Hacker Reference
The following section contains a complete reference of all the objects that can be returned through the API. Objects that have been explained earlier in this documentation are not included. The objects in this section are never top level resources by themselves and will only be returned as sub resources.
All objects are made up of an id and a type attribute. With those, additional attributes and relationships can be specified. An example how the data schema looks like, take a look at the response structure or the response object. Additional reading can be done at jsonapi.org.
activity
{
"id": "string",
"type": "string",
"attributes": {
"report_id": "string",
"message": "string",
"internal": true,
"created_at": "2019-08-24T14:15:22Z",
"updated_at": "2019-08-24T14:15:22Z"
},
"relationships": {
"actor": {
"data": {}
},
"attachments": {
"data": [
{
"id": "1337",
"type": "attachment",
"attributes": {
"expiring_url": "/system/attachments/files/000/001/337/original/root.rb?1454385906",
"created_at": "2016-02-02T04:05:06.000Z",
"file_name": "root.rb",
"content_type": "text/x-ruby",
"file_size": 2871
}
}
]
}
}
}
These objects represent an action that was performed on a report. Activities come in many sub types that can have additional attributes.
Attributes
| Name | Type | Required | Description |
|---|---|---|---|
| id | string | true | The unique ID of the activity. |
| type | string | true | Indicates what kind of activity it is. |
| attributes | object | true | none |
| » report_id | string | false | The report associated with the activity. |
| » message | string¦null | true | The comment associated with the activity. May be updated through the HackerOne interface. Markdown is not parsed. |
| » internal | boolean | true | Indicates if this activity can only be read by Program users and external users that were invited to the report. |
| » created_at | string(date-time) | true | The date and time the object was created. Formatted according to ISO 8601. |
| » updated_at | string(date-time) | true | The date and time the object was updated. Formatted according to ISO 8601. |
| relationships | object | false | none |
| » actor | object | false | The author of the activity. |
| »» data | object | false | none |
oneOf - discriminator: user.type
| Name | Type | Required | Description |
|---|---|---|---|
| »»» anonymous | user | false | User objects represent accounts on HackerOne. These objects are mostly referenced when someone performed an action using that account. All different actors on the platform, hackers, API users, and program users, have a user account. |
xor
| Name | Type | Required | Description |
|---|---|---|---|
| »»» anonymous | program | false | A program object represents a disclosure program or bug bounty program on the platform. When a user reports a bug to a program, this is the object they interact with. Behind a program, there can be multiple users that are part of the program. Those users can interact with reports on behalf of the program. |
continued
| Name | Type | Required | Description |
|---|---|---|---|
| » attachments | object | false | A list of Attachment objects added to the activity. |
| »» data | [attachment] | false | [Users can add attachments when they file a report or when they interact with a report. Attachments may contain dangerous proof of concepts and should be handled with caution. ] |
attachment
{
"id": "1337",
"type": "attachment",
"attributes": {
"expiring_url": "/system/attachments/files/000/001/337/original/root.rb?1454385906",
"created_at": "2016-02-02T04:05:06.000Z",
"file_name": "root.rb",
"content_type": "text/x-ruby",
"file_size": 2871
}
}
Users can add attachments when they file a report or when they interact with a report. Attachments may contain dangerous proof of concepts and should be handled with caution.
Attributes
| Name | Type | Required | Description |
|---|---|---|---|
| id | string | true | The unique ID of the attachment. |
| type | string | true | none |
| attributes | object | true | none |
| » file_name | string | true | The file name of the attachment. |
| » content_type | string | true | The content type of the attachment. The content type is derived from the contents and extension of the file. |
| » file_size | integer | true | The file size of the attachment in bytes. |
| » expiring_url | string | true | A URL to download the attachment. The URL will automatically expire after 60 minutes. |
| » created_at | string(date-time) | true | The date and time the object was created. Formatted according to ISO 8601. |
Enumerated Values
| Property | Value |
|---|---|
| type | attachment |
bounty
{
"id": "1337",
"type": "bounty",
"attributes": {
"amount": "500.00",
"bonus_amount": "50.00",
"created_at": "2016-02-02T04:05:06.000Z"
}
}
When a program pays a bounty to the hacker, a bounty object is created. A report may contain multiple bounty objects, one for each time a bounty was awarded. The hacker that reported the vulnerability is the user that received the bounty.
Attributes
| Name | Type | Required | Description |
|---|---|---|---|
| id | string | true | The unique ID of the bounty. |
| type | string | true | none |
| attributes | object | true | none |
| » amount | string¦null | false | Amount in USD. |
| » bonus_amount | string¦null | false | Bonus amount in USD. |
| » awarded_amount | string¦null | false | Amount in awarded currency. |
| » awarded_bonus_amount | string¦null | false | Bonus amount in awarded currency. |
| » awarded_currency | string¦null | false | The currency used to award the bounty and bonus. |
| » created_at | string(date-time) | true | The date and time the object was created. Formatted according to ISO 8601. |
Enumerated Values
| Property | Value |
|---|---|
| type | bounty |
earning
{
"id": 9,
"type": "earning-bounty-earned",
"attributes": {
"amount": 150,
"created_at": "2015-02-02T04:05:06.000Z"
}
}
An earning object
Attributes
| Name | Type | Required | Description |
|---|---|---|---|
| id | string | false | The unique ID of the earning object |
| type | any | false | none |
| attributes | object | false | none |
| » amount | number | true | The amount that was earned |
| required | any | false | none |
| relationships | object | false | none |
| » team | object | false | The program where the earning was earned. |
| »» data | program | false | A program object represents a disclosure program or bug bounty program on the platform. When a user reports a bug to a program, this is the object they interact with. Behind a program, there can be multiple users that are part of the program. Those users can interact with reports on behalf of the program. |
| » bounty | object | false | The bounty object for the earning, in the case of earning-bounty-earned type |
| »» data | bounty | false | When a program pays a bounty to the hacker, a bounty object is created. A report may contain multiple bounty objects, one for each time a bounty was awarded. The hacker that reported the vulnerability is the user that received the bounty. |
| » pentester | object | false | The pentester object for the earning, in the case of earning-pentest-completed |
| »» data | pentester | false | A pentester object represents a completion of a pentest by a user. |
| » report_retest_user | object | false | The report_retest_user object for the earning, in the case of earning-retest-completed |
| »» data | report-retest-user | false | A report-retest-user object represents a completion of a retest by a user. |
Enumerated Values
| Property | Value |
|---|---|
| type | earning-bounty-earned |
| type | earning-retest-completed |
| type | earning-pentest-completed |
group
{
"id": "1337",
"type": "group",
"attributes": {
"name": "Admin",
"created_at": "2016-02-02T04:05:06.000Z",
"permissions": [
"user_management",
"report_management"
]
}
}
A group represents a set of users. A group is used to delegate permissions for the users in it. It can also be assigned to one or multiple reports.
Attributes
| Name | Type | Required | Description |
|---|---|---|---|
| id | string | true | The unique ID of the group. |
| type | string | true | none |
| attributes | object | true | none |
| » name | string | true | The name of the group. |
| » permissions | [string] | true | The permissions of the group. Possible values are reward_management, program_management, user_management, and report_management. |
| » created_at | string(date-time) | true | The date and time the object was created. Formatted according to ISO 8601. |
Enumerated Values
| Property | Value |
|---|---|
| type | group |
hacktivity_item
{
"data": [
{
"id": 689314,
"type": "report",
"attributes": {
"title": "Project Template functionality can be used to copy private project data",
"substate": "Resolved",
"url": "https://hackerone.com/reports/689314",
"disclosed_at": "2019-11-27T10:02:44.156Z",
"cve_ids": [],
"cwe": "Privilege Escalation",
"severity_rating": "critical",
"votes": 438,
"total_awarded_amount": 12000,
"latest_disclosable_action": "Activities::ReportBecamePublic",
"latest_disclosable_activity_at": "2019-11-27T10:02:44.181Z",
"submitted_at": "2019-09-06T05:40:41.068Z",
"disclosed": true
},
"relationships": {
"report_generated_content": {
"data": {
"type": "report_generated_content",
"attributes": {
"hacktivity_summary": "Here you could see a generated summary."
}
}
},
"reporter": {
"data": {
"type": "user",
"attributes": {
"name": "Jobert Abma",
"username": "jobert"
}
}
},
"program": {
"data": {
"type": "program",
"attributes": {
"handle": "gitlab",
"name": "GitLab",
"currency": "usd",
"url": "https://hackerone.com/gitlab"
}
}
}
}
}
]
}
A hacktivity_item object contains a limited set of information from a report.
Hacktivity items can be refined with a set of available filters and return
meta information such as state, bounty awards, the program and reporter.
Attributes
| Name | Type | Required | Description |
|---|---|---|---|
| id | string | true | The unique ID of the report. |
| type | string | true | none |
| attributes | object | true | none |
| » title | string¦null | false | The title of the report. |
| » substate | report-states | false | The current state of the report. |
| » url | string(url)¦null | false | The URL of the report. |
| » disclosed_at | string(date-time)¦null | false | The date and time the report was disclosed. Formatted according to ISO 8601. |
| » submitted_at | string(date-time)¦null | false | The date and time the report was submitted. Formatted according to ISO 8601. |
| » disclosed | boolean | true | Whether the report has been disclosed or not. |
| » cve_ids | [string]¦null | false | Assigned CVE id(s) for this report |
| » cwe | string¦null | false | The Weakness for this report. |
| » severity_rating | string¦null | false | The severity rating for this report. |
| » votes | integer¦null | false | The number of upvotes for this report. |
| » total_awarded_amount | integer¦null | false | The total bounty amount awarded for this report. |
| » latest_disclosable_action | string¦null | false | The type of the latest public activity that on this report. |
| » latest_disclosable_activity_at | string(date-time)¦null | false | The date and time that the latest public activity was posted on the report. Formatted according to ISO 8601. |
| relationships | object | true | none |
| » report_generated_content | object | false | The generated report summary. |
| »» data | report_generated_content | false | A report_generated_content object contains the AI summary of a report. |
| » reporter | object | false | The user that created the report. This object contains the user's username and name. |
| »» data | user | false | User objects represent accounts on HackerOne. These objects are mostly referenced when someone performed an action using that account. All different actors on the platform, hackers, API users, and program users, have a user account. |
| » program | object | true | The program that received the report. |
| »» data | program_small | false | A program object represents a disclosure program or bug bounty program on the platform. When a user reports a bug to a program, this is the object they interact with. Behind a program, there can be multiple users that are part of the program. Those users can interact with reports on behalf of the program. |
Enumerated Values
| Property | Value |
|---|---|
| type | report |
links
{
"data": [
{
"id": "1337",
"type": "some-object",
"attributes": {
"some_attribute": "some value"
},
"relationships": {
"some_relationship": {
"data": {
"id": "1337",
"type": "some-other-object",
"attributes": {
"some_attribute": "some value"
}
}
}
}
}
],
"links": {
"prev": "https://api.hackerone.com/v1/hackers/reports/1336",
"self": "https://api.hackerone.com/v1/hackers/reports/1337",
"next": "https://api.hackerone.com/v1/hackers/reports/1338"
}
}
When querying for multiple objects, the client needs to know how to query the next page. This kind of data is included in this attribute. In case there is no additional meta data, this attribute is not returned by the API.
Attributes
| Name | Type | Required | Description |
|---|---|---|---|
| attributes | object | false | none |
| » prev | string | false | This attribute contains a URL to the previous page or previous resource when the resource or resources are paginated. |
| » self | string | false | This attribute contains a URL to the resource itself when it can be queried as a top level resource. At this moment, only report objects can be queried as individual resources. |
| » next | string | false | This attribute contains the URL to the next page or next resource when the resource or resources are paginated. |
payout
{
"amount": 100,
"paid_out_at": "2016-02-02T04:05:06.000Z",
"reference": "<reference>",
"payout_provider": "PayPal",
"status": "sent"
}
A payout object
Attributes
| Name | Type | Required | Description |
|---|---|---|---|
| amount | number | false | the amount in USD that was paid out |
| paid_out_at | date-time | false | The date and time the payout was created. Formatted according to ISO 8601. |
| reference | string | false | none |
| payout_provider | string | false | none |
| status | string | false | none |
pentest
{
"id": "123",
"type": "pentest",
"attributes": {
"name": "Name of the pentest",
"description": "This is the description"
}
}
A pentest object
Attributes
| Name | Type | Required | Description |
|---|---|---|---|
| id | string | false | The unique ID of the pentest object |
| type | string | false | none |
| attributes | object | false | none |
| » name | string | false | The name of the pentest |
| » description | string | false | The description of the pentest |
| required | any | false | none |
Enumerated Values
| Property | Value |
|---|---|
| type | pentest |
pentester
{
"id": "123",
"type": "pentester",
"attributes": {
"completed_at": "2016-02-02T04:05:06.000Z",
"award_amount": "4000.00"
}
}
A pentester object represents a completion of a pentest by a user.
Attributes
| Name | Type | Required | Description |
|---|---|---|---|
| id | string | false | The unique ID of the pentester object |
| type | string | false | none |
| attributes | object | false | none |
| » amount | number | true | The amount that was earned by the user |
| » completed_at | string(date-time) | false | The date and time the user completed the pentest. Formatted according to ISO 8601. |
| required | any | false | none |
| relationships | object | false | none |
| » pentest | object | false | The pentest object completed by the user |
| »» data | pentest | false | A pentest object |
Enumerated Values
| Property | Value |
|---|---|
| type | pentester |
program
{
"id": 9,
"type": "program",
"attributes": {
"handle": "acme",
"name": "acme",
"currency": "usd",
"profile_picture": "/assets/global-elements/add-team.png",
"submission_state": "open",
"triage_active": false,
"state": "public_mode",
"started_accepting_at": null,
"number_of_reports_for_user": 0,
"number_of_valid_reports_for_user": 0,
"bounty_earned_for_user": 0,
"last_invitation_accepted_at_for_user": null,
"bookmarked": false,
"allows_bounty_splitting": false,
"offers_bounties": true,
"open_scope": true,
"fast_payments": true,
"gold_standard_safe_harbor": false
},
"relationships": {
"structured_scopes": {
"data": []
}
}
}
A program object represents a disclosure program or bug bounty program on the platform. When a user reports a bug to a program, this is the object they interact with. Behind a program, there can be multiple users that are part of the program. Those users can interact with reports on behalf of the program.
Attributes
| Name | Type | Required | Description |
|---|---|---|---|
| id | string | true | The unique ID of the program. |
| type | string | true | none |
| attributes | object | true | none |
| » handle | string | true | The handle of the program. Handles are unique and scoped under the same namespace as user usernames. |
| » name | string | true | The name of the program. |
| » currency | string¦null | true | The currency used by the program for payments. |
| » profile_picture | string(uri) | true | The profile picture of the program. |
| » submission_state | string | true | The submission state of the program. |
| » triage_active | boolean¦null | true | Indicates if the program is actively triaging. |
| » state | string¦null | true | The state of the program. |
| » started_accepting_at | string(date-time)¦null | true | The date and time the program started accepting submissions. |
| » number_of_reports_for_user | integer¦null | true | The number of reports submitted by the user. |
| » number_of_valid_reports_for_user | integer¦null | true | The number of valid reports submitted by the user. |
| » bounty_earned_for_user | number¦null | true | The total bounty earned by the user. |
| » last_invitation_accepted_at_for_user | string(date-time)¦null | true | The date and time the user last accepted an invitation. |
| » bookmarked | boolean¦null | true | Indicates if the program is bookmarked by the user. |
| » allows_bounty_splitting | boolean¦null | true | Indicates if the program allows bounty splitting (collaboration). |
| » offers_bounties | boolean¦null | true | Indicates if the program offers bounties. |
| » open_scope | boolean¦null | true | Indicates if the program has an open scope policy. |
| » fast_payments | boolean¦null | true | Indicates if the program commits to fast payouts. |
| » gold_standard_safe_harbor | boolean¦null | true | Indicates if the program is enrroled in the Gold Standard Safe Harbor. |
| relationships | object | false | none |
| » structured_scopes | object | false | The assets of the program, which is used to determine whether a security vulnerability is within the scope of said program. |
| »» data | [structured-scope] | false | [A StructuredScope object represents an asset defined by the program. The scope on a report was initially provided by the hacker, but may be reviewed and corrected by the program. ] |
Enumerated Values
| Property | Value |
|---|---|
| type | program |
program_small
{
"id": "1337",
"type": "program",
"attributes": {
"handle": "security"
}
}
A program object represents a disclosure program or bug bounty program on the platform. When a user reports a bug to a program, this is the object they interact with. Behind a program, there can be multiple users that are part of the program. Those users can interact with reports on behalf of the program.
Attributes
| Name | Type | Required | Description |
|---|---|---|---|
| id | string | true | The unique ID of the program. |
| type | string | true | none |
| attributes | object | true | none |
| » handle | string | true | The handle of the program. Handles are unique and scoped under the same namespace as user usernames. |
Enumerated Values
| Property | Value |
|---|---|
| type | program |
report
{
"data": {
"id": "1337",
"type": "report",
"attributes": {
"title": "XSS in login form",
"state": "new",
"created_at": "2021-06-30T09:59:37.783Z",
"vulnerability_information": "Soo much vuln\n\n## Impact\n\nSoo much impact",
"triaged_at": null,
"closed_at": null,
"last_reporter_activity_at": "2021-06-30T09:59:38.294Z",
"first_program_activity_at": "2021-06-30T09:59:38.294Z",
"last_program_activity_at": "2021-06-30T09:59:38.294Z",
"bounty_awarded_at": null,
"swag_awarded_at": null,
"disclosed_at": null,
"reporter_agreed_on_going_public_at": null,
"last_public_activity_at": "2021-06-30T09:59:38.294Z",
"last_activity_at": "2021-06-30T09:59:38.294Z",
"cve_ids": []
},
"relationships": {
"reporter": {
"data": {
"id": "1337",
"type": "user",
"attributes": {
"username": "hacker",
"name": "Hacker",
"disabled": false,
"created_at": "2021-05-28T11:27:05.082Z",
"profile_picture": {
"62x62": "/assets/avatars/default.png",
"82x82": "/assets/avatars/default.png",
"110x110": "/assets/avatars/default.png",
"260x260": "/assets/avatars/default.png"
},
"bio": "Hacker.",
"website": "https://example.com",
"location": "Hackland",
"hackerone_triager": false
}
}
},
"program": {
"data": {
"id": "1337",
"type": "program",
"attributes": {
"handle": "security",
"created_at": "2013-01-01T00:00:00.000Z",
"updated_at": "2021-06-25T10:04:59.678Z"
}
}
},
"severity": {
"data": {
"id": "74",
"type": "severity",
"attributes": {
"rating": "high",
"author_type": "User",
"user_id": 1337,
"created_at": "2021-06-30T09:59:38.029Z"
}
}
},
"swag": {
"data": []
},
"attachments": {
"data": []
},
"weakness": {
"data": {
"id": "1337",
"type": "weakness",
"attributes": {
"name": "Cross-Site Request Forgery (CSRF)",
"description": "The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.",
"external_id": "cwe-352",
"created_at": "2021-05-28T11:26:59.604Z"
}
}
},
"activities": {
"data": []
},
"bounties": {
"data": []
},
"summaries": {
"data": []
}
}
}
}
A report object contains the information that hackers submitted to a program, the interactions the program users had with the report, and all additional meta information like bounties, swag, and internal references.
Attributes
| Name | Type | Required | Description |
|---|---|---|---|
| id | string | true | The unique ID of the report. |
| type | string | true | none |
| attributes | object | true | none |
| » title | string | true | The title of the report. May be updated through the HackerOne interface. |
| » vulnerability_information | string | false | The raw report's vulnerability information. Markdown is not parsed. |
| » state | report-states | true | The report its current state. May be updated through the HackerOne interface or the HackerOne API. |
| » created_at | string(date-time) | true | The date and time the object was created. Formatted according to ISO 8601. |
| » triaged_at | string(date-time)¦null | true | The date and time the report was triaged. This attribute is reset when the report was reopened after it was triaged. Formatted according to ISO 8601. |
| » closed_at | string(date-time)¦null | true | The date and time the report was closed. This attribute is reset when the report was reopened after it was closed. Formatted according to ISO 8601. |
| » last_reporter_activity_at | string(date-time)¦null | true | The date and time that the most recent reporter activity was posted on the report. Formatted according to ISO 8601. |
| » first_program_activity_at | string(date-time)¦null | true | The date and time that the first program activity was posted on the report. Formatted according to ISO 8601. |
| » last_program_activity_at | string(date-time)¦null | true | The date and time that the most recent program activity was posted on the report. Formatted according to ISO 8601. |
| » last_activity_at | string(date-time)¦null | true | The date and time that the most recent activity was posted on the report. Formatted according to ISO 8601. |
| » last_public_activity_at | string(date-time)¦null | true | The date and time that the most recent public activity was posted on the report. Formatted according to ISO 8601. |
| » bounty_awarded_at | string(date-time)¦null | true | The date and time that the most recent bounty was awarded on the report. Formatted according to ISO 8601. |
| » swag_awarded_at | string(date-time)¦null | true | The date and time that the most recent swag was awarded on the report. Formatted according to ISO 8601. |
| » disclosed_at | string(date-time)¦null | true | The date and time the report was disclosed. Formatted according to ISO 8601. |
| » reporter_agreed_on_going_public_at | string(date-time)¦null | true | The date and time the reporter agreed for the public disclosure. Formatted according to ISO 8601. |
| » cve_ids | [string] | false | An assigned CVE id(s) for this report |
| relationships | object | true | none |
| » program | object | true | The program that received the report. |
| »» data | program_small | false | A program object represents a disclosure program or bug bounty program on the platform. When a user reports a bug to a program, this is the object they interact with. Behind a program, there can be multiple users that are part of the program. Those users can interact with reports on behalf of the program. |
| » attachments | object | false | A list of Attachment objects that the reporter added to the report. |
| »» data | [attachment] | false | [Users can add attachments when they file a report or when they interact with a report. Attachments may contain dangerous proof of concepts and should be handled with caution. ] |
| » swag | object | false | A list of Swag objects that were awarded to the reporter. |
| »» data | [swag] | false | [Besides a financial reward, which is called a bounty, programs can award swag. Report objects may contain multiple swag objects, one for each time swag was awarded. ] |
| » weakness | object | false | The Weakness object of the report provided by the reporter or team. |
| »» data | weakness | false | A Weakness object represents the type of weakness the hacker submitted to a program. The weakness was initially provided by the hacker, but may be reviewed and corrected by the program. |
| » structured_scope | object | false | The StructuredScope object of the report provided by the reporter or team. |
| »» data | structured-scope | false | A StructuredScope object represents an asset defined by the program. The scope on a report was initially provided by the hacker, but may be reviewed and corrected by the program. |
| » severity | object | false | The Severity object of the report provided by the reporter or team. |
| »» data | severity | false | A severity object represents the severity of a report, if provided by the reporter or a team member. |
| » reporter | object | false | The user that created the report. This object contains the user's reputation, signal, and impact metrics. |
| »» data | user | false | User objects represent accounts on HackerOne. These objects are mostly referenced when someone performed an action using that account. All different actors on the platform, hackers, API users, and program users, have a user account. |
| » activities | object | false | A list of Activity objects that can be used to generate a timeline of changes. Activities are ordered by most recent first. |
| »» data | [activity] | false | [These objects represent an action that was performed on a report. Activities come in many sub types that can have additional attributes. ] |
| » bounties | object | false | A list of Bounty objects that were awarded to the reporter. |
| »» data | [bounty] | false | [When a program pays a bounty to the hacker, a bounty object is created. A report may contain multiple bounty objects, one for each time a bounty was awarded. The hacker that reported the vulnerability is the user that received the bounty. ] |
| » summaries | object | false | A list of Report Summary objects that were added to the report by the reporter and team. |
| »» data | [report-summary] | false | [Before a report is disclosed, the program, the HackerOne Triage team and hacker may add a summary. A report can have only one summary per party. Unlike activities, summaries can be edited through HackerOne indefinitely. Triage summaries are only visible to team members and the HackerOne Triage team. ] |
Enumerated Values
| Property | Value |
|---|---|
| type | report |
report_generated_content
{
"id": "123",
"type": "report_generated_content",
"attributes": {
"hacktivity_summary": "Oh yes it is"
}
}
A report_generated_content object contains the AI summary of a report.
Attributes
| Name | Type | Required | Description |
|---|---|---|---|
| id | string | false | The unique ID of the report_generated_content object |
| type | any | false | none |
| attributes | object | false | none |
| » hacktivity_summary | string¦null | false | The generated report summary. |
| » required | any | false | none |
| required | any | false | none |
report-retest
{
"id": "123",
"type": "report-retest"
}
A report-retest object
Attributes
| Name | Type | Required | Description |
|---|---|---|---|
| id | string | false | The unique ID of the report-retest object |
| type | string | false | none |
| attributes | object | false | none |
| required | any | false | none |
| relationships | object | false | none |
| » report | object | false | The retested report |
| »» data | report | false | A report object contains the information that hackers submitted to a program, the interactions the program users had with the report, and all additional meta information like bounties, swag, and internal references. |
Enumerated Values
| Property | Value |
|---|---|
| type | report-retest |
report-retest-user
{
"id": "1223",
"type": "report-retest-user",
"attributes": {
"completed_at": "2016-02-02T04:05:06.000Z"
}
}
A report-retest-user object represents a completion of a retest by a user.
Attributes
| Name | Type | Required | Description |
|---|---|---|---|
| id | string | false | The unique ID of the report-retest-user object |
| type | string | false | none |
| attributes | object | false | none |
| » completed_at | string(date-time) | false | The date and time the user completed the retest. Formatted according to ISO 8601. |
| required | any | false | none |
| relationships | object | false | none |
| » report_retest | object | false | The retest object completed by the user |
| »» data | report-retest | false | A report-retest object |
Enumerated Values
| Property | Value |
|---|---|
| type | report-retest-user |
report-states
"new"
Attributes
| Name | Type | Required | Description |
|---|---|---|---|
| report-states | string | false | none |
Enumerated Values
| Property | Value |
|---|---|
| report-states | new |
| report-states | pending-program-review |
| report-states | triaged |
| report-states | needs-more-info |
| report-states | resolved |
| report-states | not-applicable |
| report-states | informative |
| report-states | duplicate |
| report-states | spam |
| report-states | retesting |
report-summary
{
"id": "1337",
"type": "report-summary",
"attributes": {
"content": "There was a cross-site scripting vulnerability in our login form.",
"category": "team",
"created_at": "2016-02-02T04:05:06.000Z",
"updated_at": "2016-02-02T04:05:06.000Z"
},
"relationships": {
"user": {
"data": {
"id": "1337",
"type": "user",
"attributes": {
"username": "api-example",
"name": "API Example",
"disabled": false,
"created_at": "2016-02-02T04:05:06.000Z",
"profile_picture": {
"62x62": "/assets/avatars/default.png",
"82x82": "/assets/avatars/default.png",
"110x110": "/assets/avatars/default.png",
"260x260": "/assets/avatars/default.png"
}
}
}
}
}
}
Before a report is disclosed, the program, the HackerOne Triage team and hacker may add a summary. A report can have only one summary per party. Unlike activities, summaries can be edited through HackerOne indefinitely. Triage summaries are only visible to team members and the HackerOne Triage team.
Attributes
| Name | Type | Required | Description |
|---|---|---|---|
| id | string | true | The unique ID of the report summary. |
| type | string | true | none |
| attributes | object | true | none |
| » content | string | true | The raw summary of the report. Markdown is not parsed. |
| » category | string | true | The involved party that wrote the summary. |
| » created_at | string(date-time) | true | The date and time the object was created. Formatted according to ISO 8601. |
| » updated_at | string(date-time) | true | The date and time the object was last updated. Formatted according to ISO 8601. |
| relationships | object | true | none |
| » user | object | false | The author that added the summary to the report. |
| »» data | user | false | User objects represent accounts on HackerOne. These objects are mostly referenced when someone performed an action using that account. All different actors on the platform, hackers, API users, and program users, have a user account. |
Enumerated Values
| Property | Value |
|---|---|
| type | report-summary |
| category | researcher |
| category | team |
| category | triage |
severity
{
"id": "57",
"type": "severity",
"attributes": {
"rating": "high",
"author_type": "User",
"user_id": 1337,
"created_at": "2016-02-02T04:05:06.000Z",
"score": 8.7,
"attack_complexity": "low",
"attack_vector": "adjacent",
"availability": "high",
"confidentiality": "low",
"integrity": "high",
"privileges_required": "low",
"user_interaction": "required",
"scope": "changed"
}
}
A severity object represents the severity of a report, if provided by the reporter or a team member.
Attributes
| Name | Type | Required | Description |
|---|---|---|---|
| id | string | true | The unique ID of the severity. |
| type | string | true | none |
| attributes | object | true | none |
| » rating | severity-ratings | true | The qualitative rating of the severity. Provided either directly from the author or mapped from the calculated vulnerability score. |
| » author_type | string | true | The involved party that provided the severity. |
| » user_id | integer | true | The unique id of the user who created the object. |
| » score | number¦null | false | The vulnerability score calculated from the Common Vulnerability Scoring System (CVSS). Only present if CVSS metrics were provided. |
| » attack_vector | string¦null | false | A CVSS metric that reflects the context by which vulnerability exploritation is possible. |
| » attack_complexity | string | false | A CVSS metric that describes the conditions beyond the attacker's control that must exist in order to exploit the vulnerability. |
| » privileges_required | string | false | A CVSS metric that describes the level of privileges an attacker must possess before successfully exploiting the vulnerability. |
| » user_interaction | string | false | A CVSS metric that captures the requirement for a user, other than the attacker, to participate in the successful compromise of the vulnerability component. |
| » scope | string¦null | false | A CVSS metric that determines if a successful attack impacts a component other than the vulnerable component. |
| » confidentiality | string | false | A CVSS metric that measures the impact to the confidentiality of the information resources managed by a software component due to a successfully exploited vulnerability. |
| » integrity | string | false | A CVSS metric that measures the impact to the integrity of a successfully exploited vulnerability. |
| » availability | string | false | A CVSS metric that measures the availability of the impacted component resulting from a successfully exploited vulnerability. |
| » created_at | string(date-time) | true | The date and time the object was created. Formatted according to ISO 8601. |
Enumerated Values
| Property | Value |
|---|---|
| type | severity |
| author_type | User |
| author_type | Team |
| attack_vector | network |
| attack_vector | adjacent |
| attack_vector | local |
| attack_vector | physical |
| attack_complexity | low |
| attack_complexity | high |
| privileges_required | none |
| privileges_required | low |
| privileges_required | high |
| user_interaction | none |
| user_interaction | required |
| scope | unchanged |
| scope | changed |
| confidentiality | none |
| confidentiality | low |
| confidentiality | high |
| integrity | none |
| integrity | low |
| integrity | high |
| availability | none |
| availability | low |
| availability | high |
severity-ratings
"none"
The qualitative rating of the severity. Provided either directly from the author or mapped from the calculated vulnerability score.
Attributes
| Name | Type | Required | Description |
|---|---|---|---|
| severity-ratings | string | false | The qualitative rating of the severity. Provided either directly from the author or mapped from the calculated vulnerability score. |
Enumerated Values
| Property | Value |
|---|---|
| severity-ratings | none |
| severity-ratings | low |
| severity-ratings | medium |
| severity-ratings | high |
| severity-ratings | critical |
structured-scope
{
"id": "57",
"type": "structured-scope",
"attributes": {
"asset_identifier": "api.example.com",
"asset_type": "URL",
"confidentiality_requirement": "high",
"integrity_requirement": "high",
"availability_requirement": "high",
"max_severity": "critical",
"created_at": "2015-02-02T04:05:06.000Z",
"updated_at": "2016-05-02T04:05:06.000Z",
"instruction": null,
"eligible_for_bounty": true,
"eligible_for_submission": true,
"reference": "H001001"
}
}
A StructuredScope object represents an asset defined by the program. The scope on a report was initially provided by the hacker, but may be reviewed and corrected by the program.
Attributes
| Name | Type | Required | Description |
|---|---|---|---|
| id | string | true | The unique ID of the scope. |
| type | string | true | none |
| attributes | object | true | none |
| » asset_identifier | string | true | The identifier of the asset. |
| » asset_type | string | true | The type of the asset. |
| » eligible_for_bounty | boolean | true | If the asset is eligible for bounty. |
| » eligible_for_submission | boolean | true | If the asset is eligible for submission. |
| » instruction | string¦null | false | The raw intruction of the asset provided by the program. Markdown is not parsed. |
| » confidentiality_requirement | any | false | A CVSS environmental modifier that reweights Confidentiality Impact of a vulnerability on this asset. |
| » integrity_requirement | any | false | A CVSS environmental modifier that reweights Integrity Impact of a vulnerability on this asset. |
| » availability_requirement | any | false | A CVSS environmental modifier that reweights Availability Impact of a vulnerability on this asset. |
| » max_severity | any | true | The qualitative rating of the maximum severity allowed on this asset. Its value is calculated from the combination of all three of the environmental requirements (CR, IR, and AR). |
| » created_at | string(date-time) | true | The date and time the object was created. Formatted according to ISO 8601. |
| » updated_at | string(date-time) | true | The date and time the object was updated. Formatted according to ISO 8601. |
| » reference | string¦null | false | The customer defined reference identifier or tag of the asset. |
Enumerated Values
| Property | Value |
|---|---|
| type | structured-scope |
| confidentiality_requirement | none |
| confidentiality_requirement | low |
| confidentiality_requirement | medium |
| confidentiality_requirement | high |
| integrity_requirement | none |
| integrity_requirement | low |
| integrity_requirement | medium |
| integrity_requirement | high |
| availability_requirement | none |
| availability_requirement | low |
| availability_requirement | medium |
| availability_requirement | high |
| max_severity | none |
| max_severity | low |
| max_severity | medium |
| max_severity | high |
| max_severity | critical |
swag
{
"id": "1337",
"type": "swag",
"attributes": {
"sent": false,
"created_at": "2016-02-02T04:05:06.000Z"
},
"relationships": {
"user": {
"data": {
"id": "1337",
"type": "user",
"attributes": {
"username": "api-example",
"name": "API Example",
"disabled": false,
"created_at": "2016-02-02T04:05:06.000Z",
"profile_picture": {
"62x62": "/assets/avatars/default.png",
"82x82": "/assets/avatars/default.png",
"110x110": "/assets/avatars/default.png",
"260x260": "/assets/avatars/default.png"
}
}
}
},
"address": {
"data": {
"id": "1337",
"type": "address",
"attributes": {
"name": "Jane Doe",
"street": "535 Mission Street",
"city": "San Francisco",
"postal_code": "94105",
"state": "CA",
"country": "United States of America",
"created_at": "2016-02-02T04:05:06.000Z",
"tshirt_size": "W_Large",
"phone_number": "+1-510-000-0000"
}
}
}
}
}
Besides a financial reward, which is called a bounty, programs can award swag. Report objects may contain multiple swag objects, one for each time swag was awarded.
Attributes
| Name | Type | Required | Description |
|---|---|---|---|
| id | string | true | The unique ID of the swag. |
| type | string | true | none |
| attributes | object | true | none |
| » sent | boolean | true | Indicates whether the swag has been marked as sent. Swag can be marked as sent through the HackerOne interface. |
| » created_at | string(data-time) | true | The date and time the object was created. Formatted according to ISO 8601. |
| relationships | object | false | none |
| » user | object | true | none |
| »» data | user | false | The user the swag was awarded to. |
| » address | object | true | none |
| »» data | address | false | The user's address to send the swag to. |
Enumerated Values
| Property | Value |
|---|---|
| type | swag |
user
{
"id": "1337",
"type": "user",
"attributes": {
"username": "api-example",
"name": "API Example",
"disabled": false,
"created_at": "2016-02-02T04:05:06.000Z",
"profile_picture": {
"62x62": "/assets/avatars/default.png",
"82x82": "/assets/avatars/default.png",
"110x110": "/assets/avatars/default.png",
"260x260": "/assets/avatars/default.png"
}
}
}
User objects represent accounts on HackerOne. These objects are mostly referenced when someone performed an action using that account. All different actors on the platform, hackers, API users, and program users, have a user account.
Attributes
| Name | Type | Required | Description |
|---|---|---|---|
| id | string | true | The unique ID of the user. |
| type | string | true | none |
| attributes | object | true | none |
| » disabled | boolean | true | Indicates if the user is disabled. |
| » username | string | true | The username of the user. Usernames are unique and scoped under the same namespace as program handles. |
| » name | string | true | The name of the user. A name may be empty and is free-format. |
| » profile_picture | object | true | An object that holds URLs to different profile picture sizes. |
| »» 62x62 | string | true | none |
| »» 82x82 | string | true | none |
| »» 110x110 | string | true | none |
| »» 260x260 | string | true | none |
| » bio | string¦null | false | The user's biography, as provided by the user. |
| » website | string¦null | false | The user's website, as provided by the user. |
| » location | string¦null | false | The user's location, as provided by the user. |
| » reputation | number¦null | false | The reputation of the user. Read more about how this number is calculated href="https://www.hackerone.com/blog/introducing-reputation">here. This attribute is only included in the reporter relationship of a report object. |
| » signal | number¦null | false | The signal of the user. This number ranges from -10 to 7. The closer to 7, the higher the average submission quality of the user. This attribute is only included in the reporter relationship of a report object. Learn more about how this number is calculated href="https://www.hackerone.com/blog/introducing-signal-and-impact">here. |
| » impact | number¦null | false | The impact of the user. This number ranges from 0 to 50. The closer to 50, the higher the average severity of the user's reports is. This attribute is only included in the reporter relationship of a report object. Learn more about how this number is calculated href="https://www.hackerone.com/blog/introducing-signal-and-impact">here. |
| » hackerone_triager | boolean¦null | false | Indicates if the user is a hackerone triager. |
| » created_at | string(date-time) | true | The date and time the object was created. Formatted according to ISO 8601. |
| relationships | object | false | none |
| » participating_programs | object | false | none |
| »» data | [object] | false | List of private programs that you manage where this user is invited to. This attribute is only included when making use of the User > Read endpoint. |
Enumerated Values
| Property | Value |
|---|---|
| type | user |
weakness
{
"id": "1337",
"type": "weakness",
"attributes": {
"name": "Cross-Site Request Forgery (CSRF)",
"description": "The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.",
"created_at": "2016-02-02T04:05:06.000Z",
"external_id": "cwe-352"
}
}
A Weakness object represents the type of weakness the hacker submitted to a program. The weakness was initially provided by the hacker, but may be reviewed and corrected by the program.
Attributes
| Name | Type | Required | Description |
|---|---|---|---|
| id | string | true | The unique ID of the weakness. |
| type | string | true | none |
| attributes | object | false | none |
| » name | string | true | The name of the weakness. |
| » description | string | true | The raw description of the weakness. Markdown is not parsed. |
| » external_id | string | true | The weakness' external reference to CWE or CAPEC. |
| » created_at | string(date-time) | true | The date and time the object was created. Formatted according to ISO 8601. |
Enumerated Values
| Property | Value |
|---|---|
| type | weakness |
address
{
"id": "1337",
"type": "address",
"attributes": {
"name": "Jane Doe",
"street": "535 Mission Street",
"city": "San Francisco",
"postal_code": "94105",
"state": "CA",
"country": "United States of America",
"created_at": "2016-02-02T04:05:06.000Z",
"tshirt_size": "W_Large",
"phone_number": "+1-510-000-0000"
}
}
This object contains the postal address for the delivery of awarded swag.
Attributes
| Name | Type | Required | Description |
|---|---|---|---|
| id | string | true | The unique ID of the address. |
| type | string | true | none |
| attributes | object | true | none |
| » name | string | true | none |
| » street | string | true | none |
| » city | string | true | none |
| » postal_code | string | true | none |
| » state | string | true | none |
| » country | string | true | none |
| » tshirt_size | string | false | none |
| » phone_number | string | false | none |
| » created_at | string(date-time) | true | The date and time the object was created. Formatted according to ISO 8601. |
Enumerated Values
| Property | Value |
|---|---|
| type | address |
| tshirt_size | M_Small |
| tshirt_size | M_Medium |
| tshirt_size | M_Large |
| tshirt_size | M_XLarge |
| tshirt_size | M_XXLarge |
| tshirt_size | W_Small |
| tshirt_size | W_Medium |
| tshirt_size | W_Large |
| tshirt_size | W_XLarge |
| tshirt_size | W_XXLarge |