type": "user",
"attributes": {
"username": "jobert",
"name": "Jobert Abma",
"disabled": false,
"created_at": "2025-01-21T20:08:39.887Z",
"profile_picture": {
"62x62": "http://localhost:3000/rails/active_storage/representations/redirect/avatar_jobert_62.png",
"82x82": "http://localhost:3000/rails/active_storage/representations/redirect/avatar_jobert_82.png",
"110x110": "http://localhost:3000/rails/active_storage/representations/redirect/avatar_jobert_110.png",
"260x260": "http://localhost:3000/rails/active_storage/representations/redirect/avatar_jobert_260.png"
}
}
}
}
}
]
}
GET /organizations/{id}/audit_log
Returns a paginated list of the audit log items of the provided organization.
This API endpoint allows a user to view all audit log items that have been created for
a particular organization.
Required permissions: Organization Management. You can view audit log items and
manage the permissions of your API users through your organization's settings. Insufficient
permissions will result in the data being returned as an empty array.
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| id | path | integer | true | The ID of the organization. |
| page[number] | query | integer | false | The page to retrieve from. The default is set to 1. |
| page[size] | query | integer | false | The number of objects per page (currently limited from 1 to 100). The default is set to 25. |
Get All Eligibility Settings
Code samples
# You can also use wget
curl "https://api.hackerone.com/v1/organizations/{organization_id}/eligibility_settings" \
-X GET \
-u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
-H 'Accept: application/json'
import requests
headers = {
'Accept': 'application/json'
}
r = requests.get(
'https://api.hackerone.com/v1/organizations/{organization_id}/eligibility_settings',
auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
headers = headers
)
print(r.json())
require 'rest-client'
require 'json'
headers = {
'Accept' => 'application/json'
}
result = RestClient::Request.execute(
method: :get,
url: 'https://api.hackerone.com/v1/organizations/{organization_id}/eligibility_settings',
password: '<YOUR_API_TOKEN>',
user: '<YOUR_API_USERNAME>',
headers: headers
)
p JSON.parse(result)
URL obj = new URL("https://api.hackerone.com/v1/organizations/{organization_id}/eligibility_settings");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);
con.setRequestMethod("GET");
try(BufferedReader br = new BufferedReader(
new InputStreamReader(con.getInputStream(), "utf-8"))) {
StringBuilder response = new StringBuilder();
String responseLine = null;
while ((responseLine = br.readLine()) != null) {
response.append(responseLine.trim());
}
System.out.println(response.toString());
}
let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
headers.set('Accept', 'application/json');
fetch('https://api.hackerone.com/v1/organizations/{organization_id}/eligibility_settings',
{
method: 'GET',
headers: headers
})
.then(function(res) {
return res.json();
}).then(function(body) {
console.log(body);
});
package main
import (
"io/ioutil"
"log"
"net/http"
)
func main() {
headers := map[string][]string{
"Accept": []string{"application/json"},
}
req, err := http.NewRequest("GET", "https://api.hackerone.com/v1/organizations/{organization_id}/eligibility_settings", nil)
req.Header = headers
req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
body, _ := ioutil.ReadAll(resp.Body)
log.Println(string(body))
}
organization eligibility settings found
{
"data": [
{
"id": "1",
"type": "eligibility-setting",
"attributes": {
"allowed_domains": [
"hackerone.com"
],
"allowed_domains_enabled": true,
"name": "Organization Eligibility Settings",
"organization_id": "1",
"created_at": "2016-02-02T04:05:06.000Z",
"updated_at": "2016-02-02T04:05:06.000Z"
}
}
]
}
GET /organizations/{organization_id}/eligibility_settings
This API endpoint can be used to list all eligibility settings of an organization. When the request is
successful, the API will respond with paginated
eligibility-setting.
Required permissions: Group Manager or User Manager. You can manage the permissions of your API users through your
organization's settings. Insufficient permissions will result in a 403 Forbidden response.
You can get the ID of your organization from me/organizations endpoint.
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| organization_id | path | integer | true | The ID of the organization. |
| page[number] | query | integer | false | The page to retrieve from. The default is set to 1. |
| page[size] | query | integer | false | The number of objects per page (currently limited from 1 to 100). The default is set to 25. |
Get Eligibility Setting
Code samples
# You can also use wget
curl "https://api.hackerone.com/v1/organizations/{organization_id}/eligibility_settings/{id}" \
-X GET \
-u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
-H 'Accept: application/json'
import requests
headers = {
'Accept': 'application/json'
}
r = requests.get(
'https://api.hackerone.com/v1/organizations/{organization_id}/eligibility_settings/{id}',
auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
headers = headers
)
print(r.json())
require 'rest-client'
require 'json'
headers = {
'Accept' => 'application/json'
}
result = RestClient::Request.execute(
method: :get,
url: 'https://api.hackerone.com/v1/organizations/{organization_id}/eligibility_settings/{id}',
password: '<YOUR_API_TOKEN>',
user: '<YOUR_API_USERNAME>',
headers: headers
)
p JSON.parse(result)
URL obj = new URL("https://api.hackerone.com/v1/organizations/{organization_id}/eligibility_settings/{id}");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);
con.setRequestMethod("GET");
try(BufferedReader br = new BufferedReader(
new InputStreamReader(con.getInputStream(), "utf-8"))) {
StringBuilder response = new StringBuilder();
String responseLine = null;
while ((responseLine = br.readLine()) != null) {
response.append(responseLine.trim());
}
System.out.println(response.toString());
}
let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
headers.set('Accept', 'application/json');
fetch('https://api.hackerone.com/v1/organizations/{organization_id}/eligibility_settings/{id}',
{
method: 'GET',
headers: headers
})
.then(function(res) {
return res.json();
}).then(function(body) {
console.log(body);
});
package main
import (
"io/ioutil"
"log"
"net/http"
)
func main() {
headers := map[string][]string{
"Accept": []string{"application/json"},
}
req, err := http.NewRequest("GET", "https://api.hackerone.com/v1/organizations/{organization_id}/eligibility_settings/{id}", nil)
req.Header = headers
req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
body, _ := ioutil.ReadAll(resp.Body)
log.Println(string(body))
}
eligibility setting successfully fetched from organization
{
"data": {
"id": "1",
"type": "eligibility-setting",
"attributes": {
"allowed_domains": [
"hackerone.com"
],
"allowed_domains_enabled": true,
"name": "Organization Eligibility Settings",
"organization_id": "1",
"created_at": "2016-02-02T04:05:06.000Z",
"updated_at": "2016-02-02T04:05:06.000Z"
}
}
}
GET /organizations/{organization_id}/eligibility_settings/{id}
This API endpoint can be used to get an eligibility_setting of an organization. When the request is
successful, the API will respond with
eligibility-setting object.
Required permissions: Group Manager or User Manager. You can manage the permissions of your API users through your
organization's settings. Insufficient permissions will result in a 403 Forbidden response.
You can get the ID of your organization from me/organizations endpoint.
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| organization_id | path | integer | true | The ID of the organization. |
| id | path | integer | true | The ID of the eligibility setting. |
Get All Inboxes
Code samples
# You can also use wget
curl "https://api.hackerone.com/v1/organizations/{organization_id}/inboxes" \
-X GET \
-u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
-H 'Accept: application/json'
import requests
headers = {
'Accept': 'application/json'
}
r = requests.get(
'https://api.hackerone.com/v1/organizations/{organization_id}/inboxes',
auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
headers = headers
)
print(r.json())
require 'rest-client'
require 'json'
headers = {
'Accept' => 'application/json'
}
result = RestClient::Request.execute(
method: :get,
url: 'https://api.hackerone.com/v1/organizations/{organization_id}/inboxes',
password: '<YOUR_API_TOKEN>',
user: '<YOUR_API_USERNAME>',
headers: headers
)
p JSON.parse(result)
URL obj = new URL("https://api.hackerone.com/v1/organizations/{organization_id}/inboxes");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);
con.setRequestMethod("GET");
try(BufferedReader br = new BufferedReader(
new InputStreamReader(con.getInputStream(), "utf-8"))) {
StringBuilder response = new StringBuilder();
String responseLine = null;
while ((responseLine = br.readLine()) != null) {
response.append(responseLine.trim());
}
System.out.println(response.toString());
}
let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
headers.set('Accept', 'application/json');
fetch('https://api.hackerone.com/v1/organizations/{organization_id}/inboxes',
{
method: 'GET',
headers: headers
})
.then(function(res) {
return res.json();
}).then(function(body) {
console.log(body);
});
package main
import (
"io/ioutil"
"log"
"net/http"
)
func main() {
headers := map[string][]string{
"Accept": []string{"application/json"},
}
req, err := http.NewRequest("GET", "https://api.hackerone.com/v1/organizations/{organization_id}/inboxes", nil)
req.Header = headers
req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
body, _ := ioutil.ReadAll(resp.Body)
log.Println(string(body))
}
organization inboxes found
{
"data": [
{
"id": "<id>",
"type": "inbox",
"attributes": {
"name": "Inbox 1"
}
},
{
"id": "<id>",
"type": "inbox",
"attributes": {
"name": "Custom Inbox 2"
}
}
],
"links": {}
}
GET /organizations/{organization_id}/inboxes
This API endpoint can be used to list all inboxes of an organization. When the request is
successful, the API will respond with paginated
inbox objects.
You can get the ID of your organization from me/organizations endpoint.
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| organization_id | path | integer | true | The ID of the organization. |
| page[number] | query | integer | false | The page to retrieve from. The default is set to 1. |
| page[size] | query | integer | false | The number of objects per page (currently limited from 1 to 100). The default is set to 25. |
Get Pending Invitations
Code samples
# You can also use wget
curl "https://api.hackerone.com/v1/organizations/{organization_id}/pending_invitations" \
-X GET \
-u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
-H 'Accept: application/json'
import requests
headers = {
'Accept': 'application/json'
}
r = requests.get(
'https://api.hackerone.com/v1/organizations/{organization_id}/pending_invitations',
auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
headers = headers
)
print(r.json())
require 'rest-client'
require 'json'
headers = {
'Accept' => 'application/json'
}
result = RestClient::Request.execute(
method: :get,
url: 'https://api.hackerone.com/v1/organizations/{organization_id}/pending_invitations',
password: '<YOUR_API_TOKEN>',
user: '<YOUR_API_USERNAME>',
headers: headers
)
p JSON.parse(result)
URL obj = new URL("https://api.hackerone.com/v1/organizations/{organization_id}/pending_invitations");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);
con.setRequestMethod("GET");
try(BufferedReader br = new BufferedReader(
new InputStreamReader(con.getInputStream(), "utf-8"))) {
StringBuilder response = new StringBuilder();
String responseLine = null;
while ((responseLine = br.readLine()) != null) {
response.append(responseLine.trim());
}
System.out.println(response.toString());
}
let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
headers.set('Accept', 'application/json');
fetch('https://api.hackerone.com/v1/organizations/{organization_id}/pending_invitations',
{
method: 'GET',
headers: headers
})
.then(function(res) {
return res.json();
}).then(function(body) {
console.log(body);
});
package main
import (
"io/ioutil"
"log"
"net/http"
)
func main() {
headers := map[string][]string{
"Accept": []string{"application/json"},
}
req, err := http.NewRequest("GET", "https://api.hackerone.com/v1/organizations/{organization_id}/pending_invitations", nil)
req.Header = headers
req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
body, _ := ioutil.ReadAll(resp.Body)
log.Println(string(body))
}
invitation found
{
"data": [
{
"type": "invitation-organization-member",
"id": "1",
"attributes": {
"email": "example@hackerone.com",
"username": null,
"invited_by_id": "2",
"recipient_id": null,
"invitation_data": {
"notify": true,
"organization_admin": true,
"organization_member_group_ids": []
},
"expires_at": "2016-02-02T04:05:06.000Z",
"created_at": "2016-02-02T04:05:06.000Z",
"updated_at": "2016-02-02T04:05:06.000Z"
}
}
]
}
GET /organizations/{organization_id}/pending_invitations
This API endpoint can be used to list all open invitations of an organization. When the request is
successful, the API will respond with paginated
invitation-organization-member objects.
Required permissions: User Manager. You can manage the permissions of your API users through your
organization's settings. Insufficient permissions will result in a 403 Forbidden response.
You can get the ID of your organization from me/organizations endpoint.
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| organization_id | path | integer | true | The ID of the organization. |
| page[number] | query | integer | false | The page to retrieve from. The default is set to 1. |
| page[size] | query | integer | false | The number of objects per page (currently limited from 1 to 100). The default is set to 25. |
Create An Invitation
Code samples
# You can also use wget
curl "https://api.hackerone.com/v1/organizations/{organization_id}/invitations" \
-X POST \
-u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
-H 'Content-Type: application/json' \
-H 'Accept: application/json' \
-d @- <<EOD
{
"data": {
"type": "invitation-organization-member",
"attributes": {
"email": "string",
"organization_member_group_ids": [],
"organization_admin": true,
"notify": true
}
}
}
EOD
import requests
headers = {
'Content-Type': 'application/json',
'Accept': 'application/json'
}
data = {
"data": {
"type": "invitation-organization-member",
"attributes": {
"email": "string",
"organization_member_group_ids": [],
"organization_admin": true,
"notify": true
}
}
}
r = requests.post(
'https://api.hackerone.com/v1/organizations/{organization_id}/invitations',
auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
json = data,
headers = headers
)
print(r.json())
require 'rest-client'
require 'json'
headers = {
'Content-Type' => 'application/json',
'Accept' => 'application/json'
}
data = {
"data": {
"type": "invitation-organization-member",
"attributes": {
"email": "string",
"organization_member_group_ids": [],
"organization_admin": true,
"notify": true
}
}
}
result = RestClient::Request.execute(
method: :post,
url: 'https://api.hackerone.com/v1/organizations/{organization_id}/invitations',
password: '<YOUR_API_TOKEN>',
user: '<YOUR_API_USERNAME>',
payload: data,
headers: headers
)
p JSON.parse(result)
URL obj = new URL("https://api.hackerone.com/v1/organizations/{organization_id}/invitations");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);
con.setRequestMethod("POST");
con.setRequestProperty("Content-Type", "application/json; utf-8");
con.setRequestProperty("Accept", "application/json");
con.setDoOutput(true);
String jsonInputString = "{\n \"data\": {\n \"type\": \"invitation-organization-member\",\n \"attributes\": {\n \"email\": \"string\",\n \"organization_member_group_ids\": [],\n \"organization_admin\": true,\n \"notify\": true\n }\n }\n}";
try(OutputStream os = con.getOutputStream()) {
byte[] input = jsonInputString.getBytes("utf-8");
os.write(input, 0, input.length);
}
try(BufferedReader br = new BufferedReader(
new InputStreamReader(con.getInputStream(), "utf-8"))) {
StringBuilder response = new StringBuilder();
String responseLine = null;
while ((responseLine = br.readLine()) != null) {
response.append(responseLine.trim());
}
System.out.println(response.toString());
}
let inputBody = "{\n \"data\": {\n \"type\": \"invitation-organization-member\",\n \"attributes\": {\n \"email\": \"string\",\n \"organization_member_group_ids\": [],\n \"organization_admin\": true,\n \"notify\": true\n }\n }\n}";
let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
headers.set('Content-Type', 'application/json'); headers.set('Accept', 'application/json');
fetch('https://api.hackerone.com/v1/organizations/{organization_id}/invitations',
{
method: 'POST',
body: inputBody,
headers: headers
})
.then(function(res) {
return res.json();
}).then(function(body) {
console.log(body);
});
package main
import (
"bytes"
"io/ioutil"
"log"
"net/http"
)
func main() {
headers := map[string][]string{
"Content-Type": []string{"application/json"},
"Accept": []string{"application/json"},
}
data := bytes.NewBuffer([]byte(`"{\n \"data\": {\n \"type\": \"invitation-organization-member\",\n \"attributes\": {\n \"email\": \"string\",\n \"organization_member_group_ids\": [],\n \"organization_admin\": true,\n \"notify\": true\n }\n }\n}"`))
req, err := http.NewRequest("POST", "https://api.hackerone.com/v1/organizations/{organization_id}/invitations", data)
req.Header = headers
req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
body, _ := ioutil.ReadAll(resp.Body)
log.Println(string(body))
}
invitation created
{
"data": {
"type": "invitation-organization-member",
"id": "1",
"attributes": {
"email": "example@hackerone.com",
"username": null,
"invited_by_id": "2",
"recipient_id": null,
"invitation_data": {
"notify": true,
"organization_admin": true,
"organization_member_group_ids": []
},
"created_at": "2016-02-02T04:05:06.000Z",
"updated_at": "2016-02-02T04:05:06.000Z",
"expires_at": "2016-02-02T04:05:06.000Z"
}
}
}
POST /organizations/{organization_id}/invitations
This API endpoint can be used to invite a recipient to an organization using their email address.
This endpoint can trigger notifications.
When the request is successful, the API will respond with an
invitation-organization-member object.
Required permissions: User Manager. You can manage the permissions of your API users through your
organization's settings. Insufficient permissions will result in a 403 Forbidden response.
You can get the ID of your organization from me/organizations endpoint.
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| organization_id | path | integer | true | The ID of the organization. |
| data | body | object | true | The information to create the organization member invitation. |
| » type | body | string | true | none |
| » attributes | body | object | true | none |
| body | string | true | The invitee email. It must respect the eligibility settings of the groups and the organization. | |
| »» organization_member_group_ids | body | array | false | The organization groups IDs where the user should be added. |
| »» organization_admin | body | boolean | false | Sets the invitee as an organization admin. |
| »» notify | body | boolean | false | Activates organization notifications for the invitee. |
Enumerated Values
| Parameter | Value |
|---|---|
| » type | invitation-organization-member |
Get Group
Code samples
# You can also use wget
curl "https://api.hackerone.com/v1/organizations/{organization_id}/groups/{id}" \
-X GET \
-u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
-H 'Accept: application/json'
import requests
headers = {
'Accept': 'application/json'
}
r = requests.get(
'https://api.hackerone.com/v1/organizations/{organization_id}/groups/{id}',
auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
headers = headers
)
print(r.json())
require 'rest-client'
require 'json'
headers = {
'Accept' => 'application/json'
}
result = RestClient::Request.execute(
method: :get,
url: 'https://api.hackerone.com/v1/organizations/{organization_id}/groups/{id}',
password: '<YOUR_API_TOKEN>',
user: '<YOUR_API_USERNAME>',
headers: headers
)
p JSON.parse(result)
URL obj = new URL("https://api.hackerone.com/v1/organizations/{organization_id}/groups/{id}");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);
con.setRequestMethod("GET");
try(BufferedReader br = new BufferedReader(
new InputStreamReader(con.getInputStream(), "utf-8"))) {
StringBuilder response = new StringBuilder();
String responseLine = null;
while ((responseLine = br.readLine()) != null) {
response.append(responseLine.trim());
}
System.out.println(response.toString());
}
let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
headers.set('Accept', 'application/json');
fetch('https://api.hackerone.com/v1/organizations/{organization_id}/groups/{id}',
{
method: 'GET',
headers: headers
})
.then(function(res) {
return res.json();
}).then(function(body) {
console.log(body);
});
package main
import (
"io/ioutil"
"log"
"net/http"
)
func main() {
headers := map[string][]string{
"Accept": []string{"application/json"},
}
req, err := http.NewRequest("GET", "https://api.hackerone.com/v1/organizations/{organization_id}/groups/{id}", nil)
req.Header = headers
req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
body, _ := ioutil.ReadAll(resp.Body)
log.Println(string(body))
}
organization member group found
{
"data": {
"id": "<id>",
"type": "organization-member-group",
"attributes": {
"name": "Standard2",
"organization_id": "<id>",
"eligibility_setting_id": "<id>",
"permissions": [
"read_only_member"
],
"created_at": "<date>",
"updated_at": "<date>",
"migrated_at": null
},
"relationships": {
"organization_members": {
"data": [
{
"id": "<id>",
"type": "organization-member",
"attributes": {
"organization_id": "<id>",
"user_id": "<id>",
"email": "user2@hackerone.com",
"organization_admin": true,
"created_at": "<date>",
"updated_at": "<date>",
"last_sign_in_at": "<date>"
}
}
]
},
"programs": {
"data": [
{
"id": "<id>",
"type": "program",
"attributes": {
"handle": "program",
"created_at": "<date>",
"updated_at": "<date>"
}
}
]
},
"inboxes": {
"data": [
{
"id": "<id>",
"type": "inbox",
"attributes": {
"name": "default inbox for inbox",
"type": "default"
}
}
]
}
}
}
}
GET /organizations/{organization_id}/groups/{id}
This API endpoint can be used to get a group of an organization. When the request is
successful, the API will respond with
organization-member-group object.
Required permissions: Group Manager or User Manager. You can manage the permissions of your API users through your organization's settings. Insufficient permissions will result in a 403 Forbidden response.
You can get the ID of your organization from me/organizations endpoint.
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| organization_id | path | integer | true | The ID of the organization. |
| id | path | integer | true | The ID of the group. |
Update Group
Code samples
# You can also use wget
curl "https://api.hackerone.com/v1/organizations/{organization_id}/groups/{id}" \
-X PUT \
-u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
-H 'Content-Type: application/json' \
-H 'Accept: application/json' \
-d @- <<EOD
{
"data": {
"type": "organization-member-group",
"attributes": {
"name": "string",
"eligibility_setting_id": 0,
"permissions": [
"string"
]
},
"relationships": {
"organization_members": {
"data": [
{
"id": 0,
"type": "organization-member"
}
]
},
"programs": {
"data": [
{
"id": 0,
"type": "program"
}
]
},
"inboxes": {
"data": [
{
"id": 0,
"type": "inbox"
}
]
}
}
}
}
EOD
import requests
headers = {
'Content-Type': 'application/json',
'Accept': 'application/json'
}
data = {
"data": {
"type": "organization-member-group",
"attributes": {
"name": "string",
"eligibility_setting_id": 0,
"permissions": [
"string"
]
},
"relationships": {
"organization_members": {
"data": [
{
"id": 0,
"type": "organization-member"
}
]
},
"programs": {
"data": [
{
"id": 0,
"type": "program"
}
]
},
"inboxes": {
"data": [
{
"id": 0,
"type": "inbox"
}
]
}
}
}
}
r = requests.put(
'https://api.hackerone.com/v1/organizations/{organization_id}/groups/{id}',
auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
json = data,
headers = headers
)
print(r.json())
require 'rest-client'
require 'json'
headers = {
'Content-Type' => 'application/json',
'Accept' => 'application/json'
}
data = {
"data": {
"type": "organization-member-group",
"attributes": {
"name": "string",
"eligibility_setting_id": 0,
"permissions": [
"string"
]
},
"relationships": {
"organization_members": {
"data": [
{
"id": 0,
"type": "organization-member"
}
]
},
"programs": {
"data": [
{
"id": 0,
"type": "program"
}
]
},
"inboxes": {
"data": [
{
"id": 0,
"type": "inbox"
}
]
}
}
}
}
result = RestClient::Request.execute(
method: :put,
url: 'https://api.hackerone.com/v1/organizations/{organization_id}/groups/{id}',
password: '<YOUR_API_TOKEN>',
user: '<YOUR_API_USERNAME>',
payload: data,
headers: headers
)
p JSON.parse(result)
URL obj = new URL("https://api.hackerone.com/v1/organizations/{organization_id}/groups/{id}");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);
con.setRequestMethod("PUT");
con.setRequestProperty("Content-Type", "application/json; utf-8");
con.setRequestProperty("Accept", "application/json");
con.setDoOutput(true);
String jsonInputString = "{\n \"data\": {\n \"type\": \"organization-member-group\",\n \"attributes\": {\n \"name\": \"string\",\n \"eligibility_setting_id\": 0,\n \"permissions\": [\n \"string\"\n ]\n },\n \"relationships\": {\n \"organization_members\": {\n \"data\": [\n {\n \"id\": 0,\n \"type\": \"organization-member\"\n }\n ]\n },\n \"programs\": {\n \"data\": [\n {\n \"id\": 0,\n \"type\": \"program\"\n }\n ]\n },\n \"inboxes\": {\n \"data\": [\n {\n \"id\": 0,\n \"type\": \"inbox\"\n }\n ]\n }\n }\n }\n}";
try(OutputStream os = con.getOutputStream()) {
byte[] input = jsonInputString.getBytes("utf-8");
os.write(input, 0, input.length);
}
try(BufferedReader br = new BufferedReader(
new InputStreamReader(con.getInputStream(), "utf-8"))) {
StringBuilder response = new StringBuilder();
String responseLine = null;
while ((responseLine = br.readLine()) != null) {
response.append(responseLine.trim());
}
System.out.println(response.toString());
}
let inputBody = "{\n \"data\": {\n \"type\": \"organization-member-group\",\n \"attributes\": {\n \"name\": \"string\",\n \"eligibility_setting_id\": 0,\n \"permissions\": [\n \"string\"\n ]\n },\n \"relationships\": {\n \"organization_members\": {\n \"data\": [\n {\n \"id\": 0,\n \"type\": \"organization-member\"\n }\n ]\n },\n \"programs\": {\n \"data\": [\n {\n \"id\": 0,\n \"type\": \"program\"\n }\n ]\n },\n \"inboxes\": {\n \"data\": [\n {\n \"id\": 0,\n \"type\": \"inbox\"\n }\n ]\n }\n }\n }\n}";
let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
headers.set('Content-Type', 'application/json'); headers.set('Accept', 'application/json');
fetch('https://api.hackerone.com/v1/organizations/{organization_id}/groups/{id}',
{
method: 'PUT',
body: inputBody,
headers: headers
})
.then(function(res) {
return res.json();
}).then(function(body) {
console.log(body);
});
package main
import (
"bytes"
"io/ioutil"
"log"
"net/http"
)
func main() {
headers := map[string][]string{
"Content-Type": []string{"application/json"},
"Accept": []string{"application/json"},
}
data := bytes.NewBuffer([]byte(`"{\n \"data\": {\n \"type\": \"organization-member-group\",\n \"attributes\": {\n \"name\": \"string\",\n \"eligibility_setting_id\": 0,\n \"permissions\": [\n \"string\"\n ]\n },\n \"relationships\": {\n \"organization_members\": {\n \"data\": [\n {\n \"id\": 0,\n \"type\": \"organization-member\"\n }\n ]\n },\n \"programs\": {\n \"data\": [\n {\n \"id\": 0,\n \"type\": \"program\"\n }\n ]\n },\n \"inboxes\": {\n \"data\": [\n {\n \"id\": 0,\n \"type\": \"inbox\"\n }\n ]\n }\n }\n }\n}"`))
req, err := http.NewRequest("PUT", "https://api.hackerone.com/v1/organizations/{organization_id}/groups/{id}", data)
req.Header = headers
req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
body, _ := ioutil.ReadAll(resp.Body)
log.Println(string(body))
}
organization member group updated
{
"data": {
"id": "<id>",
"type": "organization-member-group",
"attributes": {
"name": "Standard3",
"organization_id": "<id>",
"eligibility_setting_id": "<id>",
"permissions": [
"report_analyst",
"read_only_member"
],
"created_at": "<date>",
"updated_at": "<date>",
"migrated_at": null
},
"relationships": {
"organization_members": {
"data": [
{
"id": "<id>",
"type": "organization-member",
"attributes": {
"organization_id": "<id>",
"user_id": "<id>",
"email": "user@hackerone.com",
"organization_admin": false,
"created_at": "<date>",
"updated_at": "<date>",
"last_sign_in_at": "<date>"
}
}
]
},
"programs": {
"data": [
{
"id": "<id>",
"type": "program",
"attributes": {
"handle": "user-management-api",
"created_at": "<date>",
"updated_at": "<date>"
}
}
]
},
"inboxes": {
"data": [
{
"id": "<id>",
"type": "inbox",
"attributes": {
"name": "User management api inbox",
"type": "default"
}
}
]
}
}
}
}
PUT /organizations/{organization_id}/groups/{id}
This endpoint can be used to update an organization member group. When the API request is successful, an organization member group object will be returned.
It is possible to update members and programs users have access to via organization_members and programs relationships.
Required permissions: Group Manager. You can manage the permissions of your API users through your organization's settings. Insufficient permissions will result in a 403 Forbidden response.
You can get the ID of your organization from me/organizations endpoint.
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| organization_id | path | integer | true | The ID of the organization. |
| id | path | integer | true | The ID of the organization member group. |
| data | body | object | true | The information to update an organization member. |
| » type | body | string | true | none |
| » attributes | body | object | true | none |
| »» name | body | string | false | The name of the organization member group. |
| »» eligibility_setting_id | body | integer | false | The ID of the eligibility setting. |
| »» permissions | body | [string] | false | The permissions added to the new organization group. Possible values are: asset_inventory_manager, asset_inventory_viewer, group_manager, program_admin, read_only_member, report_analyst, report_reward_manager and user_manager. |
| » relationships | body | object | false | none |
| »» organization_members | body | object | false | A list of members for the organization member group. |
| »»» data | body | [any] | true | none |
| »» programs | body | object | false | A list of programs for the organization member group. |
| »»» data | body | [any] | true | none |
| »» inboxes | body | object | false | A list of inboxes for the organization member group. |
| »»» data | body | [any] | true | none |
Detailed descriptions
»» programs: A list of programs for the organization member group.
Ensure that when adding a program, the related inbox is also added to the group.
You can retrieve all inboxes of an organization through the get all inboxes endpoint.
»» inboxes: A list of inboxes for the organization member group.
Ensure that when adding a non-custom inbox, the related program is also added to the group.
You can retrieve all programs of an organization through the get all programs endpoint.
Enumerated Values
| Parameter | Value |
|---|---|
| » type | organization-member-group |
Get All Groups
Code samples
# You can also use wget
curl "https://api.hackerone.com/v1/organizations/{organization_id}/groups" \
-X GET \
-u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
-H 'Accept: application/json'
import requests
headers = {
'Accept': 'application/json'
}
r = requests.get(
'https://api.hackerone.com/v1/organizations/{organization_id}/groups',
auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
headers = headers
)
print(r.json())
require 'rest-client'
require 'json'
headers = {
'Accept' => 'application/json'
}
result = RestClient::Request.execute(
method: :get,
url: 'https://api.hackerone.com/v1/organizations/{organization_id}/groups',
password: '<YOUR_API_TOKEN>',
user: '<YOUR_API_USERNAME>',
headers: headers
)
p JSON.parse(result)
URL obj = new URL("https://api.hackerone.com/v1/organizations/{organization_id}/groups");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);
con.setRequestMethod("GET");
try(BufferedReader br = new BufferedReader(
new InputStreamReader(con.getInputStream(), "utf-8"))) {
StringBuilder response = new StringBuilder();
String responseLine = null;
while ((responseLine = br.readLine()) != null) {
response.append(responseLine.trim());
}
System.out.println(response.toString());
}
let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
headers.set('Accept', 'application/json');
fetch('https://api.hackerone.com/v1/organizations/{organization_id}/groups',
{
method: 'GET',
headers: headers
})
.then(function(res) {
return res.json();
}).then(function(body) {
console.log(body);
});
package main
import (
"io/ioutil"
"log"
"net/http"
)
func main() {
headers := map[string][]string{
"Accept": []string{"application/json"},
}
req, err := http.NewRequest("GET", "https://api.hackerone.com/v1/organizations/{organization_id}/groups", nil)
req.Header = headers
req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
body, _ := ioutil.ReadAll(resp.Body)
log.Println(string(body))
}
organization member groups found
{
"data": [
{
"id": "<id>",
"type": "organization-member-group",
"attributes": {
"name": "User managers",
"organization_id": "<id>",
"eligibility_setting_id": null,
"permissions": [
"group_manager"
],
"created_at": "<date>",
"updated_at": "<date>",
"migrated_at": null
}
},
{
"id": "<id>",
"type": "organization-member-group",
"attributes": {
"name": "Standard1",
"organization_id": "<id>",
"eligibility_setting_id": "<id>",
"permissions": [
"read_only_member"
],
"created_at": "<date>",
"updated_at": "<date>",
"migrated_at": null
}
},
{
"id": "<id>",
"type": "organization-member-group",
"attributes": {
"name": "Standard2",
"organization_id": "<id>",
"eligibility_setting_id": "<id>",
"permissions": [
"read_only_member"
],
"created_at": "<date>",
"updated_at": "<date>",
"migrated_at": null
}
}
],
"links": {}
}
GET /organizations/{organization_id}/groups
This API endpoint can be used to list all groups of an organization. When the request is
successful, the API will respond with paginated
organization-member-group objects.
Required permissions: Group Manager or User Manager. You can manage the permissions of your API users through your organization's settings. Insufficient permissions will result in a 403 Forbidden response.
You can get the ID of your organization from me/organizations endpoint.
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| organization_id | path | integer | true | The ID of the organization. |
| page[number] | query | integer | false | The page to retrieve from. The default is set to 1. |
| page[size] | query | integer | false | The number of objects per page (currently limited from 1 to 100). The default is set to 25. |
Create Group
Code samples
# You can also use wget
curl "https://api.hackerone.com/v1/organizations/{organization_id}/groups" \
-X POST \
-u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
-H 'Content-Type: application/json' \
-H 'Accept: application/json' \
-d @- <<EOD
{
"data": {
"type": "organization-member-group",
"attributes": {
"name": "string",
"permissions": [],
"eligibility_setting_id": 0
},
"relationships": {
"organization_members": {
"data": [
{
"id": 0,
"type": "organization-member"
}
]
},
"programs": {
"data": [
{
"id": 0,
"type": "program"
}
]
},
"inboxes": {
"data": [
{
"id": 0,
"type": "inbox"
}
]
}
}
}
}
EOD
import requests
headers = {
'Content-Type': 'application/json',
'Accept': 'application/json'
}
data = {
"data": {
"type": "organization-member-group",
"attributes": {
"name": "string",
"permissions": [],
"eligibility_setting_id": 0
},
"relationships": {
"organization_members": {
"data": [
{
"id": 0,
"type": "organization-member"
}
]
},
"programs": {
"data": [
{
"id": 0,
"type": "program"
}
]
},
"inboxes": {
"data": [
{
"id": 0,
"type": "inbox"
}
]
}
}
}
}
r = requests.post(
'https://api.hackerone.com/v1/organizations/{organization_id}/groups',
auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
json = data,
headers = headers
)
print(r.json())
require 'rest-client'
require 'json'
headers = {
'Content-Type' => 'application/json',
'Accept' => 'application/json'
}
data = {
"data": {
"type": "organization-member-group",
"attributes": {
"name": "string",
"permissions": [],
"eligibility_setting_id": 0
},
"relationships": {
"organization_members": {
"data": [
{
"id": 0,
"type": "organization-member"
}
]
},
"programs": {
"data": [
{
"id": 0,
"type": "program"
}
]
},
"inboxes": {
"data": [
{
"id": 0,
"type": "inbox"
}
]
}
}
}
}
result = RestClient::Request.execute(
method: :post,
url: 'https://api.hackerone.com/v1/organizations/{organization_id}/groups',
password: '<YOUR_API_TOKEN>',
user: '<YOUR_API_USERNAME>',
payload: data,
headers: headers
)
p JSON.parse(result)
URL obj = new URL("https://api.hackerone.com/v1/organizations/{organization_id}/groups");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);
con.setRequestMethod("POST");
con.setRequestProperty("Content-Type", "application/json; utf-8");
con.setRequestProperty("Accept", "application/json");
con.setDoOutput(true);
String jsonInputString = "{\n \"data\": {\n \"type\": \"organization-member-group\",\n \"attributes\": {\n \"name\": \"string\",\n \"permissions\": [],\n \"eligibility_setting_id\": 0\n },\n \"relationships\": {\n \"organization_members\": {\n \"data\": [\n {\n \"id\": 0,\n \"type\": \"organization-member\"\n }\n ]\n },\n \"programs\": {\n \"data\": [\n {\n \"id\": 0,\n \"type\": \"program\"\n }\n ]\n },\n \"inboxes\": {\n \"data\": [\n {\n \"id\": 0,\n \"type\": \"inbox\"\n }\n ]\n }\n }\n }\n}";
try(OutputStream os = con.getOutputStream()) {
byte[] input = jsonInputString.getBytes("utf-8");
os.write(input, 0, input.length);
}
try(BufferedReader br = new BufferedReader(
new InputStreamReader(con.getInputStream(), "utf-8"))) {
StringBuilder response = new StringBuilder();
String responseLine = null;
while ((responseLine = br.readLine()) != null) {
response.append(responseLine.trim());
}
System.out.println(response.toString());
}
let inputBody = "{\n \"data\": {\n \"type\": \"organization-member-group\",\n \"attributes\": {\n \"name\": \"string\",\n \"permissions\": [],\n \"eligibility_setting_id\": 0\n },\n \"relationships\": {\n \"organization_members\": {\n \"data\": [\n {\n \"id\": 0,\n \"type\": \"organization-member\"\n }\n ]\n },\n \"programs\": {\n \"data\": [\n {\n \"id\": 0,\n \"type\": \"program\"\n }\n ]\n },\n \"inboxes\": {\n \"data\": [\n {\n \"id\": 0,\n \"type\": \"inbox\"\n }\n ]\n }\n }\n }\n}";
let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
headers.set('Content-Type', 'application/json'); headers.set('Accept', 'application/json');
fetch('https://api.hackerone.com/v1/organizations/{organization_id}/groups',
{
method: 'POST',
body: inputBody,
headers: headers
})
.then(function(res) {
return res.json();
}).then(function(body) {
console.log(body);
});
package main
import (
"bytes"
"io/ioutil"
"log"
"net/http"
)
func main() {
headers := map[string][]string{
"Content-Type": []string{"application/json"},
"Accept": []string{"application/json"},
}
data := bytes.NewBuffer([]byte(`"{\n \"data\": {\n \"type\": \"organization-member-group\",\n \"attributes\": {\n \"name\": \"string\",\n \"permissions\": [],\n \"eligibility_setting_id\": 0\n },\n \"relationships\": {\n \"organization_members\": {\n \"data\": [\n {\n \"id\": 0,\n \"type\": \"organization-member\"\n }\n ]\n },\n \"programs\": {\n \"data\": [\n {\n \"id\": 0,\n \"type\": \"program\"\n }\n ]\n },\n \"inboxes\": {\n \"data\": [\n {\n \"id\": 0,\n \"type\": \"inbox\"\n }\n ]\n }\n }\n }\n}"`))
req, err := http.NewRequest("POST", "https://api.hackerone.com/v1/organizations/{organization_id}/groups", data)
req.Header = headers
req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
body, _ := ioutil.ReadAll(resp.Body)
log.Println(string(body))
}
organization group created
{
"data": {
"id": "<id>",
"type": "organization-member-group",
"attributes": {
"name": "organization_member_group4",
"organization_id": "<id>",
"eligibility_setting_id": null,
"permissions": [
"read_only_member"
],
"created_at": "<date>",
"updated_at": "<date>",
"migrated_at": null
},
"relationships": {
"organization_members": {
"data": [
{
"id": "<id>",
"type": "organization-member",
"attributes": {
"organization_id": "<id>",
"user_id": "<id>",
"email": "user4@hackerone.com",
"organization_admin": false,
"created_at": "<date>",
"updated_at": "<date>",
"last_sign_in_at": "<date>"
}
}
]
},
"programs": {
"data": [
{
"id": "<id>",
"type": "program",
"attributes": {
"handle": "user-management-api",
"created_at": "<date>",
"updated_at": "<date>"
}
}
]
},
"inboxes": {
"data": [
{
"id": "<id>",
"type": "inbox",
"attributes": {
"name": "User management api inbox",
"type": "default"
}
}
]
}
}
}
}
POST /organizations/{organization_id}/groups
This API endpoint can be used to create a new organization group. When the request is successful the API will
respond with an organization group object.
It is possible to add users to the new organization group by including a list of organization members as
relationships. A list of organization members can be obtained at organizations/{organization_id}/members
It is possible to add programs to the new organization group by including a list of programs as relationships.
Required permissions: Group Manager. You can manage the permissions of your API users through your organization's settings. Insufficient permissions will result in a 403 Forbidden response.
You can get the ID of your organization from me/organizations endpoint.
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| organization_id | path | integer | true | The ID of the organization. |
| data | body | object | true | The information to create the organization group. |
| » type | body | string | true | none |
| » attributes | body | object | true | none |
| »» name | body | string | true | The name of the new organization group. |
| »» permissions | body | array | true | The permissions added to the new organization group. Possible values are: asset_inventory_manager, asset_inventory_viewer, group_manager, program_admin, read_only_member, report_analyst, report_reward_manager and user_manager. |
| »» eligibility_setting_id | body | integer | false | The id of the eligibility settings. |
| » relationships | body | object | false | none |
| »» organization_members | body | object | false | A list of members for the organization member group. |
| »»» data | body | [any] | true | none |
| »» programs | body | object | false | A list of programs for the organization member group. |
| »»» data | body | [any] | true | none |
| »» inboxes | body | object | false | A list of inboxes for the organization member group. |
| »»» data | body | [any] | true | none |
Detailed descriptions
»» programs: A list of programs for the organization member group.
Ensure that when adding a program, the related inbox is also added to the group.
You can retrieve all inboxes of an organization through the get all inboxes endpoint.
»» inboxes: A list of inboxes for the organization member group.
Ensure that when adding a non-custom inbox, the related program is also added to the group.
You can retrieve all programs of an organization through the get all programs endpoint.
Enumerated Values
| Parameter | Value |
|---|---|
| » type | organization-member-group |
Get All Members
Code samples
# You can also use wget
curl "https://api.hackerone.com/v1/organizations/{organization_id}/members" \
-X GET \
-u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
-H 'Accept: application/json'
import requests
headers = {
'Accept': 'application/json'
}
r = requests.get(
'https://api.hackerone.com/v1/organizations/{organization_id}/members',
auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
headers = headers
)
print(r.json())
require 'rest-client'
require 'json'
headers = {
'Accept' => 'application/json'
}
result = RestClient::Request.execute(
method: :get,
url: 'https://api.hackerone.com/v1/organizations/{organization_id}/members',
password: '<YOUR_API_TOKEN>',
user: '<YOUR_API_USERNAME>',
headers: headers
)
p JSON.parse(result)
URL obj = new URL("https://api.hackerone.com/v1/organizations/{organization_id}/members");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);
con.setRequestMethod("GET");
try(BufferedReader br = new BufferedReader(
new InputStreamReader(con.getInputStream(), "utf-8"))) {
StringBuilder response = new StringBuilder();
String responseLine = null;
while ((responseLine = br.readLine()) != null) {
response.append(responseLine.trim());
}
System.out.println(response.toString());
}
let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
headers.set('Accept', 'application/json');
fetch('https://api.hackerone.com/v1/organizations/{organization_id}/members',
{
method: 'GET',
headers: headers
})
.then(function(res) {
return res.json();
}).then(function(body) {
console.log(body);
});
package main
import (
"io/ioutil"
"log"
"net/http"
)
func main() {
headers := map[string][]string{
"Accept": []string{"application/json"},
}
req, err := http.NewRequest("GET", "https://api.hackerone.com/v1/organizations/{organization_id}/members", nil)
req.Header = headers
req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
body, _ := ioutil.ReadAll(resp.Body)
log.Println(string(body))
}
organization members found
{
"data": [
{
"id": "1",
"type": "organization-member",
"attributes": {
"organization_id": "3",
"user_id": "5",
"email": "example@hackerone.com",
"organization_admin": true,
"created_at": "2016-02-02T04:05:06.000Z",
"updated_at": "2016-02-02T04:05:06.000Z",
"last_sign_in_at": "2023-11-24T21:24:31.102Z"
},
"relationships": {
"organization_member_groups": {
"data": [
{
"id": "2",
"type": "organization-member-group",
"attributes": {
"name": "Standard1",
"organization_id": "3",
"eligibility_setting_id": "4",
"permissions": [
"read_only_member"
],
"created_at": "2016-02-02T04:05:06.000Z",
"updated_at": "2016-02-02T04:05:06.000Z",
"migrated_at": null
}
}
]
}
}
}
],
"links": {}
}
GET /organizations/{organization_id}/members
This API endpoint can be used to list all members of an organization. When the request is
successful, the API will respond with paginated organization member objects.
Required permissions: User Manager or Groups Manager. You can manage the permissions of your API users through your organization's settings. Insufficient permissions will result in a 401 Unauthorized response.
You can get the ID of your organization from me/organizations endpoint.
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| organization_id | path | integer | true | The ID of the organization. |
| page[number] | query | integer | false | The page to retrieve from. The default is set to 1. |
| page[size] | query | integer | false | The number of objects per page (currently limited from 1 to 100). The default is set to 25. |
Get Member
Code samples
# You can also use wget
curl "https://api.hackerone.com/v1/organizations/{organization_id}/members/{id}" \
-X GET \
-u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
-H 'Accept: application/json'
import requests
headers = {
'Accept': 'application/json'
}
r = requests.get(
'https://api.hackerone.com/v1/organizations/{organization_id}/members/{id}',
auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
headers = headers
)
print(r.json())
require 'rest-client'
require 'json'
headers = {
'Accept' => 'application/json'
}
result = RestClient::Request.execute(
method: :get,
url: 'https://api.hackerone.com/v1/organizations/{organization_id}/members/{id}',
password: '<YOUR_API_TOKEN>',
user: '<YOUR_API_USERNAME>',
headers: headers
)
p JSON.parse(result)
URL obj = new URL("https://api.hackerone.com/v1/organizations/{organization_id}/members/{id}");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);
con.setRequestMethod("GET");
try(BufferedReader br = new BufferedReader(
new InputStreamReader(con.getInputStream(), "utf-8"))) {
StringBuilder response = new StringBuilder();
String responseLine = null;
while ((responseLine = br.readLine()) != null) {
response.append(responseLine.trim());
}
System.out.println(response.toString());
}
let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
headers.set('Accept', 'application/json');
fetch('https://api.hackerone.com/v1/organizations/{organization_id}/members/{id}',
{
method: 'GET',
headers: headers
})
.then(function(res) {
return res.json();
}).then(function(body) {
console.log(body);
});
package main
import (
"io/ioutil"
"log"
"net/http"
)
func main() {
headers := map[string][]string{
"Accept": []string{"application/json"},
}
req, err := http.NewRequest("GET", "https://api.hackerone.com/v1/organizations/{organization_id}/members/{id}", nil)
req.Header = headers
req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
body, _ := ioutil.ReadAll(resp.Body)
log.Println(string(body))
}
member successfully fetched from organization
{
"data": {
"id": "1",
"type": "organization-member",
"attributes": {
"organization_id": "3",
"user_id": "5",
"email": "example@hackerone.com",
"organization_admin": true,
"created_at": "2016-02-02T04:05:06.000Z",
"updated_at": "2016-02-02T04:05:06.000Z",
"last_sign_in_at": "2023-11-24T21:24:31.102Z"
},
"relationships": {
"organization_member_groups": {
"data": [
{
"id": "2",
"type": "organization-member-group",
"attributes": {
"name": "Standard1",
"organization_id": "3",
"eligibility_setting_id": "4",
"permissions": [
"read_only_member"
],
"created_at": "2016-02-02T04:05:06.000Z",
"updated_at": "2016-02-02T04:05:06.000Z",
"migrated_at": null
}
}
]
}
}
}
}
GET /organizations/{organization_id}/members/{id}
This API endpoint can be used to get a member of an organization. When the request is
successful, the API will respond with
organization-member object.
Required permissions: User Manager or Groups Manager. You can manage the permissions of your API users through your organization's settings. Insufficient permissions will result in a 401 Unauthorized response.
You can get the ID of your organization from me/organizations endpoint.
You can get the IDs of your organization members from get all members endpoint.
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| organization_id | path | integer | true | The ID of the organization. |
| id | path | integer | true | The ID of the member. |
Remove Member
Code samples
# You can also use wget
curl "https://api.hackerone.com/v1/organizations/{organization_id}/members/{id}" \
-X DELETE \
-u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
-H 'Accept: application/json'
import requests
headers = {
'Accept': 'application/json'
}
r = requests.delete(
'https://api.hackerone.com/v1/organizations/{organization_id}/members/{id}',
auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
headers = headers
)
print(r.json())
require 'rest-client'
require 'json'
headers = {
'Accept' => 'application/json'
}
result = RestClient::Request.execute(
method: :delete,
url: 'https://api.hackerone.com/v1/organizations/{organization_id}/members/{id}',
password: '<YOUR_API_TOKEN>',
user: '<YOUR_API_USERNAME>',
headers: headers
)
p JSON.parse(result)
URL obj = new URL("https://api.hackerone.com/v1/organizations/{organization_id}/members/{id}");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);
con.setRequestMethod("DELETE");
try(BufferedReader br = new BufferedReader(
new InputStreamReader(con.getInputStream(), "utf-8"))) {
StringBuilder response = new StringBuilder();
String responseLine = null;
while ((responseLine = br.readLine()) != null) {
response.append(responseLine.trim());
}
System.out.println(response.toString());
}
let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
headers.set('Accept', 'application/json');
fetch('https://api.hackerone.com/v1/organizations/{organization_id}/members/{id}',
{
method: 'DELETE',
headers: headers
})
.then(function(res) {
return res.json();
}).then(function(body) {
console.log(body);
});
package main
import (
"io/ioutil"
"log"
"net/http"
)
func main() {
headers := map[string][]string{
"Accept": []string{"application/json"},
}
req, err := http.NewRequest("DELETE", "https://api.hackerone.com/v1/organizations/{organization_id}/members/{id}", nil)
req.Header = headers
req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
body, _ := ioutil.ReadAll(resp.Body)
log.Println(string(body))
}
member successfully removed from organization
{
"data": {
"success": true,
"message": "Member successfully removed from organization"
}
}
DELETE /organizations/{organization_id}/members/{id}
This API endpoint can be used to delete a member of an organization. When the request is
successful, the API will respond with a successfully message.
Required permissions: User Manager. You can manage the permissions of your API users through your organization's settings. Insufficient permissions will result in a 401 Unauthorized response.
Trying to remove an organization admin with an api token that is not an organization admin will return error 403 Forbidden.
You can get the ID of your organization from me/organizations endpoint.
You can get the IDs of your organization members from get all members endpoint.
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| organization_id | path | integer | true | The ID of the organization. |
| id | path | integer | true | The ID of the member. |
Update Member
Code samples
# You can also use wget
curl "https://api.hackerone.com/v1/organizations/{organization_id}/members/{id}" \
-X PUT \
-u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
-H 'Content-Type: application/json' \
-H 'Accept: application/json' \
-d @- <<EOD
{
"data": {
"type": "organization-member",
"attributes": {
"organization_admin": true
},
"relationships": {
"organization_member_groups": {
"data": [
{
"id": 0,
"type": "organization-member-group"
}
]
}
}
}
}
EOD
import requests
headers = {
'Content-Type': 'application/json',
'Accept': 'application/json'
}
data = {
"data": {
"type": "organization-member",
"attributes": {
"organization_admin": true
},
"relationships": {
"organization_member_groups": {
"data": [
{
"id": 0,
"type": "organization-member-group"
}
]
}
}
}
}
r = requests.put(
'https://api.hackerone.com/v1/organizations/{organization_id}/members/{id}',
auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
json = data,
headers = headers
)
print(r.json())
require 'rest-client'
require 'json'
headers = {
'Content-Type' => 'application/json',
'Accept' => 'application/json'
}
data = {
"data": {
"type": "organization-member",
"attributes": {
"organization_admin": true
},
"relationships": {
"organization_member_groups": {
"data": [
{
"id": 0,
"type": "organization-member-group"
}
]
}
}
}
}
result = RestClient::Request.execute(
method: :put,
url: 'https://api.hackerone.com/v1/organizations/{organization_id}/members/{id}',
password: '<YOUR_API_TOKEN>',
user: '<YOUR_API_USERNAME>',
payload: data,
headers: headers
)
p JSON.parse(result)
URL obj = new URL("https://api.hackerone.com/v1/organizations/{organization_id}/members/{id}");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);
con.setRequestMethod("PUT");
con.setRequestProperty("Content-Type", "application/json; utf-8");
con.setRequestProperty("Accept", "application/json");
con.setDoOutput(true);
String jsonInputString = "{\n \"data\": {\n \"type\": \"organization-member\",\n \"attributes\": {\n \"organization_admin\": true\n },\n \"relationships\": {\n \"organization_member_groups\": {\n \"data\": [\n {\n \"id\": 0,\n \"type\": \"organization-member-group\"\n }\n ]\n }\n }\n }\n}";
try(OutputStream os = con.getOutputStream()) {
byte[] input = jsonInputString.getBytes("utf-8");
os.write(input, 0, input.length);
}
try(BufferedReader br = new BufferedReader(
new InputStreamReader(con.getInputStream(), "utf-8"))) {
StringBuilder response = new StringBuilder();
String responseLine = null;
while ((responseLine = br.readLine()) != null) {
response.append(responseLine.trim());
}
System.out.println(response.toString());
}
let inputBody = "{\n \"data\": {\n \"type\": \"organization-member\",\n \"attributes\": {\n \"organization_admin\": true\n },\n \"relationships\": {\n \"organization_member_groups\": {\n \"data\": [\n {\n \"id\": 0,\n \"type\": \"organization-member-group\"\n }\n ]\n }\n }\n }\n}";
let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
headers.set('Content-Type', 'application/json'); headers.set('Accept', 'application/json');
fetch('https://api.hackerone.com/v1/organizations/{organization_id}/members/{id}',
{
method: 'PUT',
body: inputBody,
headers: headers
})
.then(function(res) {
return res.json();
}).then(function(body) {
console.log(body);
});
package main
import (
"bytes"
"io/ioutil"
"log"
"net/http"
)
func main() {
headers := map[string][]string{
"Content-Type": []string{"application/json"},
"Accept": []string{"application/json"},
}
data := bytes.NewBuffer([]byte(`"{\n \"data\": {\n \"type\": \"organization-member\",\n \"attributes\": {\n \"organization_admin\": true\n },\n \"relationships\": {\n \"organization_member_groups\": {\n \"data\": [\n {\n \"id\": 0,\n \"type\": \"organization-member-group\"\n }\n ]\n }\n }\n }\n}"`))
req, err := http.NewRequest("PUT", "https://api.hackerone.com/v1/organizations/{organization_id}/members/{id}", data)
req.Header = headers
req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
body, _ := ioutil.ReadAll(resp.Body)
log.Println(string(body))
}
organization member updated
{
"data": {
"id": "1",
"type": "organization-member",
"attributes": {
"organization_id": "3",
"user_id": "5",
"email": "example@hackerone.com",
"organization_admin": true,
"created_at": "2016-02-02T04:05:06.000Z",
"updated_at": "2016-02-02T04:05:06.000Z",
"last_sign_in_at": "2023-11-24T21:24:31.102Z"
},
"relationships": {
"organization_member_groups": {
"data": [
{
"id": "2",
"type": "organization-member-group",
"attributes": {
"name": "Standard1",
"organization_id": "3",
"eligibility_setting_id": "4",
"permissions": [
"read_only_member"
],
"created_at": "2016-02-02T04:05:06.000Z",
"updated_at": "2016-02-02T04:05:06.000Z",
"migrated_at": null
}
}
]
}
}
}
}
PUT /organizations/{organization_id}/members/{id}
This endpoint can be used to update an organization member. When the API request is successful, an organization member object will be returned.
It is possible to update groups users have access to via organization_member_groups relationships.
Required permissions: User Manager. You can manage the permissions of your API users through your organization's settings. Insufficient permissions will result in a 401 Unauthorized response.
You can get the ID of your organization from me/organizations endpoint.
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| organization_id | path | integer | true | The ID of the organization. |
| id | path | integer | true | The ID of the organization member. |
| data | body | object | true | The information to update an organization member. |
| » type | body | string | true | none |
| » attributes | body | object | true | none |
| »» organization_admin | body | boolean | false | If the member is an organization admin. |
| » relationships | body | object | false | none |
| »» organization_member_groups | body | object | false | A list of groups for the organization member. |
| »»» data | body | [any] | true | none |
Enumerated Values
| Parameter | Value |
|---|---|
| » type | organization-member |
Get All Programs
Code samples
# You can also use wget
curl "https://api.hackerone.com/v1/organizations/{organization_id}/programs" \
-X GET \
-u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
-H 'Accept: application/json'
import requests
headers = {
'Accept': 'application/json'
}
r = requests.get(
'https://api.hackerone.com/v1/organizations/{organization_id}/programs',
auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
headers = headers
)
print(r.json())
require 'rest-client'
require 'json'
headers = {
'Accept' => 'application/json'
}
result = RestClient::Request.execute(
method: :get,
url: 'https://api.hackerone.com/v1/organizations/{organization_id}/programs',
password: '<YOUR_API_TOKEN>',
user: '<YOUR_API_USERNAME>',
headers: headers
)
p JSON.parse(result)
URL obj = new URL("https://api.hackerone.com/v1/organizations/{organization_id}/programs");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);
con.setRequestMethod("GET");
try(BufferedReader br = new BufferedReader(
new InputStreamReader(con.getInputStream(), "utf-8"))) {
StringBuilder response = new StringBuilder();
String responseLine = null;
while ((responseLine = br.readLine()) != null) {
response.append(responseLine.trim());
}
System.out.println(response.toString());
}
let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
headers.set('Accept', 'application/json');
fetch('https://api.hackerone.com/v1/organizations/{organization_id}/programs',
{
method: 'GET',
headers: headers
})
.then(function(res) {
return res.json();
}).then(function(body) {
console.log(body);
});
package main
import (
"io/ioutil"
"log"
"net/http"
)
func main() {
headers := map[string][]string{
"Accept": []string{"application/json"},
}
req, err := http.NewRequest("GET", "https://api.hackerone.com/v1/organizations/{organization_id}/programs", nil)
req.Header = headers
req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
body, _ := ioutil.ReadAll(resp.Body)
log.Println(string(body))
}
organization programs found
{
"data": [
{
"id": "<id>",
"type": "program",
"attributes": {
"handle": "user-management-api",
"created_at": "2016-02-02T04:05:06.000Z",
"updated_at": "2016-02-02T04:05:06.000Z"
}
},
{
"id": "<id>",
"type": "program",
"attributes": {
"handle": "user-management-api-2",
"created_at": "2016-02-02T04:05:06.000Z",
"updated_at": "2016-02-02T04:05:06.000Z"
}
}
],
"links": {}
}
GET /organizations/{organization_id}/programs
This API endpoint can be used to list all programs of an organization. When the request is
successful, the API will respond with paginated
program objects.
Required permissions: Group Manager. You can manage the permissions of your API users through your organization's settings. Insufficient permissions will result in a 403 Forbidden response.
You can get the ID of your organization from me/organizations endpoint.
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| organization_id | path | integer | true | The ID of the organization. |
| page[number] | query | integer | false | The page to retrieve from. The default is set to 1. |
| page[size] | query | integer | false | The number of objects per page (currently limited from 1 to 100). The default is set to 25. |
Programs
Get Your Programs
Code samples
# You can also use wget
curl "https://api.hackerone.com/v1/me/programs" \
-X GET \
-u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
-H 'Accept: application/json'
import requests
headers = {
'Accept': 'application/json'
}
r = requests.get(
'https://api.hackerone.com/v1/me/programs',
auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
headers = headers
)
print(r.json())
require 'rest-client'
require 'json'
headers = {
'Accept' => 'application/json'
}
result = RestClient::Request.execute(
method: :get,
url: 'https://api.hackerone.com/v1/me/programs',
password: '<YOUR_API_TOKEN>',
user: '<YOUR_API_USERNAME>',
headers: headers
)
p JSON.parse(result)
URL obj = new URL("https://api.hackerone.com/v1/me/programs");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);
con.setRequestMethod("GET");
try(BufferedReader br = new BufferedReader(
new InputStreamReader(con.getInputStream(), "utf-8"))) {
StringBuilder response = new StringBuilder();
String responseLine = null;
while ((responseLine = br.readLine()) != null) {
response.append(responseLine.trim());
}
System.out.println(response.toString());
}
let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
headers.set('Accept', 'application/json');
fetch('https://api.hackerone.com/v1/me/programs',
{
method: 'GET',
headers: headers
})
.then(function(res) {
return res.json();
}).then(function(body) {
console.log(body);
});
package main
import (
"io/ioutil"
"log"
"net/http"
)
func main() {
headers := map[string][]string{
"Accept": []string{"application/json"},
}
req, err := http.NewRequest("GET", "https://api.hackerone.com/v1/me/programs", nil)
req.Header = headers
req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
body, _ := ioutil.ReadAll(resp.Body)
log.Println(string(body))
}
programs found
{
"data": [
{
"id": "1",
"type": "program",
"attributes": {
"handle": "security",
"created_at": "2017-01-01T08:00:00.000Z",
"updated_at": "2017-02-17T04:34:15.910Z"
}
}
],
"links": {}
}
GET /me/programs
This API endpoint allows you to query the program objects that you
are a member of.
The groups and members relationships are not included in the response.
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| page[number] | query | integer | false | The page to retrieve from. The default is set to 1. |
| page[size] | query | integer | false | The number of objects per page (currently limited from 1 to 100). The default is set to 25. |
Get Allowed Reporter Activities
Code samples
# You can also use wget
curl "https://api.hackerone.com/v1/programs/{id}/allowed_reporters/{allowed_reporter_id}/activities" \
-X GET \
-u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
-H 'Accept: application/json'
import requests
headers = {
'Accept': 'application/json'
}
r = requests.get(
'https://api.hackerone.com/v1/programs/{id}/allowed_reporters/{allowed_reporter_id}/activities',
auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
headers = headers
)
print(r.json())
require 'rest-client'
require 'json'
headers = {
'Accept' => 'application/json'
}
result = RestClient::Request.execute(
method: :get,
url: 'https://api.hackerone.com/v1/programs/{id}/allowed_reporters/{allowed_reporter_id}/activities',
password: '<YOUR_API_TOKEN>',
user: '<YOUR_API_USERNAME>',
headers: headers
)
p JSON.parse(result)
URL obj = new URL("https://api.hackerone.com/v1/programs/{id}/allowed_reporters/{allowed_reporter_id}/activities");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);
con.setRequestMethod("GET");
try(BufferedReader br = new BufferedReader(
new InputStreamReader(con.getInputStream(), "utf-8"))) {
StringBuilder response = new StringBuilder();
String responseLine = null;
while ((responseLine = br.readLine()) != null) {
response.append(responseLine.trim());
}
System.out.println(response.toString());
}
let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
headers.set('Accept', 'application/json');
fetch('https://api.hackerone.com/v1/programs/{id}/allowed_reporters/{allowed_reporter_id}/activities',
{
method: 'GET',
headers: headers
})
.then(function(res) {
return res.json();
}).then(function(body) {
console.log(body);
});
package main
import (
"io/ioutil"
"log"
"net/http"
)
func main() {
headers := map[string][]string{
"Accept": []string{"application/json"},
}
req, err := http.NewRequest("GET", "https://api.hackerone.com/v1/programs/{id}/allowed_reporters/{allowed_reporter_id}/activities", nil)
req.Header = headers
req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
body, _ := ioutil.ReadAll(resp.Body)
log.Println(string(body))
}
activities found
{
"data": [
{
"type": "activity-program-hacker-joined",
"id": "1337",
"attributes": {
"message": "",
"created_at": "2016-02-02T04:05:06.000Z",
"updated_at": "2016-02-02T04:05:06.000Z",
"internal": false
}
}
],
"links": {}
}
GET /programs/{id}/allowed_reporters/{allowed_reporter_id}/activities
This resource allows you to retrieve a list of activities of a researcher
that belong to your private program.
These activities are "activity-program-hacker-joined", "activity-program-hacker-left" and "activity-invitation-received"
Multiple activities objects can be queried by sending a GET request to the reporters endpoint. When the request is successful, the API will respond with paginated activities objects. Note that, you won't see other relationships and attachments of an activity.
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| id | path | integer | true | The ID of the program. |
| allowed_reporter_id | path | integer | true | The ID of the allowed reporter. |
| page[number] | query | integer | false | The page to retrieve from. The default is set to 1. |
| page[size] | query | integer | false | The number of objects per page (currently limited from 1 to 100). The default is set to 25. |
Get Allowed Reporter username history
Code samples
# You can also use wget
curl "https://api.hackerone.com/v1/programs/{id}/allowed_reporters/{allowed_reporter_id}/username_history" \
-X GET \
-u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
-H 'Accept: application/json'
import requests
headers = {
'Accept': 'application/json'
}
r = requests.get(
'https://api.hackerone.com/v1/programs/{id}/allowed_reporters/{allowed_reporter_id}/username_history',
auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
headers = headers
)
print(r.json())
require 'rest-client'
require 'json'
headers = {
'Accept' => 'application/json'
}
result = RestClient::Request.execute(
method: :get,
url: 'https://api.hackerone.com/v1/programs/{id}/allowed_reporters/{allowed_reporter_id}/username_history',
password: '<YOUR_API_TOKEN>',
user: '<YOUR_API_USERNAME>',
headers: headers
)
p JSON.parse(result)
URL obj = new URL("https://api.hackerone.com/v1/programs/{id}/allowed_reporters/{allowed_reporter_id}/username_history");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);
con.setRequestMethod("GET");
try(BufferedReader br = new BufferedReader(
new InputStreamReader(con.getInputStream(), "utf-8"))) {
StringBuilder response = new StringBuilder();
String responseLine = null;
while ((responseLine = br.readLine()) != null) {
response.append(responseLine.trim());
}
System.out.println(response.toString());
}
let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
headers.set('Accept', 'application/json');
fetch('https://api.hackerone.com/v1/programs/{id}/allowed_reporters/{allowed_reporter_id}/username_history',
{
method: 'GET',
headers: headers
})
.then(function(res) {
return res.json();
}).then(function(body) {
console.log(body);
});
package main
import (
"io/ioutil"
"log"
"net/http"
)
func main() {
headers := map[string][]string{
"Accept": []string{"application/json"},
}
req, err := http.NewRequest("GET", "https://api.hackerone.com/v1/programs/{id}/allowed_reporters/{allowed_reporter_id}/username_history", nil)
req.Header = headers
req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
body, _ := ioutil.ReadAll(resp.Body)
log.Println(string(body))
}
allowed reporter found
{
"data": {
"type": "allowed_reporter_username_history",
"attributes": {
"old_usernames": [
"zero-trust",
"zero_trust-the-sequel"
],
"user_id": "42"
}
}
}
GET /programs/{id}/allowed_reporters/{allowed_reporter_id}/username_history
This resource allows you to retrieve a list of old usernames of a researcher
that belong to your private program.
This can be useful for debugging purposes, but HackerOne advises to rely on IDs for cross-referencing data (instead of usernames) The current username is not included in the list.
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| id | path | integer | true | The ID of the program. |
| allowed_reporter_id | path | integer | true | The ID of the allowed reporter. |
Get Allowed Reporters
Code samples
# You can also use wget
curl "https://api.hackerone.com/v1/programs/{id}/allowed_reporters" \
-X GET \
-u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
-H 'Accept: application/json'
import requests
headers = {
'Accept': 'application/json'
}
r = requests.get(
'https://api.hackerone.com/v1/programs/{id}/allowed_reporters',
auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
headers = headers
)
print(r.json())
require 'rest-client'
require 'json'
headers = {
'Accept' => 'application/json'
}
result = RestClient::Request.execute(
method: :get,
url: 'https://api.hackerone.com/v1/programs/{id}/allowed_reporters',
password: '<YOUR_API_TOKEN>',
user: '<YOUR_API_USERNAME>',
headers: headers
)
p JSON.parse(result)
URL obj = new URL("https://api.hackerone.com/v1/programs/{id}/allowed_reporters");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);
con.setRequestMethod("GET");
try(BufferedReader br = new BufferedReader(
new InputStreamReader(con.getInputStream(), "utf-8"))) {
StringBuilder response = new StringBuilder();
String responseLine = null;
while ((responseLine = br.readLine()) != null) {
response.append(responseLine.trim());
}
System.out.println(response.toString());
}
let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
headers.set('Accept', 'application/json');
fetch('https://api.hackerone.com/v1/programs/{id}/allowed_reporters',
{
method: 'GET',
headers: headers
})
.then(function(res) {
return res.json();
}).then(function(body) {
console.log(body);
});
package main
import (
"io/ioutil"
"log"
"net/http"
)
func main() {
headers := map[string][]string{
"Accept": []string{"application/json"},
}
req, err := http.NewRequest("GET", "https://api.hackerone.com/v1/programs/{id}/allowed_reporters", nil)
req.Header = headers
req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
body, _ := ioutil.ReadAll(resp.Body)
log.Println(string(body))
}
allowed reporters found
{
"data": [
{
"id": "1337",
"type": "allowed_reporter",
"attributes": {
"username": "awesome-hacker",
"email_alias": "awesome-hacker@wearehackerone.com",
"rules_of_engagement_signed": true,
"identity_verified": true,
"background_checked": true,
"cleared": true,
"citizenship_verified": false,
"residency_verified": true,
"created_at": "2016-02-02T04:05:06.000Z"
}
}
],
"links": {}
}
GET /programs/{id}/allowed_reporters
This resource allows you to retrieve a list of all researchers
that belong to your private program.
Multiple allowed reporter objects can be queried by sending a GET request to the reporters endpoint. When the request is successful, the API will respond with paginated allowed reporter objects.
Required permissions: Program Management. You can view audit log items and
manage the permissions of your API users through your organization's settings. Insufficient
permissions will result in a 403 Forbidden response.
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| id | path | integer | true | The ID of the program. |
| page[number] | query | integer | false | The page to retrieve from. The default is set to 1. |
| page[size] | query | integer | false | The number of objects per page (currently limited from 1 to 100). The default is set to 25. |
Get Allowed Reporters History
Code samples
# You can also use wget
curl "https://api.hackerone.com/v1/programs/{id}/allowed_reporters_history" \
-X GET \
-u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
-H 'Accept: application/json'
import requests
headers = {
'Accept': 'application/json'
}
r = requests.get(
'https://api.hackerone.com/v1/programs/{id}/allowed_reporters_history',
auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
headers = headers
)
print(r.json())
require 'rest-client'
require 'json'
headers = {
'Accept' => 'application/json'
}
result = RestClient::Request.execute(
method: :get,
url: 'https://api.hackerone.com/v1/programs/{id}/allowed_reporters_history',
password: '<YOUR_API_TOKEN>',
user: '<YOUR_API_USERNAME>',
headers: headers
)
p JSON.parse(result)
URL obj = new URL("https://api.hackerone.com/v1/programs/{id}/allowed_reporters_history");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);
con.setRequestMethod("GET");
try(BufferedReader br = new BufferedReader(
new InputStreamReader(con.getInputStream(), "utf-8"))) {
StringBuilder response = new StringBuilder();
String responseLine = null;
while ((responseLine = br.readLine()) != null) {
response.append(responseLine.trim());
}
System.out.println(response.toString());
}
let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
headers.set('Accept', 'application/json');
fetch('https://api.hackerone.com/v1/programs/{id}/allowed_reporters_history',
{
method: 'GET',
headers: headers
})
.then(function(res) {
return res.json();
}).then(function(body) {
console.log(body);
});
package main
import (
"io/ioutil"
"log"
"net/http"
)
func main() {
headers := map[string][]string{
"Accept": []string{"application/json"},
}
req, err := http.NewRequest("GET", "https://api.hackerone.com/v1/programs/{id}/allowed_reporters_history", nil)
req.Header = headers
req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
body, _ := ioutil.ReadAll(resp.Body)
log.Println(string(body))
}
allowed reporters history found
{
"data": [
{
"id": "5",
"type": "allowed-reporter-history-entry",
"attributes": {
"created_at": "2025-02-13T20:12:45.624Z",
"invited_at": "2025-01-10T20:12:45.624Z",
"accepted_at": "2025-02-13T20:12:45.624Z",
"left_at": "2025-03-13T20:12:45.624Z",
"removed_at": null
},
"relationships": {
"user": {
"id": "5",
"type": "user",
"attributes": {
"username": "demo-hacker",
"name": "Demo Researcher",
"disabled": false,
"created_at": "2025-02-10T20:10:27.242Z",
"profile_picture": {
"62x62": "/assets/avatars/default-14ffa99f59cd01423c64904352cc130ffcb6a802eadfd11777a54485749e60f2.png",
"82x82": "/assets/avatars/default-14ffa99f59cd01423c64904352cc130ffcb6a802eadfd11777a54485749e60f2.png",
"110x110": "/assets/avatars/default-14ffa99f59cd01423c64904352cc130ffcb6a802eadfd11777a54485749e60f2.png",
"260x260": "/assets/avatars/default-14ffa99f59cd01423c64904352cc130ffcb6a802eadfd11777a54485749e60f2.png"
},
"signal": null,
"impact": null,
"reputation": null,
"bio": null,
"website": null,
"location": null,
"hackerone_triager": false
}
}
}
}
],
"links": {}
}
GET /programs/{id}/allowed_reporters_history
This resource allows you to retrieve a list of
allowed reporter history entries,
containing all researchers who joined/left your private program.
Required permissions: Program Management. You can view audit log items and
manage the permissions of your API users through your organization's settings. Insufficient
permissions will result in a 403 Forbidden response.
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| id | path | integer | true | The ID of the program. |
| page[number] | query | integer | false | The page to retrieve from. The default is set to 1. |
| page[size] | query | integer | false | The number of objects per page (currently limited from 1 to 100). The default is set to 25. |
| sort | query | any | false | The attributes to sort the allowed reporters history entries on. |
| order | query | any | false | The direction to sort the allowed reporters history entries on, by default asc. |
Detailed descriptions
sort: The attributes to sort the allowed reporters history entries on.
Sorting is applied based according to the value defined in the order parameter.
The following values can be used for sorting: id, created_at, invited_at, accepted_at, left_at, removed_at.
order: The direction to sort the allowed reporters history entries on, by default asc.
The following values can be used for sorting: asc (ascending), desc (descending).
Enumerated Values
| Parameter | Value |
|---|---|
| sort | id |
| sort | created_at |
| sort | invited_at |
| sort | accepted_at |
| sort | left_at |
| sort | removed_at |
| order | asc |
| order | desc |
Get Audit Log
Code samples
# You can also use wget
curl "https://api.hackerone.com/v1/programs/{id}/audit_log" \
-X GET \
-u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
-H 'Accept: application/json'
import requests
headers = {
'Accept': 'application/json'
}
r = requests.get(
'https://api.hackerone.com/v1/programs/{id}/audit_log',
auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
headers = headers
)
print(r.json())
require 'rest-client'
require 'json'
headers = {
'Accept' => 'application/json'
}
result = RestClient::Request.execute(
method: :get,
url: 'https://api.hackerone.com/v1/programs/{id}/audit_log',
password: '<YOUR_API_TOKEN>',
user: '<YOUR_API_USERNAME>',
headers: headers
)
p JSON.parse(result)
URL obj = new URL("https://api.hackerone.com/v1/programs/{id}/audit_log");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);
con.setRequestMethod("GET");
try(BufferedReader br = new BufferedReader(
new InputStreamReader(con.getInputStream(), "utf-8"))) {
StringBuilder response = new StringBuilder();
String responseLine = null;
while ((responseLine = br.readLine()) != null) {
response.append(responseLine.trim());
}
System.out.println(response.toString());
}
let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
headers.set('Accept', 'application/json');
fetch('https://api.hackerone.com/v1/programs/{id}/audit_log',
{
method: 'GET',
headers: headers
})
.then(function(res) {
return res.json();
}).then(function(body) {
console.log(body);
});
package main
import (
"io/ioutil"
"log"
"net/http"
)
func main() {
headers := map[string][]string{
"Accept": []string{"application/json"},
}
req, err := http.NewRequest("GET", "https://api.hackerone.com/v1/programs/{id}/audit_log", nil)
req.Header = headers
req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
body, _ := ioutil.ReadAll(resp.Body)
log.Println(string(body))
}
Audit logs
{
"data": {
"id": "1",
"type": "audit-log-item",
"attributes": {
"log": "\"@member\" invited \"someone@example.com\".",
"event": "invitations.team_members.create",
"source": "User#1",
"subject": "Invitation#1",
"user_agent": "Chrome/11.0",
"country": "US",
"parameters": "{\"identifier\":\"jobert\"}",
"created_at": "2019-05-15T04:05:06.000Z"
}
}
}
GET /programs/{id}/audit_log
Returns a paginated list of the audit log items of the provided program.
This API endpoint allows a user to view all audit log items that have been created for
a particular program.
Required permissions: Program Management. You can view audit log items and
manage the permissions of your API users through your organization's settings. Insufficient
permissions will result in a 403 Forbidden response.
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| id | path | integer | true | The ID of the program. |
| page[number] | query | integer | false | The page to retrieve from. The default is set to 1. |
| page[size] | query | integer | false | The number of objects per page (currently limited from 1 to 100). The default is set to 25. |
Get Your Programs Balance
Code samples
# You can also use wget
curl "https://api.hackerone.com/v1/programs/{id}/billing/balance" \
-X GET \
-u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
-H 'Accept: application/json'
import requests
headers = {
'Accept': 'application/json'
}
r = requests.get(
'https://api.hackerone.com/v1/programs/{id}/billing/balance',
auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
headers = headers
)
print(r.json())
require 'rest-client'
require 'json'
headers = {
'Accept' => 'application/json'
}
result = RestClient::Request.execute(
method: :get,
url: 'https://api.hackerone.com/v1/programs/{id}/billing/balance',
password: '<YOUR_API_TOKEN>',
user: '<YOUR_API_USERNAME>',
headers: headers
)
p JSON.parse(result)
URL obj = new URL("https://api.hackerone.com/v1/programs/{id}/billing/balance");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);
con.setRequestMethod("GET");
try(BufferedReader br = new BufferedReader(
new InputStreamReader(con.getInputStream(), "utf-8"))) {
StringBuilder response = new StringBuilder();
String responseLine = null;
while ((responseLine = br.readLine()) != null) {
response.append(responseLine.trim());
}
System.out.println(response.toString());
}
let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
headers.set('Accept', 'application/json');
fetch('https://api.hackerone.com/v1/programs/{id}/billing/balance',
{
method: 'GET',
headers: headers
})
.then(function(res) {
return res.json();
}).then(function(body) {
console.log(body);
});
package main
import (
"io/ioutil"
"log"
"net/http"
)
func main() {
headers := map[string][]string{
"Accept": []string{"application/json"},
}
req, err := http.NewRequest("GET", "https://api.hackerone.com/v1/programs/{id}/billing/balance", nil)
req.Header = headers
req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
body, _ := ioutil.ReadAll(resp.Body)
log.Println(string(body))
}
balance found
{
"data": {
"id": "1337",
"type": "program-balance",
"attributes": {
"balance": "1500.00"
}
}
}
GET /programs/{id}/billing/balance
This API endpoint allows a user to retrieve the current balance for a particular program.
Required permissions: Program Management. You can manage the permissions of your API users through your program's settings. Insufficient permissions will result in a 403 Forbidden response.
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| id | path | integer | true | The ID of the program. |
Get Payment Transactions
Code samples
# You can also use wget
curl "https://api.hackerone.com/v1/programs/{id}/billing/transactions" \
-X GET \
-u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
-H 'Accept: application/json'
import requests
headers = {
'Accept': 'application/json'
}
r = requests.get(
'https://api.hackerone.com/v1/programs/{id}/billing/transactions',
auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
headers = headers
)
print(r.json())
require 'rest-client'
require 'json'
headers = {
'Accept' => 'application/json'
}
result = RestClient::Request.execute(
method: :get,
url: 'https://api.hackerone.com/v1/programs/{id}/billing/transactions',
password: '<YOUR_API_TOKEN>',
user: '<YOUR_API_USERNAME>',
headers: headers
)
p JSON.parse(result)
URL obj = new URL("https://api.hackerone.com/v1/programs/{id}/billing/transactions");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);
con.setRequestMethod("GET");
try(BufferedReader br = new BufferedReader(
new InputStreamReader(con.getInputStream(), "utf-8"))) {
StringBuilder response = new StringBuilder();
String responseLine = null;
while ((responseLine = br.readLine()) != null) {
response.append(responseLine.trim());
}
System.out.println(response.toString());
}
let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
headers.set('Accept', 'application/json');
fetch('https://api.hackerone.com/v1/programs/{id}/billing/transactions',
{
method: 'GET',
headers: headers
})
.then(function(res) {
return res.json();
}).then(function(body) {
console.log(body);
});
package main
import (
"io/ioutil"
"log"
"net/http"
)
func main() {
headers := map[string][]string{
"Accept": []string{"application/json"},
}
req, err := http.NewRequest("GET", "https://api.hackerone.com/v1/programs/{id}/billing/transactions", nil)
req.Header = headers
req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
body, _ := ioutil.ReadAll(resp.Body)
log.Println(string(body))
}
Payment transactions found
{
"id": 10,
"bounty_award": "1000.00",
"bounty_fee": "200.00",
"activity_date": "2019-09-25T04:22:42.686Z",
"activity_description": "Bounty for report #9",
"debit_or_credit_amount": "-1200.00",
"balance": "-1200.00",
"payment_transaction_type": "payment",
"relationships": {
"payer": {
"data": {
"id": 3,
"type": "user"
},
"attributes": {
"username": "payer-username"
},
"links": {
"self": "http://hackerone.com/payer-username"
}
},
"report": {
"data": {
"id": 9,
"type": "report"
},
"links": {
"self": "http://hackerone.com/reports/9"
}
},
"user": {
"data": {
"id": 1,
"type": "user"
},
"attributes": {
"username": "hacker-username"
},
"links": {
"self": "http://hackerone.com/hacker-username"
}
},
"team": {
"data": {
"id": 2,
"type": "team"
},
"attributes": {
"handle": "hacker-team"
},
"links": {
"self": "http://hackerone.com/hacker-team"
}
}
},
"links": {
"self": "https://api.hackerone.com/v1/programs/{id}/billing/transactions?page%5Bnumber%5D=1",
"next": "https://api.hackerone.com/v1/programs/{id}/billing/transactions?page%5Bnumber%5D=2",
"last": "https://api.hackerone.com/v1/programs/{id}/billing/transactions?page%5Bnumber%5D=5"
}
}
GET /programs/{id}/billing/transactions
This API endpoint enables a user to retrieve program's list of payment transactions for
the selected month. When the request is successful, the API will respond with paginated
payment transaction objects of the provided program.
If you want to get transactions for an entire year,
you will need to request each month individually.
Required permissions: Program Management. You can manage the permissions of your API users through your program's settings. If the program has a parent program, the API user should belong to the parent program. Insufficient permissions will result in a 403 Forbidden or a 404 Not Found response.
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| id | path | integer | true | The ID of the program. |
| month | query | integer | false | The month of the transaction period. The default is set to the current month. |
| year | query | integer | false | The year of the transaction period. The default is set to the current year. |
| page[number] | query | integer | false | The page to retrieve from. The default is set to 1. |
| page[size] | query | integer | false | The number of objects per page (currently limited from 1 to 100). The default is set to 25. |
Award Bounty
Code samples
# You can also use wget
curl "https://api.hackerone.com/v1/programs/{id}/bounties" \
-X POST \
-u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
-H 'Content-Type: application/json' \
-H 'Accept: application/json' \
-d @- <<EOD
{
"data": {
"type": "bounty",
"attributes": {
"recipient": "string",
"recipient_id": "string",
"amount": 0,
"reference": "string",
"title": "string",
"currency": "USD",
"severity_rating": "none"
}
}
}
EOD
import requests
headers = {
'Content-Type': 'application/json',
'Accept': 'application/json'
}
data = {
"data": {
"type": "bounty",
"attributes": {
"recipient": "string",
"recipient_id": "string",
"amount": 0,
"reference": "string",
"title": "string",
"currency": "USD",
"severity_rating": "none"
}
}
}
r = requests.post(
'https://api.hackerone.com/v1/programs/{id}/bounties',
auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
json = data,
headers = headers
)
print(r.json())
require 'rest-client'
require 'json'
headers = {
'Content-Type' => 'application/json',
'Accept' => 'application/json'
}
data = {
"data": {
"type": "bounty",
"attributes": {
"recipient": "string",
"recipient_id": "string",
"amount": 0,
"reference": "string",
"title": "string",
"currency": "USD",
"severity_rating": "none"
}
}
}
result = RestClient::Request.execute(
method: :post,
url: 'https://api.hackerone.com/v1/programs/{id}/bounties',
password: '<YOUR_API_TOKEN>',
user: '<YOUR_API_USERNAME>',
payload: data,
headers: headers
)
p JSON.parse(result)
URL obj = new URL("https://api.hackerone.com/v1/programs/{id}/bounties");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);
con.setRequestMethod("POST");
con.setRequestProperty("Content-Type", "application/json; utf-8");
con.setRequestProperty("Accept", "application/json");
con.setDoOutput(true);
String jsonInputString = "{\n \"data\": {\n \"type\": \"bounty\",\n \"attributes\": {\n \"recipient\": \"string\",\n \"recipient_id\": \"string\",\n \"amount\": 0,\n \"reference\": \"string\",\n \"title\": \"string\",\n \"currency\": \"USD\",\n \"severity_rating\": \"none\"\n }\n }\n}";
try(OutputStream os = con.getOutputStream()) {
byte[] input = jsonInputString.getBytes("utf-8");
os.write(input, 0, input.length);
}
try(BufferedReader br = new BufferedReader(
new InputStreamReader(con.getInputStream(), "utf-8"))) {
StringBuilder response = new StringBuilder();
String responseLine = null;
while ((responseLine = br.readLine()) != null) {
response.append(responseLine.trim());
}
System.out.println(response.toString());
}
let inputBody = "{\n \"data\": {\n \"type\": \"bounty\",\n \"attributes\": {\n \"recipient\": \"string\",\n \"recipient_id\": \"string\",\n \"amount\": 0,\n \"reference\": \"string\",\n \"title\": \"string\",\n \"currency\": \"USD\",\n \"severity_rating\": \"none\"\n }\n }\n}";
let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
headers.set('Content-Type', 'application/json'); headers.set('Accept', 'application/json');
fetch('https://api.hackerone.com/v1/programs/{id}/bounties',
{
method: 'POST',
body: inputBody,
headers: headers
})
.then(function(res) {
return res.json();
}).then(function(body) {
console.log(body);
});
package main
import (
"bytes"
"io/ioutil"
"log"
"net/http"
)
func main() {
headers := map[string][]string{
"Content-Type": []string{"application/json"},
"Accept": []string{"application/json"},
}
data := bytes.NewBuffer([]byte(`"{\n \"data\": {\n \"type\": \"bounty\",\n \"attributes\": {\n \"recipient\": \"string\",\n \"recipient_id\": \"string\",\n \"amount\": 0,\n \"reference\": \"string\",\n \"title\": \"string\",\n \"currency\": \"USD\",\n \"severity_rating\": \"none\"\n }\n }\n}"`))
req, err := http.NewRequest("POST", "https://api.hackerone.com/v1/programs/{id}/bounties", data)
req.Header = headers
req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
body, _ := ioutil.ReadAll(resp.Body)
log.Println(string(body))
}
bounty awarded
{
"data": {
"id": "1",
"type": "bounty",
"attributes": {
"amount": "100.00",
"bonus_amount": "0.00",
"awarded_amount": "100.00",
"awarded_bonus_amount": "0.00",
"awarded_currency": "USD",
"created_at": "2017-02-14T23:07:24.252Z"
},
"relationships": {
"report": {
"data": {
"id": "1337",
"type": "report",
"attributes": {
"title": "XSS in login form",
"state": "new",
"created_at": "2016-02-02T04:05:06.000Z",
"vulnerability_information": "...",
"triaged_at": null,
"closed_at": null,
"last_reporter_activity_at": null,
"first_program_activity_at": null,
"last_program_activity_at": null,
"bounty_awarded_at": null,
"swag_awarded_at": null,
"disclosed_at": null,
"last_public_activity_at": null,
"last_activity_at": null,
"issue_tracker_reference_url": "https://example.com/reference",
"cve_ids": [],
"source": null,
"reporter_agreed_on_going_public_at": null
}
}
},
"invitations": [
{
"id": "10",
"recipient": "hacker@hackerone.com",
"claim_url": "https://hackerone.com/invitations/3fe0a8badea0023c2fcca5c860d5899e"
}
]
}
}
}
POST /programs/{id}/bounties
Use this endpoint to award a bounty. When the API call is successful,
a bounty object will be returned.
Required permissions: Reward Management. You can manage the permissions of your API users through your organization's settings. Insufficient permissions will result in a 403 Forbidden response.
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| id | path | integer | true | The ID of the program. |
| data | body | object | true | The information required to create a bounty. |
| » type | body | string | true | none |
| » attributes | body | object | true | none |
| »» recipient | body | string | false | The email address of the recipient. |
| »» recipient_id | body | string | false | The id of the recipient. |
| »» amount | body | number | true | The bounty amount to be awarded. |
| »» reference | body | string | true | An internal reference attached to the report that makes searching or filtering in the future easy. |
| »» title | body | string | true | The title of the security vulnerability that was reported to you. |
| »» currency | body | string | true | none |
| »» severity_rating | body | severity-ratings | false | The qualitative rating of the severity. Provided either directly from the author or mapped from the calculated vulnerability score. |
Detailed descriptions
»» recipient: The email address of the recipient.
When the email address is provided, an email will be sent to the recipient to claim the bounty. When the email address is not provided, you can use the claim URL in the response to notify the recipient yourself. When the user does not have an account yet with HackerOne, they'll be onboarded before they can claim the reward. Users that already have an account, will benefit from collecting the payout easily through HackerOne and will get additional reputation points to showcase on their HackerOne profile.
»» recipient_id: The id of the recipient.
When the recipient_id is provided, an email will be sent to the recipient to claim the bounty. If both recipient and recipient_id provided then recipient attribute has a higher priority. If non of attributes provided then email won't be sent.
Enumerated Values
| Parameter | Value |
|---|---|
| » type | bounty |
| »» currency | USD |
| »» severity_rating | none |
| »» severity_rating | low |
| »» severity_rating | medium |
| »» severity_rating | high |
| »» severity_rating | critical |
Get Common Responses
Code samples
# You can also use wget
curl "https://api.hackerone.com/v1/programs/{id}/common_responses" \
-X GET \
-u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
-H 'Accept: application/json'
import requests
headers = {
'Accept': 'application/json'
}
r = requests.get(
'https://api.hackerone.com/v1/programs/{id}/common_responses',
auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
headers = headers
)
print(r.json())
require 'rest-client'
require 'json'
headers = {
'Accept' => 'application/json'
}
result = RestClient::Request.execute(
method: :get,
url: 'https://api.hackerone.com/v1/programs/{id}/common_responses',
password: '<YOUR_API_TOKEN>',
user: '<YOUR_API_USERNAME>',
headers: headers
)
p JSON.parse(result)
URL obj = new URL("https://api.hackerone.com/v1/programs/{id}/common_responses");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);
con.setRequestMethod("GET");
try(BufferedReader br = new BufferedReader(
new InputStreamReader(con.getInputStream(), "utf-8"))) {
StringBuilder response = new StringBuilder();
String responseLine = null;
while ((responseLine = br.readLine()) != null) {
response.append(responseLine.trim());
}
System.out.println(response.toString());
}
let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
headers.set('Accept', 'application/json');
fetch('https://api.hackerone.com/v1/programs/{id}/common_responses',
{
method: 'GET',
headers: headers
})
.then(function(res) {
return res.json();
}).then(function(body) {
console.log(body);
});
package main
import (
"io/ioutil"
"log"
"net/http"
)
func main() {
headers := map[string][]string{
"Accept": []string{"application/json"},
}
req, err := http.NewRequest("GET", "https://api.hackerone.com/v1/programs/{id}/common_responses", nil)
req.Header = headers
req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
body, _ := ioutil.ReadAll(resp.Body)
log.Println(string(body))
}
reporters found
{
"data": [
{
"id": "108878",
"attributes": {
"title": "Vulnerability Scanner False Positive",
"message": "Automated vulnerability scanners commonly have low priority issues and/or false positives. Before submitting the results from a scanner, please take a moment to confirm that the reported issues are actually valid and exploitable. Please reply if you have a working proof-of-concept or reason to believe that this issue is exploitable.\n"
}
},
{
"id": "108886",
"attributes": {
"title": "X-XSS-Protection",
"message": "Automated vulnerability scanners commonly have low priority issues and/or false positives. Before submitting the results from a scanner, please take a moment to confirm that the reported issues are actually valid and exploitable. In this specific case, we believe that the default state of the `X-XSS-Protection` header is sufficient for our purposes. Please reply if you have a working proof-of-concept that could be mitigated by an adjustment to our header.\n"
}
},
{
"id": "108891",
"attributes": {
"title": "Video Without Content",
"message": "Using a video to demonstrate a potential issue should only be necessary in rare situations and should always be accompanied with a text description of the issue as well. Please update this report with step-by-step instructions to reproduce the core components of the issue. If you don't speak English, feel free to leave your report in your own language, and we'll try our best to find someone who can help translate.\n"
}
}
],
"links": {}
}
GET /programs/{id}/common_responses
Common responses can be fetched by sending a GET request to the common responses endpoint. When the request is successful, the API will respond with paginated common responses.
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| id | path | integer | true | The ID of the program. |
| page[number] | query | integer | false | The page to retrieve from. The default is set to 1. |
| page[size] | query | integer | false | The number of objects per page (currently limited from 1 to 100). The default is set to 25. |
Create a CVE Request
Code samples
# You can also use wget
curl "https://api.hackerone.com/v1/programs/{id}/cve_requests" \
-X POST \
-u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
-H 'Content-Type: application/json' \
-H 'Accept: application/json' \
-d @- <<EOD
{
"data": {
"type": "cve-request",
"attributes": {
"team_handle": "string",
"versions": [
{
"vendor": "string",
"product": "string",
"func": "string",
"version": "string",
"versionType": "string",
"affected": true
}
],
"metrics": [
{
"vectorString": "string"
}
],
"weakness_id": 0,
"description": "string",
"vulnerability_discovered_at": "2019-08-24T14:15:22Z"
}
}
}
EOD
import requests
headers = {
'Content-Type': 'application/json',
'Accept': 'application/json'
}
data = {
"data": {
"type": "cve-request",
"attributes": {
"team_handle": "string",
"versions": [
{
"vendor": "string",
"product": "string",
"func": "string",
"version": "string",
"versionType": "string",
"affected": true
}
],
"metrics": [
{
"vectorString": "string"
}
],
"weakness_id": 0,
"description": "string",
"vulnerability_discovered_at": "2019-08-24T14:15:22Z"
}
}
}
r = requests.post(
'https://api.hackerone.com/v1/programs/{id}/cve_requests',
auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
json = data,
headers = headers
)
print(r.json())
require 'rest-client'
require 'json'
headers = {
'Content-Type' => 'application/json',
'Accept' => 'application/json'
}
data = {
"data": {
"type": "cve-request",
"attributes": {
"team_handle": "string",
"versions": [
{
"vendor": "string",
"product": "string",
"func": "string",
"version": "string",
"versionType": "string",
"affected": true
}
],
"metrics": [
{
"vectorString": "string"
}
],
"weakness_id": 0,
"description": "string",
"vulnerability_discovered_at": "2019-08-24T14:15:22Z"
}
}
}
result = RestClient::Request.execute(
method: :post,
url: 'https://api.hackerone.com/v1/programs/{id}/cve_requests',
password: '<YOUR_API_TOKEN>',
user: '<YOUR_API_USERNAME>',
payload: data,
headers: headers
)
p JSON.parse(result)
URL obj = new URL("https://api.hackerone.com/v1/programs/{id}/cve_requests");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);
con.setRequestMethod("POST");
con.setRequestProperty("Content-Type", "application/json; utf-8");
con.setRequestProperty("Accept", "application/json");
con.setDoOutput(true);
String jsonInputString = "{\n \"data\": {\n \"type\": \"cve-request\",\n \"attributes\": {\n \"team_handle\": \"string\",\n \"versions\": [\n {\n \"vendor\": \"string\",\n \"product\": \"string\",\n \"func\": \"string\",\n \"version\": \"string\",\n \"versionType\": \"string\",\n \"affected\": true\n }\n ],\n \"metrics\": [\n {\n \"vectorString\": \"string\"\n }\n ],\n \"weakness_id\": 0,\n \"description\": \"string\",\n \"vulnerability_discovered_at\": \"2019-08-24T14:15:22Z\"\n }\n }\n}";
try(OutputStream os = con.getOutputStream()) {
byte[] input = jsonInputString.getBytes("utf-8");
os.write(input, 0, input.length);
}
try(BufferedReader br = new BufferedReader(
new InputStreamReader(con.getInputStream(), "utf-8"))) {
StringBuilder response = new StringBuilder();
String responseLine = null;
while ((responseLine = br.readLine()) != null) {
response.append(responseLine.trim());
}
System.out.println(response.toString());
}
let inputBody = "{\n \"data\": {\n \"type\": \"cve-request\",\n \"attributes\": {\n \"team_handle\": \"string\",\n \"versions\": [\n {\n \"vendor\": \"string\",\n \"product\": \"string\",\n \"func\": \"string\",\n \"version\": \"string\",\n \"versionType\": \"string\",\n \"affected\": true\n }\n ],\n \"metrics\": [\n {\n \"vectorString\": \"string\"\n }\n ],\n \"weakness_id\": 0,\n \"description\": \"string\",\n \"vulnerability_discovered_at\": \"2019-08-24T14:15:22Z\"\n }\n }\n}";
let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
headers.set('Content-Type', 'application/json'); headers.set('Accept', 'application/json');
fetch('https://api.hackerone.com/v1/programs/{id}/cve_requests',
{
method: 'POST',
body: inputBody,
headers: headers
})
.then(function(res) {
return res.json();
}).then(function(body) {
console.log(body);
});
package main
import (
"bytes"
"io/ioutil"
"log"
"net/http"
)
func main() {
headers := map[string][]string{
"Content-Type": []string{"application/json"},
"Accept": []string{"application/json"},
}
data := bytes.NewBuffer([]byte(`"{\n \"data\": {\n \"type\": \"cve-request\",\n \"attributes\": {\n \"team_handle\": \"string\",\n \"versions\": [\n {\n \"vendor\": \"string\",\n \"product\": \"string\",\n \"func\": \"string\",\n \"version\": \"string\",\n \"versionType\": \"string\",\n \"affected\": true\n }\n ],\n \"metrics\": [\n {\n \"vectorString\": \"string\"\n }\n ],\n \"weakness_id\": 0,\n \"description\": \"string\",\n \"vulnerability_discovered_at\": \"2019-08-24T14:15:22Z\"\n }\n }\n}"`))
req, err := http.NewRequest("POST", "https://api.hackerone.com/v1/programs/{id}/cve_requests", data)
req.Header = headers
req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
body, _ := ioutil.ReadAll(resp.Body)
log.Println(string(body))
}
CVE request created
{
"id": "1337",
"type": "cve-request",
"attributes": {
"request_type": "new",
"versions": [
{
"func": "<",
"vendor": "WidgetFactory",
"product": "WidgetOne",
"version": "1.0.0",
"affected": true,
"versionType": "semver"
}
],
"metrics": [
{
"vectorString": "CVSS:3.0/AV:A/AC:H/PR:L/UI:R/S:C/C:N/I:L/A:N"
}
],
"products": [
"WidgetFactory WidgetOne"
],
"description": "Insufficient URI encoding in WidgetOne before 1.0.0 allows attacker to inject arbitrary parameters into API requests.",
"references": [],
"report_id": null,
"team_handle": "acme",
"state": "draft",
"vulnerability_discovered_at": "2024-01-20",
"created_at": "2024-01-20T14:26:19.286Z",
"updated_at": "2024-01-20T14:26:19.286Z",
"weakness_name": "Improper Input Validation",
"latest_state_change_reason": null,
"cve_identifier": null,
"auto_submit_on_publicly_disclosing_report": true
}
}
POST /programs/{id}/cve_requests
This API endpoint can be used to create a new CVE request. When the API call is successful, a cve_request object will be returned.
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| id | path | integer | true | The ID of the program. |
| data | body | object | true | The information to be requested from the hacker. |
| » type | body | string | true | none |
| » attributes | body | object | true | none |
| »» team_handle | body | string | true | The handle of the team. |
| »» versions | body | [object] | true | none |
| »»» vendor | body | string | true | The vendor of the version. |
| »»» product | body | string | true | The product of the version. |
| »»» func | body | string | true | The function of the version. |
| »»» version | body | string | true | The version. |
| »»» versionType | body | string | true | The type of the version. |
| »»» affected | body | boolean | true | Whether the version is affected or not. |
| »» metrics | body | [object] | true | none |
| »»» vectorString | body | string | true | The vector string. |
| »» weakness_id | body | integer | true | The ID of the weakness. |
| »» description | body | string | true | A description of the information required from the hackers to create a CVE request. |
| »» vulnerability_discovered_at | body | string(date-time) | true | The date when the vulnerability was discovered. |
Enumerated Values
| Parameter | Value |
|---|---|
| » type | cve-request |
Get all CVE Requests
Code samples
# You can also use wget
curl "https://api.hackerone.com/v1/programs/{id}/cve_requests" \
-X GET \
-u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
-H 'Accept: application/json'
import requests
headers = {
'Accept': 'application/json'
}
r = requests.get(
'https://api.hackerone.com/v1/programs/{id}/cve_requests',
auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
headers = headers
)
print(r.json())
require 'rest-client'
require 'json'
headers = {
'Accept' => 'application/json'
}
result = RestClient::Request.execute(
method: :get,
url: 'https://api.hackerone.com/v1/programs/{id}/cve_requests',
password: '<YOUR_API_TOKEN>',
user: '<YOUR_API_USERNAME>',
headers: headers
)
p JSON.parse(result)
URL obj = new URL("https://api.hackerone.com/v1/programs/{id}/cve_requests");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);
con.setRequestMethod("GET");
try(BufferedReader br = new BufferedReader(
new InputStreamReader(con.getInputStream(), "utf-8"))) {
StringBuilder response = new StringBuilder();
String responseLine = null;
while ((responseLine = br.readLine()) != null) {
response.append(responseLine.trim());
}
System.out.println(response.toString());
}
let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
headers.set('Accept', 'application/json');
fetch('https://api.hackerone.com/v1/programs/{id}/cve_requests',
{
method: 'GET',
headers: headers
})
.then(function(res) {
return res.json();
}).then(function(body) {
console.log(body);
});
package main
import (
"io/ioutil"
"log"
"net/http"
)
func main() {
headers := map[string][]string{
"Accept": []string{"application/json"},
}
req, err := http.NewRequest("GET", "https://api.hackerone.com/v1/programs/{id}/cve_requests", nil)
req.Header = headers
req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
body, _ := ioutil.ReadAll(resp.Body)
log.Println(string(body))
}
CVE requests listed
{
"id": "1337",
"type": "cve-request",
"attributes": {
"request_type": "new",
"versions": [
{
"func": "<",
"vendor": "WidgetFactory",
"product": "WidgetOne",
"version": "1.0.0",
"affected": true,
"versionType": "semver"
}
],
"metrics": [
{
"vectorString": "CVSS:3.0/AV:A/AC:H/PR:L/UI:R/S:C/C:N/I:L/A:N"
}
],
"products": [
"WidgetFactory WidgetOne"
],
"description": "Insufficient URI encoding in WidgetOne before 1.0.0 allows attacker to inject arbitrary parameters into API requests.",
"references": [],
"report_id": null,
"team_handle": "acme",
"state": "draft",
"vulnerability_discovered_at": "2024-01-20",
"created_at": "2024-01-20T14:26:19.286Z",
"updated_at": "2024-01-20T14:26:19.286Z",
"weakness_name": "Improper Input Validation",
"latest_state_change_reason": null,
"cve_identifier": null,
"auto_submit_on_publicly_disclosing_report": true
}
}
GET /programs/{id}/cve_requests
This API endpoint can be used to list all the CVE requests for a program. When the API call is successful, a list of cve_request objects will be returned.
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| id | path | integer | true | The ID of the program. |
Get Hacker Invitations
Code samples
# You can also use wget
curl "https://api.hackerone.com/v1/programs/{id}/hacker_invitations" \
-X GET \
-u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
-H 'Accept: application/json'
import requests
headers = {
'Accept': 'application/json'
}
r = requests.get(
'https://api.hackerone.com/v1/programs/{id}/hacker_invitations',
auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
headers = headers
)
print(r.json())
require 'rest-client'
require 'json'
headers = {
'Accept' => 'application/json'
}
result = RestClient::Request.execute(
method: :get,
url: 'https://api.hackerone.com/v1/programs/{id}/hacker_invitations',
password: '<YOUR_API_TOKEN>',
user: '<YOUR_API_USERNAME>',
headers: headers
)
p JSON.parse(result)
URL obj = new URL("https://api.hackerone.com/v1/programs/{id}/hacker_invitations");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);
con.setRequestMethod("GET");
try(BufferedReader br = new BufferedReader(
new InputStreamReader(con.getInputStream(), "utf-8"))) {
StringBuilder response = new StringBuilder();
String responseLine = null;
while ((responseLine = br.readLine()) != null) {
response.append(responseLine.trim());
}
System.out.println(response.toString());
}
let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
headers.set('Accept', 'application/json');
fetch('https://api.hackerone.com/v1/programs/{id}/hacker_invitations',
{
method: 'GET',
headers: headers
})
.then(function(res) {
return res.json();
}).then(function(body) {
console.log(body);
});
package main
import (
"io/ioutil"
"log"
"net/http"
)
func main() {
headers := map[string][]string{
"Accept": []string{"application/json"},
}
req, err := http.NewRequest("GET", "https://api.hackerone.com/v1/programs/{id}/hacker_invitations", nil)
req.Header = headers
req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
body, _ := ioutil.ReadAll(resp.Body)
log.Println(string(body))
}
hacker invitations found
{
"data": [
{
"id": "123",
"type": "invitation-hacker",
"attributes": {
"state": "accepted",
"created_at": "2024-02-02T04:05:06.000Z",
"viewed_at": "2024-02-02T08:05:06.000Z",
"accepted_at": "2024-03-02T04:05:06.000Z",
"expires_at": null,
"updated_at": "2024-03-02T04:05:06.000Z",
"rejected_at": null,
"cancelled_at": null
},
"relationships": {
"recipient": {
"id": "2",
"type": "user",
"attributes": {
"username": "api-example 2",
"name": "API Example 2",
"disabled": false,
"created_at": "2022-02-02T08:05:06.000Z",
"profile_picture": {
"62x62": "/assets/avatars/default.png",
"82x82": "/assets/avatars/default.png",
"110x110": "/assets/avatars/default.png",
"260x260": "/assets/avatars/default.png"
},
"signal": null,
"impact": null,
"reputation": null,
"bio": "Super great hacker",
"website": "http://hackerone.com",
"location": "Who wants to know?",
"hackerone_triager": false
}
},
"invited_by": {
"id": "1",
"type": "user",
"attributes": {
"username": "api-example",
"name": "API Example",
"disabled": false,
"created_at": "2020-02-02T08:05:06.000Z",
"profile_picture": {
"62x62": "/assets/avatars/default.png",
"82x82": "/assets/avatars/default.png",
"110x110": "/assets/avatars/default.png",
"260x260": "/assets/avatars/default.png"
},
"signal": 7,
"impact": 30,
"reputation": 7,
"bio": "Super great hacker",
"website": "http://hackerone.com",
"location": "Who wants to know?",
"hackerone_triager": false
}
}
}
}
],
"links": {}
}
GET /programs/{id}/hacker_invitations
This resource allows you to retrieve a list of invitations
to your private program.
Multiple hacker invitations objects can be queried by sending a GET request to the hacker invitations endpoint. When the request is successful, the API will respond with paginated hacker invitations objects.
Required permissions: Program Member. Insufficient permissions will result in a 403 Forbidden response.
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| id | path | integer | true | The ID of the program. |
| page[number] | query | integer | false | The page to retrieve from. The default is set to 1. |
| page[size] | query | integer | false | The number of objects per page (currently limited from 1 to 100). The default is set to 25. |
Upload Policy Attachments
Code samples
# You can also use wget
curl "https://api.hackerone.com/v1/programs/{id}/policy_attachments" \
-X POST \
-u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
-H 'Content-Type: multipart/form-data' \
-H 'Accept: application/json' \
-d @- <<EOD
null
EOD
import requests
headers = {
'Content-Type': 'multipart/form-data',
'Accept': 'application/json'
}
data = null
r = requests.post(
'https://api.hackerone.com/v1/programs/{id}/policy_attachments',
auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
json = data,
headers = headers
)
print(r.json())
require 'rest-client'
require 'json'
headers = {
'Content-Type' => 'multipart/form-data',
'Accept' => 'application/json'
}
data = null
result = RestClient::Request.execute(
method: :post,
url: 'https://api.hackerone.com/v1/programs/{id}/policy_attachments',
password: '<YOUR_API_TOKEN>',
user: '<YOUR_API_USERNAME>',
payload: data,
headers: headers
)
p JSON.parse(result)
URL obj = new URL("https://api.hackerone.com/v1/programs/{id}/policy_attachments");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);
con.setRequestMethod("POST");
con.setRequestProperty("Content-Type", "application/json; utf-8");
con.setRequestProperty("Accept", "application/json");
con.setDoOutput(true);
String jsonInputString = "null";
try(OutputStream os = con.getOutputStream()) {
byte[] input = jsonInputString.getBytes("utf-8");
os.write(input, 0, input.length);
}
try(BufferedReader br = new BufferedReader(
new InputStreamReader(con.getInputStream(), "utf-8"))) {
StringBuilder response = new StringBuilder();
String responseLine = null;
while ((responseLine = br.readLine()) != null) {
response.append(responseLine.trim());
}
System.out.println(response.toString());
}
let inputBody = "null";
let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
headers.set('Content-Type', 'multipart/form-data'); headers.set('Accept', 'application/json');
fetch('https://api.hackerone.com/v1/programs/{id}/policy_attachments',
{
method: 'POST',
body: inputBody,
headers: headers
})
.then(function(res) {
return res.json();
}).then(function(body) {
console.log(body);
});
package main
import (
"bytes"
"io/ioutil"
"log"
"net/http"
)
func main() {
headers := map[string][]string{
"Content-Type": []string{"multipart/form-data"},
"Accept": []string{"application/json"},
}
data := bytes.NewBuffer([]byte(`"null"`))
req, err := http.NewRequest("POST", "https://api.hackerone.com/v1/programs/{id}/policy_attachments", data)
req.Header = headers
req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
body, _ := ioutil.ReadAll(resp.Body)
log.Println(string(body))
}
attachment uploaded
{
"id": "1337",
"type": "attachment",
"attributes": {
"expiring_url": "/system/attachments/files/000/001/337/original/root.rb?1454385906",
"created_at": "2016-02-02T04:05:06.000Z",
"file_name": "root.rb",
"content_type": "text/x-ruby",
"file_size": 2871
}
}
POST /programs/{id}/policy_attachments
Policy attachments can be uploaded by sending a POST request to the program policy
attachments endpoint. When the API call is successful, an attachment
object will be returned.
You can use the attachment ID to display the attachment on your policy page. For example,
if the attachment ID is 1337, then include {F1337} in your policy to display the
attachment.
Required permissions: Program Management. You can manage the permissions of your API users through your organization's settings. Insufficient permissions will result in a 404 Not Found response.
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| id | path | integer | true | The ID of the program. |
Update Policy
Code samples
# You can also use wget
curl "https://api.hackerone.com/v1/programs/{id}/policy" \
-X PUT \
-u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
-H 'Content-Type: application/json' \
-H 'Accept: application/json' \
-d @- <<EOD
{
"data": {
"type": "program-policy",
"attributes": {
"policy": "string"
}
}
}
EOD
import requests
headers = {
'Content-Type': 'application/json',
'Accept': 'application/json'
}
data = {
"data": {
"type": "program-policy",
"attributes": {
"policy": "string"
}
}
}
r = requests.put(
'https://api.hackerone.com/v1/programs/{id}/policy',
auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
json = data,
headers = headers
)
print(r.json())
require 'rest-client'
require 'json'
headers = {
'Content-Type' => 'application/json',
'Accept' => 'application/json'
}
data = {
"data": {
"type": "program-policy",
"attributes": {
"policy": "string"
}
}
}
result = RestClient::Request.execute(
method: :put,
url: 'https://api.hackerone.com/v1/programs/{id}/policy',
password: '<YOUR_API_TOKEN>',
user: '<YOUR_API_USERNAME>',
payload: data,
headers: headers
)
p JSON.parse(result)
URL obj = new URL("https://api.hackerone.com/v1/programs/{id}/policy");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);
con.setRequestMethod("PUT");
con.setRequestProperty("Content-Type", "application/json; utf-8");
con.setRequestProperty("Accept", "application/json");
con.setDoOutput(true);
String jsonInputString = "{\n \"data\": {\n \"type\": \"program-policy\",\n \"attributes\": {\n \"policy\": \"string\"\n }\n }\n}";
try(OutputStream os = con.getOutputStream()) {
byte[] input = jsonInputString.getBytes("utf-8");
os.write(input, 0, input.length);
}
try(BufferedReader br = new BufferedReader(
new InputStreamReader(con.getInputStream(), "utf-8"))) {
StringBuilder response = new StringBuilder();
String responseLine = null;
while ((responseLine = br.readLine()) != null) {
response.append(responseLine.trim());
}
System.out.println(response.toString());
}
let inputBody = "{\n \"data\": {\n \"type\": \"program-policy\",\n \"attributes\": {\n \"policy\": \"string\"\n }\n }\n}";
let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
headers.set('Content-Type', 'application/json'); headers.set('Accept', 'application/json');
fetch('https://api.hackerone.com/v1/programs/{id}/policy',
{
method: 'PUT',
body: inputBody,
headers: headers
})
.then(function(res) {
return res.json();
}).then(function(body) {
console.log(body);
});
package main
import (
"bytes"
"io/ioutil"
"log"
"net/http"
)
func main() {
headers := map[string][]string{
"Content-Type": []string{"application/json"},
"Accept": []string{"application/json"},
}
data := bytes.NewBuffer([]byte(`"{\n \"data\": {\n \"type\": \"program-policy\",\n \"attributes\": {\n \"policy\": \"string\"\n }\n }\n}"`))
req, err := http.NewRequest("PUT", "https://api.hackerone.com/v1/programs/{id}/policy", data)
req.Header = headers
req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
body, _ := ioutil.ReadAll(resp.Body)
log.Println(string(body))
}
Policy updated
{
"data": {
"id": "12",
"type": "program",
"attributes": {
"handle": "security",
"policy": "...",
"created_at": "2013-01-01T00:00:00.000Z",
"updated_at": "2019-08-26T13:53:24.807Z"
}
}
}
PUT /programs/{id}/policy
Managing the policy of a program through the HackerOne API can be useful to programmatically batch update programs in HackerOne. You can use this endpoint to update the policy of your program.
Required permissions: Program Management. You can manage the permissions of your API users through your program's settings. Insufficient permissions will result in a 404 Not Found response.
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| id | path | integer | true | The ID of the program. |
| data | body | object | true | The information to update the policy of a program. |
| » type | body | string | true | none |
| » attributes | body | object | true | none |
| »» policy | body | string | true | The new policy that will be set on the program. |
Enumerated Values
| Parameter | Value |
|---|---|
| » type | program-policy |
Get Reporters
Code samples
# You can also use wget
curl "https://api.hackerone.com/v1/programs/{id}/reporters" \
-X GET \
-u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
-H 'Accept: application/json'
import requests
headers = {
'Accept': 'application/json'
}
r = requests.get(
'https://api.hackerone.com/v1/programs/{id}/reporters',
auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
headers = headers
)
print(r.json())
require 'rest-client'
require 'json'
headers = {
'Accept' => 'application/json'
}
result = RestClient::Request.execute(
method: :get,
url: 'https://api.hackerone.com/v1/programs/{id}/reporters',
password: '<YOUR_API_TOKEN>',
user: '<YOUR_API_USERNAME>',
headers: headers
)
p JSON.parse(result)
URL obj = new URL("https://api.hackerone.com/v1/programs/{id}/reporters");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);
con.setRequestMethod("GET");
try(BufferedReader br = new BufferedReader(
new InputStreamReader(con.getInputStream(), "utf-8"))) {
StringBuilder response = new StringBuilder();
String responseLine = null;
while ((responseLine = br.readLine()) != null) {
response.append(responseLine.trim());
}
System.out.println(response.toString());
}
let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
headers.set('Accept', 'application/json');
fetch('https://api.hackerone.com/v1/programs/{id}/reporters',
{
method: 'GET',
headers: headers
})
.then(function(res) {
return res.json();
}).then(function(body) {
console.log(body);
});
package main
import (
"io/ioutil"
"log"
"net/http"
)
func main() {
headers := map[string][]string{
"Accept": []string{"application/json"},
}
req, err := http.NewRequest("GET", "https://api.hackerone.com/v1/programs/{id}/reporters", nil)
req.Header = headers
req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
body, _ := ioutil.ReadAll(resp.Body)
log.Println(string(body))
}
reporters found
{
"data": [
{
"id": "1337",
"type": "user",
"attributes": {
"username": "awesome-hacker",
"name": "Awesome Hacker",
"disabled": false,
"created_at": "2016-02-02T04:05:06.000Z",
"profile_picture": {
"62x62": "/assets/avatars/default.png",
"82x82": "/assets/avatars/default.png",
"110x110": "/assets/avatars/default.png",
"260x260": "/assets/avatars/default.png"
}
}
}
],
"links": {}
}
GET /programs/{id}/reporters
This resource allows you to retrieve a list of all users that ever
submitted a report to the program.
Multiple user objects can be queried by sending a GET request to the reporters endpoint. When the request is successful, the API will respond with paginated user objects.
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| id | path | integer | true | The ID of the program. |
| page[number] | query | integer | false | The page to retrieve from. The default is set to 1. |
| page[size] | query | integer | false | The number of objects per page (currently limited from 1 to 100). The default is set to 25. |
Get Structured Scopes
Code samples
# You can also use wget
curl "https://api.hackerone.com/v1/programs/{id}/structured_scopes" \
-X GET \
-u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
-H 'Accept: application/json'
import requests
headers = {
'Accept': 'application/json'
}
r = requests.get(
'https://api.hackerone.com/v1/programs/{id}/structured_scopes',
auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
headers = headers
)
print(r.json())
require 'rest-client'
require 'json'
headers = {
'Accept' => 'application/json'
}
result = RestClient::Request.execute(
method: :get,
url: 'https://api.hackerone.com/v1/programs/{id}/structured_scopes',
password: '<YOUR_API_TOKEN>',
user: '<YOUR_API_USERNAME>',
headers: headers
)
p JSON.parse(result)
URL obj = new URL("https://api.hackerone.com/v1/programs/{id}/structured_scopes");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);
con.setRequestMethod("GET");
try(BufferedReader br = new BufferedReader(
new InputStreamReader(con.getInputStream(), "utf-8"))) {
StringBuilder response = new StringBuilder();
String responseLine = null;
while ((responseLine = br.readLine()) != null) {
response.append(responseLine.trim());
}
System.out.println(response.toString());
}
let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
headers.set('Accept', 'application/json');
fetch('https://api.hackerone.com/v1/programs/{id}/structured_scopes',
{
method: 'GET',
headers: headers
})
.then(function(res) {
return res.json();
}).then(function(body) {
console.log(body);
});
package main
import (
"io/ioutil"
"log"
"net/http"
)
func main() {
headers := map[string][]string{
"Accept": []string{"application/json"},
}
req, err := http.NewRequest("GET", "https://api.hackerone.com/v1/programs/{id}/structured_scopes", nil)
req.Header = headers
req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
body, _ := ioutil.ReadAll(resp.Body)
log.Println(string(body))
}
structured scopes found
{
"data": [
{
"id": "57",
"type": "structured-scope",
"attributes": {
"asset_identifier": "api.example.com",
"asset_type": "URL",
"confidentiality_requirement": "high",
"integrity_requirement": "high",
"availability_requirement": "high",
"max_severity": "critical",
"created_at": "2015-02-02T04:05:06.000Z",
"updated_at": "2016-05-02T04:05:06.000Z",
"instruction": null,
"eligible_for_bounty": true,
"eligible_for_submission": true,
"reference": "H001001"
}
},
{
"id": "58",
"type": "structured-scope",
"attributes": {
"asset_identifier": "www.example.com",
"asset_type": "URL",
"confidentiality_requirement": "low",
"integrity_requirement": "high",
"availability_requirement": "high",
"max_severity": "critical",
"created_at": "2017-02-03T04:05:10.000Z",
"updated_at": "2018-05-02T04:05:10.000Z",
"instruction": "Instruction text",
"eligible_for_bounty": true,
"eligible_for_submission": true,
"reference": "H001002"
}
}
],
"links": {}
}
GET /programs/{id}/structured_scopes
Structured scopes can be fetched by sending a GET request to the structured scopes endpoint. When the request is successful, the API will respond with paginated structured scope objects.
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| id | path | integer | true | The ID of the program. You can find the program ID by fetching your programs. |
| page[number] | query | integer | false | The page to retrieve from. The default is set to 1. |
| page[size] | query | integer | false | The number of objects per page (currently limited from 1 to 100). The default is set to 25. |
Add Structured Scope
Code samples
# You can also use wget
curl "https://api.hackerone.com/v1/programs/{id}/structured_scopes" \
-X POST \
-u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
-H 'Content-Type: application/json' \
-H 'Accept: application/json' \
-d @- <<EOD
{
"data": {
"type": "structured-scope",
"attributes": {
"asset_identifier": "string",
"asset_type": "CIDR",
"eligible_for_bounty": true,
"eligible_for_submission": true,
"instruction": "string",
"confidentiality_requirement": "none",
"integrity_requirement": "none",
"availability_requirement": "none",
"max_severity": "none",
"reference": "string"
}
}
}
EOD
import requests
headers = {
'Content-Type': 'application/json',
'Accept': 'application/json'
}
data = {
"data": {
"type": "structured-scope",
"attributes": {
"asset_identifier": "string",
"asset_type": "CIDR",
"eligible_for_bounty": true,
"eligible_for_submission": true,
"instruction": "string",
"confidentiality_requirement": "none",
"integrity_requirement": "none",
"availability_requirement": "none",
"max_severity": "none",
"reference": "string"
}
}
}
r = requests.post(
'https://api.hackerone.com/v1/programs/{id}/structured_scopes',
auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
json = data,
headers = headers
)
print(r.json())
require 'rest-client'
require 'json'
headers = {
'Content-Type' => 'application/json',
'Accept' => 'application/json'
}
data = {
"data": {
"type": "structured-scope",
"attributes": {
"asset_identifier": "string",
"asset_type": "CIDR",
"eligible_for_bounty": true,
"eligible_for_submission": true,
"instruction": "string",
"confidentiality_requirement": "none",
"integrity_requirement": "none",
"availability_requirement": "none",
"max_severity": "none",
"reference": "string"
}
}
}
result = RestClient::Request.execute(
method: :post,
url: 'https://api.hackerone.com/v1/programs/{id}/structured_scopes',
password: '<YOUR_API_TOKEN>',
user: '<YOUR_API_USERNAME>',
payload: data,
headers: headers
)
p JSON.parse(result)
URL obj = new URL("https://api.hackerone.com/v1/programs/{id}/structured_scopes");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);
con.setRequestMethod("POST");
con.setRequestProperty("Content-Type", "application/json; utf-8");
con.setRequestProperty("Accept", "application/json");
con.setDoOutput(true);
String jsonInputString = "{\n \"data\": {\n \"type\": \"structured-scope\",\n \"attributes\": {\n \"asset_identifier\": \"string\",\n \"asset_type\": \"CIDR\",\n \"eligible_for_bounty\": true,\n \"eligible_for_submission\": true,\n \"instruction\": \"string\",\n \"confidentiality_requirement\": \"none\",\n \"integrity_requirement\": \"none\",\n \"availability_requirement\": \"none\",\n \"max_severity\": \"none\",\n \"reference\": \"string\"\n }\n }\n}";
try(OutputStream os = con.getOutputStream()) {
byte[] input = jsonInputString.getBytes("utf-8");
os.write(input, 0, input.length);
}
try(BufferedReader br = new BufferedReader(
new InputStreamReader(con.getInputStream(), "utf-8"))) {
StringBuilder response = new StringBuilder();
String responseLine = null;
while ((responseLine = br.readLine()) != null) {
response.append(responseLine.trim());
}
System.out.println(response.toString());
}
let inputBody = "{\n \"data\": {\n \"type\": \"structured-scope\",\n \"attributes\": {\n \"asset_identifier\": \"string\",\n \"asset_type\": \"CIDR\",\n \"eligible_for_bounty\": true,\n \"eligible_for_submission\": true,\n \"instruction\": \"string\",\n \"confidentiality_requirement\": \"none\",\n \"integrity_requirement\": \"none\",\n \"availability_requirement\": \"none\",\n \"max_severity\": \"none\",\n \"reference\": \"string\"\n }\n }\n}";
let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
headers.set('Content-Type', 'application/json'); headers.set('Accept', 'application/json');
fetch('https://api.hackerone.com/v1/programs/{id}/structured_scopes',
{
method: 'POST',
body: inputBody,
headers: headers
})
.then(function(res) {
return res.json();
}).then(function(body) {
console.log(body);
});
package main
import (
"bytes"
"io/ioutil"
"log"
"net/http"
)
func main() {
headers := map[string][]string{
"Content-Type": []string{"application/json"},
"Accept": []string{"application/json"},
}
data := bytes.NewBuffer([]byte(`"{\n \"data\": {\n \"type\": \"structured-scope\",\n \"attributes\": {\n \"asset_identifier\": \"string\",\n \"asset_type\": \"CIDR\",\n \"eligible_for_bounty\": true,\n \"eligible_for_submission\": true,\n \"instruction\": \"string\",\n \"confidentiality_requirement\": \"none\",\n \"integrity_requirement\": \"none\",\n \"availability_requirement\": \"none\",\n \"max_severity\": \"none\",\n \"reference\": \"string\"\n }\n }\n}"`))
req, err := http.NewRequest("POST", "https://api.hackerone.com/v1/programs/{id}/structured_scopes", data)
req.Header = headers
req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
body, _ := ioutil.ReadAll(resp.Body)
log.Println(string(body))
}
structured scope created
{
"id": "57",
"type": "structured-scope",
"attributes": {
"asset_identifier": "api.example.com",
"asset_type": "URL",
"confidentiality_requirement": "high",
"integrity_requirement": "high",
"availability_requirement": "high",
"max_severity": "critical",
"created_at": "2015-02-02T04:05:06.000Z",
"updated_at": "2016-05-02T04:05:06.000Z",
"instruction": null,
"eligible_for_bounty": true,
"eligible_for_submission": true,
"reference": "H001001"
}
}
POST /programs/{id}/structured_scopes
This endpoint can be used to add an asset to a program. When the API request is successful, a structured scope object will be returned. Please refer to our platform documentation to get more information on the different asset types.
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| id | path | integer | true | The ID of the program. You can find the program ID by fetching your programs. |
| data | body | object | true | The information to create a structured scope. |
| » type | body | string | true | none |
| » attributes | body | object | true | none |
| »» asset_identifier | body | string | true | The identifier of the asset. |
| »» asset_type | body | string | true | The type of asset. |
| »» eligible_for_bounty | body | boolean | false | The eligibility of the asset for bounties. |
| »» eligible_for_submission | body | boolean | false | If the asset is eligible for submission. |
| »» instruction | body | string | false | The raw instruction of the asset provided by the program. Markdown is not parsed. |
| »» confidentiality_requirement | body | string | false | A CVSS environmental modifier that reweighs Confidentiality Impact of a vulnerability on the asset. |
| »» integrity_requirement | body | string | false | A CVSS environmental modifier that reweighs Integrity Impact of a vulnerability on the asset. |
| »» availability_requirement | body | string | false | A CVSS environmental modifier that reweighs Availability Impact of a vulnerability on the asset. |
| »» max_severity | body | severity-ratings | false | The qualitative rating of the severity. Provided either directly from the author or mapped from the calculated vulnerability score. |
| »» reference | body | string | false | The customer defined reference identifier or tag of the asset. |
Enumerated Values
| Parameter | Value |
|---|---|
| » type | structured-scope |
| »» asset_type | CIDR |
| »» asset_type | URL |
| »» asset_type | APPLE_STORE_APP_ID |
| »» asset_type | TESTFLIGHT |
| »» asset_type | OTHER_IPA |
| »» asset_type | GOOGLE_PLAY_APP_ID |
| »» asset_type | OTHER_APK |
| »» asset_type | WINDOWS_APP_STORE_APP_ID |
| »» asset_type | SOURCE_CODE |
| »» asset_type | DOWNLOADABLE_EXECUTABLES |
| »» asset_type | HARDWARE |
| »» asset_type | OTHER |
| »» asset_type | SMART_CONTRACT |
| »» asset_type | WILDCARD |
| »» asset_type | IP_ADDRESS |
| »» asset_type | AI_MODEL |
| »» asset_type | API |
| »» asset_type | AWS_CLOUD_CONFIG |
| »» asset_type | AZURE_CLOUD_CONFIG |
| »» confidentiality_requirement | none |
| »» confidentiality_requirement | low |
| »» confidentiality_requirement | medium |
| »» confidentiality_requirement | high |
| »» integrity_requirement | none |
| »» integrity_requirement | low |
| »» integrity_requirement | medium |
| »» integrity_requirement | high |
| »» availability_requirement | none |
| »» availability_requirement | low |
| »» availability_requirement | medium |
| »» availability_requirement | high |
| »» max_severity | none |
| »» max_severity | low |
| »» max_severity | medium |
| »» max_severity | high |
| »» max_severity | critical |
Update Structured Scope
Code samples
# You can also use wget
curl "https://api.hackerone.com/v1/programs/{program_id}/structured_scopes/{id}" \
-X PUT \
-u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
-H 'Content-Type: application/json' \
-H 'Accept: application/json' \
-d @- <<EOD
{
"data": {
"type": "structured-scope",
"attributes": {
"asset_identifier": "string",
"eligible_for_bounty": true,
"eligible_for_submission": true,
"instruction": "string",
"confidentiality_requirement": "none",
"integrity_requirement": "none",
"availability_requirement": "none",
"max_severity": "none",
"reference": "string"
}
}
}
EOD
import requests
headers = {
'Content-Type': 'application/json',
'Accept': 'application/json'
}
data = {
"data": {
"type": "structured-scope",
"attributes": {
"asset_identifier": "string",
"eligible_for_bounty": true,
"eligible_for_submission": true,
"instruction": "string",
"confidentiality_requirement": "none",
"integrity_requirement": "none",
"availability_requirement": "none",
"max_severity": "none",
"reference": "string"
}
}
}
r = requests.put(
'https://api.hackerone.com/v1/programs/{program_id}/structured_scopes/{id}',
auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
json = data,
headers = headers
)
print(r.json())
require 'rest-client'
require 'json'
headers = {
'Content-Type' => 'application/json',
'Accept' => 'application/json'
}
data = {
"data": {
"type": "structured-scope",
"attributes": {
"asset_identifier": "string",
"eligible_for_bounty": true,
"eligible_for_submission": true,
"instruction": "string",
"confidentiality_requirement": "none",
"integrity_requirement": "none",
"availability_requirement": "none",
"max_severity": "none",
"reference": "string"
}
}
}
result = RestClient::Request.execute(
method: :put,
url: 'https://api.hackerone.com/v1/programs/{program_id}/structured_scopes/{id}',
password: '<YOUR_API_TOKEN>',
user: '<YOUR_API_USERNAME>',
payload: data,
headers: headers
)
p JSON.parse(result)
URL obj = new URL("https://api.hackerone.com/v1/programs/{program_id}/structured_scopes/{id}");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);
con.setRequestMethod("PUT");
con.setRequestProperty("Content-Type", "application/json; utf-8");
con.setRequestProperty("Accept", "application/json");
con.setDoOutput(true);
String jsonInputString = "{\n \"data\": {\n \"type\": \"structured-scope\",\n \"attributes\": {\n \"asset_identifier\": \"string\",\n \"eligible_for_bounty\": true,\n \"eligible_for_submission\": true,\n \"instruction\": \"string\",\n \"confidentiality_requirement\": \"none\",\n \"integrity_requirement\": \"none\",\n \"availability_requirement\": \"none\",\n \"max_severity\": \"none\",\n \"reference\": \"string\"\n }\n }\n}";
try(OutputStream os = con.getOutputStream()) {
byte[] input = jsonInputString.getBytes("utf-8");
os.write(input, 0, input.length);
}
try(BufferedReader br = new BufferedReader(
new InputStreamReader(con.getInputStream(), "utf-8"))) {
StringBuilder response = new StringBuilder();
String responseLine = null;
while ((responseLine = br.readLine()) != null) {
response.append(responseLine.trim());
}
System.out.println(response.toString());
}
let inputBody = "{\n \"data\": {\n \"type\": \"structured-scope\",\n \"attributes\": {\n \"asset_identifier\": \"string\",\n \"eligible_for_bounty\": true,\n \"eligible_for_submission\": true,\n \"instruction\": \"string\",\n \"confidentiality_requirement\": \"none\",\n \"integrity_requirement\": \"none\",\n \"availability_requirement\": \"none\",\n \"max_severity\": \"none\",\n \"reference\": \"string\"\n }\n }\n}";
let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
headers.set('Content-Type', 'application/json'); headers.set('Accept', 'application/json');
fetch('https://api.hackerone.com/v1/programs/{program_id}/structured_scopes/{id}',
{
method: 'PUT',
body: inputBody,
headers: headers
})
.then(function(res) {
return res.json();
}).then(function(body) {
console.log(body);
});
package main
import (
"bytes"
"io/ioutil"
"log"
"net/http"
)
func main() {
headers := map[string][]string{
"Content-Type": []string{"application/json"},
"Accept": []string{"application/json"},
}
data := bytes.NewBuffer([]byte(`"{\n \"data\": {\n \"type\": \"structured-scope\",\n \"attributes\": {\n \"asset_identifier\": \"string\",\n \"eligible_for_bounty\": true,\n \"eligible_for_submission\": true,\n \"instruction\": \"string\",\n \"confidentiality_requirement\": \"none\",\n \"integrity_requirement\": \"none\",\n \"availability_requirement\": \"none\",\n \"max_severity\": \"none\",\n \"reference\": \"string\"\n }\n }\n}"`))
req, err := http.NewRequest("PUT", "https://api.hackerone.com/v1/programs/{program_id}/structured_scopes/{id}", data)
req.Header = headers
req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
body, _ := ioutil.ReadAll(resp.Body)
log.Println(string(body))
}
structured scope updated
{
"id": "57",
"type": "structured-scope",
"attributes": {
"asset_identifier": "api.example.com",
"asset_type": "URL",
"confidentiality_requirement": "high",
"integrity_requirement": "high",
"availability_requirement": "high",
"max_severity": "critical",
"created_at": "2015-02-02T04:05:06.000Z",
"updated_at": "2016-05-02T04:05:06.000Z",
"instruction": null,
"eligible_for_bounty": true,
"eligible_for_submission": true,
"reference": "H001001"
}
}
PUT /programs/{program_id}/structured_scopes/{id}
This endpoint can be used to update an asset of a program. When the API request is successful, a structured scope object will be returned.
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| program_id | path | integer | true | The ID of the program. You can find the program ID by fetching your programs. |
| id | path | integer | true | The ID of the structured scope. |
| data | body | object | true | The information to update a structured scope. |
| » type | body | string | true | none |
| » attributes | body | object | true | none |
| »» asset_identifier | body | string | true | The identifier of the asset. |
| »» eligible_for_bounty | body | boolean | false | If the asset is eligible for bounty. |
| »» eligible_for_submission | body | boolean | false | If the asset is eligible for submission. |
| »» instruction | body | string | false | The raw instruction of the asset provided by the program (markdown is not parsed). |
| »» confidentiality_requirement | body | string | false | A CVSS environmental modifier that reweighs Confidentiality Impact of a vulnerability on the asset. |
| »» integrity_requirement | body | string | false | A CVSS environmental modifier that reweighs Integrity Impact of a vulnerability on the asset. |
| »» availability_requirement | body | string | false | A CVSS environmental modifier that reweighs Availability Impact of a vulnerability on the asset. |
| »» max_severity | body | severity-ratings | false | The qualitative rating of the severity. Provided either directly from the author or mapped from the calculated vulnerability score. |
| »» reference | body | string | false | The customer defined reference identifier or tag of the asset. |
Enumerated Values
| Parameter | Value |
|---|---|
| » type | structured-scope |
| »» confidentiality_requirement | none |
| »» confidentiality_requirement | low |
| »» confidentiality_requirement | medium |
| »» confidentiality_requirement | high |
| »» integrity_requirement | none |
| »» integrity_requirement | low |
| »» integrity_requirement | medium |
| »» integrity_requirement | high |
| »» availability_requirement | none |
| »» availability_requirement | low |
| »» availability_requirement | medium |
| »» availability_requirement | high |
| »» max_severity | none |
| »» max_severity | low |
| »» max_severity | medium |
| »» max_severity | high |
| »» max_severity | critical |
Archive Structured Scope
Code samples
# You can also use wget
curl "https://api.hackerone.com/v1/programs/{program_id}/structured_scopes/{id}" \
-X DELETE \
-u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
-H 'Accept: application/json'
import requests
headers = {
'Accept': 'application/json'
}
r = requests.delete(
'https://api.hackerone.com/v1/programs/{program_id}/structured_scopes/{id}',
auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
headers = headers
)
print(r.json())
require 'rest-client'
require 'json'
headers = {
'Accept' => 'application/json'
}
result = RestClient::Request.execute(
method: :delete,
url: 'https://api.hackerone.com/v1/programs/{program_id}/structured_scopes/{id}',
password: '<YOUR_API_TOKEN>',
user: '<YOUR_API_USERNAME>',
headers: headers
)
p JSON.parse(result)
URL obj = new URL("https://api.hackerone.com/v1/programs/{program_id}/structured_scopes/{id}");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);
con.setRequestMethod("DELETE");
try(BufferedReader br = new BufferedReader(
new InputStreamReader(con.getInputStream(), "utf-8"))) {
StringBuilder response = new StringBuilder();
String responseLine = null;
while ((responseLine = br.readLine()) != null) {
response.append(responseLine.trim());
}
System.out.println(response.toString());
}
let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
headers.set('Accept', 'application/json');
fetch('https://api.hackerone.com/v1/programs/{program_id}/structured_scopes/{id}',
{
method: 'DELETE',
headers: headers
})
.then(function(res) {
return res.json();
}).then(function(body) {
console.log(body);
});
package main
import (
"io/ioutil"
"log"
"net/http"
)
func main() {
headers := map[string][]string{
"Accept": []string{"application/json"},
}
req, err := http.NewRequest("DELETE", "https://api.hackerone.com/v1/programs/{program_id}/structured_scopes/{id}", nil)
req.Header = headers
req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
body, _ := ioutil.ReadAll(resp.Body)
log.Println(string(body))
}
structured scope archived
{
"id": "57",
"type": "structured-scope",
"attributes": {
"asset_identifier": "api.example.com",
"asset_type": "URL",
"confidentiality_requirement": "high",
"integrity_requirement": "high",
"availability_requirement": "high",
"max_severity": "critical",
"created_at": "2015-02-02T04:05:06.000Z",
"updated_at": "2016-05-02T04:05:06.000Z",
"instruction": null,
"eligible_for_bounty": true,
"eligible_for_submission": true,
"reference": "H001001"
}
}
DELETE /programs/{program_id}/structured_scopes/{id}
This endpoint can be used to archive an asset of a program. When the API request is successful, a structured scope object will be returned.
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| program_id | path | integer | true | The ID of the program. You can find the program ID by fetching your programs. |
| id | path | integer | true | The ID of the structured scope. |
Get Awarded Swag
Code samples
# You can also use wget
curl "https://api.hackerone.com/v1/programs/{id}/swag" \
-X GET \
-u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
-H 'Accept: application/json'
import requests
headers = {
'Accept': 'application/json'
}
r = requests.get(
'https://api.hackerone.com/v1/programs/{id}/swag',
auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
headers = headers
)
print(r.json())
require 'rest-client'
require 'json'
headers = {
'Accept' => 'application/json'
}
result = RestClient::Request.execute(
method: :get,
url: 'https://api.hackerone.com/v1/programs/{id}/swag',
password: '<YOUR_API_TOKEN>',
user: '<YOUR_API_USERNAME>',
headers: headers
)
p JSON.parse(result)
URL obj = new URL("https://api.hackerone.com/v1/programs/{id}/swag");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);
con.setRequestMethod("GET");
try(BufferedReader br = new BufferedReader(
new InputStreamReader(con.getInputStream(), "utf-8"))) {
StringBuilder response = new StringBuilder();
String responseLine = null;
while ((responseLine = br.readLine()) != null) {
response.append(responseLine.trim());
}
System.out.println(response.toString());
}
let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
headers.set('Accept', 'application/json');
fetch('https://api.hackerone.com/v1/programs/{id}/swag',
{
method: 'GET',
headers: headers
})
.then(function(res) {
return res.json();
}).then(function(body) {
console.log(body);
});
package main
import (
"io/ioutil"
"log"
"net/http"
)
func main() {
headers := map[string][]string{
"Accept": []string{"application/json"},
}
req, err := http.NewRequest("GET", "https://api.hackerone.com/v1/programs/{id}/swag", nil)
req.Header = headers
req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
body, _ := ioutil.ReadAll(resp.Body)
log.Println(string(body))
}
swag found
{
"data": [
{
"id": "8",
"type": "swag",
"attributes": {
"sent": true,
"created_at": "2019-08-30T08:33:42.147Z"
},
"relationships": {
"user": {
"data": {
"id": "1337",
"type": "user",
"attributes": {
"username": "api-example",
"name": "API Example",
"disabled": false,
"created_at": "2016-02-02T04:05:06.000Z",
"profile_picture": {
"62x62": "/assets/avatars/default.png",
"82x82": "/assets/avatars/default.png",
"110x110": "/assets/avatars/default.png",
"260x260": "/assets/avatars/default.png"
}
}
}
},
"address": {
"data": {
"id": "1337",
"type": "address",
"attributes": {
"name": "Jane Doe",
"street": "535 Mission Street",
"city": "San Francisco",
"postal_code": "94105",
"state": "CA",
"country": "United States of America",
"created_at": "2016-02-02T04:05:06.000Z",
"tshirt_size": "M_Large",
"phone_number": "+1-510-000-0000"
}
}
}
}
},
{
"id": "7",
"type": "swag",
"attributes": {
"sent": false,
"created_at": "2019-08-20T03:47:04.163Z"
},
"relationships": {
"user": {
"data": {
"id": "1338",
"type": "user",
"attributes": {
"username": "johndoe",
"name": "John Doe",
"disabled": false,
"created_at": "2017-02-02T04:05:06.000Z",
"profile_picture": {
"62x62": "/assets/avatars/default.png",
"82x82": "/assets/avatars/default.png",
"110x110": "/assets/avatars/default.png",
"260x260": "/assets/avatars/default.png"
}
}
}
},
"address": {
"data": {
"id": "1337",
"type": "address",
"attributes": {
"name": "John Smith",
"street": "535 Mission Street",
"city": "New York",
"postal_code": "10001",
"state": "NY",
"country": "United States of America",
"created_at": "2017-01-03T07:08:09.000Z",
"tshirt_size": "M_Large",
"phone_number": "+1-212-000-0000"
}
}
}
}
}
],
"links": {}
}
GET /programs/{id}/swag
Awarded swag can be fetched by sending a GET request to the swag endpoint. When the request
is successful, the API will respond with paginated swag objects.
Required permissions: Program Management. You can manage the permissions of your API users through your organization's settings. Insufficient permissions will result in a 403 Forbidden response.
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| id | path | integer | true | The ID of the program. |
| page[number] | query | integer | false | The page to retrieve from. The default is set to 1. |
| page[size] | query | integer | false | The number of objects per page (currently limited from 1 to 100). The default is set to 25. |
Mark Swag as Sent
Code samples
# You can also use wget
curl "https://api.hackerone.com/v1/programs/{program_id}/swag/{id}" \
-X PUT \
-u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
-H 'Content-Type: application/json' \
-H 'Accept: application/json' \
-d @- <<EOD
{}
EOD
import requests
headers = {
'Content-Type': 'application/json',
'Accept': 'application/json'
}
data = {}
r = requests.put(
'https://api.hackerone.com/v1/programs/{program_id}/swag/{id}',
auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
json = data,
headers = headers
)
print(r.json())
require 'rest-client'
require 'json'
headers = {
'Content-Type' => 'application/json',
'Accept' => 'application/json'
}
data = {}
result = RestClient::Request.execute(
method: :put,
url: 'https://api.hackerone.com/v1/programs/{program_id}/swag/{id}',
password: '<YOUR_API_TOKEN>',
user: '<YOUR_API_USERNAME>',
payload: data,
headers: headers
)
p JSON.parse(result)
URL obj = new URL("https://api.hackerone.com/v1/programs/{program_id}/swag/{id}");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);
con.setRequestMethod("PUT");
con.setRequestProperty("Content-Type", "application/json; utf-8");
con.setRequestProperty("Accept", "application/json");
con.setDoOutput(true);
String jsonInputString = "{}";
try(OutputStream os = con.getOutputStream()) {
byte[] input = jsonInputString.getBytes("utf-8");
os.write(input, 0, input.length);
}
try(BufferedReader br = new BufferedReader(
new InputStreamReader(con.getInputStream(), "utf-8"))) {
StringBuilder response = new StringBuilder();
String responseLine = null;
while ((responseLine = br.readLine()) != null) {
response.append(responseLine.trim());
}
System.out.println(response.toString());
}
let inputBody = "{}";
let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
headers.set('Content-Type', 'application/json'); headers.set('Accept', 'application/json');
fetch('https://api.hackerone.com/v1/programs/{program_id}/swag/{id}',
{
method: 'PUT',
body: inputBody,
headers: headers
})
.then(function(res) {
return res.json();
}).then(function(body) {
console.log(body);
});
package main
import (
"bytes"
"io/ioutil"
"log"
"net/http"
)
func main() {
headers := map[string][]string{
"Content-Type": []string{"application/json"},
"Accept": []string{"application/json"},
}
data := bytes.NewBuffer([]byte(`"{}"`))
req, err := http.NewRequest("PUT", "https://api.hackerone.com/v1/programs/{program_id}/swag/{id}", data)
req.Header = headers
req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
body, _ := ioutil.ReadAll(resp.Body)
log.Println(string(body))
}
Swag marked as sent
{
"data": {
"id": "8",
"type": "swag",
"attributes": {
"sent": true,
"created_at": "2019-08-30T08:33:42.147Z"
},
"relationships": {
"user": {
"data": {
"id": "1337",
"type": "user",
"attributes": {
"username": "api-example",
"name": "API Example",
"disabled": false,
"created_at": "2016-02-02T04:05:06.000Z",
"profile_picture": {
"62x62": "/assets/avatars/default.png",
"82x82": "/assets/avatars/default.png",
"110x110": "/assets/avatars/default.png",
"260x260": "/assets/avatars/default.png"
}
}
}
},
"address": {
"data": {
"id": "1337",
"type": "address",
"attributes": {
"name": "Jane Doe",
"street": "535 Mission Street",
"city": "San Francisco",
"postal_code": "94105",
"state": "CA",
"country": "United States of America",
"created_at": "2016-02-02T04:05:06.000Z",
"tshirt_size": "M_Large",
"phone_number": "+1-510-000-0000"
}
}
}
}
}
}
PUT /programs/{program_id}/swag/{id}
The status of swag can be updated to "sent" through this endpoint. When the request is
successful, the API will respond with a swag object.
Required permissions: Program Management. You can manage the permissions of your API users through your organization's settings. Insufficient permissions will result in a 403 Forbidden response.
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| program_id | path | integer | true | The ID of the program. |
| id | path | integer | true | The ID of the swag. |
Get Thanks to Hackers
Code samples
# You can also use wget
curl "https://api.hackerone.com/v1/programs/{id}/thanks" \
-X GET \
-u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
-H 'Accept: application/json'
import requests
headers = {
'Accept': 'application/json'
}
r = requests.get(
'https://api.hackerone.com/v1/programs/{id}/thanks',
auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
headers = headers
)
print(r.json())
require 'rest-client'
require 'json'
headers = {
'Accept' => 'application/json'
}
result = RestClient::Request.execute(
method: :get,
url: 'https://api.hackerone.com/v1/programs/{id}/thanks',
password: '<YOUR_API_TOKEN>',
user: '<YOUR_API_USERNAME>',
headers: headers
)
p JSON.parse(result)
URL obj = new URL("https://api.hackerone.com/v1/programs/{id}/thanks");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);
con.setRequestMethod("GET");
try(BufferedReader br = new BufferedReader(
new InputStreamReader(con.getInputStream(), "utf-8"))) {
StringBuilder response = new StringBuilder();
String responseLine = null;
while ((responseLine = br.readLine()) != null) {
response.append(responseLine.trim());
}
System.out.println(response.toString());
}
let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
headers.set('Accept', 'application/json');
fetch('https://api.hackerone.com/v1/programs/{id}/thanks',
{
method: 'GET',
headers: headers
})
.then(function(res) {
return res.json();
}).then(function(body) {
console.log(body);
});
package main
import (
"io/ioutil"
"log"
"net/http"
)
func main() {
headers := map[string][]string{
"Accept": []string{"application/json"},
}
req, err := http.NewRequest("GET", "https://api.hackerone.com/v1/programs/{id}/thanks", nil)
req.Header = headers
req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
body, _ := ioutil.ReadAll(resp.Body)
log.Println(string(body))
}
thanks items found
{
"data": [
{
"type": "thanks-item",
"attributes": {
"total_report_count": 1,
"reputation": 7,
"recognized_report_count": 1,
"username": "lorem",
"user_id": "55"
}
},
{
"type": "thanks-item",
"attributes": {
"total_report_count": 1,
"reputation": 22,
"recognized_report_count": 1,
"username": "ipsum",
"user_id": "56"
}
},
{
"type": "thanks-item",
"attributes": {
"total_report_count": 5,
"reputation": 38,
"recognized_report_count": 3,
"username": "adam",
"user_id": "57"
}
}
],
"links": {}
}
GET /programs/{id}/thanks
This endpoint enables you to view a program's thanks to hackers.
A program's thanks items can be fetched by sending a GET request to the thanks endpoint. When the request is successful, the API will respond with paginated thanks items objects.
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| id | path | integer | true | The ID of the program. |
| page[number] | query | integer | false | The page to retrieve from. The default is set to 1. |
| page[size] | query | integer | false | The number of objects per page (currently limited from 1 to 100). The default is set to 25. |
Get Integrations
Code samples
# You can also use wget
curl "https://api.hackerone.com/v1/programs/{id}/integrations" \
-X GET \
-u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
-H 'Accept: application/json'
import requests
headers = {
'Accept': 'application/json'
}
r = requests.get(
'https://api.hackerone.com/v1/programs/{id}/integrations',
auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
headers = headers
)
print(r.json())
require 'rest-client'
require 'json'
headers = {
'Accept' => 'application/json'
}
result = RestClient::Request.execute(
method: :get,
url: 'https://api.hackerone.com/v1/programs/{id}/integrations',
password: '<YOUR_API_TOKEN>',
user: '<YOUR_API_USERNAME>',
headers: headers
)
p JSON.parse(result)
URL obj = new URL("https://api.hackerone.com/v1/programs/{id}/integrations");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);
con.setRequestMethod("GET");
try(BufferedReader br = new BufferedReader(
new InputStreamReader(con.getInputStream(), "utf-8"))) {
StringBuilder response = new StringBuilder();
String responseLine = null;
while ((responseLine = br.readLine()) != null) {
response.append(responseLine.trim());
}
System.out.println(response.toString());
}
let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
headers.set('Accept', 'application/json');
fetch('https://api.hackerone.com/v1/programs/{id}/integrations',
{
method: 'GET',
headers: headers
})
.then(function(res) {
return res.json();
}).then(function(body) {
console.log(body);
});
package main
import (
"io/ioutil"
"log"
"net/http"
)
func main() {
headers := map[string][]string{
"Accept": []string{"application/json"},
}
req, err := http.NewRequest("GET", "https://api.hackerone.com/v1/programs/{id}/integrations", nil)
req.Header = headers
req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
body, _ := ioutil.ReadAll(resp.Body)
log.Println(string(body))
}
Integrations found
{
"data": [
{
"id": "Z2lkOi8vaGsdXRpb25JbnNZiMS0yNDQxNjgxZDVjZTQlM0Ez",
"name": "Nnamdi Jira Integration"
},
{
"id": "Z2lkOi8vaGFja2Vyb25lL1RlYW1JbnRlZ3Jh",
"name": "Manual integration"
}
]
}
GET /programs/{id}/integrations
Fetch all integrations associated to a programs.
Required permission: Report Management. You can manage the permissions of your API users through your program's settings. Insufficient permissions will result in a 403 Forbidden response.
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| id | path | integer | true | The ID of the program. |
Get Triage Reviews
Code samples
# You can also use wget
curl "https://api.hackerone.com/v1/programs/{id}/triage_reviews" \
-X GET \
-u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
-H 'Accept: application/json'
import requests
headers = {
'Accept': 'application/json'
}
r = requests.get(
'https://api.hackerone.com/v1/programs/{id}/triage_reviews',
auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
headers = headers
)
print(r.json())
require 'rest-client'
require 'json'
headers = {
'Accept' => 'application/json'
}
result = RestClient::Request.execute(
method: :get,
url: 'https://api.hackerone.com/v1/programs/{id}/triage_reviews',
password: '<YOUR_API_TOKEN>',
user: '<YOUR_API_USERNAME>',
headers: headers
)
p JSON.parse(result)
URL obj = new URL("https://api.hackerone.com/v1/programs/{id}/triage_reviews");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);
con.setRequestMethod("GET");
try(BufferedReader br = new BufferedReader(
new InputStreamReader(con.getInputStream(), "utf-8"))) {
StringBuilder response = new StringBuilder();
String responseLine = null;
while ((responseLine = br.readLine()) != null) {
response.append(responseLine.trim());
}
System.out.println(response.toString());
}
let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
headers.set('Accept', 'application/json');
fetch('https://api.hackerone.com/v1/programs/{id}/triage_reviews',
{
method: 'GET',
headers: headers
})
.then(function(res) {
return res.json();
}).then(function(body) {
console.log(body);
});
package main
import (
"io/ioutil"
"log"
"net/http"
)
func main() {
headers := map[string][]string{
"Accept": []string{"application/json"},
}
req, err := http.NewRequest("GET", "https://api.hackerone.com/v1/programs/{id}/triage_reviews", nil)
req.Header = headers
req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
body, _ := ioutil.ReadAll(resp.Body)
log.Println(string(body))
}
triage reviews found
{
"data": [
{
"id": "1234",
"type": "triage-review",
"attributes": {
"comment": "Great job!",
"rating": 5
},
"relationships": {
"user": {
"data": {
"id": "77",
"type": "user",
"attributes": {
"username": "hendrik"
}
}
},
"report": {
"data": {
"id": "55",
"type": "report",
"attributes": {
"title": "Brute force in login form"
}
}
}
}
}
]
}
GET /programs/{id}/triage_reviews
This endpoint retrieves a list of triage reviews associated with a program. Each triage review includes details such as the rating, comments, and associated report.
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| id | path | integer | true | The ID of the program. |
| page[number] | query | integer | false | The page to retrieve from. The default is set to 1. |
| page[size] | query | integer | false | The number of objects per page (currently limited from 1 to 100). The default is set to 25. |
Get Weaknesses
Code samples
# You can also use wget
curl "https://api.hackerone.com/v1/programs/{id}/weaknesses" \
-X GET \
-u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
-H 'Accept: application/json'
import requests
headers = {
'Accept': 'application/json'
}
r = requests.get(
'https://api.hackerone.com/v1/programs/{id}/weaknesses',
auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
headers = headers
)
print(r.json())
require 'rest-client'
require 'json'
headers = {
'Accept' => 'application/json'
}
result = RestClient::Request.execute(
method: :get,
url: 'https://api.hackerone.com/v1/programs/{id}/weaknesses',
password: '<YOUR_API_TOKEN>',
user: '<YOUR_API_USERNAME>',
headers: headers
)
p JSON.parse(result)
URL obj = new URL("https://api.hackerone.com/v1/programs/{id}/weaknesses");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);
con.setRequestMethod("GET");
try(BufferedReader br = new BufferedReader(
new InputStreamReader(con.getInputStream(), "utf-8"))) {
StringBuilder response = new StringBuilder();
String responseLine = null;
while ((responseLine = br.readLine()) != null) {
response.append(responseLine.trim());
}
System.out.println(response.toString());
}
let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
headers.set('Accept', 'application/json');
fetch('https://api.hackerone.com/v1/programs/{id}/weaknesses',
{
method: 'GET',
headers: headers
})
.then(function(res) {
return res.json();
}).then(function(body) {
console.log(body);
});
package main
import (
"io/ioutil"
"log"
"net/http"
)
func main() {
headers := map[string][]string{
"Accept": []string{"application/json"},
}
req, err := http.NewRequest("GET", "https://api.hackerone.com/v1/programs/{id}/weaknesses", nil)
req.Header = headers
req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
body, _ := ioutil.ReadAll(resp.Body)
log.Println(string(body))
}
weaknesses found
{
"data": [
{
"id": "1337",
"type": "weakness",
"attributes": {
"name": "Cross-Site Request Forgery (CSRF)",
"description": "The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.",
"created_at": "2016-02-02T04:05:06.000Z",
"external_id": "cwe-352"
}
},
{
"id": "1338",
"type": "weakness",
"attributes": {
"name": "SQL Injection",
"description": "The software constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component.",
"created_at": "2016-03-02T04:05:06.000Z",
"external_id": "cwe-89"
}
}
],
"links": {}
}
GET /programs/{id}/weaknesses
The Weakness endpoint enables you to retrieve a list of all weaknesses of the program.
Weaknesses can be fetched by sending a GET request to the weaknesses endpoint. When the request is successful, the API will respond with paginated weakness objects.
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| id | path | integer | true | The ID of the program. |
| page[number] | query | integer | false | The page to retrieve from. The default is set to 1. |
| page[size] | query | integer | false | The number of objects per page (currently limited from 1 to 100). The default is set to 25. |
Get Program
Code samples
# You can also use wget
curl "https://api.hackerone.com/v1/programs/{id}" \
-X GET \
-u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
-H 'Accept: application/json'
import requests
headers = {
'Accept': 'application/json'
}
r = requests.get(
'https://api.hackerone.com/v1/programs/{id}',
auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
headers = headers
)
print(r.json())
require 'rest-client'
require 'json'
headers = {
'Accept' => 'application/json'
}
result = RestClient::Request.execute(
method: :get,
url: 'https://api.hackerone.com/v1/programs/{id}',
password: '<YOUR_API_TOKEN>',
user: '<YOUR_API_USERNAME>',
headers: headers
)
p JSON.parse(result)
URL obj = new URL("https://api.hackerone.com/v1/programs/{id}");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);
con.setRequestMethod("GET");
try(BufferedReader br = new BufferedReader(
new InputStreamReader(con.getInputStream(), "utf-8"))) {
StringBuilder response = new StringBuilder();
String responseLine = null;
while ((responseLine = br.readLine()) != null) {
response.append(responseLine.trim());
}
System.out.println(response.toString());
}
let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
headers.set('Accept', 'application/json');
fetch('https://api.hackerone.com/v1/programs/{id}',
{
method: 'GET',
headers: headers
})
.then(function(res) {
return res.json();
}).then(function(body) {
console.log(body);
});
package main
import (
"io/ioutil"
"log"
"net/http"
)
func main() {
headers := map[string][]string{
"Accept": []string{"application/json"},
}
req, err := http.NewRequest("GET", "https://api.hackerone.com/v1/programs/{id}", nil)
req.Header = headers
req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
body, _ := ioutil.ReadAll(resp.Body)
log.Println(string(body))
}
program found
{
"data": {
"id": "1337",
"type": "program",
"attributes": {
"handle": "security",
"created_at": "2016-02-02T04:05:06.000Z",
"updated_at": "2016-02-02T04:05:06.000Z"
},
"relationships": {
"groups": {
"data": [
{
"id": "2557",
"type": "group",
"attributes": {
"name": "Standard",
"created_at": "2016-02-02T04:05:06.000Z",
"permissions": [
"report_management",
"reward_management"
]
}
},
{
"id": "2558",
"type": "group",
"attributes": {
"name": "Admin",
"created_at": "2016-02-02T04:05:06.000Z",
"permissions": [
"user_management",
"program_management"
]
}
}
]
},
"members": {
"data": [
{
"id": "1339",
"type": "member",
"attributes": {
"created_at": "2016-02-02T04:05:06.000Z",
"permissions": [
"program_management",
"report_management",
"reward_management",
"user_management"
]
},
"relationships": {
"user": {
"data": {
"id": "1337",
"type": "user",
"attributes": {
"username": "api-example",
"name": "API Example",
"disabled": false,
"created_at": "2016-02-02T04:05:06.000Z",
"profile_picture": {
"62x62": "/assets/avatars/default.png",
"82x82": "/assets/avatars/default.png",
"110x110": "/assets/avatars/default.png",
"260x260": "/assets/avatars/default.png"
}
}
}
}
}
}
]
},
"organization": {
"data": {
"id": "14",
"type": "organization",
"attributes": {
"handle": "api-example",
"created_at": "2016-02-02T04:05:06.000Z",
"updated_at": "2016-02-02T04:05:06.000Z"
}
}
}
}
}
}
GET /programs/{id}
A program object can be fetched by sending a GET request
to a unique program object. When the request is successful, the API
will respond with a program object.
The following program relationships are included: groups, members, custom field attributes and policy attachments.
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| id | path | integer | true | The ID of the program. Find the program ID by fetching your programs |
Assets
Import assets with CSV file
Code samples
# You can also use wget
curl "https://api.hackerone.com/v1/organizations/{organization_id}/asset_imports" \
-X POST \
-u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
-H 'Content-Type: multipart/form-data' \
-H 'Accept: application/json' \
-d @- <<EOD
null
EOD
import requests
headers = {
'Content-Type': 'multipart/form-data',
'Accept': 'application/json'
}
data = null
r = requests.post(
'https://api.hackerone.com/v1/organizations/{organization_id}/asset_imports',
auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
json = data,
headers = headers
)
print(r.json())
require 'rest-client'
require 'json'
headers = {
'Content-Type' => 'multipart/form-data',
'Accept' => 'application/json'
}
data = null
result = RestClient::Request.execute(
method: :post,
url: 'https://api.hackerone.com/v1/organizations/{organization_id}/asset_imports',
password: '<YOUR_API_TOKEN>',
user: '<YOUR_API_USERNAME>',
payload: data,
headers: headers
)
p JSON.parse(result)
URL obj = new URL("https://api.hackerone.com/v1/organizations/{organization_id}/asset_imports");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);
con.setRequestMethod("POST");
con.setRequestProperty("Content-Type", "application/json; utf-8");
con.setRequestProperty("Accept", "application/json");
con.setDoOutput(true);
String jsonInputString = "null";
try(OutputStream os = con.getOutputStream()) {
byte[] input = jsonInputString.getBytes("utf-8");
os.write(input, 0, input.length);
}
try(BufferedReader br = new BufferedReader(
new InputStreamReader(con.getInputStream(), "utf-8"))) {
StringBuilder response = new StringBuilder();
String responseLine = null;
while ((responseLine = br.readLine()) != null) {
response.append(responseLine.trim());
}
System.out.println(response.toString());
}
let inputBody = "null";
let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
headers.set('Content-Type', 'multipart/form-data'); headers.set('Accept', 'application/json');
fetch('https://api.hackerone.com/v1/organizations/{organization_id}/asset_imports',
{
method: 'POST',
body: inputBody,
headers: headers
})
.then(function(res) {
return res.json();
}).then(function(body) {
console.log(body);
});
package main
import (
"bytes"
"io/ioutil"
"log"
"net/http"
)
func main() {
headers := map[string][]string{
"Content-Type": []string{"multipart/form-data"},
"Accept": []string{"application/json"},
}
data := bytes.NewBuffer([]byte(`"null"`))
req, err := http.NewRequest("POST", "https://api.hackerone.com/v1/organizations/{organization_id}/asset_imports", data)
req.Header = headers
req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
body, _ := ioutil.ReadAll(resp.Body)
log.Println(string(body))
}
attachment uploaded
{
"data": {
"id": "4",
"type": "asset-import",
"attributes": {
"state": "processed",
"errors": [],
"created_at": "2022-06-21T13:38:04.672Z",
"updated_at": "2022-06-21T13:38:04.693Z"
}
}
}
POST /organizations/{organization_id}/asset_imports
This API endpoint can be used to bulk import assets into the
HackerOne platform and to detect duplicates. When the API call is successful,
an asset import object will be returned.
You can get the ID of your organization from me/organizations endpoint.
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| organization_id | path | integer | true | The ID of the organization |
Retrieve an assets import
Code samples
# You can also use wget
curl "https://api.hackerone.com/v1/organizations/{organization_id}/asset_imports/{asset_import_id}" \
-X GET \
-u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
-H 'Accept: application/json'
import requests
headers = {
'Accept': 'application/json'
}
r = requests.get(
'https://api.hackerone.com/v1/organizations/{organization_id}/asset_imports/{asset_import_id}',
auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
headers = headers
)
print(r.json())
require 'rest-client'
require 'json'
headers = {
'Accept' => 'application/json'
}
result = RestClient::Request.execute(
method: :get,
url: 'https://api.hackerone.com/v1/organizations/{organization_id}/asset_imports/{asset_import_id}',
password: '<YOUR_API_TOKEN>',
user: '<YOUR_API_USERNAME>',
headers: headers
)
p JSON.parse(result)
URL obj = new URL("https://api.hackerone.com/v1/organizations/{organization_id}/asset_imports/{asset_import_id}");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);
con.setRequestMethod("GET");
try(BufferedReader br = new BufferedReader(
new InputStreamReader(con.getInputStream(), "utf-8"))) {
StringBuilder response = new StringBuilder();
String responseLine = null;
while ((responseLine = br.readLine()) != null) {
response.append(responseLine.trim());
}
System.out.println(response.toString());
}
let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
headers.set('Accept', 'application/json');
fetch('https://api.hackerone.com/v1/organizations/{organization_id}/asset_imports/{asset_import_id}',
{
method: 'GET',
headers: headers
})
.then(function(res) {
return res.json();
}).then(function(body) {
console.log(body);
});
package main
import (
"io/ioutil"
"log"
"net/http"
)
func main() {
headers := map[string][]string{
"Accept": []string{"application/json"},
}
req, err := http.NewRequest("GET", "https://api.hackerone.com/v1/organizations/{organization_id}/asset_imports/{asset_import_id}", nil)
req.Header = headers
req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
body, _ := ioutil.ReadAll(resp.Body)
log.Println(string(body))
}
attachment uploaded
{
"data": {
"id": "2",
"type": "asset-import",
"attributes": {
"state": "processed",
"errors": [],
"created_at": "2022-06-30T14:17:49.640Z",
"updated_at": "2022-06-30T14:17:50.040Z"
}
}
}
GET /organizations/{organization_id}/asset_imports/{asset_import_id}
This API endpoint can be used retrieve importing status via the API, once an asset import is created it is scheduled for execution.
When the API call is successful, an asset import object will be returned.
You can get the ID of your organization from me/organizations endpoint.
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| organization_id | path | integer | true | The ID of the organization. |
| asset_import_id | path | integer | true | The ID of the asset import. |
Attach screenshot to asset
Code samples
# You can also use wget
curl "https://api.hackerone.com/v1/organizations/{organization_id}/asset_screenshots" \
-X POST \
-u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
-H 'Content-Type: multipart/form-data' \
-H 'Accept: application/json' \
-d @- <<EOD
null
EOD
import requests
headers = {
'Content-Type': 'multipart/form-data',
'Accept': 'application/json'
}
data = null
r = requests.post(
'https://api.hackerone.com/v1/organizations/{organization_id}/asset_screenshots',
auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
json = data,
headers = headers
)
print(r.json())
require 'rest-client'
require 'json'
headers = {
'Content-Type' => 'multipart/form-data',
'Accept' => 'application/json'
}
data = null
result = RestClient::Request.execute(
method: :post,
url: 'https://api.hackerone.com/v1/organizations/{organization_id}/asset_screenshots',
password: '<YOUR_API_TOKEN>',
user: '<YOUR_API_USERNAME>',
payload: data,
headers: headers
)
p JSON.parse(result)
URL obj = new URL("https://api.hackerone.com/v1/organizations/{organization_id}/asset_screenshots");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);
con.setRequestMethod("POST");
con.setRequestProperty("Content-Type", "application/json; utf-8");
con.setRequestProperty("Accept", "application/json");
con.setDoOutput(true);
String jsonInputString = "null";
try(OutputStream os = con.getOutputStream()) {
byte[] input = jsonInputString.getBytes("utf-8");
os.write(input, 0, input.length);
}
try(BufferedReader br = new BufferedReader(
new InputStreamReader(con.getInputStream(), "utf-8"))) {
StringBuilder response = new StringBuilder();
String responseLine = null;
while ((responseLine = br.readLine()) != null) {
response.append(responseLine.trim());
}
System.out.println(response.toString());
}
let inputBody = "null";
let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
headers.set('Content-Type', 'multipart/form-data'); headers.set('Accept', 'application/json');
fetch('https://api.hackerone.com/v1/organizations/{organization_id}/asset_screenshots',
{
method: 'POST',
body: inputBody,
headers: headers
})
.then(function(res) {
return res.json();
}).then(function(body) {
console.log(body);
});
package main
import (
"bytes"
"io/ioutil"
"log"
"net/http"
)
func main() {
headers := map[string][]string{
"Content-Type": []string{"multipart/form-data"},
"Accept": []string{"application/json"},
}
data := bytes.NewBuffer([]byte(`"null"`))
req, err := http.NewRequest("POST", "https://api.hackerone.com/v1/organizations/{organization_id}/asset_screenshots", data)
req.Header = headers
req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
body, _ := ioutil.ReadAll(resp.Body)
log.Println(string(body))
}
attachment uploaded
{
"id": "1337",
"type": "asset-screenshot",
"attributes": {
"expiring_url": "<url>",
"created_at": "2022-08-04T04:05:06.000Z",
"file_name": "paprika.png",
"content_type": "image/png",
"file_size": 2871
}
}
POST /organizations/{organization_id}/asset_screenshots
NOTE
This endpoint is only available to HackerOne Assets Enterprise subscription.
This API endpoint can be used to attach a screenshot to an existing asset. When the API call is successful,
an asset screenshot object will be returned.
You can get the ID of your organization from me/organizations endpoint.
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| organization_id | path | integer | true | The ID of the organization. |
Create asset tag category
Code samples
# You can also use wget
curl "https://api.hackerone.com/v1/organizations/{organization_id}/asset_tag_categories" \
-X POST \
-u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
-H 'Content-Type: application/json' \
-H 'Accept: application/json' \
-d @- <<EOD
{
"data": {
"type": "asset-tag-category",
"attributes": {
"name": "string"
}
}
}
EOD
import requests
headers = {
'Content-Type': 'application/json',
'Accept': 'application/json'
}
data = {
"data": {
"type": "asset-tag-category",
"attributes": {
"name": "string"
}
}
}
r = requests.post(
'https://api.hackerone.com/v1/organizations/{organization_id}/asset_tag_categories',
auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
json = data,
headers = headers
)
print(r.json())
require 'rest-client'
require 'json'
headers = {
'Content-Type' => 'application/json',
'Accept' => 'application/json'
}
data = {
"data": {
"type": "asset-tag-category",
"attributes": {
"name": "string"
}
}
}
result = RestClient::Request.execute(
method: :post,
url: 'https://api.hackerone.com/v1/organizations/{organization_id}/asset_tag_categories',
password: '<YOUR_API_TOKEN>',
user: '<YOUR_API_USERNAME>',
payload: data,
headers: headers
)
p JSON.parse(result)
URL obj = new URL("https://api.hackerone.com/v1/organizations/{organization_id}/asset_tag_categories");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);
con.setRequestMethod("POST");
con.setRequestProperty("Content-Type", "application/json; utf-8");
con.setRequestProperty("Accept", "application/json");
con.setDoOutput(true);
String jsonInputString = "{\n \"data\": {\n \"type\": \"asset-tag-category\",\n \"attributes\": {\n \"name\": \"string\"\n }\n }\n}";
try(OutputStream os = con.getOutputStream()) {
byte[] input = jsonInputString.getBytes("utf-8");
os.write(input, 0, input.length);
}
try(BufferedReader br = new BufferedReader(
new InputStreamReader(con.getInputStream(), "utf-8"))) {
StringBuilder response = new StringBuilder();
String responseLine = null;
while ((responseLine = br.readLine()) != null) {
response.append(responseLine.trim());
}
System.out.println(response.toString());
}
let inputBody = "{\n \"data\": {\n \"type\": \"asset-tag-category\",\n \"attributes\": {\n \"name\": \"string\"\n }\n }\n}";
let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
headers.set('Content-Type', 'application/json'); headers.set('Accept', 'application/json');
fetch('https://api.hackerone.com/v1/organizations/{organization_id}/asset_tag_categories',
{
method: 'POST',
body: inputBody,
headers: headers
})
.then(function(res) {
return res.json();
}).then(function(body) {
console.log(body);
});
package main
import (
"bytes"
"io/ioutil"
"log"
"net/http"
)
func main() {
headers := map[string][]string{
"Content-Type": []string{"application/json"},
"Accept": []string{"application/json"},
}
data := bytes.NewBuffer([]byte(`"{\n \"data\": {\n \"type\": \"asset-tag-category\",\n \"attributes\": {\n \"name\": \"string\"\n }\n }\n}"`))
req, err := http.NewRequest("POST", "https://api.hackerone.com/v1/organizations/{organization_id}/asset_tag_categories", data)
req.Header = headers
req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
body, _ := ioutil.ReadAll(resp.Body)
log.Println(string(body))
}
asset tag category created
{
"id": "123",
"type": "asset-tag-category",
"attributes": {
"name": "test"
}
}
POST /organizations/{organization_id}/asset_tag_categories
This API endpoint can be used to create new asset tag category. When the API call is successful,
asset tag category object will be returned.
You can get the ID of your organization from me/organizations endpoint.
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| organization_id | path | integer | true | The ID of the organization |
| data | body | object | true | The information to create an asset tag category. |
| » type | body | string | true | none |
| » attributes | body | object | true | none |
| »» name | body | string | true | The name of the asset tag category |
Enumerated Values
| Parameter | Value |
|---|---|
| » type | asset-tag-category |
Get All Asset Tags
Code samples
# You can also use wget
curl "https://api.hackerone.com/v1/organizations/{organization_id}/asset_tags" \
-X GET \
-u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
-H 'Accept: application/json'
import requests
headers = {
'Accept': 'application/json'
}
r = requests.get(
'https://api.hackerone.com/v1/organizations/{organization_id}/asset_tags',
auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
headers = headers
)
print(r.json())
require 'rest-client'
require 'json'
headers = {
'Accept' => 'application/json'
}
result = RestClient::Request.execute(
method: :get,
url: 'https://api.hackerone.com/v1/organizations/{organization_id}/asset_tags',
password: '<YOUR_API_TOKEN>',
user: '<YOUR_API_USERNAME>',
headers: headers
)
p JSON.parse(result)
URL obj = new URL("https://api.hackerone.com/v1/organizations/{organization_id}/asset_tags");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);
con.setRequestMethod("GET");
try(BufferedReader br = new BufferedReader(
new InputStreamReader(con.getInputStream(), "utf-8"))) {
StringBuilder response = new StringBuilder();
String responseLine = null;
while ((responseLine = br.readLine()) != null) {
response.append(responseLine.trim());
}
System.out.println(response.toString());
}
let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
headers.set('Accept', 'application/json');
fetch('https://api.hackerone.com/v1/organizations/{organization_id}/asset_tags',
{
method: 'GET',
headers: headers
})
.then(function(res) {
return res.json();
}).then(function(body) {
console.log(body);
});
package main
import (
"io/ioutil"
"log"
"net/http"
)
func main() {
headers := map[string][]string{
"Accept": []string{"application/json"},
}
req, err := http.NewRequest("GET", "https://api.hackerone.com/v1/organizations/{organization_id}/asset_tags", nil)
req.Header = headers
req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
body, _ := ioutil.ReadAll(resp.Body)
log.Println(string(body))
}
assets found
{
"data": [
{
"id": "2",
"type": "asset-tag",
"attributes": {
"name": "test",
"category_name": "test",
"created_at": "2019-01-01T00:00:00.000Z",
"updated_at": "2019-01-01T00:00:00.000Z"
},
"relationships": {
"asset_tag_category": {
"data": {
"id": "2",
"type": "asset-tag-category",
"attributes": {
"name": "test"
}
}
}
}
}
],
"links": {}
}
GET /organizations/{organization_id}/asset_tags
This API endpoint can be used to list all assets tags of an organization. When the request is
successful, the API will respond with paginated asset tag objects.
You can get the ID of your organization from me/organizations endpoint.
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| organization_id | path | integer | true | The ID of the organization. |
| page[number] | query | integer | false | The page to retrieve from. The default is set to 1. |
| page[size] | query | integer | false | The number of objects per page (currently limited from 1 to 100). The default is set to 25. |
Add asset to scope
Code samples
# You can also use wget
curl "https://api.hackerone.com/v1/organizations/{organization_id}/assets/{asset_id}/scopes" \
-X POST \
-u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
-H 'Content-Type: application/json' \
-H 'Accept: application/json' \
-d @- <<EOD
{
"data": {
"type": "structured-scope",
"attributes": {
"eligible_for_submission": true,
"eligible_for_bounty": true,
"notify_subscribers_on_changes": true
},
"relationships": {
"programs": {
"data": [
{
"id": 0,
"type": "program"
}
]
}
}
}
}
EOD
import requests
headers = {
'Content-Type': 'application/json',
'Accept': 'application/json'
}
data = {
"data": {
"type": "structured-scope",
"attributes": {
"eligible_for_submission": true,
"eligible_for_bounty": true,
"notify_subscribers_on_changes": true
},
"relationships": {
"programs": {
"data": [
{
"id": 0,
"type": "program"
}
]
}
}
}
}
r = requests.post(
'https://api.hackerone.com/v1/organizations/{organization_id}/assets/{asset_id}/scopes',
auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
json = data,
headers = headers
)
print(r.json())
require 'rest-client'
require 'json'
headers = {
'Content-Type' => 'application/json',
'Accept' => 'application/json'
}
data = {
"data": {
"type": "structured-scope",
"attributes": {
"eligible_for_submission": true,
"eligible_for_bounty": true,
"notify_subscribers_on_changes": true
},
"relationships": {
"programs": {
"data": [
{
"id": 0,
"type": "program"
}
]
}
}
}
}
result = RestClient::Request.execute(
method: :post,
url: 'https://api.hackerone.com/v1/organizations/{organization_id}/assets/{asset_id}/scopes',
password: '<YOUR_API_TOKEN>',
user: '<YOUR_API_USERNAME>',
payload: data,
headers: headers
)
p JSON.parse(result)
URL obj = new URL("https://api.hackerone.com/v1/organizations/{organization_id}/assets/{asset_id}/scopes");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);
con.setRequestMethod("POST");
con.setRequestProperty("Content-Type", "application/json; utf-8");
con.setRequestProperty("Accept", "application/json");
con.setDoOutput(true);
String jsonInputString = "{\n \"data\": {\n \"type\": \"structured-scope\",\n \"attributes\": {\n \"eligible_for_submission\": true,\n \"eligible_for_bounty\": true,\n \"notify_subscribers_on_changes\": true\n },\n \"relationships\": {\n \"programs\": {\n \"data\": [\n {\n \"id\": 0,\n \"type\": \"program\"\n }\n ]\n }\n }\n }\n}";
try(OutputStream os = con.getOutputStream()) {
byte[] input = jsonInputString.getBytes("utf-8");
os.write(input, 0, input.length);
}
try(BufferedReader br = new BufferedReader(
new InputStreamReader(con.getInputStream(), "utf-8"))) {
StringBuilder response = new StringBuilder();
String responseLine = null;
while ((responseLine = br.readLine()) != null) {
response.append(responseLine.trim());
}
System.out.println(response.toString());
}
let inputBody = "{\n \"data\": {\n \"type\": \"structured-scope\",\n \"attributes\": {\n \"eligible_for_submission\": true,\n \"eligible_for_bounty\": true,\n \"notify_subscribers_on_changes\": true\n },\n \"relationships\": {\n \"programs\": {\n \"data\": [\n {\n \"id\": 0,\n \"type\": \"program\"\n }\n ]\n }\n }\n }\n}";
let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
headers.set('Content-Type', 'application/json'); headers.set('Accept', 'application/json');
fetch('https://api.hackerone.com/v1/organizations/{organization_id}/assets/{asset_id}/scopes',
{
method: 'POST',
body: inputBody,
headers: headers
})
.then(function(res) {
return res.json();
}).then(function(body) {
console.log(body);
});
package main
import (
"bytes"
"io/ioutil"
"log"
"net/http"
)
func main() {
headers := map[string][]string{
"Content-Type": []string{"application/json"},
"Accept": []string{"application/json"},
}
data := bytes.NewBuffer([]byte(`"{\n \"data\": {\n \"type\": \"structured-scope\",\n \"attributes\": {\n \"eligible_for_submission\": true,\n \"eligible_for_bounty\": true,\n \"notify_subscribers_on_changes\": true\n },\n \"relationships\": {\n \"programs\": {\n \"data\": [\n {\n \"id\": 0,\n \"type\": \"program\"\n }\n ]\n }\n }\n }\n}"`))
req, err := http.NewRequest("POST", "https://api.hackerone.com/v1/organizations/{organization_id}/assets/{asset_id}/scopes", data)
req.Header = headers
req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
body, _ := ioutil.ReadAll(resp.Body)
log.Println(string(body))
}
structured scopes created
{
"data": [
{
"id": "57",
"type": "structured-scope",
"attributes": {
"asset_identifier": "api.example.com",
"asset_type": "URL",
"confidentiality_requirement": "high",
"integrity_requirement": "high",
"availability_requirement": "high",
"max_severity": "critical",
"created_at": "2015-02-02T04:05:06.000Z",
"updated_at": "2016-05-02T04:05:06.000Z",
"instruction": null,
"eligible_for_bounty": true,
"eligible_for_submission": true,
"reference": "H001001"
}
}
]
}
POST /organizations/{organization_id}/assets/{asset_id}/scopes
This API endpoint can be used to add asset to scope of specified programs. When the API call is successful,
structured scope objects will be returned.
You can get the ID of your organization from me/organizations endpoint.
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| organization_id | path | integer | true | The ID of the organization |
| asset_id | path | integer | true | The ID of the asset |
| data | body | object | true | The information to create a structured scope. |
| » type | body | string | true | none |
| » attributes | body | object | true | none |
| »» eligible_for_submission | body | boolean | true | If the asset is eligible for submission. |
| »» eligible_for_bounty | body | boolean | true | If the asset is eligible for bounty. |
| »» notify_subscribers_on_changes | body | boolean | false | Whether to notify subscribers on this activity. The default is true. |
| » relationships | body | object | true | none |
| »» programs | body | object | true | A list of programs for asset to be added to. |
| »»» data | body | [any] | false | none |
Enumerated Values
| Parameter | Value |
|---|---|
| » type | structured-scope |
Archive asset scopes
Code samples
# You can also use wget
curl "https://api.hackerone.com/v1/organizations/{organization_id}/assets/{asset_id}/scopes/archive" \
-X POST \
-u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
-H 'Content-Type: application/json' \
-H 'Accept: application/json' \
-d @- <<EOD
{
"data": [
{
"id": 0,
"type": "program"
}
]
}
EOD
import requests
headers = {
'Content-Type': 'application/json',
'Accept': 'application/json'
}
data = {
"data": [
{
"id": 0,
"type": "program"
}
]
}
r = requests.post(
'https://api.hackerone.com/v1/organizations/{organization_id}/assets/{asset_id}/scopes/archive',
auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
json = data,
headers = headers
)
print(r.json())
require 'rest-client'
require 'json'
headers = {
'Content-Type' => 'application/json',
'Accept' => 'application/json'
}
data = {
"data": [
{
"id": 0,
"type": "program"
}
]
}
result = RestClient::Request.execute(
method: :post,
url: 'https://api.hackerone.com/v1/organizations/{organization_id}/assets/{asset_id}/scopes/archive',
password: '<YOUR_API_TOKEN>',
user: '<YOUR_API_USERNAME>',
payload: data,
headers: headers
)
p JSON.parse(result)
URL obj = new URL("https://api.hackerone.com/v1/organizations/{organization_id}/assets/{asset_id}/scopes/archive");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);
con.setRequestMethod("POST");
con.setRequestProperty("Content-Type", "application/json; utf-8");
con.setRequestProperty("Accept", "application/json");
con.setDoOutput(true);
String jsonInputString = "{\n \"data\": [\n {\n \"id\": 0,\n \"type\": \"program\"\n }\n ]\n}";
try(OutputStream os = con.getOutputStream()) {
byte[] input = jsonInputString.getBytes("utf-8");
os.write(input, 0, input.length);
}
try(BufferedReader br = new BufferedReader(
new InputStreamReader(con.getInputStream(), "utf-8"))) {
StringBuilder response = new StringBuilder();
String responseLine = null;
while ((responseLine = br.readLine()) != null) {
response.append(responseLine.trim());
}
System.out.println(response.toString());
}
let inputBody = "{\n \"data\": [\n {\n \"id\": 0,\n \"type\": \"program\"\n }\n ]\n}";
let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
headers.set('Content-Type', 'application/json'); headers.set('Accept', 'application/json');
fetch('https://api.hackerone.com/v1/organizations/{organization_id}/assets/{asset_id}/scopes/archive',
{
method: 'POST',
body: inputBody,
headers: headers
})
.then(function(res) {
return res.json();
}).then(function(body) {
console.log(body);
});
package main
import (
"bytes"
"io/ioutil"
"log"
"net/http"
)
func main() {
headers := map[string][]string{
"Content-Type": []string{"application/json"},
"Accept": []string{"application/json"},
}
data := bytes.NewBuffer([]byte(`"{\n \"data\": [\n {\n \"id\": 0,\n \"type\": \"program\"\n }\n ]\n}"`))
req, err := http.NewRequest("POST", "https://api.hackerone.com/v1/organizations/{organization_id}/assets/{asset_id}/scopes/archive", data)
req.Header = headers
req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
body, _ := ioutil.ReadAll(resp.Body)
log.Println(string(body))
}
structured scopes archived
{
"data": [
{
"id": "57",
"type": "structured-scope",
"attributes": {
"archived_at": "2015-02-02T04:05:06.000Z"
}
},
{
"id": "58",
"type": "structured-scope",
"attributes": {
"archived_at": "2015-02-02T04:05:06.000Z"
}
}
]
}
POST /organizations/{organization_id}/assets/{asset_id}/scopes/archive
This API endpoint can be used to remove asset from scopes of specified programs. When the API call is successful,
structured scope objects will be returned.
You can get the ID of your organization from me/organizations endpoint.
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| organization_id | path | integer | true | The ID of the organization |
| asset_id | path | integer | true | The ID of the asset |
| data | body | [any] | true | none |
Get Asset
Code samples
# You can also use wget
curl "https://api.hackerone.com/v1/organizations/{organization_id}/assets/{asset_id}" \
-X GET \
-u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
-H 'Accept: application/json'
import requests
headers = {
'Accept': 'application/json'
}
r = requests.get(
'https://api.hackerone.com/v1/organizations/{organization_id}/assets/{asset_id}',
auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
headers = headers
)
print(r.json())
require 'rest-client'
require 'json'
headers = {
'Accept' => 'application/json'
}
result = RestClient::Request.execute(
method: :get,
url: 'https://api.hackerone.com/v1/organizations/{organization_id}/assets/{asset_id}',
password: '<YOUR_API_TOKEN>',
user: '<YOUR_API_USERNAME>',
headers: headers
)
p JSON.parse(result)
URL obj = new URL("https://api.hackerone.com/v1/organizations/{organization_id}/assets/{asset_id}");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);
con.setRequestMethod("GET");
try(BufferedReader br = new BufferedReader(
new InputStreamReader(con.getInputStream(), "utf-8"))) {
StringBuilder response = new StringBuilder();
String responseLine = null;
while ((responseLine = br.readLine()) != null) {
response.append(responseLine.trim());
}
System.out.println(response.toString());
}
let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
headers.set('Accept', 'application/json');
fetch('https://api.hackerone.com/v1/organizations/{organization_id}/assets/{asset_id}',
{
method: 'GET',
headers: headers
})
.then(function(res) {
return res.json();
}).then(function(body) {
console.log(body);
});
package main
import (
"io/ioutil"
"log"
"net/http"
)
func main() {
headers := map[string][]string{
"Accept": []string{"application/json"},
}
req, err := http.NewRequest("GET", "https://api.hackerone.com/v1/organizations/{organization_id}/assets/{asset_id}", nil)
req.Header = headers
req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
body, _ := ioutil.ReadAll(resp.Body)
log.Println(string(body))
}
asset found
{
"data": {
"id": "2",
"type": "asset",
"attributes": {
"asset_type": "domain",
"identifier": "hackerone.com",
"domain_name": "hackerone.com",
"description": null,
"coverage": "untested",
"max_severity": "critical",
"confidentiality_requirement": "high",
"integrity_requirement": "high",
"availability_requirement": "high",
"created_at": "2016-02-02T04:05:06.000Z",
"updated_at": "2016-02-02T04:05:06.000Z",
"archived_at": "2017-02-02T04:05:06.000Z",
"reference": "reference",
"state": "confirmed"
},
"relationships": {
"asset_tags": {
"data": [
{
"id": "1",
"type": "asset-tag",
"attributes": {
"name": "test"
},
"relationships": {
"asset_tag_category": {
"data": {
"id": "2",
"type": "asset-tag-category",
"attributes": {
"name": "test"
}
}
}
}
}
]
},
"programs": {
"data": [
{
"id": "1",
"type": "program",
"attributes": {
"handle": "handle",
"name": "team name"
}
}
]
},
"attachments": {
"data": [
{
"id": "1337",
"type": "attachment",
"attributes": {
"expiring_url": "https://attachments.s3.amazonaws.com/G74PuDP6qdEdN2rpKNLkVwZF",
"created_at": "2016-02-02T04:05:06.000Z",
"file_name": "example.png",
"content_type": "image/png",
"file_size": 16115
}
}
]
}
}
}
}
GET /organizations/{organization_id}/assets/{asset_id}
An asset object can be fetched by sending a GET request to a unique asset object.
In case the request is successful, the API will respond with an
asset object.
The following asset relationships are included:
asset tags
and programs.
You can get the ID of your organization from me/organizations endpoint.
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| organization_id | path | integer | true | The ID of the organization. |
| asset_id | path | integer | true | The ID of the asset. |
Update Asset
Code samples
# You can also use wget
curl "https://api.hackerone.com/v1/organizations/{organization_id}/assets/{asset_id}" \
-X PUT \
-u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
-H 'Content-Type: application/json' \
-H 'Accept: application/json' \
-d @- <<EOD
{
"data": {
"type": "asset",
"attributes": {
"description": "string",
"max_severity": "none",
"confidentiality_requirement": "none",
"integrity_requirement": "none",
"availability_requirement": "none",
"reference": "string"
},
"relationships": {
"asset_tags": {
"data": [
{
"id": 0
}
]
}
}
}
}
EOD
import requests
headers = {
'Content-Type': 'application/json',
'Accept': 'application/json'
}
data = {
"data": {
"type": "asset",
"attributes": {
"description": "string",
"max_severity": "none",
"confidentiality_requirement": "none",
"integrity_requirement": "none",
"availability_requirement": "none",
"reference": "string"
},
"relationships": {
"asset_tags": {
"data": [
{
"id": 0
}
]
}
}
}
}
r = requests.put(
'https://api.hackerone.com/v1/organizations/{organization_id}/assets/{asset_id}',
auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
json = data,
headers = headers
)
print(r.json())
require 'rest-client'
require 'json'
headers = {
'Content-Type' => 'application/json',
'Accept' => 'application/json'
}
data = {
"data": {
"type": "asset",
"attributes": {
"description": "string",
"max_severity": "none",
"confidentiality_requirement": "none",
"integrity_requirement": "none",
"availability_requirement": "none",
"reference": "string"
},
"relationships": {
"asset_tags": {
"data": [
{
"id": 0
}
]
}
}
}
}
result = RestClient::Request.execute(
method: :put,
url: 'https://api.hackerone.com/v1/organizations/{organization_id}/assets/{asset_id}',
password: '<YOUR_API_TOKEN>',
user: '<YOUR_API_USERNAME>',
payload: data,
headers: headers
)
p JSON.parse(result)
URL obj = new URL("https://api.hackerone.com/v1/organizations/{organization_id}/assets/{asset_id}");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);
con.setRequestMethod("PUT");
con.setRequestProperty("Content-Type", "application/json; utf-8");
con.setRequestProperty("Accept", "application/json");
con.setDoOutput(true);
String jsonInputString = "{\n \"data\": {\n \"type\": \"asset\",\n \"attributes\": {\n \"description\": \"string\",\n \"max_severity\": \"none\",\n \"confidentiality_requirement\": \"none\",\n \"integrity_requirement\": \"none\",\n \"availability_requirement\": \"none\",\n \"reference\": \"string\"\n },\n \"relationships\": {\n \"asset_tags\": {\n \"data\": [\n {\n \"id\": 0\n }\n ]\n }\n }\n }\n}";
try(OutputStream os = con.getOutputStream()) {
byte[] input = jsonInputString.getBytes("utf-8");
os.write(input, 0, input.length);
}
try(BufferedReader br = new BufferedReader(
new InputStreamReader(con.getInputStream(), "utf-8"))) {
StringBuilder response = new StringBuilder();
String responseLine = null;
while ((responseLine = br.readLine()) != null) {
response.append(responseLine.trim());
}
System.out.println(response.toString());
}
let inputBody = "{\n \"data\": {\n \"type\": \"asset\",\n \"attributes\": {\n \"description\": \"string\",\n \"max_severity\": \"none\",\n \"confidentiality_requirement\": \"none\",\n \"integrity_requirement\": \"none\",\n \"availability_requirement\": \"none\",\n \"reference\": \"string\"\n },\n \"relationships\": {\n \"asset_tags\": {\n \"data\": [\n {\n \"id\": 0\n }\n ]\n }\n }\n }\n}";
let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
headers.set('Content-Type', 'application/json'); headers.set('Accept', 'application/json');
fetch('https://api.hackerone.com/v1/organizations/{organization_id}/assets/{asset_id}',
{
method: 'PUT',
body: inputBody,
headers: headers
})
.then(function(res) {
return res.json();
}).then(function(body) {
console.log(body);
});
package main
import (
"bytes"
"io/ioutil"
"log"
"net/http"
)
func main() {
headers := map[string][]string{
"Content-Type": []string{"application/json"},
"Accept": []string{"application/json"},
}
data := bytes.NewBuffer([]byte(`"{\n \"data\": {\n \"type\": \"asset\",\n \"attributes\": {\n \"description\": \"string\",\n \"max_severity\": \"none\",\n \"confidentiality_requirement\": \"none\",\n \"integrity_requirement\": \"none\",\n \"availability_requirement\": \"none\",\n \"reference\": \"string\"\n },\n \"relationships\": {\n \"asset_tags\": {\n \"data\": [\n {\n \"id\": 0\n }\n ]\n }\n }\n }\n}"`))
req, err := http.NewRequest("PUT", "https://api.hackerone.com/v1/organizations/{organization_id}/assets/{asset_id}", data)
req.Header = headers
req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
body, _ := ioutil.ReadAll(resp.Body)
log.Println(string(body))
}
assets updated
{
"id": "2",
"type": "asset",
"attributes": {
"asset_type": "domain",
"domain_name": "hackerone.com",
"description": null,
"coverage": "untested",
"max_severity": "critical",
"confidentiality_requirement": "high",
"integrity_requirement": "high",
"availability_requirement": "high",
"created_at": "2022-05-19T13:29:47.815Z",
"updated_at": "2022-05-19T13:29:47.992Z",
"reference": "reference"
},
"relationships": {
"asset_tags": {
"data": [
{
"id": "1",
"type": "asset-tag",
"attributes": {
"name": "test"
},
"relationships": {
"asset_tag_category": {
"data": {
"id": "2",
"type": "asset-tag-category",
"attributes": {
"name": "test"
}
}
}
}
}
]
},
"programs": {
"data": [
{
"id": "1",
"type": "program",
"attributes": {
"handle": "handle",
"name": "team name"
}
}
]
},
"attachments": {
"data": []
}
}
}
PUT /organizations/{organization_id}/assets/{asset_id}
This API endpoint can be used to update assets in
HackerOne platform. When the API call is successful,
an asset object will be returned.
You can get the ID of your organization from me/organizations endpoint.
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| organization_id | path | integer | true | The ID of the organization |
| asset_id | path | integer | true | The ID of the asset |
| data | body | object | true | The information to update an asset. |
| » type | body | string | true | none |
| » attributes | body | object | true | none |
| »» description | body | string | false | The asset description. |
| »» max_severity | body | string | false | The qualitative rating of the maximum severity allowed on this asset. Its value is calculated from the combination of all three of the environmental requirements (CR, IR, and AR). |
| »» confidentiality_requirement | body | string | false | A CVSS environmental modifier that reweights Confidentiality Impact of a vulnerability on this asset. |
| »» integrity_requirement | body | string | false | A CVSS environmental modifier that reweights Integrity Impact of a vulnerability on this asset. |
| »» availability_requirement | body | string | false | A CVSS environmental modifier that reweights Availability Impact of a vulnerability on this asset. |
| »» reference | body | string | false | The customer defined reference identifier or tag of the asset. |
| » relationships | body | object | false | none |
| »» asset_tags | body | object | false | A list of AssetTag objects assigned to the asset. |
| »»» data | body | [any] | false | none |
Enumerated Values
| Parameter | Value |
|---|---|
| » type | asset |
| »» max_severity | none |
| »» max_severity | low |
| »» max_severity | medium |
| »» max_severity | high |
| »» max_severity | critical |
| »» confidentiality_requirement | none |
| »» confidentiality_requirement | low |
| »» confidentiality_requirement | high |
| »» integrity_requirement | none |
| »» integrity_requirement | low |
| »» integrity_requirement | high |
| »» availability_requirement | none |
| »» availability_requirement | low |
| »» availability_requirement | high |
Get All Assets
Code samples
# You can also use wget
curl "https://api.hackerone.com/v1/organizations/{organization_id}/assets" \
-X GET \
-u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
-H 'Accept: application/json'
import requests
headers = {
'Accept': 'application/json'
}
r = requests.get(
'https://api.hackerone.com/v1/organizations/{organization_id}/assets',
auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
headers = headers
)
print(r.json())
require 'rest-client'
require 'json'
headers = {
'Accept' => 'application/json'
}
result = RestClient::Request.execute(
method: :get,
url: 'https://api.hackerone.com/v1/organizations/{organization_id}/assets',
password: '<YOUR_API_TOKEN>',
user: '<YOUR_API_USERNAME>',
headers: headers
)
p JSON.parse(result)
URL obj = new URL("https://api.hackerone.com/v1/organizations/{organization_id}/assets");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);
con.setRequestMethod("GET");
try(BufferedReader br = new BufferedReader(
new InputStreamReader(con.getInputStream(), "utf-8"))) {
StringBuilder response = new StringBuilder();
String responseLine = null;
while ((responseLine = br.readLine()) != null) {
response.append(responseLine.trim());
}
System.out.println(response.toString());
}
let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
headers.set('Accept', 'application/json');
fetch('https://api.hackerone.com/v1/organizations/{organization_id}/assets',
{
method: 'GET',
headers: headers
})
.then(function(res) {
return res.json();
}).then(function(body) {
console.log(body);
});
package main
import (
"io/ioutil"
"log"
"net/http"
)
func main() {
headers := map[string][]string{
"Accept": []string{"application/json"},
}
req, err := http.NewRequest("GET", "https://api.hackerone.com/v1/organizations/{organization_id}/assets", nil)
req.Header = headers
req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
body, _ := ioutil.ReadAll(resp.Body)
log.Println(string(body))
}
assets found
{
"data": [
{
"id": "2",
"type": "asset",
"attributes": {
"asset_type": "domain",
"domain_name": "hackerone.com",
"description": null,
"coverage": "untested",
"max_severity": "critical",
"confidentiality_requirement": "high",
"integrity_requirement": "high",
"availability_requirement": "high",
"created_at": "2016-02-02T04:05:06.000Z",
"updated_at": "2016-02-02T04:05:06.000Z",
"archived_at": "2017-02-02T04:05:06.000Z",
"reference": "reference",
"state": "confirmed"
},
"relationships": {
"asset_tags": {
"data": [
{
"id": "1",
"type": "asset-tag",
"attributes": {
"name": "test"
},
"relationships": {
"asset_tag_category": {
"data": {
"id": "2",
"type": "asset-tag-category",
"attributes": {
"name": "test"
}
}
}
}
}
]
},
"programs": {
"data": [
{
"id": "1",
"type": "program",
"attributes": {
"handle": "handle",
"name": "team name"
}
}
]
},
"attachments": {
"data": [
{
"id": "1337",
"type": "attachment",
"attributes": {
"expiring_url": "https://attachments.s3.amazonaws.com/G74PuDP6qdEdN2rpKNLkVwZF",
"created_at": "2016-02-02T04:05:06.000Z",
"file_name": "example.png",
"content_type": "image/png",
"file_size": 16115
}
}
]
}
}
}
],
"links": {}
}
GET /organizations/{organization_id}/assets
Multiple asset objects can be queried that meet certain filtering criteria by sending a GET request to the assets endpoint. When the request is successful, the API will respond with paginated asset objects.
The following asset relationships are included:
asset tags
and program.
You can get the ID of your organization from me/organizations endpoint.
Note, maximum of 10,000 assets can be fetched using the pagination parameters. To fetch more assets,
please use the filter[id__gt] parameter instead of the pagination parameters.
Results are sorted by ID in ascending order.
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| organization_id | path | integer | true | The ID of the organization. |
| filter[asset_tag_ids][] | query | array[int] | false | Filter by the asset's tags IDs you want to fetch the assets for. |
| filter[asset_types][] | query | array[string] | false | Filter by the asset's types you want to fetch the assets for. |
| filter[coverage] | query | array[string] | false | Filter by the asset's coverage you want to fetch the assets for. |
| filter[identifier] | query | string | false | Filter by the asset's identifier you want to fetch the assets for. |
| filter[state][] | query | array[string] | false | Filter by current asset state. |
| filter[archived] | query | boolean | false | Filter by the asset's archived status. By default, all active and archived assets are returned. |
| filter[id__gt] | query | integer | false | Filter by the asset's ID that is greater than the ID specified. Results are sorted by ID in ascending order. |
| page[number] | query | integer | false | The page to retrieve from. The default is set to 1. |
| page[size] | query | integer | false | The number of objects per page (currently limited from 1 to 100). The default is set to 25. |
Enumerated Values
| Parameter | Value |
|---|---|
| filter[asset_types][] | domain |
| filter[asset_types][] | url |
| filter[asset_types][] | wildcard |
| filter[asset_types][] | androidPlayStore |
| filter[asset_types][] | androidApk |
| filter[asset_types][] | otherAsset |
| filter[asset_types][] | hardware |
| filter[asset_types][] | sourceCode |
| filter[asset_types][] | windowsMicrosoftStore |
| filter[asset_types][] | iosAppStore |
| filter[asset_types][] | iosIpa |
| filter[asset_types][] | iosTestflight |
| filter[asset_types][] | executable |
| filter[asset_types][] | cidr |
| filter[asset_types][] | smartContract |
| filter[asset_types][] | aiModel |
| filter[asset_types][] | api |
| filter[asset_types][] | awsCloudConfig |
| filter[asset_types][] | azureCloudConfig |
| filter[coverage] | all |
| filter[coverage] | new |
| filter[coverage] | in_scope |
| filter[coverage] | out_of_scope |
| filter[coverage] | untested |
| filter[state][] | confirmed |
| filter[state][] | rejected |
| filter[state][] | unconfirmed |
Create Asset
Code samples
# You can also use wget
curl "https://api.hackerone.com/v1/organizations/{organization_id}/assets" \
-X POST \
-u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
-H 'Content-Type: application/json' \
-H 'Accept: application/json' \
-d @- <<EOD
{
"data": {
"type": "asset",
"attributes": {
"asset_type": "domain",
"identifier": "string",
"description": "string",
"max_severity": "none",
"confidentiality_requirement": "none",
"integrity_requirement": "none",
"availability_requirement": "none",
"reference": "string"
},
"relationships": {
"asset_tags": {
"data": [
{
"id": 0
}
]
}
}
}
}
EOD
import requests
headers = {
'Content-Type': 'application/json',
'Accept': 'application/json'
}
data = {
"data": {
"type": "asset",
"attributes": {
"asset_type": "domain",
"identifier": "string",
"description": "string",
"max_severity": "none",
"confidentiality_requirement": "none",
"integrity_requirement": "none",
"availability_requirement": "none",
"reference": "string"
},
"relationships": {
"asset_tags": {
"data": [
{
"id": 0
}
]
}
}
}
}
r = requests.post(
'https://api.hackerone.com/v1/organizations/{organization_id}/assets',
auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
json = data,
headers = headers
)
print(r.json())
require 'rest-client'
require 'json'
headers = {
'Content-Type' => 'application/json',
'Accept' => 'application/json'
}
data = {
"data": {
"type": "asset",
"attributes": {
"asset_type": "domain",
"identifier": "string",
"description": "string",
"max_severity": "none",
"confidentiality_requirement": "none",
"integrity_requirement": "none",
"availability_requirement": "none",
"reference": "string"
},
"relationships": {
"asset_tags": {
"data": [
{
"id": 0
}
]
}
}
}
}
result = RestClient::Request.execute(
method: :post,
url: 'https://api.hackerone.com/v1/organizations/{organization_id}/assets',
password: '<YOUR_API_TOKEN>',
user: '<YOUR_API_USERNAME>',
payload: data,
headers: headers
)
p JSON.parse(result)
URL obj = new URL("https://api.hackerone.com/v1/organizations/{organization_id}/assets");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);
con.setRequestMethod("POST");
con.setRequestProperty("Content-Type", "application/json; utf-8");
con.setRequestProperty("Accept", "application/json");
con.setDoOutput(true);
String jsonInputString = "{\n \"data\": {\n \"type\": \"asset\",\n \"attributes\": {\n \"asset_type\": \"domain\",\n \"identifier\": \"string\",\n \"description\": \"string\",\n \"max_severity\": \"none\",\n \"confidentiality_requirement\": \"none\",\n \"integrity_requirement\": \"none\",\n \"availability_requirement\": \"none\",\n \"reference\": \"string\"\n },\n \"relationships\": {\n \"asset_tags\": {\n \"data\": [\n {\n \"id\": 0\n }\n ]\n }\n }\n }\n}";
try(OutputStream os = con.getOutputStream()) {
byte[] input = jsonInputString.getBytes("utf-8");
os.write(input, 0, input.length);
}
try(BufferedReader br = new BufferedReader(
new InputStreamReader(con.getInputStream(), "utf-8"))) {
StringBuilder response = new StringBuilder();
String responseLine = null;
while ((responseLine = br.readLine()) != null) {
response.append(responseLine.trim());
}
System.out.println(response.toString());
}
let inputBody = "{\n \"data\": {\n \"type\": \"asset\",\n \"attributes\": {\n \"asset_type\": \"domain\",\n \"identifier\": \"string\",\n \"description\": \"string\",\n \"max_severity\": \"none\",\n \"confidentiality_requirement\": \"none\",\n \"integrity_requirement\": \"none\",\n \"availability_requirement\": \"none\",\n \"reference\": \"string\"\n },\n \"relationships\": {\n \"asset_tags\": {\n \"data\": [\n {\n \"id\": 0\n }\n ]\n }\n }\n }\n}";
let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
headers.set('Content-Type', 'application/json'); headers.set('Accept', 'application/json');
fetch('https://api.hackerone.com/v1/organizations/{organization_id}/assets',
{
method: 'POST',
body: inputBody,
headers: headers
})
.then(function(res) {
return res.json();
}).then(function(body) {
console.log(body);
});
package main
import (
"bytes"
"io/ioutil"
"log"
"net/http"
)
func main() {
headers := map[string][]string{
"Content-Type": []string{"application/json"},
"Accept": []string{"application/json"},
}
data := bytes.NewBuffer([]byte(`"{\n \"data\": {\n \"type\": \"asset\",\n \"attributes\": {\n \"asset_type\": \"domain\",\n \"identifier\": \"string\",\n \"description\": \"string\",\n \"max_severity\": \"none\",\n \"confidentiality_requirement\": \"none\",\n \"integrity_requirement\": \"none\",\n \"availability_requirement\": \"none\",\n \"reference\": \"string\"\n },\n \"relationships\": {\n \"asset_tags\": {\n \"data\": [\n {\n \"id\": 0\n }\n ]\n }\n }\n }\n}"`))
req, err := http.NewRequest("POST", "https://api.hackerone.com/v1/organizations/{organization_id}/assets", data)
req.Header = headers
req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
body, _ := ioutil.ReadAll(resp.Body)
log.Println(string(body))
}
assets created
{
"id": "2",
"type": "asset",
"attributes": {
"asset_type": "domain",
"domain_name": "hackerone.com",
"description": null,
"coverage": "untested",
"max_severity": "critical",
"confidentiality_requirement": "high",
"integrity_requirement": "high",
"availability_requirement": "high",
"created_at": "2022-05-19T13:29:47.815Z",
"updated_at": "2022-05-19T13:29:47.992Z",
"reference": "reference"
},
"relationships": {
"asset_tags": {
"data": [
{
"id": "1",
"type": "asset-tag",
"attributes": {
"name": "test"
},
"relationships": {
"asset_tag_category": {
"data": {
"id": "2",
"type": "asset-tag-category",
"attributes": {
"name": "test"
}
}
}
}
}
]
},
"programs": {
"data": [
{
"id": "1",
"type": "program",
"attributes": {
"handle": "handle",
"name": "team name"
}
}
]
},
"attachments": {
"data": []
}
}
}
POST /organizations/{organization_id}/assets
This API endpoint can be used to create/import assets into the
HackerOne platform and to detect duplicates. When the API call is successful,
an asset object will be returned.
You can get the ID of your organization from me/organizations endpoint.
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| organization_id | path | integer | true | The ID of the organization |
| data | body | object | true | The information to create an asset. |
| » type | body | string | true | none |
| » attributes | body | object | true | none |
| »» asset_type | body | string | true | The type of the asset |
| »» identifier | body | string | true | The identifier of the asset. |
| »» description | body | string | false | The asset description. |
| »» max_severity | body | string | false | The qualitative rating of the maximum severity allowed on this asset. Its value is calculated from the combination of all three of the environmental requirements (CR, IR, and AR). |
| »» confidentiality_requirement | body | string | false | A CVSS environmental modifier that reweights Confidentiality Impact of a vulnerability on this asset. |
| »» integrity_requirement | body | string | false | A CVSS environmental modifier that reweights Integrity Impact of a vulnerability on this asset. |
| »» availability_requirement | body | string | false | A CVSS environmental modifier that reweights Availability Impact of a vulnerability on this asset. |
| »» reference | body | string | false | The customer defined reference identifier or tag of the asset. |
| » relationships | body | object | false | none |
| »» asset_tags | body | object | false | A list of AssetTag objects assigned to the asset. |
| »»» data | body | [any] | false | none |
Enumerated Values
| Parameter | Value |
|---|---|
| » type | asset |
| »» asset_type | domain |
| »» asset_type | url |
| »» asset_type | wildcard |
| »» asset_type | androidPlayStore |
| »» asset_type | androidApk |
| »» asset_type | otherAsset |
| »» asset_type | hardware |
| »» asset_type | sourceCode |
| »» asset_type | windowsMicrosoftStore |
| »» asset_type | iosAppStore |
| »» asset_type | iosIpa |
| »» asset_type | iosTestflight |
| »» asset_type | executable |
| »» asset_type | cidr |
| »» asset_type | smartContract |
| »» asset_type | aiModel |
| »» asset_type | api |
| »» asset_type | awsCloudConfig |
| »» asset_type | azureCloudConfig |
| »» max_severity | none |
| »» max_severity | low |
| »» max_severity | medium |
| »» max_severity | high |
| »» max_severity | critical |
| »» confidentiality_requirement | none |
| »» confidentiality_requirement | low |
| »» confidentiality_requirement | high |
| »» integrity_requirement | none |
| »» integrity_requirement | low |
| »» integrity_requirement | high |
| »» availability_requirement | none |
| »» availability_requirement | low |
| »» availability_requirement | high |
Archive Assets
Code samples
# You can also use wget
curl "https://api.hackerone.com/v1/organizations/{organization_id}/assets/archive" \
-X POST \
-u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
-H 'Content-Type: application/json' \
-H 'Accept: application/json' \
-d @- <<EOD
{
"data": [
{
"id": 0,
"type": "asset"
}
]
}
EOD
import requests
headers = {
'Content-Type': 'application/json',
'Accept': 'application/json'
}
data = {
"data": [
{
"id": 0,
"type": "asset"
}
]
}
r = requests.post(
'https://api.hackerone.com/v1/organizations/{organization_id}/assets/archive',
auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
json = data,
headers = headers
)
print(r.json())
require 'rest-client'
require 'json'
headers = {
'Content-Type' => 'application/json',
'Accept' => 'application/json'
}
data = {
"data": [
{
"id": 0,
"type": "asset"
}
]
}
result = RestClient::Request.execute(
method: :post,
url: 'https://api.hackerone.com/v1/organizations/{organization_id}/assets/archive',
password: '<YOUR_API_TOKEN>',
user: '<YOUR_API_USERNAME>',
payload: data,
headers: headers
)
p JSON.parse(result)
URL obj = new URL("https://api.hackerone.com/v1/organizations/{organization_id}/assets/archive");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);
con.setRequestMethod("POST");
con.setRequestProperty("Content-Type", "application/json; utf-8");
con.setRequestProperty("Accept", "application/json");
con.setDoOutput(true);
String jsonInputString = "{\n \"data\": [\n {\n \"id\": 0,\n \"type\": \"asset\"\n }\n ]\n}";
try(OutputStream os = con.getOutputStream()) {
byte[] input = jsonInputString.getBytes("utf-8");
os.write(input, 0, input.length);
}
try(BufferedReader br = new BufferedReader(
new InputStreamReader(con.getInputStream(), "utf-8"))) {
StringBuilder response = new StringBuilder();
String responseLine = null;
while ((responseLine = br.readLine()) != null) {
response.append(responseLine.trim());
}
System.out.println(response.toString());
}
let inputBody = "{\n \"data\": [\n {\n \"id\": 0,\n \"type\": \"asset\"\n }\n ]\n}";
let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
headers.set('Content-Type', 'application/json'); headers.set('Accept', 'application/json');
fetch('https://api.hackerone.com/v1/organizations/{organization_id}/assets/archive',
{
method: 'POST',
body: inputBody,
headers: headers
})
.then(function(res) {
return res.json();
}).then(function(body) {
console.log(body);
});
package main
import (
"bytes"
"io/ioutil"
"log"
"net/http"
)
func main() {
headers := map[string][]string{
"Content-Type": []string{"application/json"},
"Accept": []string{"application/json"},
}
data := bytes.NewBuffer([]byte(`"{\n \"data\": [\n {\n \"id\": 0,\n \"type\": \"asset\"\n }\n ]\n}"`))
req, err := http.NewRequest("POST", "https://api.hackerone.com/v1/organizations/{organization_id}/assets/archive", data)
req.Header = headers
req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
body, _ := ioutil.ReadAll(resp.Body)
log.Println(string(body))
}
assets archived
{
"data": [
{
"id": "1",
"type": "asset",
"attributes": {
"archived_at": "2015-02-02T04:05:06.000Z"
}
},
{
"id": "2",
"type": "asset",
"attributes": {
"archived_at": "2015-02-02T04:05:06.000Z"
}
}
]
}
POST /organizations/{organization_id}/assets/archive
This API endpoint can be used to archive assets in
HackerOne platform. When the API call is successful,
an asset object will be returned.
You can get the ID of your organization from me/organizations endpoint.
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| organization_id | path | integer | true | The ID of the organization. |
| data | body | [any] | true | The information to archive an asset. |
Reports
Create Comment
Code samples
# You can also use wget
curl "https://api.hackerone.com/v1/reports/{id}/activities" \
-X POST \
-u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
-H 'Content-Type: application/json' \
-H 'Accept: application/json' \
-d @- <<EOD
{
"data": {
"type": "activity-comment",
"attributes": {
"message": "string",
"internal": true,
"attachment_ids": []
}
}
}
EOD
import requests
headers = {
'Content-Type': 'application/json',
'Accept': 'application/json'
}
data = {
"data": {
"type": "activity-comment",
"attributes": {
"message": "string",
"internal": true,
"attachment_ids": []
}
}
}
r = requests.post(
'https://api.hackerone.com/v1/reports/{id}/activities',
auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
json = data,
headers = headers
)
print(r.json())
require 'rest-client'
require 'json'
headers = {
'Content-Type' => 'application/json',
'Accept' => 'application/json'
}
data = {
"data": {
"type": "activity-comment",
"attributes": {
"message": "string",
"internal": true,
"attachment_ids": []
}
}
}
result = RestClient::Request.execute(
method: :post,
url: 'https://api.hackerone.com/v1/reports/{id}/activities',
password: '<YOUR_API_TOKEN>',
user: '<YOUR_API_USERNAME>',
payload: data,
headers: headers
)
p JSON.parse(result)
URL obj = new URL("https://api.hackerone.com/v1/reports/{id}/activities");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);
con.setRequestMethod("POST");
con.setRequestProperty("Content-Type", "application/json; utf-8");
con.setRequestProperty("Accept", "application/json");
con.setDoOutput(true);
String jsonInputString = "{\n \"data\": {\n \"type\": \"activity-comment\",\n \"attributes\": {\n \"message\": \"string\",\n \"internal\": true,\n \"attachment_ids\": []\n }\n }\n}";
try(OutputStream os = con.getOutputStream()) {
byte[] input = jsonInputString.getBytes("utf-8");
os.write(input, 0, input.length);
}
try(BufferedReader br = new BufferedReader(
new InputStreamReader(con.getInputStream(), "utf-8"))) {
StringBuilder response = new StringBuilder();
String responseLine = null;
while ((responseLine = br.readLine()) != null) {
response.append(responseLine.trim());
}
System.out.println(response.toString());
}
let inputBody = "{\n \"data\": {\n \"type\": \"activity-comment\",\n \"attributes\": {\n \"message\": \"string\",\n \"internal\": true,\n \"attachment_ids\": []\n }\n }\n}";
let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
headers.set('Content-Type', 'application/json'); headers.set('Accept', 'application/json');
fetch('https://api.hackerone.com/v1/reports/{id}/activities',
{
method: 'POST',
body: inputBody,
headers: headers
})
.then(function(res) {
return res.json();
}).then(function(body) {
console.log(body);
});
package main
import (
"bytes"
"io/ioutil"
"log"
"net/http"
)
func main() {
headers := map[string][]string{
"Content-Type": []string{"application/json"},
"Accept": []string{"application/json"},
}
data := bytes.NewBuffer([]byte(`"{\n \"data\": {\n \"type\": \"activity-comment\",\n \"attributes\": {\n \"message\": \"string\",\n \"internal\": true,\n \"attachment_ids\": []\n }\n }\n}"`))
req, err := http.NewRequest("POST", "https://api.hackerone.com/v1/reports/{id}/activities", data)
req.Header = headers
req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
body, _ := ioutil.ReadAll(resp.Body)
log.Println(string(body))
}
comment created
{
"data": {
"id": "1337",
"type": "activity-comment",
"attributes": {
"message": "A fix has been deployed. Can you retest, please?",
"created_at": "2016-02-02T04:05:06.000Z",
"updated_at": "2016-02-02T04:05:06.000Z",
"internal": false
},
"relationships": {
"actor": {
"data": {
"id": "1337",
"type": "user",
"attributes": {
"username": "api-example",
"name": "API Example",
"disabled": false,
"created_at": "2016-02-02T04:05:06.000Z",
"profile_picture": {
"62x62": "/assets/avatars/default.png",
"82x82": "/assets/avatars/default.png",
"110x110": "/assets/avatars/default.png",
"260x260": "/assets/avatars/default.png"
}
}
}
}
}
}
}
POST /reports/{id}/activities
Both public and internal comments can be posted with this endpoint.
Comments require a message before they will be posted. If a public comment is
posted, any user that is subscribed to the report will receive a notification
of the created comment. For internal comments, only people that are managing
the program who are subscribed to the report will receive a notification.
Required permissions: Report Management. Enables you to post public comments. Posting internal comments do not require any additional permissions. You can manage the permissions of your API users through your organization's settings. Insufficient permissions will result in a 403 Forbidden response.
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| id | path | integer | true | The ID of the report. |
| data | body | object | true | The information to create a comment object for the report. |
| » type | body | string | true | Type of activity. |
| » attributes | body | object | true | none |
| »» message | body | string | true | The message that will be posted. |
| »» internal | body | boolean | true | A boolean that indicates whether the comment should |
| »» attachment_ids | body | array | false | Array of attachment IDs. You can upload attachments here |
Detailed descriptions
»» internal: A boolean that indicates whether the comment should be internal or public. Internal comments are only viewable by the users that manage the program. Public comments are viewable by everyone, including the person that submitted the report.
Enumerated Values
| Parameter | Value |
|---|---|
| » type | activity-comment |
Update Assignee
Code samples
# You can also use wget
curl "https://api.hackerone.com/v1/reports/{id}/assignee" \
-X PUT \
-u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
-H 'Content-Type: application/json' \
-H 'Accept: application/json' \
-d @- <<EOD
{
"data": {
"id": 0,
"type": "user",
"attributes": {
"message": "string"
}
}
}
EOD
import requests
headers = {
'Content-Type': 'application/json',
'Accept': 'application/json'
}
data = {
"data": {
"id": 0,
"type": "user",
"attributes": {
"message": "string"
}
}
}
r = requests.put(
'https://api.hackerone.com/v1/reports/{id}/assignee',
auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
json = data,
headers = headers
)
print(r.json())
require 'rest-client'
require 'json'
headers = {
'Content-Type' => 'application/json',
'Accept' => 'application/json'
}
data = {
"data": {
"id": 0,
"type": "user",
"attributes": {
"message": "string"
}
}
}
result = RestClient::Request.execute(
method: :put,
url: 'https://api.hackerone.com/v1/reports/{id}/assignee',
password: '<YOUR_API_TOKEN>',
user: '<YOUR_API_USERNAME>',
payload: data,
headers: headers
)
p JSON.parse(result)
URL obj = new URL("https://api.hackerone.com/v1/reports/{id}/assignee");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);
con.setRequestMethod("PUT");
con.setRequestProperty("Content-Type", "application/json; utf-8");
con.setRequestProperty("Accept", "application/json");
con.setDoOutput(true);
String jsonInputString = "{\n \"data\": {\n \"id\": 0,\n \"type\": \"user\",\n \"attributes\": {\n \"message\": \"string\"\n }\n }\n}";
try(OutputStream os = con.getOutputStream()) {
byte[] input = jsonInputString.getBytes("utf-8");
os.write(input, 0, input.length);
}
try(BufferedReader br = new BufferedReader(
new InputStreamReader(con.getInputStream(), "utf-8"))) {
StringBuilder response = new StringBuilder();
String responseLine = null;
while ((responseLine = br.readLine()) != null) {
response.append(responseLine.trim());
}
System.out.println(response.toString());
}
let inputBody = "{\n \"data\": {\n \"id\": 0,\n \"type\": \"user\",\n \"attributes\": {\n \"message\": \"string\"\n }\n }\n}";
let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
headers.set('Content-Type', 'application/json'); headers.set('Accept', 'application/json');
fetch('https://api.hackerone.com/v1/reports/{id}/assignee',
{
method: 'PUT',
body: inputBody,
headers: headers
})
.then(function(res) {
return res.json();
}).then(function(body) {
console.log(body);
});
package main
import (
"bytes"
"io/ioutil"
"log"
"net/http"
)
func main() {
headers := map[string][]string{
"Content-Type": []string{"application/json"},
"Accept": []string{"application/json"},
}
data := bytes.NewBuffer([]byte(`"{\n \"data\": {\n \"id\": 0,\n \"type\": \"user\",\n \"attributes\": {\n \"message\": \"string\"\n }\n }\n}"`))
req, err := http.NewRequest("PUT", "https://api.hackerone.com/v1/reports/{id}/assignee", data)
req.Header = headers
req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
body, _ := ioutil.ReadAll(resp.Body)
log.Println(string(body))
}
assignee updated
{
"id": "1337",
"type": "report",
"attributes": {
"title": "XSS in login form",
"state": "new",
"created_at": "2016-02-02T04:05:06.000Z",
"vulnerability_information": "...",
"triaged_at": null,
"closed_at": null,
"last_reporter_activity_at": null,
"first_program_activity_at": null,
"last_program_activity_at": null,
"bounty_awarded_at": null,
"swag_awarded_at": null,
"disclosed_at": null,
"last_activity_at": null,
"issue_tracker_reference_url": "https://example.com/reference",
"cve_ids": []
},
"relationships": {
"reporter": {
"data": {
"id": "1337",
"type": "user",
"attributes": {
"username": "api-example",
"name": "API Example",
"disabled": false,
"created_at": "2016-02-02T04:05:06.000Z",
"profile_picture": {
"62x62": "/assets/avatars/default.png",
"82x82": "/assets/avatars/default.png",
"110x110": "/assets/avatars/default.png",
"260x260": "/assets/avatars/default.png"
},
"reputation": 7,
"signal": 7,
"impact": 30
}
}
},
"assignee": {
"data": {
"id": "1337",
"type": "user",
"attributes": {
"username": "member",
"name": "Member",
"disabled": false,
"created_at": "2016-02-02T04:05:06.000Z",
"profile_picture": {
"62x62": "/assets/avatars/default.png",
"82x82": "/assets/avatars/default.png",
"110x110": "/assets/avatars/default.png",
"260x260": "/assets/avatars/default.png"
}
}
}
},
"program": {
"data": {
"id": "1337",
"type": "program",
"attributes": {
"handle": "security",
"created_at": "2016-02-02T04:05:06.000Z",
"updated_at": "2016-02-02T04:05:06.000Z"
}
}
},
"swag": {
"data": []
},
"attachments": {
"data": []
},
"weakness": {
"data": {
"id": "1337",
"type": "weakness",
"attributes": {
"name": "Cross-Site Request Forgery (CSRF)",
"description": "The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.",
"external_id": "cwe-352",
"created_at": "2016-02-02T04:05:06.000Z"
}
}
},
"activities": {
"data": [
{
"id": "1337",
"type": "activity-user-assigned-to-bug",
"attributes": {
"message": "@member Please check this out!",
"created_at": "2016-02-02T04:05:06.000Z",
"updated_at": "2016-02-02T04:05:06.000Z",
"internal": true
},
"relationships": {
"actor": {
"data": {
"id": "1338",
"type": "user",
"attributes": {
"username": "api_example_company",
"name": null,
"disabled": false,
"created_at": "2016-02-02T04:05:06.000Z",
"profile_picture": {
"62x62": "/assets/avatars/default.png",
"82x82": "/assets/avatars/default.png",
"110x110": "/assets/avatars/default.png",
"260x260": "/assets/avatars/default.png"
}
}
}
},
"assigned_user": {
"data": {
"id": "1337",
"type": "user",
"attributes": {
"username": "member",
"name": "Member",
"disabled": false,
"created_at": "2016-02-02T04:05:06.000Z",
"profile_picture": {
"62x62": "/assets/avatars/default.png",
"82x82": "/assets/avatars/default.png",
"110x110": "/assets/avatars/default.png",
"260x260": "/assets/avatars/default.png"
}
}
}
}
}
}
]
},
"bounties": {
"data": []
},
"summaries": {
"data": []
}
}
}
PUT /reports/{id}/assignee
A user or group can be assigned to a report with this endpoint.
An optional message can be specified, which will be posted as an internal
comment to the report subscribers. Only users and groups that are part
of the program can be assigned. It is not possible to assign API users
to a report.
When assigning a single user to a report, that user will automatically be
subscribed to the report. In case a group is assigned to a report, all
users that are part of that group are subscribed to the report. Subscribers
will receive a notification that the report was assigned.
In case the request was successful, the API will respond with the updated
report object.
Required permissions: Report Management. You can manage the permissions of your API users through your organization's settings. Insufficient permissions will result in a 403 Forbidden response.
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| id | path | integer | true | The ID of the report. |
| data | body | object | true | Contains the information to assign a user or group object to the report, or to clear the assignee of a report. |
| » id | body | integer | false | The ID of the user or group. This is required unless the type is 'nobody' |
| » type | body | string | true | Specifies whether a user or group should be assigned, or if the assignee should be cleared. |
| » attributes | body | object | false | none |
| »» message | body | string | false | The message that will be posted to the assigned user or group. |
Enumerated Values
| Parameter | Value |
|---|---|
| » type | user |
| » type | group |
| » type | nobody |
Upload Attachments
Code samples
# You can also use wget
curl "https://api.hackerone.com/v1/reports/attachments" \
-X POST \
-u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
-H 'Content-Type: multipart/form-data' \
-H 'Accept: application/json' \
-d @- <<EOD
null
EOD
import requests
headers = {
'Content-Type': 'multipart/form-data',
'Accept': 'application/json'
}
data = null
r = requests.post(
'https://api.hackerone.com/v1/reports/attachments',
auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
json = data,
headers = headers
)
print(r.json())
require 'rest-client'
require 'json'
headers = {
'Content-Type' => 'multipart/form-data',
'Accept' => 'application/json'
}
data = null
result = RestClient::Request.execute(
method: :post,
url: 'https://api.hackerone.com/v1/reports/attachments',
password: '<YOUR_API_TOKEN>',
user: '<YOUR_API_USERNAME>',
payload: data,
headers: headers
)
p JSON.parse(result)
URL obj = new URL("https://api.hackerone.com/v1/reports/attachments");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);
con.setRequestMethod("POST");
con.setRequestProperty("Content-Type", "application/json; utf-8");
con.setRequestProperty("Accept", "application/json");
con.setDoOutput(true);
String jsonInputString = "null";
try(OutputStream os = con.getOutputStream()) {
byte[] input = jsonInputString.getBytes("utf-8");
os.write(input, 0, input.length);
}
try(BufferedReader br = new BufferedReader(
new InputStreamReader(con.getInputStream(), "utf-8"))) {
StringBuilder response = new StringBuilder();
String responseLine = null;
while ((responseLine = br.readLine()) != null) {
response.append(responseLine.trim());
}
System.out.println(response.toString());
}
let inputBody = "null";
let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
headers.set('Content-Type', 'multipart/form-data'); headers.set('Accept', 'application/json');
fetch('https://api.hackerone.com/v1/reports/attachments',
{
method: 'POST',
body: inputBody,
headers: headers
})
.then(function(res) {
return res.json();
}).then(function(body) {
console.log(body);
});
package main
import (
"bytes"
"io/ioutil"
"log"
"net/http"
)
func main() {
headers := map[string][]string{
"Content-Type": []string{"multipart/form-data"},
"Accept": []string{"application/json"},
}
data := bytes.NewBuffer([]byte(`"null"`))
req, err := http.NewRequest("POST", "https://api.hackerone.com/v1/reports/attachments", data)
req.Header = headers
req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
body, _ := ioutil.ReadAll(resp.Body)
log.Println(string(body))
}
attachment uploaded
{
"id": "1337",
"type": "attachment",
"attributes": {
"expiring_url": "/system/attachments/files/000/001/337/original/root.rb?1454385906",
"created_at": "2016-02-02T04:05:06.000Z",
"file_name": "root.rb",
"content_type": "text/x-ruby",
"file_size": 2871
}
}
POST /reports/attachments
Attachments can be uploaded by sending a POST request to the reports
attachments endpoint. When the API call is successful, an attachment
object will be returned.
You can use the attachment ID to display the attachment in your comments. For example,
if the attachment ID is 1337, then include {F1337} in your comments to display the
attachment.
Required permissions: Report Management. You can manage the permissions of your API users through your organization's settings. Insufficient permissions will result in a 404 Not Found response.
Delete Attachments
Code samples
# You can also use wget
curl "https://api.hackerone.com/v1/reports/{report_id}/attachments" \
-X DELETE \
-u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>"
import requests
r = requests.delete(
'https://api.hackerone.com/v1/reports/{report_id}/attachments',
auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>')
)
print(r.json())
require 'rest-client'
require 'json'
result = RestClient::Request.execute(
method: :delete,
url: 'https://api.hackerone.com/v1/reports/{report_id}/attachments',
password: '<YOUR_API_TOKEN>',
user: '<YOUR_API_USERNAME>'
)
p JSON.parse(result)
URL obj = new URL("https://api.hackerone.com/v1/reports/{report_id}/attachments");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);
con.setRequestMethod("DELETE");
try(BufferedReader br = new BufferedReader(
new InputStreamReader(con.getInputStream(), "utf-8"))) {
StringBuilder response = new StringBuilder();
String responseLine = null;
while ((responseLine = br.readLine()) != null) {
response.append(responseLine.trim());
}
System.out.println(response.toString());
}
let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
fetch('https://api.hackerone.com/v1/reports/{report_id}/attachments',
{
method: 'DELETE'
headers: headers
})
.then(function(res) {
return res.json();
}).then(function(body) {
console.log(body);
});
package main
import (
"io/ioutil"
"log"
"net/http"
)
func main() {
req, err := http.NewRequest("DELETE", "https://api.hackerone.com/v1/reports/{report_id}/attachments", nil)
req.Header = headers
req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
body, _ := ioutil.ReadAll(resp.Body)
log.Println(string(body))
}
DELETE /reports/{report_id}/attachments
All attachments for a report can be permanently deleted by sending a DELETE request to the
/reports/{report_id}/attachments endpoint. This will remove all attachments
associated with the specified report. This action is irreversible.
Required permissions: Report Management. You can manage the permissions of your API users through your organization's settings. Insufficient permissions will result in a 404 Not Found response.
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| report_id | path | string | true | ID of the report. |
Award Bounty
Code samples
# You can also use wget
curl "https://api.hackerone.com/v1/reports/{id}/bounties" \
-X POST \
-u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
-H 'Content-Type: application/json' \
-H 'Accept: application/json' \
-d @- <<EOD
{
"data": {
"message": "string",
"amount": 0,
"bonus_amount": 0
}
}
EOD
import requests
headers = {
'Content-Type': 'application/json',
'Accept': 'application/json'
}
data = {
"data": {
"message": "string",
"amount": 0,
"bonus_amount": 0
}
}
r = requests.post(
'https://api.hackerone.com/v1/reports/{id}/bounties',
auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
json = data,
headers = headers
)
print(r.json())
require 'rest-client'
require 'json'
headers = {
'Content-Type' => 'application/json',
'Accept' => 'application/json'
}
data = {
"data": {
"message": "string",
"amount": 0,
"bonus_amount": 0
}
}
result = RestClient::Request.execute(
method: :post,
url: 'https://api.hackerone.com/v1/reports/{id}/bounties',
password: '<YOUR_API_TOKEN>',
user: '<YOUR_API_USERNAME>',
payload: data,
headers: headers
)
p JSON.parse(result)
URL obj = new URL("https://api.hackerone.com/v1/reports/{id}/bounties");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);
con.setRequestMethod("POST");
con.setRequestProperty("Content-Type", "application/json; utf-8");
con.setRequestProperty("Accept", "application/json");
con.setDoOutput(true);
String jsonInputString = "{\n \"data\": {\n \"message\": \"string\",\n \"amount\": 0,\n \"bonus_amount\": 0\n }\n}";
try(OutputStream os = con.getOutputStream()) {
byte[] input = jsonInputString.getBytes("utf-8");
os.write(input, 0, input.length);
}
try(BufferedReader br = new BufferedReader(
new InputStreamReader(con.getInputStream(), "utf-8"))) {
StringBuilder response = new StringBuilder();
String responseLine = null;
while ((responseLine = br.readLine()) != null) {
response.append(responseLine.trim());
}
System.out.println(response.toString());
}
let inputBody = "{\n \"data\": {\n \"message\": \"string\",\n \"amount\": 0,\n \"bonus_amount\": 0\n }\n}";
let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
headers.set('Content-Type', 'application/json'); headers.set('Accept', 'application/json');
fetch('https://api.hackerone.com/v1/reports/{id}/bounties',
{
method: 'POST',
body: inputBody,
headers: headers
})
.then(function(res) {
return res.json();
}).then(function(body) {
console.log(body);
});
package main
import (
"bytes"
"io/ioutil"
"log"
"net/http"
)
func main() {
headers := map[string][]string{
"Content-Type": []string{"application/json"},
"Accept": []string{"application/json"},
}
data := bytes.NewBuffer([]byte(`"{\n \"data\": {\n \"message\": \"string\",\n \"amount\": 0,\n \"bonus_amount\": 0\n }\n}"`))
req, err := http.NewRequest("POST", "https://api.hackerone.com/v1/reports/{id}/bounties", data)
req.Header = headers
req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
body, _ := ioutil.ReadAll(resp.Body)
log.Println(string(body))
}
bounty awarded
{
"id": "1337",
"type": "bounty",
"attributes": {
"amount": "500.00",
"bonus_amount": "50.00",
"created_at": "2016-02-02T04:05:06.000Z"
}
}
POST /reports/{id}/bounties
You can use this endpoint to award bounties to the reporter
of the provided report.
Required permissions: Reward Management. You can manage the
permissions of your API users through your organization's settings.
Insufficient permissions will result in a 404 Not Found response.
In addition, your program needs to be able to award bounties and the report needs to be eligible for bounties. If either case is false, the call will result in a 403 Forbidden response.
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| id | path | integer | true | The ID of the report. |
| data | body | object | true | The information required to create a bounty. |
| » message | body | string | true | The public message posted on the report. This is always required. |
| » amount | body | number | false | The bounty award to award to the reporter. Only amount or bonus amount is required. It must be a positive number and, when provided, must be equal to or greater than your minimum bounty. |
| » bonus_amount | body | number | false | The bonus amount to award to the reporter. Only amount or bonus amount is required. It must be a positive number. |
Mark as Ineligible for Bounty
Code samples
# You can also use wget
curl "https://api.hackerone.com/v1/reports/{id}/ineligible_for_bounty" \
-X PUT \
-u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
-H 'Content-Type: application/json' \
-H 'Accept: application/json' \
-d @- <<EOD
{
"data": {
"type": "report-ineligible-for-bounty"
}
}
EOD
import requests
headers = {
'Content-Type': 'application/json',
'Accept': 'application/json'
}
data = {
"data": {
"type": "report-ineligible-for-bounty"
}
}
r = requests.put(
'https://api.hackerone.com/v1/reports/{id}/ineligible_for_bounty',
auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
json = data,
headers = headers
)
print(r.json())
require 'rest-client'
require 'json'
headers = {
'Content-Type' => 'application/json',
'Accept' => 'application/json'
}
data = {
"data": {
"type": "report-ineligible-for-bounty"
}
}
result = RestClient::Request.execute(
method: :put,
url: 'https://api.hackerone.com/v1/reports/{id}/ineligible_for_bounty',
password: '<YOUR_API_TOKEN>',
user: '<YOUR_API_USERNAME>',
payload: data,
headers: headers
)
p JSON.parse(result)
URL obj = new URL("https://api.hackerone.com/v1/reports/{id}/ineligible_for_bounty");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);
con.setRequestMethod("PUT");
con.setRequestProperty("Content-Type", "application/json; utf-8");
con.setRequestProperty("Accept", "application/json");
con.setDoOutput(true);
String jsonInputString = "{\n \"data\": {\n \"type\": \"report-ineligible-for-bounty\"\n }\n}";
try(OutputStream os = con.getOutputStream()) {
byte[] input = jsonInputString.getBytes("utf-8");
os.write(input, 0, input.length);
}
try(BufferedReader br = new BufferedReader(
new InputStreamReader(con.getInputStream(), "utf-8"))) {
StringBuilder response = new StringBuilder();
String responseLine = null;
while ((responseLine = br.readLine()) != null) {
response.append(responseLine.trim());
}
System.out.println(response.toString());
}
let inputBody = "{\n \"data\": {\n \"type\": \"report-ineligible-for-bounty\"\n }\n}";
let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
headers.set('Content-Type', 'application/json'); headers.set('Accept', 'application/json');
fetch('https://api.hackerone.com/v1/reports/{id}/ineligible_for_bounty',
{
method: 'PUT',
body: inputBody,
headers: headers
})
.then(function(res) {
return res.json();
}).then(function(body) {
console.log(body);
});
package main
import (
"bytes"
"io/ioutil"
"log"
"net/http"
)
func main() {
headers := map[string][]string{
"Content-Type": []string{"application/json"},
"Accept": []string{"application/json"},
}
data := bytes.NewBuffer([]byte(`"{\n \"data\": {\n \"type\": \"report-ineligible-for-bounty\"\n }\n}"`))
req, err := http.NewRequest("PUT", "https://api.hackerone.com/v1/reports/{id}/ineligible_for_bounty", data)
req.Header = headers
req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
body, _ := ioutil.ReadAll(resp.Body)
log.Println(string(body))
}
Marked as ineligible for bounty
{
"id": "1337",
"type": "report",
"attributes": {
"title": "XSS in login form",
"state": "new",
"created_at": "2016-02-02T04:05:06.000Z",
"vulnerability_information": "...",
"triaged_at": null,
"closed_at": null,
"last_reporter_activity_at": null,
"first_program_activity_at": null,
"last_program_activity_at": null,
"bounty_awarded_at": null,
"swag_awarded_at": null,
"disclosed_at": null,
"last_public_activity_at": null,
"last_activity_at": null,
"issue_tracker_reference_url": "https://example.com/reference",
"cve_ids": [],
"source": null,
"reporter_agreed_on_going_public_at": null
},
"relationships": {
"reporter": {
"data": {
"id": "1337",
"type": "user",
"attributes": {
"username": "api-example",
"name": "API Example",
"disabled": false,
"created_at": "2016-02-02T04:05:06.000Z",
"profile_picture": {
"62x62": "/assets/avatars/default.png",
"82x82": "/assets/avatars/default.png",
"110x110": "/assets/avatars/default.png",
"260x260": "/assets/avatars/default.png"
},
"reputation": 7,
"signal": 7,
"impact": 30
}
}
},
"collaborators": {
"data": [
{
"weight": 1,
"user": {
"id": "1337",
"type": "user",
"attributes": {
"username": "api-example",
"name": "API Example",
"disabled": false,
"created_at": "2016-02-02T04:05:06.000Z",
"profile_picture": {
"62x62": "/assets/avatars/default.png",
"82x82": "/assets/avatars/default.png",
"110x110": "/assets/avatars/default.png",
"260x260": "/assets/avatars/default.png"
},
"reputation": 7,
"signal": 7,
"impact": 30
}
}
},
{
"weight": 1,
"user": {
"id": "1338",
"type": "user",
"attributes": {
"username": "api-example 2",
"name": "API Example 2",
"disabled": false,
"created_at": "2016-02-02T04:05:06.000Z",
"profile_picture": {
"62x62": "/assets/avatars/default.png",
"82x82": "/assets/avatars/default.png",
"110x110": "/assets/avatars/default.png",
"260x260": "/assets/avatars/default.png"
},
"reputation": 7,
"signal": 7,
"impact": 30
}
}
}
]
},
"program": {
"data": {
"id": "1337",
"type": "program",
"attributes": {
"handle": "security",
"created_at": "2016-02-02T04:05:06.000Z",
"updated_at": "2016-02-02T04:05:06.000Z"
}
}
},
"swag": {
"data": []
},
"attachments": {
"data": []
},
"weakness": {
"data": {
"id": "1337",
"type": "weakness",
"attributes": {
"name": "Cross-Site Request Forgery (CSRF)",
"description": "The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.",
"external_id": "cwe-352",
"created_at": "2016-02-02T04:05:06.000Z"
}
}
},
"structured_scope": {
"data": {
"id": "287",
"type": "structured-scope",
"attributes": {
"asset_type": "URL",
"asset_identifier": "www.hackerone.com",
"eligible_for_bounty": true,
"eligible_for_submission": true,
"instruction": "This asset does not contain any highly confidential information.",
"max_severity": "critical",
"created_at": "2016-02-02T04:05:06.000Z",
"updated_at": "2016-02-02T04:05:06.000Z",
"reference": "T12345",
"confidentiality_requirement": "medium",
"integrity_requirement": "high",
"availability_requirement": "medium"
}
}
},
"activities": {
"data": []
},
"bounties": {
"data": []
},
"summaries": {
"data": []
}
}
}
PUT /reports/{id}/ineligible_for_bounty
Marking a report as ineligible for bounty through the HackerOne API can be useful to
programmatically batch update received reports in HackerOne.
Marking a report as ineligible for bounty can be done through this endpoint. This API
endpoint cannot be used for reports that have been reported outside of the HackerOne platform.
Required permissions: Report Management. You can manage the permissions of your API users through your program's settings. Insufficient permissions will result in a 403 Forbidden response.
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| id | path | integer | true | The ID of the report. |
| data | body | object | true | The information to mark a report as ineligible for bounty. |
| » type | body | string | true | none |
Enumerated Values
| Parameter | Value |
|---|---|
| » type | report-ineligible-for-bounty |
List bounty suggestions
Code samples
# You can also use wget
curl "https://api.hackerone.com/v1/reports/{id}/bounty_suggestions" \
-X GET \
-u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
-H 'Accept: application/json'
import requests
headers = {
'Accept': 'application/json'
}
r = requests.get(
'https://api.hackerone.com/v1/reports/{id}/bounty_suggestions',
auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
headers = headers
)
print(r.json())
require 'rest-client'
require 'json'
headers = {
'Accept' => 'application/json'
}
result = RestClient::Request.execute(
method: :get,
url: 'https://api.hackerone.com/v1/reports/{id}/bounty_suggestions',
password: '<YOUR_API_TOKEN>',
user: '<YOUR_API_USERNAME>',
headers: headers
)
p JSON.parse(result)
URL obj = new URL("https://api.hackerone.com/v1/reports/{id}/bounty_suggestions");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);
con.setRequestMethod("GET");
try(BufferedReader br = new BufferedReader(
new InputStreamReader(con.getInputStream(), "utf-8"))) {
StringBuilder response = new StringBuilder();
String responseLine = null;
while ((responseLine = br.readLine()) != null) {
response.append(responseLine.trim());
}
System.out.println(response.toString());
}
let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
headers.set('Accept', 'application/json');
fetch('https://api.hackerone.com/v1/reports/{id}/bounty_suggestions',
{
method: 'GET',
headers: headers
})
.then(function(res) {
return res.json();
}).then(function(body) {
console.log(body);
});
package main
import (
"io/ioutil"
"log"
"net/http"
)
func main() {
headers := map[string][]string{
"Accept": []string{"application/json"},
}
req, err := http.NewRequest("GET", "https://api.hackerone.com/v1/reports/{id}/bounty_suggestions", nil)
req.Header = headers
req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
body, _ := ioutil.ReadAll(resp.Body)
log.Println(string(body))
}
bounty suggestions
{
"id": "1337",
"type": "bounty",
"attributes": {
"amount": "500.00",
"bonus_amount": "50.00",
"created_at": "2016-02-02T04:05:06.000Z"
}
}
GET /reports/{id}/bounty_suggestions
This API endpoint allows a user to retrieve a list of bounty suggestions for a report.
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| id | path | integer | true | The ID of the report. |
Create bounty suggestion
Code samples
# You can also use wget
curl "https://api.hackerone.com/v1/reports/{id}/bounty_suggestions" \
-X POST \
-u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
-H 'Content-Type: application/json' \
-H 'Accept: application/json' \
-d @- <<EOD
{
"data": {
"message": "string",
"amount": 0,
"bonus_amount": 0
}
}
EOD
import requests
headers = {
'Content-Type': 'application/json',
'Accept': 'application/json'
}
data = {
"data": {
"message": "string",
"amount": 0,
"bonus_amount": 0
}
}
r = requests.post(
'https://api.hackerone.com/v1/reports/{id}/bounty_suggestions',
auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
json = data,
headers = headers
)
print(r.json())
require 'rest-client'
require 'json'
headers = {
'Content-Type' => 'application/json',
'Accept' => 'application/json'
}
data = {
"data": {
"message": "string",
"amount": 0,
"bonus_amount": 0
}
}
result = RestClient::Request.execute(
method: :post,
url: 'https://api.hackerone.com/v1/reports/{id}/bounty_suggestions',
password: '<YOUR_API_TOKEN>',
user: '<YOUR_API_USERNAME>',
payload: data,
headers: headers
)
p JSON.parse(result)
URL obj = new URL("https://api.hackerone.com/v1/reports/{id}/bounty_suggestions");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);
con.setRequestMethod("POST");
con.setRequestProperty("Content-Type", "application/json; utf-8");
con.setRequestProperty("Accept", "application/json");
con.setDoOutput(true);
String jsonInputString = "{\n \"data\": {\n \"message\": \"string\",\n \"amount\": 0,\n \"bonus_amount\": 0\n }\n}";
try(OutputStream os = con.getOutputStream()) {
byte[] input = jsonInputString.getBytes("utf-8");
os.write(input, 0, input.length);
}
try(BufferedReader br = new BufferedReader(
new InputStreamReader(con.getInputStream(), "utf-8"))) {
StringBuilder response = new StringBuilder();
String responseLine = null;
while ((responseLine = br.readLine()) != null) {
response.append(responseLine.trim());
}
System.out.println(response.toString());
}
let inputBody = "{\n \"data\": {\n \"message\": \"string\",\n \"amount\": 0,\n \"bonus_amount\": 0\n }\n}";
let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
headers.set('Content-Type', 'application/json'); headers.set('Accept', 'application/json');
fetch('https://api.hackerone.com/v1/reports/{id}/bounty_suggestions',
{
method: 'POST',
body: inputBody,
headers: headers
})
.then(function(res) {
return res.json();
}).then(function(body) {
console.log(body);
});
package main
import (
"bytes"
"io/ioutil"
"log"
"net/http"
)
func main() {
headers := map[string][]string{
"Content-Type": []string{"application/json"},
"Accept": []string{"application/json"},
}
data := bytes.NewBuffer([]byte(`"{\n \"data\": {\n \"message\": \"string\",\n \"amount\": 0,\n \"bonus_amount\": 0\n }\n}"`))
req, err := http.NewRequest("POST", "https://api.hackerone.com/v1/reports/{id}/bounty_suggestions", data)
req.Header = headers
req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
body, _ := ioutil.ReadAll(resp.Body)
log.Println(string(body))
}
bounty suggestion created
{
"id": "1337",
"type": "activity-bounty-suggested",
"attributes": {
"message": "Bounty Suggested!",
"created_at": "2016-02-02T04:05:06.000Z",
"updated_at": "2016-02-02T04:05:06.000Z",
"internal": true,
"bounty_amount": "500",
"bonus_amount": "50"
},
"relationships": {
"actor": {
"data": {
"id": "1337",
"type": "user",
"attributes": {
"username": "api-example",
"name": "API Example",
"disabled": false,
"created_at": "2016-02-02T04:05:06.000Z",
"profile_picture": {
"62x62": "/assets/avatars/default.png",
"82x82": "/assets/avatars/default.png",
"110x110": "/assets/avatars/default.png",
"260x260": "/assets/avatars/default.png"
}
}
}
}
}
}
POST /reports/{id}/bounty_suggestions
You can use this endpoint to suggest bounties to the provided report.
Required permissions: Reward Management or Report Management. You can manage the permissions of your API users through your organization's settings. Insufficient permissions will result in a 404 Not Found response.
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| id | path | integer | true | The ID of the report. |
| data | body | object | true | none |
| » message | body | string | true | (Always required) The internal message posted on the report. Only viewable by team members. |
| » amount | body | integer | false | The suggested bounty award to award the reporter. Only amount or bonus amount is required. It must be a positive number, and, when provided, must be equal to or greater than your minimum amount. |
| » bonus_amount | body | integer | false | The suggested bonus amount to award to the reporter. Only amount or bonus amount is required. It must be a positive number. |
Close Comments
Code samples
# You can also use wget
curl "https://api.hackerone.com/v1/reports/{id}/close_comments" \
-X PUT \
-u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
-H 'Content-Type: application/json' \
-H 'Accept: application/json' \
-d @- <<EOD
{
"data": {
"type": "activity-comments-closed"
}
}
EOD
import requests
headers = {
'Content-Type': 'application/json',
'Accept': 'application/json'
}
data = {
"data": {
"type": "activity-comments-closed"
}
}
r = requests.put(
'https://api.hackerone.com/v1/reports/{id}/close_comments',
auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
json = data,
headers = headers
)
print(r.json())
require 'rest-client'
require 'json'
headers = {
'Content-Type' => 'application/json',
'Accept' => 'application/json'
}
data = {
"data": {
"type": "activity-comments-closed"
}
}
result = RestClient::Request.execute(
method: :put,
url: 'https://api.hackerone.com/v1/reports/{id}/close_comments',
password: '<YOUR_API_TOKEN>',
user: '<YOUR_API_USERNAME>',
payload: data,
headers: headers
)
p JSON.parse(result)
URL obj = new URL("https://api.hackerone.com/v1/reports/{id}/close_comments");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);
con.setRequestMethod("PUT");
con.setRequestProperty("Content-Type", "application/json; utf-8");
con.setRequestProperty("Accept", "application/json");
con.setDoOutput(true);
String jsonInputString = "{\n \"data\": {\n \"type\": \"activity-comments-closed\"\n }\n}";
try(OutputStream os = con.getOutputStream()) {
byte[] input = jsonInputString.getBytes("utf-8");
os.write(input, 0, input.length);
}
try(BufferedReader br = new BufferedReader(
new InputStreamReader(con.getInputStream(), "utf-8"))) {
StringBuilder response = new StringBuilder();
String responseLine = null;
while ((responseLine = br.readLine()) != null) {
response.append(responseLine.trim());
}
System.out.println(response.toString());
}
let inputBody = "{\n \"data\": {\n \"type\": \"activity-comments-closed\"\n }\n}";
let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
headers.set('Content-Type', 'application/json'); headers.set('Accept', 'application/json');
fetch('https://api.hackerone.com/v1/reports/{id}/close_comments',
{
method: 'PUT',
body: inputBody,
headers: headers
})
.then(function(res) {
return res.json();
}).then(function(body) {
console.log(body);
});
package main
import (
"bytes"
"io/ioutil"
"log"
"net/http"
)
func main() {
headers := map[string][]string{
"Content-Type": []string{"application/json"},
"Accept": []string{"application/json"},
}
data := bytes.NewBuffer([]byte(`"{\n \"data\": {\n \"type\": \"activity-comments-closed\"\n }\n}"`))
req, err := http.NewRequest("PUT", "https://api.hackerone.com/v1/reports/{id}/close_comments", data)
req.Header = headers
req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
body, _ := ioutil.ReadAll(resp.Body)
log.Println(string(body))
}
comments closed
{
"id": "1337",
"type": "activity-comments-closed",
"attributes": {
"message": "Comments Closed!",
"created_at": "2016-02-02T04:05:06.000Z",
"updated_at": "2016-02-02T04:05:06.000Z",
"internal": false
},
"relationships": {
"actor": {
"data": {
"id": "1337",
"type": "user",
"attributes": {
"username": "api-example",
"name": "API Example",
"disabled": false,
"created_at": "2016-02-02T04:05:06.000Z",
"profile_picture": {
"62x62": "/assets/avatars/default.png",
"82x82": "/assets/avatars/default.png",
"110x110": "/assets/avatars/default.png",
"260x260": "/assets/avatars/default.png"
}
}
}
}
}
}
PUT /reports/{id}/close_comments
You can use this endpoint to lock the report and the report can only be locked once. This API endpoint cannot be used for reports that have been reported outside of the HackerOne platform or reported to other teams.
Required permissions: Report Management. You can manage the permissions of your API users through your organization's settings. Insufficient permissions will result in a 403 Forbidden response.
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| id | path | integer | true | The ID of the report. |
| data | body | object | true | The information to lock the report. |
| » type | body | string | true | none |
Enumerated Values
| Parameter | Value |
|---|---|
| » type | activity-comments-closed |
Manage Custom Field Values
Code samples
# You can also use wget
curl "https://api.hackerone.com/v1/reports/{id}/custom_field_values" \
-X POST \
-u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
-H 'Content-Type: application/json' \
-H 'Accept: application/json' \
-d @- <<EOD
{
"data": {
"attributes": {
"custom_field_attribute_id": 0,
"value": "string"
}
}
}
EOD
import requests
headers = {
'Content-Type': 'application/json',
'Accept': 'application/json'
}
data = {
"data": {
"attributes": {
"custom_field_attribute_id": 0,
"value": "string"
}
}
}
r = requests.post(
'https://api.hackerone.com/v1/reports/{id}/custom_field_values',
auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
json = data,
headers = headers
)
print(r.json())
require 'rest-client'
require 'json'
headers = {
'Content-Type' => 'application/json',
'Accept' => 'application/json'
}
data = {
"data": {
"attributes": {
"custom_field_attribute_id": 0,
"value": "string"
}
}
}
result = RestClient::Request.execute(
method: :post,
url: 'https://api.hackerone.com/v1/reports/{id}/custom_field_values',
password: '<YOUR_API_TOKEN>',
user: '<YOUR_API_USERNAME>',
payload: data,
headers: headers
)
p JSON.parse(result)
URL obj = new URL("https://api.hackerone.com/v1/reports/{id}/custom_field_values");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);
con.setRequestMethod("POST");
con.setRequestProperty("Content-Type", "application/json; utf-8");
con.setRequestProperty("Accept", "application/json");
con.setDoOutput(true);
String jsonInputString = "{\n \"data\": {\n \"attributes\": {\n \"custom_field_attribute_id\": 0,\n \"value\": \"string\"\n }\n }\n}";
try(OutputStream os = con.getOutputStream()) {
byte[] input = jsonInputString.getBytes("utf-8");
os.write(input, 0, input.length);
}
try(BufferedReader br = new BufferedReader(
new InputStreamReader(con.getInputStream(), "utf-8"))) {
StringBuilder response = new StringBuilder();
String responseLine = null;
while ((responseLine = br.readLine()) != null) {
response.append(responseLine.trim());
}
System.out.println(response.toString());
}
let inputBody = "{\n \"data\": {\n \"attributes\": {\n \"custom_field_attribute_id\": 0,\n \"value\": \"string\"\n }\n }\n}";
let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
headers.set('Content-Type', 'application/json'); headers.set('Accept', 'application/json');
fetch('https://api.hackerone.com/v1/reports/{id}/custom_field_values',
{
method: 'POST',
body: inputBody,
headers: headers
})
.then(function(res) {
return res.json();
}).then(function(body) {
console.log(body);
});
package main
import (
"bytes"
"io/ioutil"
"log"
"net/http"
)
func main() {
headers := map[string][]string{
"Content-Type": []string{"application/json"},
"Accept": []string{"application/json"},
}
data := bytes.NewBuffer([]byte(`"{\n \"data\": {\n \"attributes\": {\n \"custom_field_attribute_id\": 0,\n \"value\": \"string\"\n }\n }\n}"`))
req, err := http.NewRequest("POST", "https://api.hackerone.com/v1/reports/{id}/custom_field_values", data)
req.Header = headers
req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
body, _ := ioutil.ReadAll(resp.Body)
log.Println(string(body))
}
Custom field updated
{
"id": "1337",
"type": "custom-field-value",
"attributes": {
"value": "Infrastructure",
"created_at": "2016-02-02T04:05:06.000Z",
"updated_at": "2016-02-02T04:05:06.000Z"
},
"relationships": {
"custom_field_attribute": {
"data": {
"id": "287",
"type": "custom-field-attribute",
"attributes": {
"field_type": "List",
"label": "Product Squad",
"internal": false,
"required": false,
"error_message": null,
"helper_text": "Helping you out with this!",
"configuration": "Infrastructure, Frontend, Backend",
"checkbox_text": null,
"regex": null,
"created_at": "2013-01-01T00:00:00.000Z",
"updated_at": "2013-01-01T00:00:00.000Z",
"archived_at": null
}
}
}
}
}
POST /reports/{id}/custom_field_values
You can use this endpoint to create / update the Custom
Field Values of the provided report. If the report already has a
value for the provided Custom Field Attribute ID, the value will
be replaced. To get a list of existing Custom Field Attributes,
see program. This feature is only available to select programs
at this time.
Required permissions: Report Management. You can manage the permissions of your API users through your organization's settings. Insufficient permissions will result in a 403 Forbidden response.
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| id | path | integer | true | The ID of the report. |
| data | body | object | true | The information required to create a Custom Field Value. |
| » attributes | body | object | true | none |
| »» custom_field_attribute_id | body | integer | true | The Custom Field Attribute ID for which a value needs to be set. A complete list of available Custom Field Attribute IDs is exposed on the Program object. |
| »» value | body | string | false | The value that needs to be set for the given Custom Field Attribute. Leave this field empty to remove a Custom Field Attribute from a report. |
Update CVEs
Code samples
# You can also use wget
curl "https://api.hackerone.com/v1/reports/{id}/cves" \
-X PUT \
-u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
-H 'Content-Type: application/json' \
-H 'Accept: application/json' \
-d @- <<EOD
{
"data": {
"type": "report-cves",
"attributes": {
"cve_ids": [
"string"
]
}
}
}
EOD
import requests
headers = {
'Content-Type': 'application/json',
'Accept': 'application/json'
}
data = {
"data": {
"type": "report-cves",
"attributes": {
"cve_ids": [
"string"
]
}
}
}
r = requests.put(
'https://api.hackerone.com/v1/reports/{id}/cves',
auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
json = data,
headers = headers
)
print(r.json())
require 'rest-client'
require 'json'
headers = {
'Content-Type' => 'application/json',
'Accept' => 'application/json'
}
data = {
"data": {
"type": "report-cves",
"attributes": {
"cve_ids": [
"string"
]
}
}
}
result = RestClient::Request.execute(
method: :put,
url: 'https://api.hackerone.com/v1/reports/{id}/cves',
password: '<YOUR_API_TOKEN>',
user: '<YOUR_API_USERNAME>',
payload: data,
headers: headers
)
p JSON.parse(result)
URL obj = new URL("https://api.hackerone.com/v1/reports/{id}/cves");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);
con.setRequestMethod("PUT");
con.setRequestProperty("Content-Type", "application/json; utf-8");
con.setRequestProperty("Accept", "application/json");
con.setDoOutput(true);
String jsonInputString = "{\n \"data\": {\n \"type\": \"report-cves\",\n \"attributes\": {\n \"cve_ids\": [\n \"string\"\n ]\n }\n }\n}";
try(OutputStream os = con.getOutputStream()) {
byte[] input = jsonInputString.getBytes("utf-8");
os.write(input, 0, input.length);
}
try(BufferedReader br = new BufferedReader(
new InputStreamReader(con.getInputStream(), "utf-8"))) {
StringBuilder response = new StringBuilder();
String responseLine = null;
while ((responseLine = br.readLine()) != null) {
response.append(responseLine.trim());
}
System.out.println(response.toString());
}
let inputBody = "{\n \"data\": {\n \"type\": \"report-cves\",\n \"attributes\": {\n \"cve_ids\": [\n \"string\"\n ]\n }\n }\n}";
let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
headers.set('Content-Type', 'application/json'); headers.set('Accept', 'application/json');
fetch('https://api.hackerone.com/v1/reports/{id}/cves',
{
method: 'PUT',
body: inputBody,
headers: headers
})
.then(function(res) {
return res.json();
}).then(function(body) {
console.log(body);
});
package main
import (
"bytes"
"io/ioutil"
"log"
"net/http"
)
func main() {
headers := map[string][]string{
"Content-Type": []string{"application/json"},
"Accept": []string{"application/json"},
}
data := bytes.NewBuffer([]byte(`"{\n \"data\": {\n \"type\": \"report-cves\",\n \"attributes\": {\n \"cve_ids\": [\n \"string\"\n ]\n }\n }\n}"`))
req, err := http.NewRequest("PUT", "https://api.hackerone.com/v1/reports/{id}/cves", data)
req.Header = headers
req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
body, _ := ioutil.ReadAll(resp.Body)
log.Println(string(body))
}
CVE IDs updated
{
"id": "1337",
"type": "report",
"attributes": {
"title": "XSS in login form",
"main_state": "open",
"state": "new",
"created_at": "2024-01-20T14:26:19.286Z",
"submitted_at": "2024-01-20T14:26:19.286Z",
"vulnerability_information": "Vuln information",
"triaged_at": null,
"closed_at": null,
"last_reporter_activity_at": null,
"first_program_activity_at": null,
"last_program_activity_at": null,
"bounty_awarded_at": null,
"swag_awarded_at": null,
"disclosed_at": null,
"reporter_agreed_on_going_public_at": null,
"last_public_activity_at": null,
"last_activity_at": null,
"cve_ids": [
"CVE-2024-21075"
],
"source": null,
"timer_bounty_awarded_elapsed_time": null,
"timer_bounty_awarded_miss_at": null,
"timer_first_program_response_miss_at": null,
"timer_first_program_response_elapsed_time": null,
"timer_report_resolved_miss_at": null,
"timer_report_resolved_elapsed_time": null,
"timer_report_triage_miss_at": null,
"timer_report_triage_elapsed_time": null
},
"relationships": {
"reporter": {
"data": {
"id": "1337",
"type": "user",
"attributes": {
"username": "api-example",
"name": "API Example",
"disabled": false,
"created_at": "2016-02-02T04:05:06.000Z",
"profile_picture": {
"62x62": "/assets/avatars/default.png",
"82x82": "/assets/avatars/default.png",
"110x110": "/assets/avatars/default.png",
"260x260": "/assets/avatars/default.png"
},
"bio": null,
"website": null,
"location": null,
"hackerone_triager": false
}
}
},
"collaborators": {
"data": []
},
"assignee": {
"data": {
"id": "1337",
"type": "user",
"attributes": {
"username": "member",
"name": "Member",
"disabled": false,
"created_at": "2016-02-02T04:05:06.000Z",
"profile_picture": {
"62x62": "/assets/avatars/default.png",
"82x82": "/assets/avatars/default.png",
"110x110": "/assets/avatars/default.png",
"260x260": "/assets/avatars/default.png"
},
"signal": null,
"impact": null,
"reputation": null,
"bio": null,
"website": null,
"location": null,
"hackerone_triager": false
}
}
},
"program": {
"data": {
"id": "1337",
"type": "program",
"attributes": {
"handle": "security",
"created_at": "2016-02-02T04:05:06.000Z",
"updated_at": "2016-02-02T04:05:06.000Z"
}
}
},
"swag": {
"data": []
},
"attachments": {
"data": []
},
"weakness": {
"data": {
"id": "1337",
"type": "weakness",
"attributes": {
"name": "Cross-Site Request Forgery (CSRF)",
"description": "The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.",
"external_id": "cwe-352",
"created_at": "2016-02-02T04:05:06.000Z"
}
}
},
"activities": {
"data": [
{
"type": "activity-cve-id-added",
"id": "445",
"attributes": {
"message": "",
"created_at": "2016-02-02T04:05:06.000Z",
"updated_at": "2016-02-02T04:05:06.000Z",
"internal": false
},
"relationships": {
"actor": {
"data": {
"id": "1337",
"type": "user",
"attributes": {
"username": "member",
"name": "Member",
"disabled": false,
"created_at": "2016-02-02T04:05:06.000Z",
"profile_picture": {
"62x62": "/assets/avatars/default.png",
"82x82": "/assets/avatars/default.png",
"110x110": "/assets/avatars/default.png",
"260x260": "/assets/avatars/default.png"
},
"signal": null,
"impact": null,
"reputation": null,
"bio": null,
"website": null,
"location": null,
"hackerone_triager": false
}
}
}
}
}
]
},
"bounties": {
"data": []
},
"summaries": {
"data": []
},
"inboxes": {
"data": []
},
"custom_field_values": {
"data": []
}
}
}
PUT /reports/{id}/cves
Changing the CVE ids of a report can be done through this endpoint.
This API endpoint cannot be used for reports that have been reported
outside of the HackerOne platform.
Required permissions: Report Management. You can manage the permissions of your API users through your organization's settings. Insufficient permissions will result in a 404 Not Found response.
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| id | path | integer | true | The ID of the report. |
| data | body | object | true | The information to change the CVEs of a report. |
| » type | body | string | true | none |
| » attributes | body | object | true | none |
| »» cve_ids | body | [string] | true | The ID's of the CVEs the report should have. |
Enumerated Values
| Parameter | Value |
|---|---|
| » type | report-cves |
Update Disclosure Request
Code samples
# You can also use wget
curl "https://api.hackerone.com/v1/reports/{id}/disclosure_requests" \
-X POST \
-u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
-H 'Content-Type: application/json' \
-H 'Accept: application/json' \
-d @- <<EOD
{
"data": {
"attributes": {
"substate": "full",
"message": "string"
}
}
}
EOD
import requests
headers = {
'Content-Type': 'application/json',
'Accept': 'application/json'
}
data = {
"data": {
"attributes": {
"substate": "full",
"message": "string"
}
}
}
r = requests.post(
'https://api.hackerone.com/v1/reports/{id}/disclosure_requests',
auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
json = data,
headers = headers
)
print(r.json())
require 'rest-client'
require 'json'
headers = {
'Content-Type' => 'application/json',
'Accept' => 'application/json'
}
data = {
"data": {
"attributes": {
"substate": "full",
"message": "string"
}
}
}
result = RestClient::Request.execute(
method: :post,
url: 'https://api.hackerone.com/v1/reports/{id}/disclosure_requests',
password: '<YOUR_API_TOKEN>',
user: '<YOUR_API_USERNAME>',
payload: data,
headers: headers
)
p JSON.parse(result)
URL obj = new URL("https://api.hackerone.com/v1/reports/{id}/disclosure_requests");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);
con.setRequestMethod("POST");
con.setRequestProperty("Content-Type", "application/json; utf-8");
con.setRequestProperty("Accept", "application/json");
con.setDoOutput(true);
String jsonInputString = "{\n \"data\": {\n \"attributes\": {\n \"substate\": \"full\",\n \"message\": \"string\"\n }\n }\n}";
try(OutputStream os = con.getOutputStream()) {
byte[] input = jsonInputString.getBytes("utf-8");
os.write(input, 0, input.length);
}
try(BufferedReader br = new BufferedReader(
new InputStreamReader(con.getInputStream(), "utf-8"))) {
StringBuilder response = new StringBuilder();
String responseLine = null;
while ((responseLine = br.readLine()) != null) {
response.append(responseLine.trim());
}
System.out.println(response.toString());
}
let inputBody = "{\n \"data\": {\n \"attributes\": {\n \"substate\": \"full\",\n \"message\": \"string\"\n }\n }\n}";
let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
headers.set('Content-Type', 'application/json'); headers.set('Accept', 'application/json');
fetch('https://api.hackerone.com/v1/reports/{id}/disclosure_requests',
{
method: 'POST',
body: inputBody,
headers: headers
})
.then(function(res) {
return res.json();
}).then(function(body) {
console.log(body);
});
package main
import (
"bytes"
"io/ioutil"
"log"
"net/http"
)
func main() {
headers := map[string][]string{
"Content-Type": []string{"application/json"},
"Accept": []string{"application/json"},
}
data := bytes.NewBuffer([]byte(`"{\n \"data\": {\n \"attributes\": {\n \"substate\": \"full\",\n \"message\": \"string\"\n }\n }\n}"`))
req, err := http.NewRequest("POST", "https://api.hackerone.com/v1/reports/{id}/disclosure_requests", data)
req.Header = headers
req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
body, _ := ioutil.ReadAll(resp.Body)
log.Println(string(body))
}
disclosure_request updated
{
"id": "1337",
"type": "activity-agreed-on-going-public",
"attributes": {
"message": "Agreed On Going Public!",
"created_at": "2016-02-02T04:05:06.000Z",
"updated_at": "2016-02-02T04:05:06.000Z",
"internal": false
},
"relationships": {
"actor": {
"data": {
"id": "1337",
"type": "user",
"attributes": {
"username": "api-example",
"name": "API Example",
"disabled": false,
"created_at": "2016-02-02T04:05:06.000Z",
"profile_picture": {
"62x62": "/assets/avatars/default.png",
"82x82": "/assets/avatars/default.png",
"110x110": "/assets/avatars/default.png",
"260x260": "/assets/avatars/default.png"
}
}
}
}
}
}
POST /reports/{id}/disclosure_requests
The program can request disclosure for any closed report.
You can use this endpoint to create the disclosure request for the report which will result in:
The agreement to disclose the report if the reporter has already requested the disclosure. The contents of the report will be made public instantly. The time when the report was disclosed will be returned in the 'disclosed_at' attribute.
The disclosure request if the reporter hasn't requested the disclosure yet. If the reporter doesn't either approve or deny disclosure request from the program, the contents of the report will be auto-disclosed within 30 days. The 'allow_singular_disclosure_at' attribute value will show when the report will be disclosed.
Required permissions: Report Management. You can manage the permissions of your API users through your organization's settings. Insufficient permissions will result in a 403 Forbidden response.
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| id | path | integer | true | The ID of the report. |
| data | body | object | true | This object contains the information about disclosure request. |
| » attributes | body | object | true | none |
| »» substate | body | string | true | Select whether you want to disclose the full report ("full") or a |
| »» message | body | string | false | Additional information |
Detailed descriptions
»» substate: Select whether you want to disclose the full report ("full") or a limited version ("no-content"). Possible values: full, no-content
Enumerated Values
| Parameter | Value |
|---|---|
| »» substate | full |
| »» substate | no-content |
Cancel Disclosure Request
Code samples
# You can also use wget
curl "https://api.hackerone.com/v1/reports/{id}/disclosure_requests" \
-X DELETE \
-u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
-H 'Content-Type: application/json' \
-H 'Accept: application/json' \
-d @- <<EOD
{
"data": {
"attributes": {
"message": "string"
}
}
}
EOD
import requests
headers = {
'Content-Type': 'application/json',
'Accept': 'application/json'
}
data = {
"data": {
"attributes": {
"message": "string"
}
}
}
r = requests.delete(
'https://api.hackerone.com/v1/reports/{id}/disclosure_requests',
auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
json = data,
headers = headers
)
print(r.json())
require 'rest-client'
require 'json'
headers = {
'Content-Type' => 'application/json',
'Accept' => 'application/json'
}
data = {
"data": {
"attributes": {
"message": "string"
}
}
}
result = RestClient::Request.execute(
method: :delete,
url: 'https://api.hackerone.com/v1/reports/{id}/disclosure_requests',
password: '<YOUR_API_TOKEN>',
user: '<YOUR_API_USERNAME>',
payload: data,
headers: headers
)
p JSON.parse(result)
URL obj = new URL("https://api.hackerone.com/v1/reports/{id}/disclosure_requests");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);
con.setRequestMethod("DELETE");
con.setRequestProperty("Content-Type", "application/json; utf-8");
con.setRequestProperty("Accept", "application/json");
con.setDoOutput(true);
String jsonInputString = "{\n \"data\": {\n \"attributes\": {\n \"message\": \"string\"\n }\n }\n}";
try(OutputStream os = con.getOutputStream()) {
byte[] input = jsonInputString.getBytes("utf-8");
os.write(input, 0, input.length);
}
try(BufferedReader br = new BufferedReader(
new InputStreamReader(con.getInputStream(), "utf-8"))) {
StringBuilder response = new StringBuilder();
String responseLine = null;
while ((responseLine = br.readLine()) != null) {
response.append(responseLine.trim());
}
System.out.println(response.toString());
}
let inputBody = "{\n \"data\": {\n \"attributes\": {\n \"message\": \"string\"\n }\n }\n}";
let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
headers.set('Content-Type', 'application/json'); headers.set('Accept', 'application/json');
fetch('https://api.hackerone.com/v1/reports/{id}/disclosure_requests',
{
method: 'DELETE',
body: inputBody,
headers: headers
})
.then(function(res) {
return res.json();
}).then(function(body) {
console.log(body);
});
package main
import (
"bytes"
"io/ioutil"
"log"
"net/http"
)
func main() {
headers := map[string][]string{
"Content-Type": []string{"application/json"},
"Accept": []string{"application/json"},
}
data := bytes.NewBuffer([]byte(`"{\n \"data\": {\n \"attributes\": {\n \"message\": \"string\"\n }\n }\n}"`))
req, err := http.NewRequest("DELETE", "https://api.hackerone.com/v1/reports/{id}/disclosure_requests", data)
req.Header = headers
req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
body, _ := ioutil.ReadAll(resp.Body)
log.Println(string(body))
}
disclosure request cancelled
{
"id": "1337",
"type": "activity-cancelled-disclosure-request",
"attributes": {
"message": "Cancel disclosure 1",
"created_at": "2019-10-23T13:35:35.616Z",
"updated_at": "2019-10-23T13:35:35.616Z",
"internal": false
},
"relationships": {
"actor": {
"data": {
"id": "1337",
"type": "user",
"attributes": {
"username": "api_user",
"name": null,
"disabled": false,
"created_at": "2019-10-14T13:59:49.563Z",
"profile_picture": {
"62x62": "/assets/avatars/default.png",
"82x82": "/assets/avatars/default.png",
"110x110": "/assets/avatars/default.png",
"260x260": "/assets/avatars/default.png"
},
"signal": null,
"impact": null,
"reputation": null,
"bio": null,
"website": null,
"location": null,
"hackerone_triager": false
}
}
}
}
}
DELETE /reports/{id}/disclosure_requests
The program can cancel the disclosure request for the provided report.
Required permissions: Report Management. You can manage the permissions of your API users through your organization's settings. Insufficient permissions will result in a 403 Forbidden response.
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| id | path | integer | true | The ID of the report. |
| data | body | object | true | none |
| » attributes | body | object | false | none |
| »» message | body | string | false | The message that will be posted. |
Update inboxes
Code samples
# You can also use wget
curl "https://api.hackerone.com/v1/reports/{id}/inboxes" \
-X POST \
-u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
-H 'Content-Type: application/json' \
-H 'Accept: application/json' \
-d @- <<EOD
{
"data": {
"organization_inbox_ids": []
}
}
EOD
import requests
headers = {
'Content-Type': 'application/json',
'Accept': 'application/json'
}
data = {
"data": {
"organization_inbox_ids": []
}
}
r = requests.post(
'https://api.hackerone.com/v1/reports/{id}/inboxes',
auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
json = data,
headers = headers
)
print(r.json())
require 'rest-client'
require 'json'
headers = {
'Content-Type' => 'application/json',
'Accept' => 'application/json'
}
data = {
"data": {
"organization_inbox_ids": []
}
}
result = RestClient::Request.execute(
method: :post,
url: 'https://api.hackerone.com/v1/reports/{id}/inboxes',
password: '<YOUR_API_TOKEN>',
user: '<YOUR_API_USERNAME>',
payload: data,
headers: headers
)
p JSON.parse(result)
URL obj = new URL("https://api.hackerone.com/v1/reports/{id}/inboxes");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);
con.setRequestMethod("POST");
con.setRequestProperty("Content-Type", "application/json; utf-8");
con.setRequestProperty("Accept", "application/json");
con.setDoOutput(true);
String jsonInputString = "{\n \"data\": {\n \"organization_inbox_ids\": []\n }\n}";
try(OutputStream os = con.getOutputStream()) {
byte[] input = jsonInputString.getBytes("utf-8");
os.write(input, 0, input.length);
}
try(BufferedReader br = new BufferedReader(
new InputStreamReader(con.getInputStream(), "utf-8"))) {
StringBuilder response = new StringBuilder();
String responseLine = null;
while ((responseLine = br.readLine()) != null) {
response.append(responseLine.trim());
}
System.out.println(response.toString());
}
let inputBody = "{\n \"data\": {\n \"organization_inbox_ids\": []\n }\n}";
let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
headers.set('Content-Type', 'application/json'); headers.set('Accept', 'application/json');
fetch('https://api.hackerone.com/v1/reports/{id}/inboxes',
{
method: 'POST',
body: inputBody,
headers: headers
})
.then(function(res) {
return res.json();
}).then(function(body) {
console.log(body);
});
package main
import (
"bytes"
"io/ioutil"
"log"
"net/http"
)
func main() {
headers := map[string][]string{
"Content-Type": []string{"application/json"},
"Accept": []string{"application/json"},
}
data := bytes.NewBuffer([]byte(`"{\n \"data\": {\n \"organization_inbox_ids\": []\n }\n}"`))
req, err := http.NewRequest("POST", "https://api.hackerone.com/v1/reports/{id}/inboxes", data)
req.Header = headers
req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
body, _ := ioutil.ReadAll(resp.Body)
log.Println(string(body))
}
report updated
{
"id": "1337",
"type": "report",
"attributes": {
"title": "XSS in login form",
"state": "new",
"created_at": "2016-02-02T04:05:06.000Z",
"vulnerability_information": "...",
"triaged_at": null,
"closed_at": null,
"last_reporter_activity_at": null,
"first_program_activity_at": null,
"last_program_activity_at": null,
"bounty_awarded_at": null,
"swag_awarded_at": null,
"disclosed_at": null,
"last_public_activity_at": null,
"last_activity_at": null,
"issue_tracker_reference_url": "https://example.com/reference",
"cve_ids": [],
"source": null,
"reporter_agreed_on_going_public_at": null
},
"relationships": {
"reporter": {
"data": {
"id": "1337",
"type": "user",
"attributes": {
"username": "api-example",
"name": "API Example",
"disabled": false,
"created_at": "2016-02-02T04:05:06.000Z",
"profile_picture": {
"62x62": "/assets/avatars/default.png",
"82x82": "/assets/avatars/default.png",
"110x110": "/assets/avatars/default.png",
"260x260": "/assets/avatars/default.png"
},
"reputation": 7,
"signal": 7,
"impact": 30
}
}
},
"collaborators": {
"data": [
{
"weight": 1,
"user": {
"id": "1337",
"type": "user",
"attributes": {
"username": "api-example",
"name": "API Example",
"disabled": false,
"created_at": "2016-02-02T04:05:06.000Z",
"profile_picture": {
"62x62": "/assets/avatars/default.png",
"82x82": "/assets/avatars/default.png",
"110x110": "/assets/avatars/default.png",
"260x260": "/assets/avatars/default.png"
},
"reputation": 7,
"signal": 7,
"impact": 30
}
}
},
{
"weight": 1,
"user": {
"id": "1338",
"type": "user",
"attributes": {
"username": "api-example 2",
"name": "API Example 2",
"disabled": false,
"created_at": "2016-02-02T04:05:06.000Z",
"profile_picture": {
"62x62": "/assets/avatars/default.png",
"82x82": "/assets/avatars/default.png",
"110x110": "/assets/avatars/default.png",
"260x260": "/assets/avatars/default.png"
},
"reputation": 7,
"signal": 7,
"impact": 30
}
}
}
]
},
"program": {
"data": {
"id": "1337",
"type": "program",
"attributes": {
"handle": "security",
"created_at": "2016-02-02T04:05:06.000Z",
"updated_at": "2016-02-02T04:05:06.000Z"
}
}
},
"swag": {
"data": []
},
"attachments": {
"data": []
},
"weakness": {
"data": {
"id": "1337",
"type": "weakness",
"attributes": {
"name": "Cross-Site Request Forgery (CSRF)",
"description": "The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.",
"external_id": "cwe-352",
"created_at": "2016-02-02T04:05:06.000Z"
}
}
},
"structured_scope": {
"data": {
"id": "287",
"type": "structured-scope",
"attributes": {
"asset_type": "URL",
"asset_identifier": "www.hackerone.com",
"eligible_for_bounty": true,
"eligible_for_submission": true,
"instruction": "This asset does not contain any highly confidential information.",
"max_severity": "critical",
"created_at": "2016-02-02T04:05:06.000Z",
"updated_at": "2016-02-02T04:05:06.000Z",
"reference": "T12345",
"confidentiality_requirement": "medium",
"integrity_requirement": "high",
"availability_requirement": "medium"
}
}
},
"activities": {
"data": []
},
"bounties": {
"data": []
},
"summaries": {
"data": []
}
}
}
POST /reports/{id}/inboxes
You can use this endpoint to update the inboxes
of the provided report. This replaces the custom inboxes of the report.
Note: Reports can only be added and removed from Custom inboxes.
Required permissions: Report Management. You can manage the
permissions of your API users through your organization's settings.
Insufficient permissions will result in a 404 Not Found response.
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| id | path | integer | true | The ID of the report. |
| data | body | object | true | The information required to update the report's inboxes. |
| » organization_inbox_ids | body | array | true | The ID's of the inboxes the report should be in. |
Add participant
Code samples
# You can also use wget
curl "https://api.hackerone.com/v1/reports/{id}/participants" \
-X POST \
-u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
-H 'Content-Type: application/json' \
-H 'Accept: application/json' \
-d @- <<EOD
{
"data": {
"type": "report-participant",
"attributes": {
"email": "string",
"username": "string"
}
}
}
EOD
import requests
headers = {
'Content-Type': 'application/json',
'Accept': 'application/json'
}
data = {
"data": {
"type": "report-participant",
"attributes": {
"email": "string",
"username": "string"
}
}
}
r = requests.post(
'https://api.hackerone.com/v1/reports/{id}/participants',
auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
json = data,
headers = headers
)
print(r.json())
require 'rest-client'
require 'json'
headers = {
'Content-Type' => 'application/json',
'Accept' => 'application/json'
}
data = {
"data": {
"type": "report-participant",
"attributes": {
"email": "string",
"username": "string"
}
}
}
result = RestClient::Request.execute(
method: :post,
url: 'https://api.hackerone.com/v1/reports/{id}/participants',
password: '<YOUR_API_TOKEN>',
user: '<YOUR_API_USERNAME>',
payload: data,
headers: headers
)
p JSON.parse(result)
URL obj = new URL("https://api.hackerone.com/v1/reports/{id}/participants");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);
con.setRequestMethod("POST");
con.setRequestProperty("Content-Type", "application/json; utf-8");
con.setRequestProperty("Accept", "application/json");
con.setDoOutput(true);
String jsonInputString = "{\n \"data\": {\n \"type\": \"report-participant\",\n \"attributes\": {\n \"email\": \"string\",\n \"username\": \"string\"\n }\n }\n}";
try(OutputStream os = con.getOutputStream()) {
byte[] input = jsonInputString.getBytes("utf-8");
os.write(input, 0, input.length);
}
try(BufferedReader br = new BufferedReader(
new InputStreamReader(con.getInputStream(), "utf-8"))) {
StringBuilder response = new StringBuilder();
String responseLine = null;
while ((responseLine = br.readLine()) != null) {
response.append(responseLine.trim());
}
System.out.println(response.toString());
}
let inputBody = "{\n \"data\": {\n \"type\": \"report-participant\",\n \"attributes\": {\n \"email\": \"string\",\n \"username\": \"string\"\n }\n }\n}";
let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
headers.set('Content-Type', 'application/json'); headers.set('Accept', 'application/json');
fetch('https://api.hackerone.com/v1/reports/{id}/participants',
{
method: 'POST',
body: inputBody,
headers: headers
})
.then(function(res) {
return res.json();
}).then(function(body) {
console.log(body);
});
package main
import (
"bytes"
"io/ioutil"
"log"
"net/http"
)
func main() {
headers := map[string][]string{
"Content-Type": []string{"application/json"},
"Accept": []string{"application/json"},
}
data := bytes.NewBuffer([]byte(`"{\n \"data\": {\n \"type\": \"report-participant\",\n \"attributes\": {\n \"email\": \"string\",\n \"username\": \"string\"\n }\n }\n}"`))
req, err := http.NewRequest("POST", "https://api.hackerone.com/v1/reports/{id}/participants", data)
req.Header = headers
req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
body, _ := ioutil.ReadAll(resp.Body)
log.Println(string(body))
}
invitation sent
{
"id": "117",
"type": "report-participant",
"attributes": {
"report_id": "1337",
"created_at": "2016-02-02T04:05:06.000Z",
"updated_at": "2016-02-02T04:05:06.000Z"
}
}
POST /reports/{id}/participants
Participants can be added through this endpoint by an email address or a HackerOne username.
It can be useful to programmatically batch update received reports in HackerOne.
This API endpoint cannot be used for reports that are published and have been reported
outside of the HackerOne platform.
Required permission: Report Management. You can manage the permissions of your API users through your program's settings. Insufficient permissions will result in a 403 Forbidden response.
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| id | path | integer | true | The ID of the report. |
| data | body | object | true | The information to add a participant. |
| » type | body | string | true | none |
| » attributes | body | object | true | none |
| body | string | false | The email address of the participant. Required when username is not provided. | |
| »» username | body | string | false | The HackerOne username of the participant. Required when email address is not provided. |
Enumerated Values
| Parameter | Value |
|---|---|
| » type | report-participant |
Generate PDF
Code samples
# You can also use wget
curl "https://api.hackerone.com/v1/reports/{id}/pdf" \
-X GET \
-u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>"
import requests
r = requests.get(
'https://api.hackerone.com/v1/reports/{id}/pdf',
auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>')
)
print(r.json())
require 'rest-client'
require 'json'
result = RestClient::Request.execute(
method: :get,
url: 'https://api.hackerone.com/v1/reports/{id}/pdf',
password: '<YOUR_API_TOKEN>',
user: '<YOUR_API_USERNAME>'
)
p JSON.parse(result)
URL obj = new URL("https://api.hackerone.com/v1/reports/{id}/pdf");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);
con.setRequestMethod("GET");
try(BufferedReader br = new BufferedReader(
new InputStreamReader(con.getInputStream(), "utf-8"))) {
StringBuilder response = new StringBuilder();
String responseLine = null;
while ((responseLine = br.readLine()) != null) {
response.append(responseLine.trim());
}
System.out.println(response.toString());
}
let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
fetch('https://api.hackerone.com/v1/reports/{id}/pdf',
{
method: 'GET'
headers: headers
})
.then(function(res) {
return res.json();
}).then(function(body) {
console.log(body);
});
package main
import (
"io/ioutil"
"log"
"net/http"
)
func main() {
req, err := http.NewRequest("GET", "https://api.hackerone.com/v1/reports/{id}/pdf", nil)
req.Header = headers
req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
body, _ := ioutil.ReadAll(resp.Body)
log.Println(string(body))
}
GET /reports/{id}/pdf
You can use this endpoint to generate a PDF of a report.
Required permissions: Read only permission for the report. You can manage the permissions of your API users through your organization's settings. Insufficient permissions will result in a 403 Forbidden response.
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| id | path | integer | true | The ID of the report. |
| pdf_type | query | string | false | The type of PDF to generate. Possible values are: "reporter", "full" or "triage". The default value is "reporter". |
Redact report
Code samples
# You can also use wget
curl "https://api.hackerone.com/v1/reports/{id}/redact" \
-X PUT \
-u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
-H 'Content-Type: application/json' \
-H 'Accept: application/json' \
-d @- <<EOD
{
"data": {
"type": "report-redact",
"attributes": {
"string_to_redact": "string"
}
}
}
EOD
import requests
headers = {
'Content-Type': 'application/json',
'Accept': 'application/json'
}
data = {
"data": {
"type": "report-redact",
"attributes": {
"string_to_redact": "string"
}
}
}
r = requests.put(
'https://api.hackerone.com/v1/reports/{id}/redact',
auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
json = data,
headers = headers
)
print(r.json())
require 'rest-client'
require 'json'
headers = {
'Content-Type' => 'application/json',
'Accept' => 'application/json'
}
data = {
"data": {
"type": "report-redact",
"attributes": {
"string_to_redact": "string"
}
}
}
result = RestClient::Request.execute(
method: :put,
url: 'https://api.hackerone.com/v1/reports/{id}/redact',
password: '<YOUR_API_TOKEN>',
user: '<YOUR_API_USERNAME>',
payload: data,
headers: headers
)
p JSON.parse(result)
URL obj = new URL("https://api.hackerone.com/v1/reports/{id}/redact");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);
con.setRequestMethod("PUT");
con.setRequestProperty("Content-Type", "application/json; utf-8");
con.setRequestProperty("Accept", "application/json");
con.setDoOutput(true);
String jsonInputString = "{\n \"data\": {\n \"type\": \"report-redact\",\n \"attributes\": {\n \"string_to_redact\": \"string\"\n }\n }\n}";
try(OutputStream os = con.getOutputStream()) {
byte[] input = jsonInputString.getBytes("utf-8");
os.write(input, 0, input.length);
}
try(BufferedReader br = new BufferedReader(
new InputStreamReader(con.getInputStream(), "utf-8"))) {
StringBuilder response = new StringBuilder();
String responseLine = null;
while ((responseLine = br.readLine()) != null) {
response.append(responseLine.trim());
}
System.out.println(response.toString());
}
let inputBody = "{\n \"data\": {\n \"type\": \"report-redact\",\n \"attributes\": {\n \"string_to_redact\": \"string\"\n }\n }\n}";
let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
headers.set('Content-Type', 'application/json'); headers.set('Accept', 'application/json');
fetch('https://api.hackerone.com/v1/reports/{id}/redact',
{
method: 'PUT',
body: inputBody,
headers: headers
})
.then(function(res) {
return res.json();
}).then(function(body) {
console.log(body);
});
package main
import (
"bytes"
"io/ioutil"
"log"
"net/http"
)
func main() {
headers := map[string][]string{
"Content-Type": []string{"application/json"},
"Accept": []string{"application/json"},
}
data := bytes.NewBuffer([]byte(`"{\n \"data\": {\n \"type\": \"report-redact\",\n \"attributes\": {\n \"string_to_redact\": \"string\"\n }\n }\n}"`))
req, err := http.NewRequest("PUT", "https://api.hackerone.com/v1/reports/{id}/redact", data)
req.Header = headers
req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
body, _ := ioutil.ReadAll(resp.Body)
log.Println(string(body))
}
report redacted
{
"id": "1337",
"type": "report",
"attributes": {
"title": "XSS in login form",
"state": "new",
"created_at": "2016-02-02T04:05:06.000Z",
"vulnerability_information": "...",
"triaged_at": null,
"closed_at": null,
"last_reporter_activity_at": null,
"first_program_activity_at": null,
"last_program_activity_at": null,
"bounty_awarded_at": null,
"swag_awarded_at": null,
"disclosed_at": null,
"last_public_activity_at": null,
"last_activity_at": null,
"issue_tracker_reference_url": "https://example.com/reference",
"cve_ids": [],
"source": null,
"reporter_agreed_on_going_public_at": null
},
"relationships": {
"reporter": {
"data": {
"id": "1337",
"type": "user",
"attributes": {
"username": "api-example",
"name": "API Example",
"disabled": false,
"created_at": "2016-02-02T04:05:06.000Z",
"profile_picture": {
"62x62": "/assets/avatars/default.png",
"82x82": "/assets/avatars/default.png",
"110x110": "/assets/avatars/default.png",
"260x260": "/assets/avatars/default.png"
},
"reputation": 7,
"signal": 7,
"impact": 30
}
}
},
"collaborators": {
"data": [
{
"weight": 1,
"user": {
"id": "1337",
"type": "user",
"attributes": {
"username": "api-example",
"name": "API Example",
"disabled": false,
"created_at": "2016-02-02T04:05:06.000Z",
"profile_picture": {
"62x62": "/assets/avatars/default.png",
"82x82": "/assets/avatars/default.png",
"110x110": "/assets/avatars/default.png",
"260x260": "/assets/avatars/default.png"
},
"reputation": 7,
"signal": 7,
"impact": 30
}
}
},
{
"weight": 1,
"user": {
"id": "1338",
"type": "user",
"attributes": {
"username": "api-example 2",
"name": "API Example 2",
"disabled": false,
"created_at": "2016-02-02T04:05:06.000Z",
"profile_picture": {
"62x62": "/assets/avatars/default.png",
"82x82": "/assets/avatars/default.png",
"110x110": "/assets/avatars/default.png",
"260x260": "/assets/avatars/default.png"
},
"reputation": 7,
"signal": 7,
"impact": 30
}
}
}
]
},
"program": {
"data": {
"id": "1337",
"type": "program",
"attributes": {
"handle": "security",
"created_at": "2016-02-02T04:05:06.000Z",
"updated_at": "2016-02-02T04:05:06.000Z"
}
}
},
"swag": {
"data": []
},
"attachments": {
"data": []
},
"weakness": {
"data": {
"id": "1337",
"type": "weakness",
"attributes": {
"name": "Cross-Site Request Forgery (CSRF)",
"description": "The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.",
"external_id": "cwe-352",
"created_at": "2016-02-02T04:05:06.000Z"
}
}
},
"structured_scope": {
"data": {
"id": "287",
"type": "structured-scope",
"attributes": {
"asset_type": "URL",
"asset_identifier": "www.hackerone.com",
"eligible_for_bounty": true,
"eligible_for_submission": true,
"instruction": "This asset does not contain any highly confidential information.",
"max_severity": "critical",
"created_at": "2016-02-02T04:05:06.000Z",
"updated_at": "2016-02-02T04:05:06.000Z",
"reference": "T12345",
"confidentiality_requirement": "medium",
"integrity_requirement": "high",
"availability_requirement": "medium"
}
}
},
"activities": {
"data": []
},
"bounties": {
"data": []
},
"summaries": {
"data": []
}
}
}
PUT /reports/{id}/redact
Reports can be redacted through this endpoint. It can be useful to programmatically batch
update received reports in HackerOne. This API endpoint cannot be used for reports that
have been reported outside of the HackerOne platform.
Required permissions: Report Management. You can manage the permissions of your API users through your organization's settings. Insufficient permissions will result in a 403 Forbidden response.
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| id | path | integer | true | The ID of the report. |
| data | body | object | true | The information to redact a report. |
| » type | body | string | true | none |
| » attributes | body | object | true | none |
| »» string_to_redact | body | string | true | The content to be redacted from the report. |
Enumerated Values
| Parameter | Value |
|---|---|
| » type | report-redact |
Escalate Report
Code samples
# You can also use wget
curl "https://api.hackerone.com/v1/reports/{id}/escalate" \
-X POST \
-u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
-H 'Content-Type: application/json' \
-H 'Accept: application/json' \
-d @- <<EOD
{
"data": {
"attributes": {
"integration_id": "string"
}
}
}
EOD
import requests
headers = {
'Content-Type': 'application/json',
'Accept': 'application/json'
}
data = {
"data": {
"attributes": {
"integration_id": "string"
}
}
}
r = requests.post(
'https://api.hackerone.com/v1/reports/{id}/escalate',
auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
json = data,
headers = headers
)
print(r.json())
require 'rest-client'
require 'json'
headers = {
'Content-Type' => 'application/json',
'Accept' => 'application/json'
}
data = {
"data": {
"attributes": {
"integration_id": "string"
}
}
}
result = RestClient::Request.execute(
method: :post,
url: 'https://api.hackerone.com/v1/reports/{id}/escalate',
password: '<YOUR_API_TOKEN>',
user: '<YOUR_API_USERNAME>',
payload: data,
headers: headers
)
p JSON.parse(result)
URL obj = new URL("https://api.hackerone.com/v1/reports/{id}/escalate");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);
con.setRequestMethod("POST");
con.setRequestProperty("Content-Type", "application/json; utf-8");
con.setRequestProperty("Accept", "application/json");
con.setDoOutput(true);
String jsonInputString = "{\n \"data\": {\n \"attributes\": {\n \"integration_id\": \"string\"\n }\n }\n}";
try(OutputStream os = con.getOutputStream()) {
byte[] input = jsonInputString.getBytes("utf-8");
os.write(input, 0, input.length);
}
try(BufferedReader br = new BufferedReader(
new InputStreamReader(con.getInputStream(), "utf-8"))) {
StringBuilder response = new StringBuilder();
String responseLine = null;
while ((responseLine = br.readLine()) != null) {
response.append(responseLine.trim());
}
System.out.println(response.toString());
}
let inputBody = "{\n \"data\": {\n \"attributes\": {\n \"integration_id\": \"string\"\n }\n }\n}";
let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
headers.set('Content-Type', 'application/json'); headers.set('Accept', 'application/json');
fetch('https://api.hackerone.com/v1/reports/{id}/escalate',
{
method: 'POST',
body: inputBody,
headers: headers
})
.then(function(res) {
return res.json();
}).then(function(body) {
console.log(body);
});
package main
import (
"bytes"
"io/ioutil"
"log"
"net/http"
)
func main() {
headers := map[string][]string{
"Content-Type": []string{"application/json"},
"Accept": []string{"application/json"},
}
data := bytes.NewBuffer([]byte(`"{\n \"data\": {\n \"attributes\": {\n \"integration_id\": \"string\"\n }\n }\n}"`))
req, err := http.NewRequest("POST", "https://api.hackerone.com/v1/reports/{id}/escalate", data)
req.Header = headers
req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
body, _ := ioutil.ReadAll(resp.Body)
log.Println(string(body))
}
report escalated
{
"data": {
"id": "1337",
"type": "report",
"attributes": {
"title": "XSS in login form",
"state": "new",
"created_at": "2016-02-02T04:05:06.000Z",
"vulnerability_information": "...",
"triaged_at": null,
"closed_at": null,
"last_reporter_activity_at": null,
"first_program_activity_at": null,
"last_program_activity_at": null,
"bounty_awarded_at": null,
"swag_awarded_at": null,
"disclosed_at": null,
"source": null
},
"relationships": {
"reporter": {
"data": {
"id": "1337",
"type": "user",
"attributes": {
"username": "api-example",
"name": "API Example",
"disabled": false,
"created_at": "2016-02-02T04:05:06.000Z",
"profile_picture": {
"62x62": "/assets/avatars/default.png",
"82x82": "/assets/avatars/default.png",
"110x110": "/assets/avatars/default.png",
"260x260": "/assets/avatars/default.png"
}
}
}
},
"collaborators": {
"data": [
{
"weight": 1,
"user": {
"id": "1337",
"type": "user",
"attributes": {
"username": "api-example",
"name": "API Example",
"disabled": false,
"created_at": "2016-02-02T04:05:06.000Z",
"profile_picture": {
"62x62": "/assets/avatars/default.png",
"82x82": "/assets/avatars/default.png",
"110x110": "/assets/avatars/default.png",
"260x260": "/assets/avatars/default.png"
},
"reputation": 7,
"signal": 7,
"impact": 30
}
}
},
{
"weight": 1,
"user": {
"id": "1338",
"type": "user",
"attributes": {
"username": "api-example 2",
"name": "API Example 2",
"disabled": false,
"created_at": "2016-02-02T04:05:06.000Z",
"profile_picture": {
"62x62": "/assets/avatars/default.png",
"82x82": "/assets/avatars/default.png",
"110x110": "/assets/avatars/default.png",
"260x260": "/assets/avatars/default.png"
},
"reputation": 7,
"signal": 7,
"impact": 30
}
}
}
]
},
"assignee": {
"data": {
"id": "1337",
"type": "user",
"attributes": {
"username": "member",
"name": "Member",
"disabled": false,
"created_at": "2016-02-02T04:05:06.000Z",
"profile_picture": {
"62x62": "/assets/avatars/default.png",
"82x82": "/assets/avatars/default.png",
"110x110": "/assets/avatars/default.png",
"260x260": "/assets/avatars/default.png"
}
}
}
},
"program": {
"data": {
"id": "1337",
"type": "program",
"attributes": {
"handle": "security",
"created_at": "2016-02-02T04:05:06.000Z",
"updated_at": "2016-02-02T04:05:06.000Z"
}
}
},
"severity": {
"data": {
"id": "57",
"type": "severity",
"attributes": {
"rating": "high",
"author_type": "User",
"user_id": 1337,
"created_at": "2016-02-02T04:05:06.000Z",
"score": 8.7,
"attack_complexity": "low",
"attack_vector": "adjacent",
"availability": "high",
"confidentiality": "low",
"integrity": "high",
"privileges_required": "low",
"user_interaction": "required",
"scope": "changed"
}
}
},
"swag": {
"data": []
},
"attachments": {
"data": []
},
"weakness": {
"data": {
"id": "1337",
"type": "weakness",
"attributes": {
"name": "Cross-Site Request Forgery (CSRF)",
"description": "The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.",
"external_id": "cwe-352",
"created_at": "2016-02-02T04:05:06.000Z"
}
}
},
"structured_scope": {
"data": {
"id": "57",
"type": "structured-scope",
"attributes": {
"asset_identifier": "api.example.com",
"asset_type": "url",
"confidentiality_requirement": "high",
"integrity_requirement": "high",
"availability_requirement": "high",
"max_severity": "critical",
"created_at": "2015-02-02T04:05:06.000Z",
"updated_at": "2016-05-02T04:05:06.000Z",
"instruction": null,
"eligible_for_bounty": true,
"eligible_for_submission": true,
"reference": "H001001"
}
}
},
"activities": {
"data": [
{
"type": "activity-comment",
"id": "445",
"attributes": {
"message": "Comment!",
"created_at": "2016-02-02T04:05:06.000Z",
"updated_at": "2016-02-02T04:05:06.000Z",
"internal": false
},
"relationships": {
"actor": {
"data": {
"id": "1337",
"type": "user",
"attributes": {
"username": "api-example",
"name": "API Example",
"disabled": false,
"created_at": "2016-02-02T04:05:06.000Z",
"profile_picture": {
"62x62": "/assets/avatars/default.png",
"82x82": "/assets/avatars/default.png",
"110x110": "/assets/avatars/default.png",
"260x260": "/assets/avatars/default.png"
},
"signal": null,
"impact": null,
"reputation": null,
"bio": null,
"website": null,
"location": null,
"hackerone_triager": false
}
}
},
"attachments": {
"data": [
{
"id": "1337",
"type": "attachment",
"attributes": {
"expiring_url": "/system/attachments/files/000/001/337/original/root.rb?1454385906",
"created_at": "2016-02-02T04:05:06.000Z",
"file_name": "root.rb",
"content_type": "text/x-ruby",
"file_size": 2871
}
}
]
}
}
},
{
"id": "1337",
"type": "activity-bug-resolved",
"attributes": {
"message": "Bug Resolved!",
"created_at": "2016-02-02T04:05:06.000Z",
"updated_at": "2016-02-02T04:05:06.000Z",
"internal": false
},
"relationships": {
"actor": {
"data": {
"id": "1337",
"type": "user",
"attributes": {
"username": "api-example",
"name": "API Example",
"disabled": false,
"created_at": "2016-02-02T04:05:06.000Z",
"profile_picture": {
"62x62": "/assets/avatars/default.png",
"82x82": "/assets/avatars/default.png",
"110x110": "/assets/avatars/default.png",
"260x260": "/assets/avatars/default.png"
}
}
}
}
}
}
]
},
"bounties": {
"data": []
},
"summaries": {
"data": []
},
"inboxes": {
"data": [
{
"id": "13",
"type": "inbox",
"attributes": {
"name": "HackerOne",
"type": "default"
}
},
{
"id": "65",
"type": "inbox",
"attributes": {
"name": "Custom Inbox number one",
"type": "custom"
}
}
]
},
"triggered_pre_submission_trigger": {
"data": {
"id": "1337",
"type": "trigger",
"attributes": {
"title": "Example Trigger"
}
}
},
"custom_field_values": {
"data": []
},
"automated_remediation_guidance": {
"data": {
"id": "1",
"type": "automated-remediation-guidance",
"attributes": {
"reference": "https://cwe.mitre.org/data/definitions/120.html",
"created_at": "2020-10-23T12:09:37.859Z"
}
}
},
"custom_remediation_guidance": {
"data": {
"id": "84",
"type": "custom-remediation-guidance",
"attributes": {
"message": "Check buffer boundaries if accessing the buffer in a loop and make sure you are not in danger of writing past the allocated space.",
"created_at": "2020-10-26T08:47:23.296Z"
},
"relationships": {
"author": {
"data": {
"id": "1338",
"type": "user",
"attributes": {
"username": "api-example-2",
"name": "API Example 2",
"disabled": false,
"created_at": "2020-10-22T011:22:05.402Z",
"profile_picture": {
"62x62": "/assets/avatars/default.png",
"82x82": "/assets/avatars/default.png",
"110x110": "/assets/avatars/default.png",
"260x260": "/assets/avatars/default.png"
}
}
}
}
}
}
}
}
}
}
POST /reports/{id}/escalate
You can use this endpoint to send a report to the selected issue tracker. THe integration_id can be found through the get program integrations endpoint.
Required permission: Report Management. You can manage the permissions of your API users through your program's settings. Insufficient permissions will result in a 403 Forbidden response.
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| id | path | integer | true | The ID of the report. |
| data | body | object | true | The information for escalating report. |
| » attributes | body | object | true | none |
| »» integration_id | body | string | true | The ID of the integration instance. Required for escalating the report. |
Remove Escalation
Code samples
# You can also use wget
curl "https://api.hackerone.com/v1/reports/{report_id}/escalate" \
-X DELETE \
-u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
-H 'Accept: application/json'
import requests
headers = {
'Accept': 'application/json'
}
r = requests.delete(
'https://api.hackerone.com/v1/reports/{report_id}/escalate',
auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
headers = headers
)
print(r.json())
require 'rest-client'
require 'json'
headers = {
'Accept' => 'application/json'
}
result = RestClient::Request.execute(
method: :delete,
url: 'https://api.hackerone.com/v1/reports/{report_id}/escalate',
password: '<YOUR_API_TOKEN>',
user: '<YOUR_API_USERNAME>',
headers: headers
)
p JSON.parse(result)
URL obj = new URL("https://api.hackerone.com/v1/reports/{report_id}/escalate");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);
con.setRequestMethod("DELETE");
try(BufferedReader br = new BufferedReader(
new InputStreamReader(con.getInputStream(), "utf-8"))) {
StringBuilder response = new StringBuilder();
String responseLine = null;
while ((responseLine = br.readLine()) != null) {
response.append(responseLine.trim());
}
System.out.println(response.toString());
}
let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
headers.set('Accept', 'application/json');
fetch('https://api.hackerone.com/v1/reports/{report_id}/escalate',
{
method: 'DELETE',
headers: headers
})
.then(function(res) {
return res.json();
}).then(function(body) {
console.log(body);
});
package main
import (
"io/ioutil"
"log"
"net/http"
)
func main() {
headers := map[string][]string{
"Accept": []string{"application/json"},
}
req, err := http.NewRequest("DELETE", "https://api.hackerone.com/v1/reports/{report_id}/escalate", nil)
req.Header = headers
req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
body, _ := ioutil.ReadAll(resp.Body)
log.Println(string(body))
}
escalation successfully removed from report
{
"data": {
"id": "1337",
"type": "report",
"attributes": {
"title": "XSS in login form",
"state": "new",
"created_at": "2016-02-02T04:05:06.000Z",
"vulnerability_information": "...",
"triaged_at": null,
"closed_at": null,
"last_reporter_activity_at": null,
"first_program_activity_at": null,
"last_program_activity_at": null,
"bounty_awarded_at": null,
"swag_awarded_at": null,
"disclosed_at": null,
"source": null
},
"relationships": {
"reporter": {
"data": {
"id": "1337",
"type": "user",
"attributes": {
"username": "api-example",
"name": "API Example",
"disabled": false,
"created_at": "2016-02-02T04:05:06.000Z",
"profile_picture": {
"62x62": "/assets/avatars/default.png",
"82x82": "/assets/avatars/default.png",
"110x110": "/assets/avatars/default.png",
"260x260": "/assets/avatars/default.png"
}
}
}
},
"collaborators": {
"data": [
{
"weight": 1,
"user": {
"id": "1337",
"type": "user",
"attributes": {
"username": "api-example",
"name": "API Example",
"disabled": false,
"created_at": "2016-02-02T04:05:06.000Z",
"profile_picture": {
"62x62": "/assets/avatars/default.png",
"82x82": "/assets/avatars/default.png",
"110x110": "/assets/avatars/default.png",
"260x260": "/assets/avatars/default.png"
},
"reputation": 7,
"signal": 7,
"impact": 30
}
}
},
{
"weight": 1,
"user": {
"id": "1338",
"type": "user",
"attributes": {
"username": "api-example 2",
"name": "API Example 2",
"disabled": false,
"created_at": "2016-02-02T04:05:06.000Z",
"profile_picture": {
"62x62": "/assets/avatars/default.png",
"82x82": "/assets/avatars/default.png",
"110x110": "/assets/avatars/default.png",
"260x260": "/assets/avatars/default.png"
},
"reputation": 7,
"signal": 7,
"impact": 30
}
}
}
]
},
"assignee": {
"data": {
"id": "1337",
"type": "user",
"attributes": {
"username": "member",
"name": "Member",
"disabled": false,
"created_at": "2016-02-02T04:05:06.000Z",
"profile_picture": {
"62x62": "/assets/avatars/default.png",
"82x82": "/assets/avatars/default.png",
"110x110": "/assets/avatars/default.png",
"260x260": "/assets/avatars/default.png"
}
}
}
},
"program": {
"data": {
"id": "1337",
"type": "program",
"attributes": {
"handle": "security",
"created_at": "2016-02-02T04:05:06.000Z",
"updated_at": "2016-02-02T04:05:06.000Z"
}
}
},
"severity": {
"data": {
"id": "57",
"type": "severity",
"attributes": {
"rating": "high",
"author_type": "User",
"user_id": 1337,
"created_at": "2016-02-02T04:05:06.000Z",
"score": 8.7,
"attack_complexity": "low",
"attack_vector": "adjacent",
"availability": "high",
"confidentiality": "low",
"integrity": "high",
"privileges_required": "low",
"user_interaction": "required",
"scope": "changed"
}
}
},
"swag": {
"data": []
},
"attachments": {
"data": []
},
"weakness": {
"data": {
"id": "1337",
"type": "weakness",
"attributes": {
"name": "Cross-Site Request Forgery (CSRF)",
"description": "The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.",
"external_id": "cwe-352",
"created_at": "2016-02-02T04:05:06.000Z"
}
}
},
"structured_scope": {
"data": {
"id": "57",
"type": "structured-scope",
"attributes": {
"asset_identifier": "api.example.com",
"asset_type": "url",
"confidentiality_requirement": "high",
"integrity_requirement": "high",
"availability_requirement": "high",
"max_severity": "critical",
"created_at": "2015-02-02T04:05:06.000Z",
"updated_at": "2016-05-02T04:05:06.000Z",
"instruction": null,
"eligible_for_bounty": true,
"eligible_for_submission": true,
"reference": "H001001"
}
}
},
"activities": {
"data": [
{
"type": "activity-comment",
"id": "445",
"attributes": {
"message": "Comment!",
"created_at": "2016-02-02T04:05:06.000Z",
"updated_at": "2016-02-02T04:05:06.000Z",
"internal": false
},
"relationships": {
"actor": {
"data": {
"id": "1337",
"type": "user",
"attributes": {
"username": "api-example",
"name": "API Example",
"disabled": false,
"created_at": "2016-02-02T04:05:06.000Z",
"profile_picture": {
"62x62": "/assets/avatars/default.png",
"82x82": "/assets/avatars/default.png",
"110x110": "/assets/avatars/default.png",
"260x260": "/assets/avatars/default.png"
},
"signal": null,
"impact": null,
"reputation": null,
"bio": null,
"website": null,
"location": null,
"hackerone_triager": false
}
}
},
"attachments": {
"data": [
{
"id": "1337",
"type": "attachment",
"attributes": {
"expiring_url": "/system/attachments/files/000/001/337/original/root.rb?1454385906",
"created_at": "2016-02-02T04:05:06.000Z",
"file_name": "root.rb",
"content_type": "text/x-ruby",
"file_size": 2871
}
}
]
}
}
},
{
"id": "1337",
"type": "activity-bug-resolved",
"attributes": {
"message": "Bug Resolved!",
"created_at": "2016-02-02T04:05:06.000Z",
"updated_at": "2016-02-02T04:05:06.000Z",
"internal": false
},
"relationships": {
"actor": {
"data": {
"id": "1337",
"type": "user",
"attributes": {
"username": "api-example",
"name": "API Example",
"disabled": false,
"created_at": "2016-02-02T04:05:06.000Z",
"profile_picture": {
"62x62": "/assets/avatars/default.png",
"82x82": "/assets/avatars/default.png",
"110x110": "/assets/avatars/default.png",
"260x260": "/assets/avatars/default.png"
}
}
}
}
}
}
]
},
"bounties": {
"data": []
},
"summaries": {
"data": []
},
"inboxes": {
"data": [
{
"id": "13",
"type": "inbox",
"attributes": {
"name": "HackerOne",
"type": "default"
}
},
{
"id": "65",
"type": "inbox",
"attributes": {
"name": "Custom Inbox number one",
"type": "custom"
}
}
]
},
"triggered_pre_submission_trigger": {
"data": {
"id": "1337",
"type": "trigger",
"attributes": {
"title": "Example Trigger"
}
}
},
"custom_field_values": {
"data": []
},
"automated_remediation_guidance": {
"data": {
"id": "1",
"type": "automated-remediation-guidance",
"attributes": {
"reference": "https://cwe.mitre.org/data/definitions/120.html",
"created_at": "2020-10-23T12:09:37.859Z"
}
}
},
"custom_remediation_guidance": {
"data": {
"id": "84",
"type": "custom-remediation-guidance",
"attributes": {
"message": "Check buffer boundaries if accessing the buffer in a loop and make sure you are not in danger of writing past the allocated space.",
"created_at": "2020-10-26T08:47:23.296Z"
},
"relationships": {
"author": {
"data": {
"id": "1338",
"type": "user",
"attributes": {
"username": "api-example-2",
"name": "API Example 2",
"disabled": false,
"created_at": "2020-10-22T011:22:05.402Z",
"profile_picture": {
"62x62": "/assets/avatars/default.png",
"82x82": "/assets/avatars/default.png",
"110x110": "/assets/avatars/default.png",
"260x260": "/assets/avatars/default.png"
}
}
}
}
}
}
}
}
}
}
DELETE /reports/{report_id}/escalate
This API endpoint can be used to remove an escalation from a report. When the request is successful, the API will respond with a success message.
Required permission: Report Management. You can manage the permissions of your API users through your program's settings. Insufficient permissions will result in a 403 Forbidden response.
Trying to remove an escalation with an invalid report ID or without proper authorization will return appropriate error messages.
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| report_id | path | integer | true | The ID of the report. |
Request Retest
Code samples
# You can also use wget
curl "https://api.hackerone.com/v1/reports/{id}/retests" \
-X POST \
-u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
-H 'Content-Type: application/json' \
-H 'Accept: application/json' \
-d @- <<EOD
{
"data": {
"type": "retest",
"attributes": {
"message": "string",
"retest_award_amount": null
}
}
}
EOD
import requests
headers = {
'Content-Type': 'application/json',
'Accept': 'application/json'
}
data = {
"data": {
"type": "retest",
"attributes": {
"message": "string",
"retest_award_amount": null
}
}
}
r = requests.post(
'https://api.hackerone.com/v1/reports/{id}/retests',
auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
json = data,
headers = headers
)
print(r.json())
require 'rest-client'
require 'json'
headers = {
'Content-Type' => 'application/json',
'Accept' => 'application/json'
}
data = {
"data": {
"type": "retest",
"attributes": {
"message": "string",
"retest_award_amount": null
}
}
}
result = RestClient::Request.execute(
method: :post,
url: 'https://api.hackerone.com/v1/reports/{id}/retests',
password: '<YOUR_API_TOKEN>',
user: '<YOUR_API_USERNAME>',
payload: data,
headers: headers
)
p JSON.parse(result)
URL obj = new URL("https://api.hackerone.com/v1/reports/{id}/retests");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);
con.setRequestMethod("POST");
con.setRequestProperty("Content-Type", "application/json; utf-8");
con.setRequestProperty("Accept", "application/json");
con.setDoOutput(true);
String jsonInputString = "{\n \"data\": {\n \"type\": \"retest\",\n \"attributes\": {\n \"message\": \"string\",\n \"retest_award_amount\": null\n }\n }\n}";
try(OutputStream os = con.getOutputStream()) {
byte[] input = jsonInputString.getBytes("utf-8");
os.write(input, 0, input.length);
}
try(BufferedReader br = new BufferedReader(
new InputStreamReader(con.getInputStream(), "utf-8"))) {
StringBuilder response = new StringBuilder();
String responseLine = null;
while ((responseLine = br.readLine()) != null) {
response.append(responseLine.trim());
}
System.out.println(response.toString());
}
let inputBody = "{\n \"data\": {\n \"type\": \"retest\",\n \"attributes\": {\n \"message\": \"string\",\n \"retest_award_amount\": null\n }\n }\n}";
let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
headers.set('Content-Type', 'application/json'); headers.set('Accept', 'application/json');
fetch('https://api.hackerone.com/v1/reports/{id}/retests',
{
method: 'POST',
body: inputBody,
headers: headers
})
.then(function(res) {
return res.json();
}).then(function(body) {
console.log(body);
});
package main
import (
"bytes"
"io/ioutil"
"log"
"net/http"
)
func main() {
headers := map[string][]string{
"Content-Type": []string{"application/json"},
"Accept": []string{"application/json"},
}
data := bytes.NewBuffer([]byte(`"{\n \"data\": {\n \"type\": \"retest\",\n \"attributes\": {\n \"message\": \"string\",\n \"retest_award_amount\": null\n }\n }\n}"`))
req, err := http.NewRequest("POST", "https://api.hackerone.com/v1/reports/{id}/retests", data)
req.Header = headers
req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
body, _ := ioutil.ReadAll(resp.Body)
log.Println(string(body))
}
report retest requested
{
"id": "1337",
"type": "report",
"attributes": {
"title": "XSS in login form",
"state": "new",
"created_at": "2016-02-02T04:05:06.000Z",
"vulnerability_information": "...",
"triaged_at": null,
"closed_at": null,
"last_reporter_activity_at": null,
"first_program_activity_at": null,
"last_program_activity_at": null,
"bounty_awarded_at": null,
"swag_awarded_at": null,
"disclosed_at": null,
"last_public_activity_at": null,
"last_activity_at": null,
"issue_tracker_reference_url": "https://example.com/reference",
"cve_ids": [],
"source": null,
"reporter_agreed_on_going_public_at": null
},
"relationships": {
"reporter": {
"data": {
"id": "1337",
"type": "user",
"attributes": {
"username": "api-example",
"name": "API Example",
"disabled": false,
"created_at": "2016-02-02T04:05:06.000Z",
"profile_picture": {
"62x62": "/assets/avatars/default.png",
"82x82": "/assets/avatars/default.png",
"110x110": "/assets/avatars/default.png",
"260x260": "/assets/avatars/default.png"
},
"reputation": 7,
"signal": 7,
"impact": 30
}
}
},
"collaborators": {
"data": [
{
"weight": 1,
"user": {
"id": "1337",
"type": "user",
"attributes": {
"username": "api-example",
"name": "API Example",
"disabled": false,
"created_at": "2016-02-02T04:05:06.000Z",
"profile_picture": {
"62x62": "/assets/avatars/default.png",
"82x82": "/assets/avatars/default.png",
"110x110": "/assets/avatars/default.png",
"260x260": "/assets/avatars/default.png"
},
"reputation": 7,
"signal": 7,
"impact": 30
}
}
},
{
"weight": 1,
"user": {
"id": "1338",
"type": "user",
"attributes": {
"username": "api-example 2",
"name": "API Example 2",
"disabled": false,
"created_at": "2016-02-02T04:05:06.000Z",
"profile_picture": {
"62x62": "/assets/avatars/default.png",
"82x82": "/assets/avatars/default.png",
"110x110": "/assets/avatars/default.png",
"260x260": "/assets/avatars/default.png"
},
"reputation": 7,
"signal": 7,
"impact": 30
}
}
}
]
},
"program": {
"data": {
"id": "1337",
"type": "program",
"attributes": {
"handle": "security",
"created_at": "2016-02-02T04:05:06.000Z",
"updated_at": "2016-02-02T04:05:06.000Z"
}
}
},
"swag": {
"data": []
},
"attachments": {
"data": []
},
"weakness": {
"data": {
"id": "1337",
"type": "weakness",
"attributes": {
"name": "Cross-Site Request Forgery (CSRF)",
"description": "The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.",
"external_id": "cwe-352",
"created_at": "2016-02-02T04:05:06.000Z"
}
}
},
"structured_scope": {
"data": {
"id": "287",
"type": "structured-scope",
"attributes": {
"asset_type": "URL",
"asset_identifier": "www.hackerone.com",
"eligible_for_bounty": true,
"eligible_for_submission": true,
"instruction": "This asset does not contain any highly confidential information.",
"max_severity": "critical",
"created_at": "2016-02-02T04:05:06.000Z",
"updated_at": "2016-02-02T04:05:06.000Z",
"reference": "T12345",
"confidentiality_requirement": "medium",
"integrity_requirement": "high",
"availability_requirement": "medium"
}
}
},
"activities": {
"data": []
},
"bounties": {
"data": []
},
"summaries": {
"data": []
}
}
}
POST /reports/{id}/retests
Requesting a retest for a report can be done through this endpoint.
Required permissions: Report Management. You can manage the permissions of your API users through your organization's settings. Insufficient permissions will result in a 403 Forbidden response.
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| id | path | integer | true | The ID of the report. |
| data | body | object | true | The information to request retesting on a report. |
| » type | body | string | true | none |
| » attributes | body | object | false | none |
| »» message | body | string | false | The message that will be posted. |
| »» retest_award_amount | body | float | false | The award amount to be awarded to the retester. |
Enumerated Values
| Parameter | Value |
|---|---|
| » type | retest |
Update Severity
Code samples
# You can also use wget
curl "https://api.hackerone.com/v1/reports/{id}/severities" \
-X POST \
-u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
-H 'Content-Type: application/json' \
-H 'Accept: application/json' \
-d @- <<EOD
{
"data": {
"type": "severity",
"attributes": {
"rating": "none",
"attack_vector": "network",
"attack_complexity": "low",
"attack_requirements": "none",
"privileges_required": "none",
"user_interaction": "none",
"scope": "unchanged",
"confidentiality": "none",
"integrity": "none",
"availability": "none",
"vulnerable_confidentiality": "none",
"vulnerable_integrity": "none",
"vulnerable_availability": "none",
"subsequent_confidentiality": "none",
"subsequent_integrity": "none",
"subsequent_availability": "none",
"calculation_method": "cvss_3_0_hackerone",
"message": "string"
}
}
}
EOD
import requests
headers = {
'Content-Type': 'application/json',
'Accept': 'application/json'
}
data = {
"data": {
"type": "severity",
"attributes": {
"rating": "none",
"attack_vector": "network",
"attack_complexity": "low",
"attack_requirements": "none",
"privileges_required": "none",
"user_interaction": "none",
"scope": "unchanged",
"confidentiality": "none",
"integrity": "none",
"availability": "none",
"vulnerable_confidentiality": "none",
"vulnerable_integrity": "none",
"vulnerable_availability": "none",
"subsequent_confidentiality": "none",
"subsequent_integrity": "none",
"subsequent_availability": "none",
"calculation_method": "cvss_3_0_hackerone",
"message": "string"
}
}
}
r = requests.post(
'https://api.hackerone.com/v1/reports/{id}/severities',
auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
json = data,
headers = headers
)
print(r.json())
require 'rest-client'
require 'json'
headers = {
'Content-Type' => 'application/json',
'Accept' => 'application/json'
}
data = {
"data": {
"type": "severity",
"attributes": {
"rating": "none",
"attack_vector": "network",
"attack_complexity": "low",
"attack_requirements": "none",
"privileges_required": "none",
"user_interaction": "none",
"scope": "unchanged",
"confidentiality": "none",
"integrity": "none",
"availability": "none",
"vulnerable_confidentiality": "none",
"vulnerable_integrity": "none",
"vulnerable_availability": "none",
"subsequent_confidentiality": "none",
"subsequent_integrity": "none",
"subsequent_availability": "none",
"calculation_method": "cvss_3_0_hackerone",
"message": "string"
}
}
}
result = RestClient::Request.execute(
method: :post,
url: 'https://api.hackerone.com/v1/reports/{id}/severities',
password: '<YOUR_API_TOKEN>',
user: '<YOUR_API_USERNAME>',
payload: data,
headers: headers
)
p JSON.parse(result)
URL obj = new URL("https://api.hackerone.com/v1/reports/{id}/severities");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);
con.setRequestMethod("POST");
con.setRequestProperty("Content-Type", "application/json; utf-8");
con.setRequestProperty("Accept", "application/json");
con.setDoOutput(true);
String jsonInputString = "{\n \"data\": {\n \"type\": \"severity\",\n \"attributes\": {\n \"rating\": \"none\",\n \"attack_vector\": \"network\",\n \"attack_complexity\": \"low\",\n \"attack_requirements\": \"none\",\n \"privileges_required\": \"none\",\n \"user_interaction\": \"none\",\n \"scope\": \"unchanged\",\n \"confidentiality\": \"none\",\n \"integrity\": \"none\",\n \"availability\": \"none\",\n \"vulnerable_confidentiality\": \"none\",\n \"vulnerable_integrity\": \"none\",\n \"vulnerable_availability\": \"none\",\n \"subsequent_confidentiality\": \"none\",\n \"subsequent_integrity\": \"none\",\n \"subsequent_availability\": \"none\",\n \"calculation_method\": \"cvss_3_0_hackerone\",\n \"message\": \"string\"\n }\n }\n}";
try(OutputStream os = con.getOutputStream()) {
byte[] input = jsonInputString.getBytes("utf-8");
os.write(input, 0, input.length);
}
try(BufferedReader br = new BufferedReader(
new InputStreamReader(con.getInputStream(), "utf-8"))) {
StringBuilder response = new StringBuilder();
String responseLine = null;
while ((responseLine = br.readLine()) != null) {
response.append(responseLine.trim());
}
System.out.println(response.toString());
}
let inputBody = "{\n \"data\": {\n \"type\": \"severity\",\n \"attributes\": {\n \"rating\": \"none\",\n \"attack_vector\": \"network\",\n \"attack_complexity\": \"low\",\n \"attack_requirements\": \"none\",\n \"privileges_required\": \"none\",\n \"user_interaction\": \"none\",\n \"scope\": \"unchanged\",\n \"confidentiality\": \"none\",\n \"integrity\": \"none\",\n \"availability\": \"none\",\n \"vulnerable_confidentiality\": \"none\",\n \"vulnerable_integrity\": \"none\",\n \"vulnerable_availability\": \"none\",\n \"subsequent_confidentiality\": \"none\",\n \"subsequent_integrity\": \"none\",\n \"subsequent_availability\": \"none\",\n \"calculation_method\": \"cvss_3_0_hackerone\",\n \"message\": \"string\"\n }\n }\n}";
let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
headers.set('Content-Type', 'application/json'); headers.set('Accept', 'application/json');
fetch('https://api.hackerone.com/v1/reports/{id}/severities',
{
method: 'POST',
body: inputBody,
headers: headers
})
.then(function(res) {
return res.json();
}).then(function(body) {
console.log(body);
});
package main
import (
"bytes"
"io/ioutil"
"log"
"net/http"
)
func main() {
headers := map[string][]string{
"Content-Type": []string{"application/json"},
"Accept": []string{"application/json"},
}
data := bytes.NewBuffer([]byte(`"{\n \"data\": {\n \"type\": \"severity\",\n \"attributes\": {\n \"rating\": \"none\",\n \"attack_vector\": \"network\",\n \"attack_complexity\": \"low\",\n \"attack_requirements\": \"none\",\n \"privileges_required\": \"none\",\n \"user_interaction\": \"none\",\n \"scope\": \"unchanged\",\n \"confidentiality\": \"none\",\n \"integrity\": \"none\",\n \"availability\": \"none\",\n \"vulnerable_confidentiality\": \"none\",\n \"vulnerable_integrity\": \"none\",\n \"vulnerable_availability\": \"none\",\n \"subsequent_confidentiality\": \"none\",\n \"subsequent_integrity\": \"none\",\n \"subsequent_availability\": \"none\",\n \"calculation_method\": \"cvss_3_0_hackerone\",\n \"message\": \"string\"\n }\n }\n}"`))
req, err := http.NewRequest("POST", "https://api.hackerone.com/v1/reports/{id}/severities", data)
req.Header = headers
req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
body, _ := ioutil.ReadAll(resp.Body)
log.Println(string(body))
}
severity updated
{
"id": "57",
"type": "severity",
"attributes": {
"rating": "low",
"author_type": "User",
"user_id": 1337,
"created_at": "2023-11-21T14:00:16.142Z",
"score": 3.9,
"attack_complexity": "low",
"attack_vector": "network",
"confidentiality": "low",
"integrity": "low",
"availability": "low",
"privileges_required": "low",
"user_interaction": "required",
"scope": "changed",
"confidentiality_requirement": "medium",
"integrity_requirement": "low",
"availability_requirement": "low",
"max_severity": "low",
"calculation_method": "cvss_3_1",
"cvss_vector_string": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L"
}
}
POST /reports/{id}/severities
You can use this endpoint to create or update the severity of
the provided report. If the report already has a severity, a new one
will be created and used as the current severity. You have to provide
either rating or metrics of the vulnerability severity.
Required permissions: Report Management. You can manage the permissions of your API users through your organization's settings. Insufficient permissions will result in a 403 Forbidden response.
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| id | path | integer | true | The ID of the report. |
| data | body | object | true | The information to change the severity of a report. |
| » type | body | string | true | none |
| » attributes | body | object | true | none |
| »» rating | body | severity-ratings | false | The qualitative rating of the severity. Provided either directly from the author or mapped from the calculated vulnerability score. |
| »» attack_vector | body | string¦null | false | A CVSS metric that reflects the context by which vulnerability exploritation is possible. |
| »» attack_complexity | body | string | false | A CVSS metric that describes the conditions beyond the attacker's control that must exist in order to exploit the vulnerability. |
| »» attack_requirements | body | string | false | A CVSS metric that captures the prerequisite deployment and execution conditions or variables of the vulnerable system that enable the attack. |
| »» privileges_required | body | string | false | A CVSS metric that describes the level of privileges an attacker must possess before successfully exploiting the vulnerability. |
| »» user_interaction | body | string | false | A CVSS metric that captures the requirement for a user, other than the attacker, to participate in the successful compromise of the vulnerability component. |
| »» scope | body | string¦null | false | A CVSS metric that determines if a successful attack impacts a component other than the vulnerable component. |
| »» confidentiality | body | string | false | A CVSS metric that measures the impact to the confidentiality of the information resources managed by a software component due to a successfully exploited vulnerability. |
| »» integrity | body | string | false | A CVSS metric that measures the impact to the integrity of a successfully exploited vulnerability. |
| »» availability | body | string | false | A CVSS metric that measures the availability of the impacted component resulting from a successfully exploited vulnerability. |
| »» vulnerable_confidentiality | body | string | false | A CVSS metric that measures the impact to the confidentiality of the information resources managed by a software component due to a successfully exploited vulnerability. |
| »» vulnerable_integrity | body | string | false | This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. |
| »» vulnerable_availability | body | string | false | This metric measures the impact to the availability of the impacted system resulting from a successfully exploited vulnerability. |
| »» subsequent_confidentiality | body | string | false | This metric measures the impact to the confidentiality of the information resources managed by a software component due to a successfully exploited vulnerability of subsequent systems. |
| »» subsequent_integrity | body | string | false | This metric measures the impact to integrity of a successfully exploited vulnerability of subsequent systems. Integrity refers to the trustworthiness and veracity of information. |
| »» subsequent_availability | body | string | false | This metric measures the impact to the availability of the impacted system resulting from a successfully exploited vulnerability of subsequent systems. |
| »» calculation_method | body | string | false | The method used to calculate the severity of the vulnerability. |
| »» message | body | string | false | A message to be added to the severity. |
Enumerated Values
| Parameter | Value |
|---|---|
| » type | severity |
| »» rating | none |
| »» rating | low |
| »» rating | medium |
| »» rating | high |
| »» rating | critical |
| »» attack_vector | network |
| »» attack_vector | adjacent |
| »» attack_vector | local |
| »» attack_vector | physical |
| »» attack_complexity | low |
| »» attack_complexity | high |
| »» attack_requirements | none |
| »» attack_requirements | present |
| »» privileges_required | none |
| »» privileges_required | low |
| »» privileges_required | high |
| »» user_interaction | none |
| »» user_interaction | required |
| »» scope | unchanged |
| »» scope | changed |
| »» confidentiality | none |
| »» confidentiality | low |
| »» confidentiality | high |
| »» integrity | none |
| »» integrity | low |
| »» integrity | high |
| »» availability | none |
| »» availability | low |
| »» availability | high |
| »» vulnerable_confidentiality | none |
| »» vulnerable_confidentiality | low |
| »» vulnerable_confidentiality | high |
| »» vulnerable_integrity | none |
| »» vulnerable_integrity | low |
| »» vulnerable_integrity | high |
| »» vulnerable_availability | none |
| »» vulnerable_availability | low |
| »» vulnerable_availability | high |
| »» subsequent_confidentiality | none |
| »» subsequent_confidentiality | low |
| »» subsequent_confidentiality | high |
| »» subsequent_integrity | none |
| »» subsequent_integrity | low |
| »» subsequent_integrity | high |
| »» subsequent_availability | none |
| »» subsequent_availability | low |
| »» subsequent_availability | high |
| »» calculation_method | cvss_3_0_hackerone |
| »» calculation_method | cvss_3_1 |
| »» calculation_method | cvss_4_0 |
| »» calculation_method | manual |
Change State
Code samples
# You can also use wget
curl "https://api.hackerone.com/v1/reports/{id}/state_changes" \
-X POST \
-u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
-H 'Content-Type: application/json' \
-H 'Accept: application/json' \
-d @- <<EOD
{
"data": {
"type": "state-change",
"attributes": {
"message": "string",
"state": "new",
"original_report_id": 0,
"attachment_ids": []
}
}
}
EOD
import requests
headers = {
'Content-Type': 'application/json',
'Accept': 'application/json'
}
data = {
"data": {
"type": "state-change",
"attributes": {
"message": "string",
"state": "new",
"original_report_id": 0,
"attachment_ids": []
}
}
}
r = requests.post(
'https://api.hackerone.com/v1/reports/{id}/state_changes',
auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
json = data,
headers = headers
)
print(r.json())
require 'rest-client'
require 'json'
headers = {
'Content-Type' => 'application/json',
'Accept' => 'application/json'
}
data = {
"data": {
"type": "state-change",
"attributes": {
"message": "string",
"state": "new",
"original_report_id": 0,
"attachment_ids": []
}
}
}
result = RestClient::Request.execute(
method: :post,
url: 'https://api.hackerone.com/v1/reports/{id}/state_changes',
password: '<YOUR_API_TOKEN>',
user: '<YOUR_API_USERNAME>',
payload: data,
headers: headers
)
p JSON.parse(result)
URL obj = new URL("https://api.hackerone.com/v1/reports/{id}/state_changes");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);
con.setRequestMethod("POST");
con.setRequestProperty("Content-Type", "application/json; utf-8");
con.setRequestProperty("Accept", "application/json");
con.setDoOutput(true);
String jsonInputString = "{\n \"data\": {\n \"type\": \"state-change\",\n \"attributes\": {\n \"message\": \"string\",\n \"state\": \"new\",\n \"original_report_id\": 0,\n \"attachment_ids\": []\n }\n }\n}";
try(OutputStream os = con.getOutputStream()) {
byte[] input = jsonInputString.getBytes("utf-8");
os.write(input, 0, input.length);
}
try(BufferedReader br = new BufferedReader(
new InputStreamReader(con.getInputStream(), "utf-8"))) {
StringBuilder response = new StringBuilder();
String responseLine = null;
while ((responseLine = br.readLine()) != null) {
response.append(responseLine.trim());
}
System.out.println(response.toString());
}
let inputBody = "{\n \"data\": {\n \"type\": \"state-change\",\n \"attributes\": {\n \"message\": \"string\",\n \"state\": \"new\",\n \"original_report_id\": 0,\n \"attachment_ids\": []\n }\n }\n}";
let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
headers.set('Content-Type', 'application/json'); headers.set('Accept', 'application/json');
fetch('https://api.hackerone.com/v1/reports/{id}/state_changes',
{
method: 'POST',
body: inputBody,
headers: headers
})
.then(function(res) {
return res.json();
}).then(function(body) {
console.log(body);
});
package main
import (
"bytes"
"io/ioutil"
"log"
"net/http"
)
func main() {
headers := map[string][]string{
"Content-Type": []string{"application/json"},
"Accept": []string{"application/json"},
}
data := bytes.NewBuffer([]byte(`"{\n \"data\": {\n \"type\": \"state-change\",\n \"attributes\": {\n \"message\": \"string\",\n \"state\": \"new\",\n \"original_report_id\": 0,\n \"attachment_ids\": []\n }\n }\n}"`))
req, err := http.NewRequest("POST", "https://api.hackerone.com/v1/reports/{id}/state_changes", data)
req.Header = headers
req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
body, _ := ioutil.ReadAll(resp.Body)
log.Println(string(body))
}
report state changed
{
"id": "1337",
"type": "report",
"attributes": {
"title": "XSS in login form",
"state": "new",
"created_at": "2016-02-02T04:05:06.000Z",
"vulnerability_information": "...",
"triaged_at": null,
"closed_at": null,
"last_reporter_activity_at": null,
"first_program_activity_at": null,
"last_program_activity_at": null,
"bounty_awarded_at": null,
"swag_awarded_at": null,
"disclosed_at": null,
"last_public_activity_at": null,
"last_activity_at": null,
"issue_tracker_reference_url": "https://example.com/reference",
"cve_ids": [],
"source": null,
"reporter_agreed_on_going_public_at": null
},
"relationships": {
"reporter": {
"data": {
"id": "1337",
"type": "user",
"attributes": {
"username": "api-example",
"name": "API Example",
"disabled": false,
"created_at": "2016-02-02T04:05:06.000Z",
"profile_picture": {
"62x62": "/assets/avatars/default.png",
"82x82": "/assets/avatars/default.png",
"110x110": "/assets/avatars/default.png",
"260x260": "/assets/avatars/default.png"
},
"reputation": 7,
"signal": 7,
"impact": 30
}
}
},
"collaborators": {
"data": [
{
"weight": 1,
"user": {
"id": "1337",
"type": "user",
"attributes": {
"username": "api-example",
"name": "API Example",
"disabled": false,
"created_at": "2016-02-02T04:05:06.000Z",
"profile_picture": {
"62x62": "/assets/avatars/default.png",
"82x82": "/assets/avatars/default.png",
"110x110": "/assets/avatars/default.png",
"260x260": "/assets/avatars/default.png"
},
"reputation": 7,
"signal": 7,
"impact": 30
}
}
},
{
"weight": 1,
"user": {
"id": "1338",
"type": "user",
"attributes": {
"username": "api-example 2",
"name": "API Example 2",
"disabled": false,
"created_at": "2016-02-02T04:05:06.000Z",
"profile_picture": {
"62x62": "/assets/avatars/default.png",
"82x82": "/assets/avatars/default.png",
"110x110": "/assets/avatars/default.png",
"260x260": "/assets/avatars/default.png"
},
"reputation": 7,
"signal": 7,
"impact": 30
}
}
}
]
},
"program": {
"data": {
"id": "1337",
"type": "program",
"attributes": {
"handle": "security",
"created_at": "2016-02-02T04:05:06.000Z",
"updated_at": "2016-02-02T04:05:06.000Z"
}
}
},
"swag": {
"data": []
},
"attachments": {
"data": []
},
"weakness": {
"data": {
"id": "1337",
"type": "weakness",
"attributes": {
"name": "Cross-Site Request Forgery (CSRF)",
"description": "The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.",
"external_id": "cwe-352",
"created_at": "2016-02-02T04:05:06.000Z"
}
}
},
"structured_scope": {
"data": {
"id": "287",
"type": "structured-scope",
"attributes": {
"asset_type": "URL",
"asset_identifier": "www.hackerone.com",
"eligible_for_bounty": true,
"eligible_for_submission": true,
"instruction": "This asset does not contain any highly confidential information.",
"max_severity": "critical",
"created_at": "2016-02-02T04:05:06.000Z",
"updated_at": "2016-02-02T04:05:06.000Z",
"reference": "T12345",
"confidentiality_requirement": "medium",
"integrity_requirement": "high",
"availability_requirement": "medium"
}
}
},
"activities": {
"data": []
},
"bounties": {
"data": []
},
"summaries": {
"data": []
}
}
}
POST /reports/{id}/state_changes
Changing the state of a report can be done through this endpoint. Closing a report as
resolved will automatically recognize the finder in the program's hall of fame and
reputation will be given. If a report is closed as N/A, Informative, or Spam, reputation
will be deducted from the finder's track record.
There is currently 1 feature missing in the state change API: the ability to invite the
finder of the duplicate to the original report. This feature will be implemented in a future
version of the API.
Required permissions: Report Management. You can manage the permissions of your API users through your organization's settings. Insufficient permissions will result in a 403 Forbidden response.
Allowed state transitions:
| Old value | New value |
|---|---|
| duplicate | new, triaged |
| editing | deleted, needs-more-info, new, not-applicable |
| informative | new, triaged |
| needs-more-info | duplicate, informative, new, not-applicable, pending-program-review, resolved, spam, triaged |
| new | duplicate, informative, needs-more-info, not-applicable, pending-program-review, resolved, spam, triaged |
| not-applicable | new, triaged |
| pending-program-review | duplicate, informative, needs-more-info, new, not-applicable, resolved, spam, triaged |
| needs-more-info, new, not-applicable | |
| resolved | new, triaged |
| spam | new, triaged |
| triaged | duplicate, informative, needs-more-info, new, not-applicable, pending-program-review, resolved, spam, triaged |
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| id | path | integer | true | The ID of the report. |
| data | body | object | true | The information to change the state of a report. |
| » type | body | string | true | none |
| » attributes | body | object | true | none |
| »» message | body | string | true | The message that will be posted. Required when the new state is needs-more-info, informative, or duplicate. |
| »» state | body | report-states | true | none |
| »» original_report_id | body | integer | false | The ID of the report to use as the original report. Only available when closing the report as duplicate. |
| »» attachment_ids | body | array | false | Array of attachment IDs. You can upload attachments here |
Enumerated Values
| Parameter | Value |
|---|---|
| » type | state-change |
| »» state | new |
| »» state | pending-program-review |
| »» state | triaged |
| »» state | needs-more-info |
| »» state | resolved |
| »» state | not-applicable |
| »» state | informative |
| »» state | duplicate |
| »» state | spam |
| »» state | retesting |
Update Structured Scope
Code samples
# You can also use wget
curl "https://api.hackerone.com/v1/reports/{id}/structured_scope" \
-X PUT \
-u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
-H 'Content-Type: application/json' \
-H 'Accept: application/json' \
-d @- <<EOD
{
"data": {
"type": "report-structured-scope",
"attributes": {
"structured_scope_id": 0
}
}
}
EOD
import requests
headers = {
'Content-Type': 'application/json',
'Accept': 'application/json'
}
data = {
"data": {
"type": "report-structured-scope",
"attributes": {
"structured_scope_id": 0
}
}
}
r = requests.put(
'https://api.hackerone.com/v1/reports/{id}/structured_scope',
auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
json = data,
headers = headers
)
print(r.json())
require 'rest-client'
require 'json'
headers = {
'Content-Type' => 'application/json',
'Accept' => 'application/json'
}
data = {
"data": {
"type": "report-structured-scope",
"attributes": {
"structured_scope_id": 0
}
}
}
result = RestClient::Request.execute(
method: :put,
url: 'https://api.hackerone.com/v1/reports/{id}/structured_scope',
password: '<YOUR_API_TOKEN>',
user: '<YOUR_API_USERNAME>',
payload: data,
headers: headers
)
p JSON.parse(result)
URL obj = new URL("https://api.hackerone.com/v1/reports/{id}/structured_scope");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);
con.setRequestMethod("PUT");
con.setRequestProperty("Content-Type", "application/json; utf-8");
con.setRequestProperty("Accept", "application/json");
con.setDoOutput(true);
String jsonInputString = "{\n \"data\": {\n \"type\": \"report-structured-scope\",\n \"attributes\": {\n \"structured_scope_id\": 0\n }\n }\n}";
try(OutputStream os = con.getOutputStream()) {
byte[] input = jsonInputString.getBytes("utf-8");
os.write(input, 0, input.length);
}
try(BufferedReader br = new BufferedReader(
new InputStreamReader(con.getInputStream(), "utf-8"))) {
StringBuilder response = new StringBuilder();
String responseLine = null;
while ((responseLine = br.readLine()) != null) {
response.append(responseLine.trim());
}
System.out.println(response.toString());
}
let inputBody = "{\n \"data\": {\n \"type\": \"report-structured-scope\",\n \"attributes\": {\n \"structured_scope_id\": 0\n }\n }\n}";
let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
headers.set('Content-Type', 'application/json'); headers.set('Accept', 'application/json');
fetch('https://api.hackerone.com/v1/reports/{id}/structured_scope',
{
method: 'PUT',
body: inputBody,
headers: headers
})
.then(function(res) {
return res.json();
}).then(function(body) {
console.log(body);
});
package main
import (
"bytes"
"io/ioutil"
"log"
"net/http"
)
func main() {
headers := map[string][]string{
"Content-Type": []string{"application/json"},
"Accept": []string{"application/json"},
}
data := bytes.NewBuffer([]byte(`"{\n \"data\": {\n \"type\": \"report-structured-scope\",\n \"attributes\": {\n \"structured_scope_id\": 0\n }\n }\n}"`))
req, err := http.NewRequest("PUT", "https://api.hackerone.com/v1/reports/{id}/structured_scope", data)
req.Header = headers
req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
body, _ := ioutil.ReadAll(resp.Body)
log.Println(string(body))
}
Updated structured scope
{
"id": "1337",
"type": "report",
"attributes": {
"title": "XSS in login form",
"state": "new",
"created_at": "2016-02-02T04:05:06.000Z",
"vulnerability_information": "...",
"triaged_at": null,
"closed_at": null,
"last_reporter_activity_at": null,
"first_program_activity_at": null,
"last_program_activity_at": null,
"bounty_awarded_at": null,
"swag_awarded_at": null,
"disclosed_at": null,
"last_public_activity_at": null,
"last_activity_at": null,
"issue_tracker_reference_url": "https://example.com/reference",
"cve_ids": [],
"source": null,
"reporter_agreed_on_going_public_at": null
},
"relationships": {
"reporter": {
"data": {
"id": "1337",
"type": "user",
"attributes": {
"username": "api-example",
"name": "API Example",
"disabled": false,
"created_at": "2016-02-02T04:05:06.000Z",
"profile_picture": {
"62x62": "/assets/avatars/default.png",
"82x82": "/assets/avatars/default.png",
"110x110": "/assets/avatars/default.png",
"260x260": "/assets/avatars/default.png"
},
"reputation": 7,
"signal": 7,
"impact": 30
}
}
},
"collaborators": {
"data": [
{
"weight": 1,
"user": {
"id": "1337",
"type": "user",
"attributes": {
"username": "api-example",
"name": "API Example",
"disabled": false,
"created_at": "2016-02-02T04:05:06.000Z",
"profile_picture": {
"62x62": "/assets/avatars/default.png",
"82x82": "/assets/avatars/default.png",
"110x110": "/assets/avatars/default.png",
"260x260": "/assets/avatars/default.png"
},
"reputation": 7,
"signal": 7,
"impact": 30
}
}
},
{
"weight": 1,
"user": {
"id": "1338",
"type": "user",
"attributes": {
"username": "api-example 2",
"name": "API Example 2",
"disabled": false,
"created_at": "2016-02-02T04:05:06.000Z",
"profile_picture": {
"62x62": "/assets/avatars/default.png",
"82x82": "/assets/avatars/default.png",
"110x110": "/assets/avatars/default.png",
"260x260": "/assets/avatars/default.png"
},
"reputation": 7,
"signal": 7,
"impact": 30
}
}
}
]
},
"program": {
"data": {
"id": "1337",
"type": "program",
"attributes": {
"handle": "security",
"created_at": "2016-02-02T04:05:06.000Z",
"updated_at": "2016-02-02T04:05:06.000Z"
}
}
},
"swag": {
"data": []
},
"attachments": {
"data": []
},
"weakness": {
"data": {
"id": "1337",
"type": "weakness",
"attributes": {
"name": "Cross-Site Request Forgery (CSRF)",
"description": "The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.",
"external_id": "cwe-352",
"created_at": "2016-02-02T04:05:06.000Z"
}
}
},
"structured_scope": {
"data": {
"id": "287",
"type": "structured-scope",
"attributes": {
"asset_type": "URL",
"asset_identifier": "www.hackerone.com",
"eligible_for_bounty": true,
"eligible_for_submission": true,
"instruction": "This asset does not contain any highly confidential information.",
"max_severity": "critical",
"created_at": "2016-02-02T04:05:06.000Z",
"updated_at": "2016-02-02T04:05:06.000Z",
"reference": "T12345",
"confidentiality_requirement": "medium",
"integrity_requirement": "high",
"availability_requirement": "medium"
}
}
},
"activities": {
"data": []
},
"bounties": {
"data": []
},
"summaries": {
"data": []
}
}
}
PUT /reports/{id}/structured_scope
Changing the structured scope of a report can be done through this endpoint. This API
endpoint cannot be used for reports that have been reported outside of the HackerOne
platform.
Required permissions: Report Management. You can manage the permissions of your API users through your organization's settings. Insufficient permissions will result in a 404 Not Found response.
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| id | path | integer | true | The ID of the report. |
| data | body | object | true | The information to change the structured scope of a report. |
| » type | body | string | true | none |
| » attributes | body | object | true | none |
| »» structured_scope_id | body | integer | true | The new structured scope that will be set on the report. |
Enumerated Values
| Parameter | Value |
|---|---|
| » type | report-structured-scope |
Add Summary
Code samples
# You can also use wget
curl "https://api.hackerone.com/v1/reports/{id}/summaries" \
-X POST \
-u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
-H 'Content-Type: application/json' \
-H 'Accept: application/json' \
-d @- <<EOD
{
"data": {
"type": "report-summary",
"attributes": {
"content": "string"
}
}
}
EOD
import requests
headers = {
'Content-Type': 'application/json',
'Accept': 'application/json'
}
data = {
"data": {
"type": "report-summary",
"attributes": {
"content": "string"
}
}
}
r = requests.post(
'https://api.hackerone.com/v1/reports/{id}/summaries',
auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
json = data,
headers = headers
)
print(r.json())
require 'rest-client'
require 'json'
headers = {
'Content-Type' => 'application/json',
'Accept' => 'application/json'
}
data = {
"data": {
"type": "report-summary",
"attributes": {
"content": "string"
}
}
}
result = RestClient::Request.execute(
method: :post,
url: 'https://api.hackerone.com/v1/reports/{id}/summaries',
password: '<YOUR_API_TOKEN>',
user: '<YOUR_API_USERNAME>',
payload: data,
headers: headers
)
p JSON.parse(result)
URL obj = new URL("https://api.hackerone.com/v1/reports/{id}/summaries");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);
con.setRequestMethod("POST");
con.setRequestProperty("Content-Type", "application/json; utf-8");
con.setRequestProperty("Accept", "application/json");
con.setDoOutput(true);
String jsonInputString = "{\n \"data\": {\n \"type\": \"report-summary\",\n \"attributes\": {\n \"content\": \"string\"\n }\n }\n}";
try(OutputStream os = con.getOutputStream()) {
byte[] input = jsonInputString.getBytes("utf-8");
os.write(input, 0, input.length);
}
try(BufferedReader br = new BufferedReader(
new InputStreamReader(con.getInputStream(), "utf-8"))) {
StringBuilder response = new StringBuilder();
String responseLine = null;
while ((responseLine = br.readLine()) != null) {
response.append(responseLine.trim());
}
System.out.println(response.toString());
}
let inputBody = "{\n \"data\": {\n \"type\": \"report-summary\",\n \"attributes\": {\n \"content\": \"string\"\n }\n }\n}";
let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
headers.set('Content-Type', 'application/json'); headers.set('Accept', 'application/json');
fetch('https://api.hackerone.com/v1/reports/{id}/summaries',
{
method: 'POST',
body: inputBody,
headers: headers
})
.then(function(res) {
return res.json();
}).then(function(body) {
console.log(body);
});
package main
import (
"bytes"
"io/ioutil"
"log"
"net/http"
)
func main() {
headers := map[string][]string{
"Content-Type": []string{"application/json"},
"Accept": []string{"application/json"},
}
data := bytes.NewBuffer([]byte(`"{\n \"data\": {\n \"type\": \"report-summary\",\n \"attributes\": {\n \"content\": \"string\"\n }\n }\n}"`))
req, err := http.NewRequest("POST", "https://api.hackerone.com/v1/reports/{id}/summaries", data)
req.Header = headers
req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
body, _ := ioutil.ReadAll(resp.Body)
log.Println(string(body))
}
summary created
{
"id": "1337",
"type": "report-summary",
"attributes": {
"content": "There was a cross-site scripting vulnerability in our login form.",
"category": "team",
"created_at": "2016-02-02T04:05:06.000Z",
"updated_at": "2016-02-02T04:05:06.000Z"
},
"relationships": {
"attachments": {
"data": []
},
"user": {
"data": {
"id": "1337",
"type": "user",
"attributes": {
"username": "api-example",
"name": "API Example",
"disabled": false,
"created_at": "2016-02-02T04:05:06.000Z",
"profile_picture": {
"62x62": "/assets/avatars/default.png",
"82x82": "/assets/avatars/default.png",
"110x110": "/assets/avatars/default.png",
"260x260": "/assets/avatars/default.png"
}
}
}
}
}
}
POST /reports/{id}/summaries
This API endpoint enables the user to create a report summary
for reports that are received by teams that the user is a part of.
A team can only include a single report summary. This API endpoint
cannot be used for reports that have been reported outside of the HackerOne
platform or reported to other teams.
Required permissions: Report Management. You can manage the permissions of your API users through your organization's settings. Insufficient permissions will result in a 403 Forbidden response.
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| id | path | integer | true | The ID of the report. |
| data | body | object | true | The information necessary to create a report summary. |
| » type | body | string | true | none |
| » attributes | body | object | true | none |
| »» content | body | string | true | The content to be included in the report summary. |
Enumerated Values
| Parameter | Value |
|---|---|
| » type | report-summary |
Award Swag
Code samples
# You can also use wget
curl "https://api.hackerone.com/v1/reports/{id}/swags" \
-X POST \
-u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
-H 'Content-Type: application/json' \
-H 'Accept: application/json' \
-d @- <<EOD
{
"data": {
"message": "string"
}
}
EOD
import requests
headers = {
'Content-Type': 'application/json',
'Accept': 'application/json'
}
data = {
"data": {
"message": "string"
}
}
r = requests.post(
'https://api.hackerone.com/v1/reports/{id}/swags',
auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
json = data,
headers = headers
)
print(r.json())
require 'rest-client'
require 'json'
headers = {
'Content-Type' => 'application/json',
'Accept' => 'application/json'
}
data = {
"data": {
"message": "string"
}
}
result = RestClient::Request.execute(
method: :post,
url: 'https://api.hackerone.com/v1/reports/{id}/swags',
password: '<YOUR_API_TOKEN>',
user: '<YOUR_API_USERNAME>',
payload: data,
headers: headers
)
p JSON.parse(result)
URL obj = new URL("https://api.hackerone.com/v1/reports/{id}/swags");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);
con.setRequestMethod("POST");
con.setRequestProperty("Content-Type", "application/json; utf-8");
con.setRequestProperty("Accept", "application/json");
con.setDoOutput(true);
String jsonInputString = "{\n \"data\": {\n \"message\": \"string\"\n }\n}";
try(OutputStream os = con.getOutputStream()) {
byte[] input = jsonInputString.getBytes("utf-8");
os.write(input, 0, input.length);
}
try(BufferedReader br = new BufferedReader(
new InputStreamReader(con.getInputStream(), "utf-8"))) {
StringBuilder response = new StringBuilder();
String responseLine = null;
while ((responseLine = br.readLine()) != null) {
response.append(responseLine.trim());
}
System.out.println(response.toString());
}
let inputBody = "{\n \"data\": {\n \"message\": \"string\"\n }\n}";
let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
headers.set('Content-Type', 'application/json'); headers.set('Accept', 'application/json');
fetch('https://api.hackerone.com/v1/reports/{id}/swags',
{
method: 'POST',
body: inputBody,
headers: headers
})
.then(function(res) {
return res.json();
}).then(function(body) {
console.log(body);
});
package main
import (
"bytes"
"io/ioutil"
"log"
"net/http"
)
func main() {
headers := map[string][]string{
"Content-Type": []string{"application/json"},
"Accept": []string{"application/json"},
}
data := bytes.NewBuffer([]byte(`"{\n \"data\": {\n \"message\": \"string\"\n }\n}"`))
req, err := http.NewRequest("POST", "https://api.hackerone.com/v1/reports/{id}/swags", data)
req.Header = headers
req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
body, _ := ioutil.ReadAll(resp.Body)
log.Println(string(body))
}
swag awarded
{
"id": "1337",
"type": "swag",
"attributes": {
"sent": false,
"created_at": "2016-02-02T04:05:06.000Z"
},
"relationships": {
"user": {
"data": {
"id": "1337",
"type": "user",
"attributes": {
"username": "api-example",
"name": "API Example",
"disabled": false,
"created_at": "2016-02-02T04:05:06.000Z",
"profile_picture": {
"62x62": "/assets/avatars/default.png",
"82x82": "/assets/avatars/default.png",
"110x110": "/assets/avatars/default.png",
"260x260": "/assets/avatars/default.png"
}
}
}
},
"address": {
"data": {
"id": "1337",
"type": "address",
"attributes": {
"name": "Jane Doe",
"street": "535 Mission Street",
"city": "San Francisco",
"postal_code": "94105",
"state": "CA",
"country": "United States of America",
"created_at": "2016-02-02T04:05:06.000Z",
"tshirt_size": "W_Large",
"phone_number": "+1-510-000-0000"
}
}
}
}
}
POST /reports/{id}/swags
You can use this endpoint to award swag to the reporter of the provided report.
Required permissions: Reward Management. You can manage the permissions of your API users through your organization's settings. Insufficient permissions will result in a 404 Not Found response.
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| id | path | integer | true | The ID of the report. |
| data | body | object | true | The information required to award swag. |
| » message | body | string | true | The public message posted on the report. This is always required. |
Update Title
Code samples
# You can also use wget
curl "https://api.hackerone.com/v1/reports/{id}/title" \
-X PUT \
-u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
-H 'Content-Type: application/json' \
-H 'Accept: application/json' \
-d @- <<EOD
{
"data": {
"type": "report-title",
"attributes": {
"title": "string"
}
}
}
EOD
import requests
headers = {
'Content-Type': 'application/json',
'Accept': 'application/json'
}
data = {
"data": {
"type": "report-title",
"attributes": {
"title": "string"
}
}
}
r = requests.put(
'https://api.hackerone.com/v1/reports/{id}/title',
auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
json = data,
headers = headers
)
print(r.json())
require 'rest-client'
require 'json'
headers = {
'Content-Type' => 'application/json',
'Accept' => 'application/json'
}
data = {
"data": {
"type": "report-title",
"attributes": {
"title": "string"
}
}
}
result = RestClient::Request.execute(
method: :put,
url: 'https://api.hackerone.com/v1/reports/{id}/title',
password: '<YOUR_API_TOKEN>',
user: '<YOUR_API_USERNAME>',
payload: data,
headers: headers
)
p JSON.parse(result)
URL obj = new URL("https://api.hackerone.com/v1/reports/{id}/title");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);
con.setRequestMethod("PUT");
con.setRequestProperty("Content-Type", "application/json; utf-8");
con.setRequestProperty("Accept", "application/json");
con.setDoOutput(true);
String jsonInputString = "{\n \"data\": {\n \"type\": \"report-title\",\n \"attributes\": {\n \"title\": \"string\"\n }\n }\n}";
try(OutputStream os = con.getOutputStream()) {
byte[] input = jsonInputString.getBytes("utf-8");
os.write(input, 0, input.length);
}
try(BufferedReader br = new BufferedReader(
new InputStreamReader(con.getInputStream(), "utf-8"))) {
StringBuilder response = new StringBuilder();
String responseLine = null;
while ((responseLine = br.readLine()) != null) {
response.append(responseLine.trim());
}
System.out.println(response.toString());
}
let inputBody = "{\n \"data\": {\n \"type\": \"report-title\",\n \"attributes\": {\n \"title\": \"string\"\n }\n }\n}";
let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
headers.set('Content-Type', 'application/json'); headers.set('Accept', 'application/json');
fetch('https://api.hackerone.com/v1/reports/{id}/title',
{
method: 'PUT',
body: inputBody,
headers: headers
})
.then(function(res) {
return res.json();
}).then(function(body) {
console.log(body);
});
package main
import (
"bytes"
"io/ioutil"
"log"
"net/http"
)
func main() {
headers := map[string][]string{
"Content-Type": []string{"application/json"},
"Accept": []string{"application/json"},
}
data := bytes.NewBuffer([]byte(`"{\n \"data\": {\n \"type\": \"report-title\",\n \"attributes\": {\n \"title\": \"string\"\n }\n }\n}"`))
req, err := http.NewRequest("PUT", "https://api.hackerone.com/v1/reports/{id}/title", data)
req.Header = headers
req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
body, _ := ioutil.ReadAll(resp.Body)
log.Println(string(body))
}
title updated
{
"data": {
"id": "1337",
"type": "report",
"attributes": {
"title": "XSS in login form",
"state": "new",
"created_at": "2016-02-02T04:05:06.000Z",
"vulnerability_information": "...",
"triaged_at": null,
"closed_at": null,
"last_reporter_activity_at": null,
"first_program_activity_at": null,
"last_program_activity_at": null,
"bounty_awarded_at": null,
"swag_awarded_at": null,
"disclosed_at": null,
"source": null
},
"relationships": {
"reporter": {
"data": {
"id": "1337",
"type": "user",
"attributes": {
"username": "api-example",
"name": "API Example",
"disabled": false,
"created_at": "2016-02-02T04:05:06.000Z",
"profile_picture": {
"62x62": "/assets/avatars/default.png",
"82x82": "/assets/avatars/default.png",
"110x110": "/assets/avatars/default.png",
"260x260": "/assets/avatars/default.png"
}
}
}
},
"collaborators": {
"data": [
{
"weight": 1,
"user": {
"id": "1337",
"type": "user",
"attributes": {
"username": "api-example",
"name": "API Example",
"disabled": false,
"created_at": "2016-02-02T04:05:06.000Z",
"profile_picture": {
"62x62": "/assets/avatars/default.png",
"82x82": "/assets/avatars/default.png",
"110x110": "/assets/avatars/default.png",
"260x260": "/assets/avatars/default.png"
},
"reputation": 7,
"signal": 7,
"impact": 30
}
}
},
{
"weight": 1,
"user": {
"id": "1338",
"type": "user",
"attributes": {
"username": "api-example 2",
"name": "API Example 2",
"disabled": false,
"created_at": "2016-02-02T04:05:06.000Z",
"profile_picture": {
"62x62": "/assets/avatars/default.png",
"82x82": "/assets/avatars/default.png",
"110x110": "/assets/avatars/default.png",
"260x260": "/assets/avatars/default.png"
},
"reputation": 7,
"signal": 7,
"impact": 30
}
}
}
]
},
"assignee": {
"data": {
"id": "1337",
"type": "user",
"attributes": {
"username": "member",
"name": "Member",
"disabled": false,
"created_at": "2016-02-02T04:05:06.000Z",
"profile_picture": {
"62x62": "/assets/avatars/default.png",
"82x82": "/assets/avatars/default.png",
"110x110": "/assets/avatars/default.png",
"260x260": "/assets/avatars/default.png"
}
}
}
},
"program": {
"data": {
"id": "1337",
"type": "program",
"attributes": {
"handle": "security",
"created_at": "2016-02-02T04:05:06.000Z",
"updated_at": "2016-02-02T04:05:06.000Z"
}
}
},
"severity": {
"data": {
"id": "57",
"type": "severity",
"attributes": {
"rating": "high",
"author_type": "User",
"user_id": 1337,
"created_at": "2016-02-02T04:05:06.000Z",
"score": 8.7,
"attack_complexity": "low",
"attack_vector": "adjacent",
"availability": "high",
"confidentiality": "low",
"integrity": "high",
"privileges_required": "low",
"user_interaction": "required",
"scope": "changed"
}
}
},
"swag": {
"data": []
},
"attachments": {
"data": []
},
"weakness": {
"data": {
"id": "1337",
"type": "weakness",
"attributes": {
"name": "Cross-Site Request Forgery (CSRF)",
"description": "The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.",
"external_id": "cwe-352",
"created_at": "2016-02-02T04:05:06.000Z"
}
}
},
"structured_scope": {
"data": {
"id": "57",
"type": "structured-scope",
"attributes": {
"asset_identifier": "api.example.com",
"asset_type": "url",
"confidentiality_requirement": "high",
"integrity_requirement": "high",
"availability_requirement": "high",
"max_severity": "critical",
"created_at": "2015-02-02T04:05:06.000Z",
"updated_at": "2016-05-02T04:05:06.000Z",
"instruction": null,
"eligible_for_bounty": true,
"eligible_for_submission": true,
"reference": "H001001"
}
}
},
"activities": {
"data": [
{
"type": "activity-comment",
"id": "445",
"attributes": {
"message": "Comment!",
"created_at": "2016-02-02T04:05:06.000Z",
"updated_at": "2016-02-02T04:05:06.000Z",
"internal": false
},
"relationships": {
"actor": {
"data": {
"id": "1337",
"type": "user",
"attributes": {
"username": "api-example",
"name": "API Example",
"disabled": false,
"created_at": "2016-02-02T04:05:06.000Z",
"profile_picture": {
"62x62": "/assets/avatars/default.png",
"82x82": "/assets/avatars/default.png",
"110x110": "/assets/avatars/default.png",
"260x260": "/assets/avatars/default.png"
},
"signal": null,
"impact": null,
"reputation": null,
"bio": null,
"website": null,
"location": null,
"hackerone_triager": false
}
}
},
"attachments": {
"data": [
{
"id": "1337",
"type": "attachment",
"attributes": {
"expiring_url": "/system/attachments/files/000/001/337/original/root.rb?1454385906",
"created_at": "2016-02-02T04:05:06.000Z",
"file_name": "root.rb",
"content_type": "text/x-ruby",
"file_size": 2871
}
}
]
}
}
},
{
"id": "1337",
"type": "activity-bug-resolved",
"attributes": {
"message": "Bug Resolved!",
"created_at": "2016-02-02T04:05:06.000Z",
"updated_at": "2016-02-02T04:05:06.000Z",
"internal": false
},
"relationships": {
"actor": {
"data": {
"id": "1337",
"type": "user",
"attributes": {
"username": "api-example",
"name": "API Example",
"disabled": false,
"created_at": "2016-02-02T04:05:06.000Z",
"profile_picture": {
"62x62": "/assets/avatars/default.png",
"82x82": "/assets/avatars/default.png",
"110x110": "/assets/avatars/default.png",
"260x260": "/assets/avatars/default.png"
}
}
}
}
}
}
]
},
"bounties": {
"data": []
},
"summaries": {
"data": []
},
"inboxes": {
"data": [
{
"id": "13",
"type": "inbox",
"attributes": {
"name": "HackerOne",
"type": "default"
}
},
{
"id": "65",
"type": "inbox",
"attributes": {
"name": "Custom Inbox number one",
"type": "custom"
}
}
]
},
"triggered_pre_submission_trigger": {
"data": {
"id": "1337",
"type": "trigger",
"attributes": {
"title": "Example Trigger"
}
}
},
"custom_field_values": {
"data": []
},
"automated_remediation_guidance": {
"data": {
"id": "1",
"type": "automated-remediation-guidance",
"attributes": {
"reference": "https://cwe.mitre.org/data/definitions/120.html",
"created_at": "2020-10-23T12:09:37.859Z"
}
}
},
"custom_remediation_guidance": {
"data": {
"id": "84",
"type": "custom-remediation-guidance",
"attributes": {
"message": "Check buffer boundaries if accessing the buffer in a loop and make sure you are not in danger of writing past the allocated space.",
"created_at": "2020-10-26T08:47:23.296Z"
},
"relationships": {
"author": {
"data": {
"id": "1338",
"type": "user",
"attributes": {
"username": "api-example-2",
"name": "API Example 2",
"disabled": false,
"created_at": "2020-10-22T011:22:05.402Z",
"profile_picture": {
"62x62": "/assets/avatars/default.png",
"82x82": "/assets/avatars/default.png",
"110x110": "/assets/avatars/default.png",
"260x260": "/assets/avatars/default.png"
}
}
}
}
}
}
}
}
}
}
PUT /reports/{id}/title
Changing the title of a report through the HackerOne API can be useful to
programmatically batch update received reports in HackerOne. This API endpoint
cannot be used for reports that have been reported outside of the HackerOne
platform.
Required permissions: Report or Program Management. You can manage the permissions of your API users through your organization's settings. Insufficient permissions will result in a 403 Forbidden response.
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| id | path | integer | true | The ID of the report. |
| data | body | object | true | The information to change the title of a report. |
| » type | body | string | true | none |
| » attributes | body | object | true | none |
| »» title | body | string | true | The new title that will be set on the report. |
Enumerated Values
| Parameter | Value |
|---|---|
| » type | report-title |
Transfer Report
Code samples
# You can also use wget
curl "https://api.hackerone.com/v1/reports/{id}/transfer" \
-X PUT \
-u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
-H 'Content-Type: application/json' \
-H 'Accept: application/json' \
-d @- <<EOD
{
"data": {
"type": "report-transfer",
"attributes": {
"target_team_id": 0,
"no_notifications": true
}
}
}
EOD
import requests
headers = {
'Content-Type': 'application/json',
'Accept': 'application/json'
}
data = {
"data": {
"type": "report-transfer",
"attributes": {
"target_team_id": 0,
"no_notifications": true
}
}
}
r = requests.put(
'https://api.hackerone.com/v1/reports/{id}/transfer',
auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
json = data,
headers = headers
)
print(r.json())
require 'rest-client'
require 'json'
headers = {
'Content-Type' => 'application/json',
'Accept' => 'application/json'
}
data = {
"data": {
"type": "report-transfer",
"attributes": {
"target_team_id": 0,
"no_notifications": true
}
}
}
result = RestClient::Request.execute(
method: :put,
url: 'https://api.hackerone.com/v1/reports/{id}/transfer',
password: '<YOUR_API_TOKEN>',
user: '<YOUR_API_USERNAME>',
payload: data,
headers: headers
)
p JSON.parse(result)
URL obj = new URL("https://api.hackerone.com/v1/reports/{id}/transfer");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);
con.setRequestMethod("PUT");
con.setRequestProperty("Content-Type", "application/json; utf-8");
con.setRequestProperty("Accept", "application/json");
con.setDoOutput(true);
String jsonInputString = "{\n \"data\": {\n \"type\": \"report-transfer\",\n \"attributes\": {\n \"target_team_id\": 0,\n \"no_notifications\": true\n }\n }\n}";
try(OutputStream os = con.getOutputStream()) {
byte[] input = jsonInputString.getBytes("utf-8");
os.write(input, 0, input.length);
}
try(BufferedReader br = new BufferedReader(
new InputStreamReader(con.getInputStream(), "utf-8"))) {
StringBuilder response = new StringBuilder();
String responseLine = null;
while ((responseLine = br.readLine()) != null) {
response.append(responseLine.trim());
}
System.out.println(response.toString());
}
let inputBody = "{\n \"data\": {\n \"type\": \"report-transfer\",\n \"attributes\": {\n \"target_team_id\": 0,\n \"no_notifications\": true\n }\n }\n}";
let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
headers.set('Content-Type', 'application/json'); headers.set('Accept', 'application/json');
fetch('https://api.hackerone.com/v1/reports/{id}/transfer',
{
method: 'PUT',
body: inputBody,
headers: headers
})
.then(function(res) {
return res.json();
}).then(function(body) {
console.log(body);
});
package main
import (
"bytes"
"io/ioutil"
"log"
"net/http"
)
func main() {
headers := map[string][]string{
"Content-Type": []string{"application/json"},
"Accept": []string{"application/json"},
}
data := bytes.NewBuffer([]byte(`"{\n \"data\": {\n \"type\": \"report-transfer\",\n \"attributes\": {\n \"target_team_id\": 0,\n \"no_notifications\": true\n }\n }\n}"`))
req, err := http.NewRequest("PUT", "https://api.hackerone.com/v1/reports/{id}/transfer", data)
req.Header = headers
req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
body, _ := ioutil.ReadAll(resp.Body)
log.Println(string(body))
}
report transferred
{
"was_successful": true
}
PUT /reports/{id}/transfer
The program can transfer reports between parent and child programs.
You can use this endpoint to transfer the reports between parent and child programs.
IMPORTANT: When transferring reports references are being removed. Custom field values will also be removed, unless a custom field with the exact same label exists on the target team.
Required permissions: Report Management. You can manage the permissions of your API users through your organization's settings. Insufficient permissions will result in a 403 Forbidden response.
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| id | path | integer | true | The ID of the report. |
| data | body | object | true | The information to transfer the report. |
| » type | body | string | true | none |
| » attributes | body | object | true | none |
| »» target_team_id | body | number | true | ID of the target team the reports should be transferred to. |
| »» no_notifications | body | boolean | false | If the action should create notifications. |
Enumerated Values
| Parameter | Value |
|---|---|
| » type | report-transfer |
Update Weakness
Code samples
# You can also use wget
curl "https://api.hackerone.com/v1/reports/{id}/weakness" \
-X PUT \
-u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
-H 'Content-Type: application/json' \
-H 'Accept: application/json' \
-d @- <<EOD
{
"data": {
"type": "report-weakness",
"attributes": {
"weakness_id": 0
}
}
}
EOD
import requests
headers = {
'Content-Type': 'application/json',
'Accept': 'application/json'
}
data = {
"data": {
"type": "report-weakness",
"attributes": {
"weakness_id": 0
}
}
}
r = requests.put(
'https://api.hackerone.com/v1/reports/{id}/weakness',
auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
json = data,
headers = headers
)
print(r.json())
require 'rest-client'
require 'json'
headers = {
'Content-Type' => 'application/json',
'Accept' => 'application/json'
}
data = {
"data": {
"type": "report-weakness",
"attributes": {
"weakness_id": 0
}
}
}
result = RestClient::Request.execute(
method: :put,
url: 'https://api.hackerone.com/v1/reports/{id}/weakness',
password: '<YOUR_API_TOKEN>',
user: '<YOUR_API_USERNAME>',
payload: data,
headers: headers
)
p JSON.parse(result)
URL obj = new URL("https://api.hackerone.com/v1/reports/{id}/weakness");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);
con.setRequestMethod("PUT");
con.setRequestProperty("Content-Type", "application/json; utf-8");
con.setRequestProperty("Accept", "application/json");
con.setDoOutput(true);
String jsonInputString = "{\n \"data\": {\n \"type\": \"report-weakness\",\n \"attributes\": {\n \"weakness_id\": 0\n }\n }\n}";
try(OutputStream os = con.getOutputStream()) {
byte[] input = jsonInputString.getBytes("utf-8");
os.write(input, 0, input.length);
}
try(BufferedReader br = new BufferedReader(
new InputStreamReader(con.getInputStream(), "utf-8"))) {
StringBuilder response = new StringBuilder();
String responseLine = null;
while ((responseLine = br.readLine()) != null) {
response.append(responseLine.trim());
}
System.out.println(response.toString());
}
let inputBody = "{\n \"data\": {\n \"type\": \"report-weakness\",\n \"attributes\": {\n \"weakness_id\": 0\n }\n }\n}";
let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
headers.set('Content-Type', 'application/json'); headers.set('Accept', 'application/json');
fetch('https://api.hackerone.com/v1/reports/{id}/weakness',
{
method: 'PUT',
body: inputBody,
headers: headers
})
.then(function(res) {
return res.json();
}).then(function(body) {
console.log(body);
});
package main
import (
"bytes"
"io/ioutil"
"log"
"net/http"
)
func main() {
headers := map[string][]string{
"Content-Type": []string{"application/json"},
"Accept": []string{"application/json"},
}
data := bytes.NewBuffer([]byte(`"{\n \"data\": {\n \"type\": \"report-weakness\",\n \"attributes\": {\n \"weakness_id\": 0\n }\n }\n}"`))
req, err := http.NewRequest("PUT", "https://api.hackerone.com/v1/reports/{id}/weakness", data)
req.Header = headers
req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
body, _ := ioutil.ReadAll(resp.Body)
log.Println(string(body))
}
assignee updated
{
"id": "77",
"type": "report",
"attributes": {
"title": "XSS in login form",
"state": "new",
"created_at": "2019-08-20T14:26:19.286Z",
"vulnerability_information": "...",
"triaged_at": null,
"closed_at": null,
"last_reporter_activity_at": "2019-08-20T14:26:20.531Z",
"first_program_activity_at": "2019-08-20T14:26:20.531Z",
"last_program_activity_at": "2019-08-20T15:25:56.627Z",
"bounty_awarded_at": null,
"swag_awarded_at": null,
"disclosed_at": null,
"last_public_activity_at": "2019-08-20T15:25:56.627Z",
"last_activity_at": "2019-08-20T15:25:56.627Z",
"cve_ids": []
},
"relationships": {
"weakness": {
"data": {
"id": "77",
"type": "weakness",
"attributes": {
"name": "Reliance on Reverse DNS Resolution for a Security-Critical Action",
"description": "The software performs reverse DNS resolution on an IP address to obtain the hostname and make a security decision, but it does not properly ensure that the IP address is truly associated with the hostname.",
"external_id": "cwe-350",
"created_at": "2019-07-12T08:36:13.646Z"
}
}
}
}
}
PUT /reports/{id}/weakness
Changing the weakness of a report can be done through this endpoint.
This API endpoint cannot be used for reports that have been reported
outside of the HackerOne platform.
Required permissions: Report Management. You can manage the permissions of your API users through your organization's settings. Insufficient permissions will result in a 404 Not Found response.
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| id | path | integer | true | The ID of the report. |
| data | body | object | true | The information to change the weakness of a report. |
| » type | body | string | true | none |
| » attributes | body | object | true | none |
| »» weakness_id | body | integer | true | The new weakness that will be set on the report. |
Enumerated Values
| Parameter | Value |
|---|---|
| » type | report-weakness |
Get All Reports
Code samples
# You can also use wget
curl "https://api.hackerone.com/v1/reports" \
-X GET \
-u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
-H 'Accept: application/json'
import requests
headers = {
'Accept': 'application/json'
}
r = requests.get(
'https://api.hackerone.com/v1/reports',
auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
headers = headers
)
print(r.json())
require 'rest-client'
require 'json'
headers = {
'Accept' => 'application/json'
}
result = RestClient::Request.execute(
method: :get,
url: 'https://api.hackerone.com/v1/reports',
password: '<YOUR_API_TOKEN>',
user: '<YOUR_API_USERNAME>',
headers: headers
)
p JSON.parse(result)
URL obj = new URL("https://api.hackerone.com/v1/reports");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);
con.setRequestMethod("GET");
try(BufferedReader br = new BufferedReader(
new InputStreamReader(con.getInputStream(), "utf-8"))) {
StringBuilder response = new StringBuilder();
String responseLine = null;
while ((responseLine = br.readLine()) != null) {
response.append(responseLine.trim());
}
System.out.println(response.toString());
}
let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
headers.set('Accept', 'application/json');
fetch('https://api.hackerone.com/v1/reports',
{
method: 'GET',
headers: headers
})
.then(function(res) {
return res.json();
}).then(function(body) {
console.log(body);
});
package main
import (
"io/ioutil"
"log"
"net/http"
)
func main() {
headers := map[string][]string{
"Accept": []string{"application/json"},
}
req, err := http.NewRequest("GET", "https://api.hackerone.com/v1/reports", nil)
req.Header = headers
req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
body, _ := ioutil.ReadAll(resp.Body)
log.Println(string(body))
}
reports found
{
"data": [
{
"id": "1337",
"type": "report",
"attributes": {
"title": "XSS in login form",
"state": "new",
"created_at": "2016-02-02T04:05:06.000Z",
"submitted_at": "2016-02-04T04:05:06.000Z",
"vulnerability_information": "...",
"triaged_at": null,
"closed_at": null,
"last_reporter_activity_at": null,
"first_program_activity_at": null,
"last_program_activity_at": null,
"bounty_awarded_at": null,
"last_activity_at": null,
"last_public_activity_at": null,
"swag_awarded_at": null,
"disclosed_at": null
},
"relationships": {
"reporter": {
"data": {
"id": "1337",
"type": "user",
"attributes": {
"username": "api-example",
"name": "API Example",
"disabled": false,
"created_at": "2016-02-02T04:05:06.000Z",
"profile_picture": {
"62x62": "/assets/avatars/default.png",
"82x82": "/assets/avatars/default.png",
"110x110": "/assets/avatars/default.png",
"260x260": "/assets/avatars/default.png"
}
}
}
},
"collaborators": {
"data": [
{
"weight": 1,
"user": {
"id": "1337",
"type": "user",
"attributes": {
"username": "api-example",
"name": "API Example",
"disabled": false,
"created_at": "2016-02-02T04:05:06.000Z",
"profile_picture": {
"62x62": "/assets/avatars/default.png",
"82x82": "/assets/avatars/default.png",
"110x110": "/assets/avatars/default.png",
"260x260": "/assets/avatars/default.png"
},
"reputation": 7,
"signal": 7,
"impact": 30
}
}
},
{
"weight": 1,
"user": {
"id": "1338",
"type": "user",
"attributes": {
"username": "api-example 2",
"name": "API Example 2",
"disabled": false,
"created_at": "2016-02-02T04:05:06.000Z",
"profile_picture": {
"62x62": "/assets/avatars/default.png",
"82x82": "/assets/avatars/default.png",
"110x110": "/assets/avatars/default.png",
"260x260": "/assets/avatars/default.png"
},
"reputation": 7,
"signal": 7,
"impact": 30
}
}
}
]
},
"program": {
"data": {
"id": "1337",
"type": "program",
"attributes": {
"handle": "security",
"created_at": "2016-02-02T04:05:06.000Z",
"updated_at": "2016-02-02T04:05:06.000Z"
}
}
},
"weakness": {
"data": {
"id": "1337",
"type": "weakness",
"attributes": {
"name": "Cross-Site Request Forgery (CSRF)",
"description": "The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.",
"external_id": "cwe-352",
"created_at": "2016-02-02T04:05:06.000Z"
}
}
},
"bounties": {
"data": []
}
}
},
{
"id": "1338",
"type": "report",
"attributes": {
"title": "CSRF in admin panel",
"state": "triaged",
"created_at": "2016-02-02T04:05:06.000Z",
"submitted_at": "2016-02-04T04:05:06.000Z",
"vulnerability_information": "...",
"triaged_at": "2016-02-03T03:01:36.000Z",
"closed_at": null,
"last_reporter_activity_at": null,
"first_program_activity_at": null,
"last_program_activity_at": null,
"bounty_awarded_at": null,
"swag_awarded_at": null,
"disclosed_at": null,
"issue_tracker_reference_id": "T554",
"issue_tracker_reference_url": "https://phabricator.tld/T554",
"cve_ids": []
},
"relationships": {
"reporter": {
"data": {
"id": "1337",
"type": "user",
"attributes": {
"username": "api-example",
"name": "API Example",
"disabled": false,
"created_at": "2016-02-02T04:05:06.000Z",
"profile_picture": {
"62x62": "/assets/avatars/default.png",
"82x82": "/assets/avatars/default.png",
"110x110": "/assets/avatars/default.png",
"260x260": "/assets/avatars/default.png"
}
}
}
},
"program": {
"data": {
"id": "1337",
"type": "program",
"attributes": {
"handle": "security",
"created_at": "2016-02-02T04:05:06.000Z",
"updated_at": "2016-02-02T04:05:06.000Z"
}
}
},
"weakness": {
"data": {
"id": "1337",
"type": "weakness",
"attributes": {
"name": "Cross-Site Request Forgery (CSRF)",
"description": "The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.",
"external_id": "cwe-352",
"created_at": "2016-02-02T04:05:06.000Z"
}
}
},
"bounties": {
"data": []
},
"inboxes": {
"data": [
{
"id": "13",
"type": "inbox",
"attributes": {
"name": "Security Program Inbox",
"type": "default"
}
},
{
"id": "79",
"type": "inbox",
"attributes": {
"name": "Custom Inbox",
"type": "custom"
}
}
]
}
}
},
"..."
],
"links": {
"self": "https://api.hackerone.com/v1/reports?filter%5Bprogram%5D%5B%5D=security&page%5Bnumber%5D=1",
"next": "https://api.hackerone.com/v1/reports?filter%5Bprogram%5D%5B%5D=security&page%5Bnumber%5D=2",
"last": "https://api.hackerone.com/v1/reports?filter%5Bprogram%5D%5B%5D=security&page%5Bnumber%5D=5"
}
}
GET /reports
Multiple report objects can be queried that meet certain filtering criteria by sending a GET request to the reports endpoint. When the request is successful, the API will respond with paginated report objects.
The following report relationships are included: reporter, collaborators, assignee (a user or group), weakness, program, severity, structured scope, bounties, custom field values and inboxes.
IMPORTANT: Either the filter parameter program or inbox_ids is required when using this endpoint.
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| filter[program][] | query | array[string] | false | Filter by the program handles you want to fetch the reports for. Required if inbox_ids is not specified. |
| filter[inbox_ids][] | query | array[integer] | false | Filter by the inbox ids you want to fetch the reports for. Required if program is not specified. |
| filter[reporter][] | query | array[string] | false | Filter by the hacker's username you want to fetch the reports for. |
| filter[assignee][] | query | array[string] | false | Filter by the assignee's usernames, emails or group names you want to fetch the reports for. |
| filter[state][] | query | array[string] | false | Filter by current report state. |
| filter[id][] | query | array[integer] | false | Filter by report ID. |
| filter[weakness_id][] | query | array[integer] | false | Filter by weakness. |
| filter[severity][] | query | array[string] | false | Filter by the severity ratings you want to fetch the reports for. |
| filter[hacker_published] | query | boolean | false | Filter by reports that are published by hackers, depending on the value of the parameter. |
| filter[created_at__gt] | query | any(date-time) | false | Filter by reports that were created after the date specified. |
| filter[created_at__lt] | query | any(date-time) | false | Filter by reports that were created before the date specified. |
| filter[submitted_at__gt] | query | any(date-time) | false | Filter by reports that were submitted after the date specified. |
| filter[submitted_at__lt] | query | any(date-time) | false | Filter by reports that were submitted before the date specified. |
| filter[triaged_at__gt] | query | any(date-time) | false | Filter by reports that were triaged after the date specified. |
| filter[triaged_at__lt] | query | any(date-time) | false | Filter by reports that were triaged before the date specified. |
| filter[triaged_at__null] | query | boolean | false | Filter by reports that are triaged or not, depending on the value of this parameter. |
| filter[closed_at__gt] | query | any(date-time) | false | Filter by reports that were closed after the date specified. |
| filter[closed_at__lt] | query | any(date-time) | false | Filter by reports that were closed before the date specified. |
| filter[closed_at__null] | query | boolean | false | Filter by reports that are closed or not, depending on the value of this parameter. |
| filter[disclosed_at__gt] | query | any(date-time) | false | Filter by reports that were disclosed after the date specified. |
| filter[disclosed_at__lt] | query | any(date-time) | false | Filter by reports that were disclosed before the date specified. |
| filter[disclosed_at__null] | query | boolean | false | Filter by reports that are disclosed. |
| filter[reporter_agreed_on_going_public] | query | boolean | false | Filter by reports that have the hacker disclosure request. |
| filter[bounty_awarded_at__gt] | query | any(date-time) | false | Filter by reports that have a bounty awarded after the date specified. |
| filter[bounty_awarded_at__lt] | query | any(date-time) | false | Filter by reports that have a bounty awarded before the date specified. |
| filter[bounty_awarded_at__null] | query | boolean | false | Filter by reports that have a bounty awarded. |
| filter[swag_awarded_at__gt] | query | any(date-time) | false | Filter by reports that have swag awarded after the date specified. |
| filter[swag_awarded_at__lt] | query | any(date-time) | false | Filter by reports that have swag awarded before the date specified. |
| filter[swag_awarded_at__null] | query | boolean | false | Filter by reports that have swag awarded or not, depending on the value of this parameter. |
| filter[last_reporter_activity_at__gt] | query | any(date-time) | false | Filter by reports that received an update from the reporter after the date specified. |
| filter[last_reporter_activity_at__lt] | query | any(date-time) | false | Filter by reports that received an update from the reporter before the date specified. |
| filter[first_program_activity_at__gt] | query | any(date-time) | false | Filter by reports that received the first update from the program after the date specified. |
| filter[first_program_activity_at__lt] | query | any(date-time) | false | Filter by reports that received the first update from the program before the date specified. |
| filter[first_program_activity_at__null] | query | boolean | false | Filter by reports where the reporter received an update. |
| filter[last_program_activity_at__gt] | query | any(date-time) | false | Filter by reports that received an update from the program after the date specified. |
| filter[last_program_activity_at__lt] | query | any(date-time) | false | Filter by reports that received an update from the program before the date specified. |
| filter[last_activity_at__gt] | query | any(date-time) | false | Filter by reports that received an update after the date specified. |
| filter[last_activity_at__lt] | query | any(date-time) | false | Filter by reports that received an update before the date specified. |
| filter[last_public_activity_at__gt] | query | any(date-time) | false | Filter by reports that received a public update after the date specified. |
| filter[last_public_activity_at__lt] | query | any(date-time) | false | Filter by reports that received a public update after the date specified. |
| filter[keyword] | query | string | false | Filter reports by title and keywords. |
| filter[issue_tracker_reference_id] | query | string | false | Filter reports by issue tracker reference. |
| filter[issue_tracker_reference_id__null] | query | boolean | false | Filter by reports that have an issue tracker reference or not, depending on the value of this parameter. |
| filter[custom_fields][] | query | array[object] | false | Filter reports by a Custom Field Label and Value. See custom-field-input for an exampleof the input values |
| sort | query | any | false | The attributes and order to sort the reports on. |
| page[number] | query | integer | false | The page to retrieve from. The default is set to 1. |
| page[size] | query | integer | false | The number of objects per page (currently limited from 1 to 100). The default is set to 25. |
Detailed descriptions
sort: The attributes and order to sort the reports on.
This parameter may contain multiple attributes that the reports should be sorted on. Sorting is applied in the specified order of attributes. If an attribute should be sorted descending, prepend a hyphen (-).
The following attributes can be used for sorting: reports.swag_awarded_at, reports.bounty_awarded_at, reports.last_reporter_activity_at, reports.first_program_activity_at, reports.last_program_activity_at, reports.triaged_at, reports.created_at, reports.closed_at, reports.last_public_activity_at, reports.last_activity_at, and reports.disclosed_at.
Enumerated Values
| Parameter | Value |
|---|---|
| filter[state][] | new |
| filter[state][] | pending-program-review |
| filter[state][] | triaged |
| filter[state][] | needs-more-info |
| filter[state][] | resolved |
| filter[state][] | not-applicable |
| filter[state][] | informative |
| filter[state][] | duplicate |
| filter[state][] | spam |
| filter[state][] | retesting |
| filter[severity][] | none |
| filter[severity][] | low |
| filter[severity][] | medium |
| filter[severity][] | high |
| filter[severity][] | critical |
Create Report
Code samples
# You can also use wget
curl "https://api.hackerone.com/v1/reports" \
-X POST \
-u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
-H 'Content-Type: application/json' \
-H 'Accept: application/json' \
-d @- <<EOD
{
"data": {
"type": "report",
"attributes": {
"team_handle": "string",
"title": "string",
"vulnerability_information": "string",
"impact": "string",
"severity_rating": "none",
"weakness_id": 0,
"structured_scope_id": 0,
"source": "string"
}
}
}
EOD
import requests
headers = {
'Content-Type': 'application/json',
'Accept': 'application/json'
}
data = {
"data": {
"type": "report",
"attributes": {
"team_handle": "string",
"title": "string",
"vulnerability_information": "string",
"impact": "string",
"severity_rating": "none",
"weakness_id": 0,
"structured_scope_id": 0,
"source": "string"
}
}
}
r = requests.post(
'https://api.hackerone.com/v1/reports',
auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
json = data,
headers = headers
)
print(r.json())
require 'rest-client'
require 'json'
headers = {
'Content-Type' => 'application/json',
'Accept' => 'application/json'
}
data = {
"data": {
"type": "report",
"attributes": {
"team_handle": "string",
"title": "string",
"vulnerability_information": "string",
"impact": "string",
"severity_rating": "none",
"weakness_id": 0,
"structured_scope_id": 0,
"source": "string"
}
}
}
result = RestClient::Request.execute(
method: :post,
url: 'https://api.hackerone.com/v1/reports',
password: '<YOUR_API_TOKEN>',
user: '<YOUR_API_USERNAME>',
payload: data,
headers: headers
)
p JSON.parse(result)
URL obj = new URL("https://api.hackerone.com/v1/reports");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);
con.setRequestMethod("POST");
con.setRequestProperty("Content-Type", "application/json; utf-8");
con.setRequestProperty("Accept", "application/json");
con.setDoOutput(true);
String jsonInputString = "{\n \"data\": {\n \"type\": \"report\",\n \"attributes\": {\n \"team_handle\": \"string\",\n \"title\": \"string\",\n \"vulnerability_information\": \"string\",\n \"impact\": \"string\",\n \"severity_rating\": \"none\",\n \"weakness_id\": 0,\n \"structured_scope_id\": 0,\n \"source\": \"string\"\n }\n }\n}";
try(OutputStream os = con.getOutputStream()) {
byte[] input = jsonInputString.getBytes("utf-8");
os.write(input, 0, input.length);
}
try(BufferedReader br = new BufferedReader(
new InputStreamReader(con.getInputStream(), "utf-8"))) {
StringBuilder response = new StringBuilder();
String responseLine = null;
while ((responseLine = br.readLine()) != null) {
response.append(responseLine.trim());
}
System.out.println(response.toString());
}
let inputBody = "{\n \"data\": {\n \"type\": \"report\",\n \"attributes\": {\n \"team_handle\": \"string\",\n \"title\": \"string\",\n \"vulnerability_information\": \"string\",\n \"impact\": \"string\",\n \"severity_rating\": \"none\",\n \"weakness_id\": 0,\n \"structured_scope_id\": 0,\n \"source\": \"string\"\n }\n }\n}";
let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
headers.set('Content-Type', 'application/json'); headers.set('Accept', 'application/json');
fetch('https://api.hackerone.com/v1/reports',
{
method: 'POST',
body: inputBody,
headers: headers
})
.then(function(res) {
return res.json();
}).then(function(body) {
console.log(body);
});
package main
import (
"bytes"
"io/ioutil"
"log"
"net/http"
)
func main() {
headers := map[string][]string{
"Content-Type": []string{"application/json"},
"Accept": []string{"application/json"},
}
data := bytes.NewBuffer([]byte(`"{\n \"data\": {\n \"type\": \"report\",\n \"attributes\": {\n \"team_handle\": \"string\",\n \"title\": \"string\",\n \"vulnerability_information\": \"string\",\n \"impact\": \"string\",\n \"severity_rating\": \"none\",\n \"weakness_id\": 0,\n \"structured_scope_id\": 0,\n \"source\": \"string\"\n }\n }\n}"`))
req, err := http.NewRequest("POST", "https://api.hackerone.com/v1/reports", data)
req.Header = headers
req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
body, _ := ioutil.ReadAll(resp.Body)
log.Println(string(body))
}
report created
{
"id": "1337",
"type": "report",
"attributes": {
"title": "XSS in login form",
"state": "new",
"created_at": "2016-02-02T04:05:06.000Z",
"vulnerability_information": "...",
"triaged_at": null,
"closed_at": null,
"last_reporter_activity_at": null,
"first_program_activity_at": null,
"last_program_activity_at": null,
"bounty_awarded_at": null,
"swag_awarded_at": null,
"disclosed_at": null,
"last_public_activity_at": null,
"last_activity_at": null,
"issue_tracker_reference_url": "https://example.com/reference",
"cve_ids": [],
"source": null,
"reporter_agreed_on_going_public_at": null
},
"relationships": {
"reporter": {
"data": {
"id": "1337",
"type": "user",
"attributes": {
"username": "api-example",
"name": "API Example",
"disabled": false,
"created_at": "2016-02-02T04:05:06.000Z",
"profile_picture": {
"62x62": "/assets/avatars/default.png",
"82x82": "/assets/avatars/default.png",
"110x110": "/assets/avatars/default.png",
"260x260": "/assets/avatars/default.png"
},
"reputation": 7,
"signal": 7,
"impact": 30
}
}
},
"collaborators": {
"data": [
{
"weight": 1,
"user": {
"id": "1337",
"type": "user",
"attributes": {
"username": "api-example",
"name": "API Example",
"disabled": false,
"created_at": "2016-02-02T04:05:06.000Z",
"profile_picture": {
"62x62": "/assets/avatars/default.png",
"82x82": "/assets/avatars/default.png",
"110x110": "/assets/avatars/default.png",
"260x260": "/assets/avatars/default.png"
},
"reputation": 7,
"signal": 7,
"impact": 30
}
}
},
{
"weight": 1,
"user": {
"id": "1338",
"type": "user",
"attributes": {
"username": "api-example 2",
"name": "API Example 2",
"disabled": false,
"created_at": "2016-02-02T04:05:06.000Z",
"profile_picture": {
"62x62": "/assets/avatars/default.png",
"82x82": "/assets/avatars/default.png",
"110x110": "/assets/avatars/default.png",
"260x260": "/assets/avatars/default.png"
},
"reputation": 7,
"signal": 7,
"impact": 30
}
}
}
]
},
"program": {
"data": {
"id": "1337",
"type": "program",
"attributes": {
"handle": "security",
"created_at": "2016-02-02T04:05:06.000Z",
"updated_at": "2016-02-02T04:05:06.000Z"
}
}
},
"swag": {
"data": []
},
"attachments": {
"data": []
},
"weakness": {
"data": {
"id": "1337",
"type": "weakness",
"attributes": {
"name": "Cross-Site Request Forgery (CSRF)",
"description": "The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.",
"external_id": "cwe-352",
"created_at": "2016-02-02T04:05:06.000Z"
}
}
},
"structured_scope": {
"data": {
"id": "287",
"type": "structured-scope",
"attributes": {
"asset_type": "URL",
"asset_identifier": "www.hackerone.com",
"eligible_for_bounty": true,
"eligible_for_submission": true,
"instruction": "This asset does not contain any highly confidential information.",
"max_severity": "critical",
"created_at": "2016-02-02T04:05:06.000Z",
"updated_at": "2016-02-02T04:05:06.000Z",
"reference": "T12345",
"confidentiality_requirement": "medium",
"integrity_requirement": "high",
"availability_requirement": "medium"
}
}
},
"activities": {
"data": []
},
"bounties": {
"data": []
},
"summaries": {
"data": []
}
}
}
POST /reports
This API endpoint can be used to import known vulnerabilities into the
HackerOne platform to detect duplicates and to encourage having a central
vulnerability management system. When the API call is successful,
a report object will be returned.
Required permissions: Report Management. You can manage the permissions of your API users through your organization's settings. Insufficient permissions will result in a 403 Forbidden response.
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| data | body | object | true | The information to create a report. |
| » type | body | string | true | none |
| » attributes | body | object | true | none |
| »» team_handle | body | string | true | The handle of the team that the report is being submitted to. |
| »» title | body | string | true | The title of the report. |
| »» vulnerability_information | body | string | true | Detailed information about the vulnerability including the steps to reproduce as well as supporting material and references. |
| »» impact | body | string | true | The security impact that an attacker could achieve. |
| »» severity_rating | body | severity-ratings | false | The qualitative rating of the severity. Provided either directly from the author or mapped from the calculated vulnerability score. |
| »» weakness_id | body | integer | false | The ID of the weakness object that describes the type of the potential issue. |
| »» structured_scope_id | body | integer | false | The ID of the structured scope object that describes the attack surface. |
| »» source | body | string | true | A free-form string defining the source of the report for tracking purposes. For example, "detectify", "rapid7" or "jira". |
Enumerated Values
| Parameter | Value |
|---|---|
| » type | report |
| »» severity_rating | none |
| »» severity_rating | low |
| »» severity_rating | medium |
| »» severity_rating | high |
| »» severity_rating | critical |
Get Report
Code samples
# You can also use wget
curl "https://api.hackerone.com/v1/reports/{id}" \
-X GET \
-u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
-H 'Accept: application/json'
import requests
headers = {
'Accept': 'application/json'
}
r = requests.get(
'https://api.hackerone.com/v1/reports/{id}',
auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
headers = headers
)
print(r.json())
require 'rest-client'
require 'json'
headers = {
'Accept' => 'application/json'
}
result = RestClient::Request.execute(
method: :get,
url: 'https://api.hackerone.com/v1/reports/{id}',
password: '<YOUR_API_TOKEN>',
user: '<YOUR_API_USERNAME>',
headers: headers
)
p JSON.parse(result)
URL obj = new URL("https://api.hackerone.com/v1/reports/{id}");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);
con.setRequestMethod("GET");
try(BufferedReader br = new BufferedReader(
new InputStreamReader(con.getInputStream(), "utf-8"))) {
StringBuilder response = new StringBuilder();
String responseLine = null;
while ((responseLine = br.readLine()) != null) {
response.append(responseLine.trim());
}
System.out.println(response.toString());
}
let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
headers.set('Accept', 'application/json');
fetch('https://api.hackerone.com/v1/reports/{id}',
{
method: 'GET',
headers: headers
})
.then(function(res) {
return res.json();
}).then(function(body) {
console.log(body);
});
package main
import (
"io/ioutil"
"log"
"net/http"
)
func main() {
headers := map[string][]string{
"Accept": []string{"application/json"},
}
req, err := http.NewRequest("GET", "https://api.hackerone.com/v1/reports/{id}", nil)
req.Header = headers
req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
body, _ := ioutil.ReadAll(resp.Body)
log.Println(string(body))
}
report found
{
"data": {
"id": "1337",
"type": "report",
"attributes": {
"title": "XSS in login form",
"state": "new",
"created_at": "2016-02-02T04:05:06.000Z",
"vulnerability_information": "...",
"triaged_at": null,
"closed_at": null,
"last_reporter_activity_at": null,
"first_program_activity_at": null,
"last_program_activity_at": null,
"bounty_awarded_at": null,
"swag_awarded_at": null,
"disclosed_at": null,
"source": null
},
"relationships": {
"reporter": {
"data": {
"id": "1337",
"type": "user",
"attributes": {
"username": "api-example",
"name": "API Example",
"disabled": false,
"created_at": "2016-02-02T04:05:06.000Z",
"profile_picture": {
"62x62": "/assets/avatars/default.png",
"82x82": "/assets/avatars/default.png",
"110x110": "/assets/avatars/default.png",
"260x260": "/assets/avatars/default.png"
}
}
}
},
"collaborators": {
"data": [
{
"weight": 1,
"user": {
"id": "1337",
"type": "user",
"attributes": {
"username": "api-example",
"name": "API Example",
"disabled": false,
"created_at": "2016-02-02T04:05:06.000Z",
"profile_picture": {
"62x62": "/assets/avatars/default.png",
"82x82": "/assets/avatars/default.png",
"110x110": "/assets/avatars/default.png",
"260x260": "/assets/avatars/default.png"
},
"reputation": 7,
"signal": 7,
"impact": 30
}
}
},
{
"weight": 1,
"user": {
"id": "1338",
"type": "user",
"attributes": {
"username": "api-example 2",
"name": "API Example 2",
"disabled": false,
"created_at": "2016-02-02T04:05:06.000Z",
"profile_picture": {
"62x62": "/assets/avatars/default.png",
"82x82": "/assets/avatars/default.png",
"110x110": "/assets/avatars/default.png",
"260x260": "/assets/avatars/default.png"
},
"reputation": 7,
"signal": 7,
"impact": 30
}
}
}
]
},
"assignee": {
"data": {
"id": "1337",
"type": "user",
"attributes": {
"username": "member",
"name": "Member",
"disabled": false,
"created_at": "2016-02-02T04:05:06.000Z",
"profile_picture": {
"62x62": "/assets/avatars/default.png",
"82x82": "/assets/avatars/default.png",
"110x110": "/assets/avatars/default.png",
"260x260": "/assets/avatars/default.png"
}
}
}
},
"program": {
"data": {
"id": "1337",
"type": "program",
"attributes": {
"handle": "security",
"created_at": "2016-02-02T04:05:06.000Z",
"updated_at": "2016-02-02T04:05:06.000Z"
}
}
},
"severity": {
"data": {
"id": "57",
"type": "severity",
"attributes": {
"rating": "high",
"author_type": "User",
"user_id": 1337,
"created_at": "2016-02-02T04:05:06.000Z",
"score": 8.7,
"attack_complexity": "low",
"attack_vector": "adjacent",
"availability": "high",
"confidentiality": "low",
"integrity": "high",
"privileges_required": "low",
"user_interaction": "required",
"scope": "changed"
}
}
},
"swag": {
"data": []
},
"attachments": {
"data": []
},
"weakness": {
"data": {
"id": "1337",
"type": "weakness",
"attributes": {
"name": "Cross-Site Request Forgery (CSRF)",
"description": "The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.",
"external_id": "cwe-352",
"created_at": "2016-02-02T04:05:06.000Z"
}
}
},
"structured_scope": {
"data": {
"id": "57",
"type": "structured-scope",
"attributes": {
"asset_identifier": "api.example.com",
"asset_type": "url",
"confidentiality_requirement": "high",
"integrity_requirement": "high",
"availability_requirement": "high",
"max_severity": "critical",
"created_at": "2015-02-02T04:05:06.000Z",
"updated_at": "2016-05-02T04:05:06.000Z",
"instruction": null,
"eligible_for_bounty": true,
"eligible_for_submission": true,
"reference": "H001001"
}
}
},
"activities": {
"data": [
{
"type": "activity-comment",
"id": "445",
"attributes": {
"message": "Comment!",
"created_at": "2016-02-02T04:05:06.000Z",
"updated_at": "2016-02-02T04:05:06.000Z",
"internal": false
},
"relationships": {
"actor": {
"data": {
"id": "1337",
"type": "user",
"attributes": {
"username": "api-example",
"name": "API Example",
"disabled": false,
"created_at": "2016-02-02T04:05:06.000Z",
"profile_picture": {
"62x62": "/assets/avatars/default.png",
"82x82": "/assets/avatars/default.png",
"110x110": "/assets/avatars/default.png",
"260x260": "/assets/avatars/default.png"
},
"signal": null,
"impact": null,
"reputation": null,
"bio": null,
"website": null,
"location": null,
"hackerone_triager": false
}
}
},
"attachments": {
"data": [
{
"id": "1337",
"type": "attachment",
"attributes": {
"expiring_url": "/system/attachments/files/000/001/337/original/root.rb?1454385906",
"created_at": "2016-02-02T04:05:06.000Z",
"file_name": "root.rb",
"content_type": "text/x-ruby",
"file_size": 2871
}
}
]
}
}
},
{
"id": "1337",
"type": "activity-bug-resolved",
"attributes": {
"message": "Bug Resolved!",
"created_at": "2016-02-02T04:05:06.000Z",
"updated_at": "2016-02-02T04:05:06.000Z",
"internal": false
},
"relationships": {
"actor": {
"data": {
"id": "1337",
"type": "user",
"attributes": {
"username": "api-example",
"name": "API Example",
"disabled": false,
"created_at": "2016-02-02T04:05:06.000Z",
"profile_picture": {
"62x62": "/assets/avatars/default.png",
"82x82": "/assets/avatars/default.png",
"110x110": "/assets/avatars/default.png",
"260x260": "/assets/avatars/default.png"
}
}
}
}
}
}
]
},
"bounties": {
"data": []
},
"summaries": {
"data": []
},
"inboxes": {
"data": [
{
"id": "13",
"type": "inbox",
"attributes": {
"name": "HackerOne",
"type": "default"
}
},
{
"id": "65",
"type": "inbox",
"attributes": {
"name": "Custom Inbox number one",
"type": "custom"
}
}
]
},
"triggered_pre_submission_trigger": {
"data": {
"id": "1337",
"type": "trigger",
"attributes": {
"title": "Example Trigger"
}
}
},
"custom_field_values": {
"data": []
},
"automated_remediation_guidance": {
"data": {
"id": "1",
"type": "automated-remediation-guidance",
"attributes": {
"reference": "https://cwe.mitre.org/data/definitions/120.html",
"created_at": "2020-10-23T12:09:37.859Z"
}
}
},
"custom_remediation_guidance": {
"data": {
"id": "84",
"type": "custom-remediation-guidance",
"attributes": {
"message": "Check buffer boundaries if accessing the buffer in a loop and make sure you are not in danger of writing past the allocated space.",
"created_at": "2020-10-26T08:47:23.296Z"
},
"relationships": {
"author": {
"data": {
"id": "1338",
"type": "user",
"attributes": {
"username": "api-example-2",
"name": "API Example 2",
"disabled": false,
"created_at": "2020-10-22T011:22:05.402Z",
"profile_picture": {
"62x62": "/assets/avatars/default.png",
"82x82": "/assets/avatars/default.png",
"110x110": "/assets/avatars/default.png",
"260x260": "/assets/avatars/default.png"
}
}
}
}
}
}
}
}
}
}
GET /reports/{id}
A report object can be fetched by sending a GET request to a unique report object.
In case the request was successful, the API will respond with a
report object.
The following report relationships are included: reporter, collaborators, assignee (a user or group), program, weakness, severity, bounties, swag,activities, attachments, structured scope, summaries, triggered pre-submission trigger, custom field values, automated remediation guidance and custom remediation guidance.
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| id | path | integer | true | The ID of the report. |
Update Reference
Code samples
# You can also use wget
curl "https://api.hackerone.com/v1/reports/{id}/issue_tracker_reference_id" \
-X POST \
-u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
-H 'Content-Type: application/json' \
-H 'Accept: application/json' \
-d @- <<EOD
{
"data": {
"type": "issue-tracker-reference-id",
"attributes": {
"reference": "string",
"message": "string"
}
}
}
EOD
import requests
headers = {
'Content-Type': 'application/json',
'Accept': 'application/json'
}
data = {
"data": {
"type": "issue-tracker-reference-id",
"attributes": {
"reference": "string",
"message": "string"
}
}
}
r = requests.post(
'https://api.hackerone.com/v1/reports/{id}/issue_tracker_reference_id',
auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
json = data,
headers = headers
)
print(r.json())
require 'rest-client'
require 'json'
headers = {
'Content-Type' => 'application/json',
'Accept' => 'application/json'
}
data = {
"data": {
"type": "issue-tracker-reference-id",
"attributes": {
"reference": "string",
"message": "string"
}
}
}
result = RestClient::Request.execute(
method: :post,
url: 'https://api.hackerone.com/v1/reports/{id}/issue_tracker_reference_id',
password: '<YOUR_API_TOKEN>',
user: '<YOUR_API_USERNAME>',
payload: data,
headers: headers
)
p JSON.parse(result)
URL obj = new URL("https://api.hackerone.com/v1/reports/{id}/issue_tracker_reference_id");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);
con.setRequestMethod("POST");
con.setRequestProperty("Content-Type", "application/json; utf-8");
con.setRequestProperty("Accept", "application/json");
con.setDoOutput(true);
String jsonInputString = "{\n \"data\": {\n \"type\": \"issue-tracker-reference-id\",\n \"attributes\": {\n \"reference\": \"string\",\n \"message\": \"string\"\n }\n }\n}";
try(OutputStream os = con.getOutputStream()) {
byte[] input = jsonInputString.getBytes("utf-8");
os.write(input, 0, input.length);
}
try(BufferedReader br = new BufferedReader(
new InputStreamReader(con.getInputStream(), "utf-8"))) {
StringBuilder response = new StringBuilder();
String responseLine = null;
while ((responseLine = br.readLine()) != null) {
response.append(responseLine.trim());
}
System.out.println(response.toString());
}
let inputBody = "{\n \"data\": {\n \"type\": \"issue-tracker-reference-id\",\n \"attributes\": {\n \"reference\": \"string\",\n \"message\": \"string\"\n }\n }\n}";
let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
headers.set('Content-Type', 'application/json'); headers.set('Accept', 'application/json');
fetch('https://api.hackerone.com/v1/reports/{id}/issue_tracker_reference_id',
{
method: 'POST',
body: inputBody,
headers: headers
})
.then(function(res) {
return res.json();
}).then(function(body) {
console.log(body);
});
package main
import (
"bytes"
"io/ioutil"
"log"
"net/http"
)
func main() {
headers := map[string][]string{
"Content-Type": []string{"application/json"},
"Accept": []string{"application/json"},
}
data := bytes.NewBuffer([]byte(`"{\n \"data\": {\n \"type\": \"issue-tracker-reference-id\",\n \"attributes\": {\n \"reference\": \"string\",\n \"message\": \"string\"\n }\n }\n}"`))
req, err := http.NewRequest("POST", "https://api.hackerone.com/v1/reports/{id}/issue_tracker_reference_id", data)
req.Header = headers
req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
body, _ := ioutil.ReadAll(resp.Body)
log.Println(string(body))
}
reference updated
{
"relationships": {
"id": "77",
"type": "report",
"attributes": {
"title": "XSS in login form",
"state": "new",
"created_at": "2019-08-20T14:26:19.286Z",
"vulnerability_information": "...",
"triaged_at": null,
"closed_at": null,
"last_reporter_activity_at": "2019-08-20T14:26:20.531Z",
"first_program_activity_at": "2019-08-20T14:26:20.531Z",
"last_program_activity_at": "2019-08-20T15:25:56.627Z",
"bounty_awarded_at": null,
"swag_awarded_at": null,
"disclosed_at": null,
"last_public_activity_at": "2019-08-20T15:25:56.627Z",
"last_activity_at": "2019-08-20T15:25:56.627Z",
"cve_ids": [],
"source": null
},
"relationships": {
"activities": {
"data": [
{
"type": "activity-reference-id-added",
"id": "<id>",
"attributes": {
"message": "Reference Id Added!",
"created_at": "2016-02-02T04:05:06.000Z",
"updated_at": "2016-02-02T04:05:06.000Z",
"internal": true,
"reference": "T7413",
"reference_url": "https://example.com/T7413"
},
"relationships": {
"actor": {
"data": {
"id": "<id>",
"type": "user",
"attributes": {
"username": "api_user",
"name": null,
"disabled": false,
"created_at": "2019-10-14T13:59:49.563Z",
"profile_picture": {
"62x62": "/assets/avatars/default.png",
"82x82": "/assets/avatars/default.png",
"110x110": "/assets/avatars/default.png",
"260x260": "/assets/avatars/default.png"
},
"signal": null,
"impact": null,
"reputation": null,
"bio": null,
"website": null,
"location": null,
"hackerone_triager": false
}
}
}
}
}
]
}
}
}
}
POST /reports/{id}/issue_tracker_reference_id
This API allows the user to set a reference to an external issue tracker.
A report can only hold 1 active reference at the same time. However, a log of previously added references can be found in the activities relationship on a report object. This API endpoint cannot be used for reports that have been reported outside of the HackerOne platform.
To begin setting up the integration with your issue tracker, check out the Integrations tab under your Program settings on HackerOne.com.
Required permissions: Report Management. You can manage the permissions of your API users through your organization's settings. Insufficient permissions will result in a 403 Forbidden response.
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| id | path | integer | true | The ID of the report. |
| data | body | object | true | The information to update the reference of a report. |
| » type | body | string | true | none |
| » attributes | body | object | true | none |
| »» reference | body | string | true | The unique reference in the issue tracker. |
| »» message | body | string | false | The message that will be posted. |
Enumerated Values
| Parameter | Value |
|---|---|
| » type | issue-tracker-reference-id |
Users
Get User
Code samples
# You can also use wget
curl "https://api.hackerone.com/v1/users/{username}" \
-X GET \
-u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
-H 'Accept: application/json'
import requests
headers = {
'Accept': 'application/json'
}
r = requests.get(
'https://api.hackerone.com/v1/users/{username}',
auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
headers = headers
)
print(r.json())
require 'rest-client'
require 'json'
headers = {
'Accept' => 'application/json'
}
result = RestClient::Request.execute(
method: :get,
url: 'https://api.hackerone.com/v1/users/{username}',
password: '<YOUR_API_TOKEN>',
user: '<YOUR_API_USERNAME>',
headers: headers
)
p JSON.parse(result)
URL obj = new URL("https://api.hackerone.com/v1/users/{username}");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);
con.setRequestMethod("GET");
try(BufferedReader br = new BufferedReader(
new InputStreamReader(con.getInputStream(), "utf-8"))) {
StringBuilder response = new StringBuilder();
String responseLine = null;
while ((responseLine = br.readLine()) != null) {
response.append(responseLine.trim());
}
System.out.println(response.toString());
}
let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
headers.set('Accept', 'application/json');
fetch('https://api.hackerone.com/v1/users/{username}',
{
method: 'GET',
headers: headers
})
.then(function(res) {
return res.json();
}).then(function(body) {
console.log(body);
});
package main
import (
"io/ioutil"
"log"
"net/http"
)
func main() {
headers := map[string][]string{
"Accept": []string{"application/json"},
}
req, err := http.NewRequest("GET", "https://api.hackerone.com/v1/users/{username}", nil)
req.Header = headers
req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
body, _ := ioutil.ReadAll(resp.Body)
log.Println(string(body))
}
user found
{
"id": "1634",
"username": "fransrosen",
"name": "Frans Rosén",
"reputation": 1337,
"disabled": false,
"signal": 7,
"impact": 30,
"created_at": "2015-13-37T04:05:06.000Z",
"participating_programs": {
"data": [
{
"id": "1337",
"type": "program",
"attributes": {
"handle": "security",
"created_at": "2014-13-37T04:05:06.000Z",
"updated_at": "2014-13-37T04:05:06.000Z"
}
}
]
}
}
GET /users/{username}
A user object can be fetched by providing the username of the given user. When the request is successful, the API will respond with a user object
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| username | path | string | true | The HackerOne username of the user. |
Get User By ID
Code samples
# You can also use wget
curl "https://api.hackerone.com/v1/user_by_id/{id}" \
-X GET \
-u "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>" \
-H 'Accept: application/json'
import requests
headers = {
'Accept': 'application/json'
}
r = requests.get(
'https://api.hackerone.com/v1/user_by_id/{id}',
auth=('<YOUR_API_USERNAME>', '<YOUR_API_TOKEN>'),
headers = headers
)
print(r.json())
require 'rest-client'
require 'json'
headers = {
'Accept' => 'application/json'
}
result = RestClient::Request.execute(
method: :get,
url: 'https://api.hackerone.com/v1/user_by_id/{id}',
password: '<YOUR_API_TOKEN>',
user: '<YOUR_API_USERNAME>',
headers: headers
)
p JSON.parse(result)
URL obj = new URL("https://api.hackerone.com/v1/user_by_id/{id}");
HttpURLConnection con = (HttpURLConnection) obj.openConnection();
String userCredentials = "<YOUR_API_USERNAME>:<YOUR_API_TOKEN>";
String basicAuth = "Basic " + new String(Base64.getEncoder().encode(userCredentials.getBytes()));
con.setRequestProperty ("Authorization", basicAuth);
con.setRequestMethod("GET");
try(BufferedReader br = new BufferedReader(
new InputStreamReader(con.getInputStream(), "utf-8"))) {
StringBuilder response = new StringBuilder();
String responseLine = null;
while ((responseLine = br.readLine()) != null) {
response.append(responseLine.trim());
}
System.out.println(response.toString());
}
let user = '<YOUR_API_USERNAME>';
let password = '<YOUR_API_TOKEN>';
let headers = new Headers();
headers.set('Authorization', 'Basic ' + btoa(user + ":" + password));
headers.set('Accept', 'application/json');
fetch('https://api.hackerone.com/v1/user_by_id/{id}',
{
method: 'GET',
headers: headers
})
.then(function(res) {
return res.json();
}).then(function(body) {
console.log(body);
});
package main
import (
"io/ioutil"
"log"
"net/http"
)
func main() {
headers := map[string][]string{
"Accept": []string{"application/json"},
}
req, err := http.NewRequest("GET", "https://api.hackerone.com/v1/user_by_id/{id}", nil)
req.Header = headers
req.SetBasicAuth("<YOUR_API_USERNAME>", "<YOUR_API_TOKEN>")
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
body, _ := ioutil.ReadAll(resp.Body)
log.Println(string(body))
}
user found
{
"id": "1634",
"username": "fransrosen",
"name": "Frans Rosén",
"reputation": 1337,
"disabled": false,
"signal": 7,
"impact": 30,
"created_at": "2015-13-37T04:05:06.000Z",
"participating_programs": {
"data": [
{
"id": "1337",
"type": "program",
"attributes": {
"handle": "security",
"created_at": "2014-13-37T04:05:06.000Z",
"updated_at": "2014-13-37T04:05:06.000Z"
}
}
]
}
}
GET /user_by_id/{id}
A user object can be fetched by providing the id of the given user. When the request is successful, the API will respond with a user object
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| id | path | string | true | The HackerOne id of the user. |