Hacker Reference
The following section contains a complete reference of all the objects that can be returned through the API. Objects that have been explained earlier in this documentation are not included. The objects in this section are never top level resources by themselves and will only be returned as sub resources.
All objects are made up of an id and a type attribute. With those, additional attributes and relationships can be specified. An example how the data schema looks like, take a look at the response structure or the response object. Additional reading can be done at jsonapi.org.
activity
{
"id": "string",
"type": "string",
"attributes": {
"report_id": "string",
"message": "string",
"internal": true,
"created_at": "2019-08-24T14:15:22Z",
"updated_at": "2019-08-24T14:15:22Z"
},
"relationships": {
"actor": {
"data": {}
},
"attachments": {
"data": [
{
"id": "1337",
"type": "attachment",
"attributes": {
"expiring_url": "/system/attachments/files/000/001/337/original/root.rb?1454385906",
"created_at": "2016-02-02T04:05:06.000Z",
"file_name": "root.rb",
"content_type": "text/x-ruby",
"file_size": 2871
}
}
]
}
}
}
These objects represent an action that was performed on a report. Activities come in many sub types that can have additional attributes.
Attributes
| Name | Type | Required | Description |
|---|---|---|---|
| id | string | true | The unique ID of the activity. |
| type | string | true | Indicates what kind of activity it is. |
| attributes | object | true | none |
| » report_id | string | false | The report associated with the activity. |
| » message | string¦null | true | The comment associated with the activity. May be updated through the HackerOne interface. Markdown is not parsed. |
| » internal | boolean | true | Indicates if this activity can only be read by Program users and external users that were invited to the report. |
| » created_at | string(date-time) | true | The date and time the object was created. Formatted according to ISO 8601. |
| » updated_at | string(date-time) | true | The date and time the object was updated. Formatted according to ISO 8601. |
| relationships | object | false | none |
| » actor | object | false | The author of the activity. |
| »» data | object | false | none |
oneOf - discriminator: user.type
| Name | Type | Required | Description |
|---|---|---|---|
| »»» anonymous | user | false | User objects represent accounts on HackerOne. These objects are mostly referenced when someone performed an action using that account. All different actors on the platform, hackers, API users, and program users, have a user account. |
xor
| Name | Type | Required | Description |
|---|---|---|---|
| »»» anonymous | program | false | A program object represents a disclosure program or bug bounty program on the platform. When a user reports a bug to a program, this is the object they interact with. Behind a program, there can be multiple users that are part of the program. Those users can interact with reports on behalf of the program. |
continued
| Name | Type | Required | Description |
|---|---|---|---|
| » attachments | object | false | A list of Attachment objects added to the activity. |
| »» data | [attachment] | false | [Users can add attachments when they file a report or when they interact with a report. Attachments may contain dangerous proof of concepts and should be handled with caution. ] |
asset-enrichment-submission
{
"id": "1",
"type": "asset-enrichment-submission",
"attributes": {
"identifier": "hackerone.com",
"description": "this is a description",
"asm_tag_name": "tag1",
"team_handle": "security",
"status": "in_review",
"created_at": "2022-10-02T04:05:06.000Z"
}
}
An asset enrichment submission object contains the information that is associated with an asset enrichment submission
Attributes
| Name | Type | Required | Description |
|---|---|---|---|
| id | string | true | The unique ID of the asset-enrichment-submission. |
| type | string | true | none |
| attributes | object | true | none |
| » identifier | string | true | The identifier of the asset for which the enrichment is being submitted for. |
| » team_handle | string | true | The handle of the team that the asset relates to. |
| » status | string | true | The returned status field can be either “in_review” or “duplicate”. When the status is duplicate it means the asset already has that specific tag. |
| » description | string¦null | false | An optional description for additional information regarding the enrichment submission. |
| » asm_tag_name | string | true | The name of the tag submitted. |
| » created_at | string(date-time) | true | The date and time the asset enrichment submission was created. Formatted according to ISO 8601. |
Enumerated Values
| Property | Value |
|---|---|
| type | asset-enrichment-submission |
asset-tag
{
"data": [
{
"id": "2",
"type": "asset-tag",
"attributes": {
"name": "test"
}
}
],
"links": {}
}
An asset tag object contains the information that is associated to an asset tag such as its name.
Attributes
| Name | Type | Required | Description |
|---|---|---|---|
| id | string | true | The unique ID of the asset tag. |
| type | string | true | none |
| attributes | object | false | none |
| » name | string | true | The name of the asset tag |
Enumerated Values
| Property | Value |
|---|---|
| type | asset-tag |
attachment
{
"id": "1337",
"type": "attachment",
"attributes": {
"expiring_url": "/system/attachments/files/000/001/337/original/root.rb?1454385906",
"created_at": "2016-02-02T04:05:06.000Z",
"file_name": "root.rb",
"content_type": "text/x-ruby",
"file_size": 2871
}
}
Users can add attachments when they file a report or when they interact with a report. Attachments may contain dangerous proof of concepts and should be handled with caution.
Attributes
| Name | Type | Required | Description |
|---|---|---|---|
| id | string | true | The unique ID of the attachment. |
| type | string | true | none |
| attributes | object | true | none |
| » file_name | string | true | The file name of the attachment. |
| » content_type | string | true | The content type of the attachment. The content type is derived from the contents and extension of the file. |
| » file_size | integer | true | The file size of the attachment in bytes. |
| » expiring_url | string | true | A URL to download the attachment. The URL will automatically expire after 60 minutes. |
| » created_at | string(date-time) | true | The date and time the object was created. Formatted according to ISO 8601. |
Enumerated Values
| Property | Value |
|---|---|
| type | attachment |
bounty
{
"id": "1337",
"type": "bounty",
"attributes": {
"amount": "500.00",
"bonus_amount": "50.00",
"created_at": "2016-02-02T04:05:06.000Z"
}
}
When a program pays a bounty to the hacker, a bounty object is created. A report may contain multiple bounty objects, one for each time a bounty was awarded. The hacker that reported the vulnerability is the user that received the bounty.
Attributes
| Name | Type | Required | Description |
|---|---|---|---|
| id | string | true | The unique ID of the bounty. |
| type | string | true | none |
| attributes | object | true | none |
| » amount | string¦null | false | Amount in USD. |
| » bonus_amount | string¦null | false | Bonus amount in USD. |
| » awarded_amount | string¦null | false | Amount in awarded currency. |
| » awarded_bonus_amount | string¦null | false | Bonus amount in awarded currency. |
| » awarded_currency | string¦null | false | The currency used to award the bounty and bonus. |
| » created_at | string(date-time) | true | The date and time the object was created. Formatted according to ISO 8601. |
Enumerated Values
| Property | Value |
|---|---|
| type | bounty |
earning
{
"id": 9,
"type": "earning-bounty-earned",
"attributes": {
"amount": 150,
"created_at": "2015-02-02T04:05:06.000Z"
}
}
An earning object
Attributes
| Name | Type | Required | Description |
|---|---|---|---|
| id | string | false | The unique ID of the earning object |
| type | any | false | none |
| attributes | object | false | none |
| » amount | number | true | The amount that was earned |
| required | any | false | none |
| relationships | object | false | none |
| » team | object | false | The program where the earning was earned. |
| »» data | program | false | A program object represents a disclosure program or bug bounty program on the platform. When a user reports a bug to a program, this is the object they interact with. Behind a program, there can be multiple users that are part of the program. Those users can interact with reports on behalf of the program. |
| » bounty | object | false | The bounty object for the earning, in the case of earning-bounty-earned type |
| »» data | bounty | false | When a program pays a bounty to the hacker, a bounty object is created. A report may contain multiple bounty objects, one for each time a bounty was awarded. The hacker that reported the vulnerability is the user that received the bounty. |
| » pentester | object | false | The pentester object for the earning, in the case of earning-pentest-completed |
| »» data | pentester | false | A pentester object represents a completion of a pentest by a user. |
| » report_retest_user | object | false | The report_retest_user object for the earning, in the case of earning-retest-completed |
| »» data | report_retest_user | false | none |
Enumerated Values
| Property | Value |
|---|---|
| type | earning-bounty-earned |
| type | earning-retest-completed |
| type | earning-checklist-check-completed |
| type | earning-pentest-completed |
group
{
"id": "1337",
"type": "group",
"attributes": {
"name": "Admin",
"created_at": "2016-02-02T04:05:06.000Z",
"permissions": [
"user_management",
"report_management"
]
}
}
A group represents a set of users. A group is used to delegate permissions for the users in it. It can also be assigned to one or multiple reports.
Attributes
| Name | Type | Required | Description |
|---|---|---|---|
| id | string | true | The unique ID of the group. |
| type | string | true | none |
| attributes | object | true | none |
| » name | string | true | The name of the group. |
| » permissions | [string] | true | The permissions of the group. Possible values are reward_management, program_management, user_management, and report_management. |
| » created_at | string(date-time) | true | The date and time the object was created. Formatted according to ISO 8601. |
Enumerated Values
| Property | Value |
|---|---|
| type | group |
hacker-asset-submission
{
"id": "1",
"type": "hacker-asset-submission",
"attributes": {
"identifier": "hackerone.com",
"description": "",
"asset_type": "domain",
"team_handle": "security",
"status": "in_review",
"created_at": "2022-10-02T04:05:06.000Z"
}
}
An hacker asset submission object contains the information that is associated to a hacker asset submission
Attributes
| Name | Type | Required | Description |
|---|---|---|---|
| id | string | true | The unique ID of the hacker-asset-submission. |
| type | string | true | none |
| attributes | object | true | none |
| » identifier | string | false | The domain of the asset that is being submitted. |
| » team_handle | string | false | The handle of the team that the asset is being submitted to. |
| » asset_type | string | true | The type of asset you are submitting, currently only ‘domain’ |
| » status | string | false | The returned status field can be either “in_review” or “duplicate”. When the status is duplicate it means the asset was either already known in the customers asset inventory, or already submitted by someone else. |
| » description | string¦null | false | An optional description for additional information regarding how you found this asset and/or why you believe it belongs to this team. |
| » created_at | string(date-time) | false | The date and time the asset submission was created. Formatted according to ISO 8601. |
Enumerated Values
| Property | Value |
|---|---|
| type | hacker-asset-submission |
| asset_type | domain |
links
{
"data": [
{
"id": "1337",
"type": "some-object",
"attributes": {
"some_attribute": "some value"
},
"relationships": {
"some_relationship": {
"data": {
"id": "1337",
"type": "some-other-object",
"attributes": {
"some_attribute": "some value"
}
}
}
}
}
],
"links": {
"prev": "https://api.hackerone.com/v1/hackers/reports/1336",
"self": "https://api.hackerone.com/v1/hackers/reports/1337",
"next": "https://api.hackerone.com/v1/hackers/reports/1338"
}
}
When querying for multiple objects, the client needs to know how to query the next page. This kind of data is included in this attribute. In case there is no additional meta data, this attribute is not returned by the API.
Attributes
| Name | Type | Required | Description |
|---|---|---|---|
| attributes | object | false | none |
| » prev | string | false | This attribute contains a URL to the previous page or previous resource when the resource or resources are paginated. |
| » self | string | false | This attribute contains a URL to the resource itself when it can be queried as a top level resource. At this moment, only report objects can be queried as individual resources. |
| » next | string | false | This attribute contains the URL to the next page or next resource when the resource or resources are paginated. |
payout
{
"amount": 100,
"paid_out_at": "2016-02-02T04:05:06.000Z",
"reference": "<reference>",
"payout_provider": "PayPal",
"status": "sent"
}
A payout object
Attributes
| Name | Type | Required | Description |
|---|---|---|---|
| amount | number | false | the amount in USD that was paid out |
| paid_out_at | date-time | false | The date and time the payout was created. Formatted according to ISO 8601. |
| reference | string | false | none |
| payout_provider | string | false | none |
| status | string | false | none |
pentest
{
"id": "123",
"type": "pentest",
"attributes": {
"name": "Name of the pentest",
"description": "This is the description"
}
}
A pentest object
Attributes
| Name | Type | Required | Description |
|---|---|---|---|
| id | string | false | The unique ID of the pentest object |
| type | string | false | none |
| attributes | object | false | none |
| » name | string | false | The name of the pentest |
| » description | string | false | The description of the pentest |
| required | any | false | none |
Enumerated Values
| Property | Value |
|---|---|
| type | pentest |
pentester
{
"id": "123",
"type": "pentester",
"attributes": {
"completed_at": "2016-02-02T04:05:06.000Z",
"award_amount": "4000.00"
}
}
A pentester object represents a completion of a pentest by a user.
Attributes
| Name | Type | Required | Description |
|---|---|---|---|
| id | string | false | The unique ID of the pentester object |
| type | string | false | none |
| attributes | object | false | none |
| » amount | number | true | The amount that was earned by the user |
| » completed_at | string(date-time) | false | The date and time the user completed the pentest. Formatted according to ISO 8601. |
| required | any | false | none |
| relationships | object | false | none |
| » pentest | object | false | The pentest object completed by the user |
| »» data | pentest | false | A pentest object |
Enumerated Values
| Property | Value |
|---|---|
| type | pentester |
program
{
"id": "1337",
"type": "program",
"attributes": {
"handle": "security"
}
}
A program object represents a disclosure program or bug bounty program on the platform. When a user reports a bug to a program, this is the object they interact with. Behind a program, there can be multiple users that are part of the program. Those users can interact with reports on behalf of the program.
Attributes
| Name | Type | Required | Description |
|---|---|---|---|
| handle | string | false | The unique handle of the program. |
| type | string | false | none |
| attributes | object | false | none |
| » handle | string | true | The handle of the program. Handles are unique and scoped under the same namespace as user usernames. |
| required | any | false | none |
| relationships | object | false | none |
| » structured_scopes | object | false | The assets of the program, which is used to determine whether a security vulnerability is within the scope of said program. |
| »» data | [structured-scope] | false | [A StructuredScope object represents an asset defined by the program. The scope on a report was initially provided by the hacker, but may be reviewed and corrected by the program. ] |
Enumerated Values
| Property | Value |
|---|---|
| type | program |
program_small
{
"id": "1337",
"type": "program",
"attributes": {
"handle": "security"
}
}
A program object represents a disclosure program or bug bounty program on the platform. When a user reports a bug to a program, this is the object they interact with. Behind a program, there can be multiple users that are part of the program. Those users can interact with reports on behalf of the program.
Attributes
| Name | Type | Required | Description |
|---|---|---|---|
| id | string | true | The unique ID of the program. |
| type | string | true | none |
| attributes | object | true | none |
| » handle | string | true | The handle of the program. Handles are unique and scoped under the same namespace as user usernames. |
Enumerated Values
| Property | Value |
|---|---|
| type | program |
report
{
"data": {
"id": "1337",
"type": "report",
"attributes": {
"title": "XSS in login form",
"state": "new",
"created_at": "2021-06-30T09:59:37.783Z",
"vulnerability_information": "Soo much vuln\n\n## Impact\n\nSoo much impact",
"triaged_at": null,
"closed_at": null,
"last_reporter_activity_at": "2021-06-30T09:59:38.294Z",
"first_program_activity_at": "2021-06-30T09:59:38.294Z",
"last_program_activity_at": "2021-06-30T09:59:38.294Z",
"bounty_awarded_at": null,
"swag_awarded_at": null,
"disclosed_at": null,
"reporter_agreed_on_going_public_at": null,
"last_public_activity_at": "2021-06-30T09:59:38.294Z",
"last_activity_at": "2021-06-30T09:59:38.294Z",
"cve_ids": []
},
"relationships": {
"reporter": {
"data": {
"id": "1337",
"type": "user",
"attributes": {
"username": "hacker",
"name": "Hacker",
"disabled": false,
"created_at": "2021-05-28T11:27:05.082Z",
"profile_picture": {
"62x62": "/assets/avatars/default.png",
"82x82": "/assets/avatars/default.png",
"110x110": "/assets/avatars/default.png",
"260x260": "/assets/avatars/default.png"
},
"bio": "Hacker.",
"website": "https://example.com",
"location": "Hackland",
"hackerone_triager": false
}
}
},
"program": {
"data": {
"id": "1337",
"type": "program",
"attributes": {
"handle": "security",
"created_at": "2013-01-01T00:00:00.000Z",
"updated_at": "2021-06-25T10:04:59.678Z"
}
}
},
"severity": {
"data": {
"id": "74",
"type": "severity",
"attributes": {
"rating": "high",
"author_type": "User",
"user_id": 1337,
"created_at": "2021-06-30T09:59:38.029Z"
}
}
},
"swag": {
"data": []
},
"attachments": {
"data": []
},
"weakness": {
"data": {
"id": "1337",
"type": "weakness",
"attributes": {
"name": "Cross-Site Request Forgery (CSRF)",
"description": "The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.",
"external_id": "cwe-352",
"created_at": "2021-05-28T11:26:59.604Z"
}
}
},
"activities": {
"data": []
},
"bounties": {
"data": []
},
"summaries": {
"data": []
}
}
}
}
A report object contains the information that hackers submitted to a program, the interactions the program users had with the report, and all additional meta information like bounties, swag, and internal references.
Attributes
| Name | Type | Required | Description |
|---|---|---|---|
| id | string | true | The unique ID of the report. |
| type | string | true | none |
| attributes | object | true | none |
| » title | string | true | The title of the report. May be updated through the HackerOne interface. |
| » vulnerability_information | string | false | The raw report's vulnerability information. Markdown is not parsed. |
| » state | report-states | true | The report its current state. May be updated through the HackerOne interface or the HackerOne API. |
| » created_at | string(date-time) | true | The date and time the object was created. Formatted according to ISO 8601. |
| » triaged_at | string(date-time)¦null | true | The date and time the report was triaged. This attribute is reset when the report was reopened after it was triaged. Formatted according to ISO 8601. |
| » closed_at | string(date-time)¦null | true | The date and time the report was closed. This attribute is reset when the report was reopened after it was closed. Formatted according to ISO 8601. |
| » last_reporter_activity_at | string(date-time)¦null | true | The date and time that the most recent reporter activity was posted on the report. Formatted according to ISO 8601. |
| » first_program_activity_at | string(date-time)¦null | true | The date and time that the first program activity was posted on the report. Formatted according to ISO 8601. |
| » last_program_activity_at | string(date-time)¦null | true | The date and time that the most recent program activity was posted on the report. Formatted according to ISO 8601. |
| » last_activity_at | string(date-time)¦null | true | The date and time that the most recent activity was posted on the report. Formatted according to ISO 8601. |
| » last_public_activity_at | string(date-time)¦null | true | The date and time that the most recent public activity was posted on the report. Formatted according to ISO 8601. |
| » bounty_awarded_at | string(date-time)¦null | true | The date and time that the most recent bounty was awarded on the report. Formatted according to ISO 8601. |
| » swag_awarded_at | string(date-time)¦null | true | The date and time that the most recent swag was awarded on the report. Formatted according to ISO 8601. |
| » disclosed_at | string(date-time)¦null | true | The date and time the report was disclosed. Formatted according to ISO 8601. |
| » reporter_agreed_on_going_public_at | string(date-time)¦null | true | The date and time the reporter agreed for the public disclosure. Formatted according to ISO 8601. |
| » cve_ids | [string] | false | An assigned CVE id(s) for this report |
| relationships | object | true | none |
| » program | object | true | The program that received the report. |
| »» data | program_small | false | A program object represents a disclosure program or bug bounty program on the platform. When a user reports a bug to a program, this is the object they interact with. Behind a program, there can be multiple users that are part of the program. Those users can interact with reports on behalf of the program. |
| » attachments | object | false | A list of Attachment objects that the reporter added to the report. |
| »» data | [attachment] | false | [Users can add attachments when they file a report or when they interact with a report. Attachments may contain dangerous proof of concepts and should be handled with caution. ] |
| » swag | object | false | A list of Swag objects that were awarded to the reporter. |
| »» data | [swag] | false | [Besides a financial reward, which is called a bounty, programs can award swag. Report objects may contain multiple swag objects, one for each time swag was awarded. ] |
| » weakness | object | false | The Weakness object of the report provided by the reporter or team. |
| »» data | weakness | false | A Weakness object represents the type of weakness the hacker submitted to a program. The weakness was initially provided by the hacker, but may be reviewed and corrected by the program. |
| » structured_scope | object | false | The StructuredScope object of the report provided by the reporter or team. |
| »» data | structured-scope | false | A StructuredScope object represents an asset defined by the program. The scope on a report was initially provided by the hacker, but may be reviewed and corrected by the program. |
| » severity | object | false | The Severity object of the report provided by the reporter or team. |
| »» data | severity | false | A severity object represents the severity of a report, if provided by the reporter or a team member. |
| » reporter | object | false | The user that created the report. This object contains the user's reputation, signal, and impact metrics. |
| »» data | user | false | User objects represent accounts on HackerOne. These objects are mostly referenced when someone performed an action using that account. All different actors on the platform, hackers, API users, and program users, have a user account. |
| » activities | object | false | A list of Activity objects that can be used to generate a timeline of changes. Activities are ordered by most recent first. |
| »» data | [activity] | false | [These objects represent an action that was performed on a report. Activities come in many sub types that can have additional attributes. ] |
| » bounties | object | false | A list of Bounty objects that were awarded to the reporter. |
| »» data | [bounty] | false | [When a program pays a bounty to the hacker, a bounty object is created. A report may contain multiple bounty objects, one for each time a bounty was awarded. The hacker that reported the vulnerability is the user that received the bounty. ] |
| » summaries | object | false | A list of Report Summary objects that were added to the report by the reporter and team. |
| »» data | [report-summary] | false | [Before a report is disclosed, the program, the HackerOne Triage team and hacker may add a summary. A report can have only one summary per party. Unlike activities, summaries can be edited through HackerOne indefinitely. Triage summaries are only visible to team members and the HackerOne Triage team. ] |
Enumerated Values
| Property | Value |
|---|---|
| type | report |
report-retest
{
"id": "123",
"type": "report-retest"
}
A report-retest object
Attributes
| Name | Type | Required | Description |
|---|---|---|---|
| id | string | false | The unique ID of the report-retest object |
| type | string | false | none |
| attributes | object | false | none |
| required | any | false | none |
| relationships | object | false | none |
| » report | object | false | The retested report |
| »» data | report | false | A report object contains the information that hackers submitted to a program, the interactions the program users had with the report, and all additional meta information like bounties, swag, and internal references. |
Enumerated Values
| Property | Value |
|---|---|
| type | report-retest |
report-retest-user
{
"id": "1223",
"type": "report-retest-user",
"attributes": {
"completed_at": "2016-02-02T04:05:06.000Z"
}
}
A report-retest-user object represents a completion of a retest by a user.
Attributes
| Name | Type | Required | Description |
|---|---|---|---|
| id | string | false | The unique ID of the report-retest-user object |
| type | string | false | none |
| attributes | object | false | none |
| » completed_at | string(date-time) | false | The date and time the user completed the retest. Formatted according to ISO 8601. |
| required | any | false | none |
| relationships | object | false | none |
| » report_retest | object | false | The retest object completed by the user |
| »» data | report-retest | false | A report-retest object |
Enumerated Values
| Property | Value |
|---|---|
| type | report-retest-user |
report-states
"new"
Attributes
| Name | Type | Required | Description |
|---|---|---|---|
| report-states | string | false | none |
Enumerated Values
| Property | Value |
|---|---|
| report-states | new |
| report-states | pending-program-review |
| report-states | triaged |
| report-states | needs-more-info |
| report-states | resolved |
| report-states | not-applicable |
| report-states | informative |
| report-states | duplicate |
| report-states | spam |
| report-states | retesting |
report-summary
{
"id": "1337",
"type": "report-summary",
"attributes": {
"content": "There was a cross-site scripting vulnerability in our login form.",
"category": "team",
"created_at": "2016-02-02T04:05:06.000Z",
"updated_at": "2016-02-02T04:05:06.000Z"
},
"relationships": {
"user": {
"data": {
"id": "1337",
"type": "user",
"attributes": {
"username": "api-example",
"name": "API Example",
"disabled": false,
"created_at": "2016-02-02T04:05:06.000Z",
"profile_picture": {
"62x62": "/assets/avatars/default.png",
"82x82": "/assets/avatars/default.png",
"110x110": "/assets/avatars/default.png",
"260x260": "/assets/avatars/default.png"
}
}
}
}
}
}
Before a report is disclosed, the program, the HackerOne Triage team and hacker may add a summary. A report can have only one summary per party. Unlike activities, summaries can be edited through HackerOne indefinitely. Triage summaries are only visible to team members and the HackerOne Triage team.
Attributes
| Name | Type | Required | Description |
|---|---|---|---|
| id | string | true | The unique ID of the report summary. |
| type | string | true | none |
| attributes | object | true | none |
| » content | string | true | The raw summary of the report. Markdown is not parsed. |
| » category | string | true | The involved party that wrote the summary. |
| » created_at | string(date-time) | true | The date and time the object was created. Formatted according to ISO 8601. |
| » updated_at | string(date-time) | true | The date and time the object was last updated. Formatted according to ISO 8601. |
| relationships | object | true | none |
| » user | object | true | The author that added the summary to the report. |
| »» data | user | false | User objects represent accounts on HackerOne. These objects are mostly referenced when someone performed an action using that account. All different actors on the platform, hackers, API users, and program users, have a user account. |
Enumerated Values
| Property | Value |
|---|---|
| type | report-summary |
| category | researcher |
| category | team |
| category | triage |
severity
{
"id": "57",
"type": "severity",
"attributes": {
"rating": "high",
"author_type": "User",
"user_id": 1337,
"created_at": "2016-02-02T04:05:06.000Z",
"score": 8.7,
"attack_complexity": "low",
"attack_vector": "adjacent",
"availability": "high",
"confidentiality": "low",
"integrity": "high",
"privileges_required": "low",
"user_interaction": "required",
"scope": "changed"
}
}
A severity object represents the severity of a report, if provided by the reporter or a team member.
Attributes
| Name | Type | Required | Description |
|---|---|---|---|
| id | string | true | The unique ID of the severity. |
| type | string | true | none |
| attributes | object | true | none |
| » rating | severity-ratings | true | The qualitative rating of the severity. Provided either directly from the author or mapped from the calculated vulnerability score. |
| » author_type | string | true | The involved party that provided the severity. |
| » user_id | integer | true | The unique id of the user who created the object. |
| » score | number¦null | false | The vulnerability score calculated from the Common Vulnerability Scoring System (CVSS). Only present if CVSS metrics were provided. |
| » attack_vector | string¦null | false | A CVSS metric that reflects the context by which vulnerability exploritation is possible. |
| » attack_complexity | string | false | A CVSS metric that describes the conditions beyond the attacker's control that must exist in order to exploit the vulnerability. |
| » privileges_required | string | false | A CVSS metric that describes the level of privileges an attacker must possess before successfully exploiting the vulnerability. |
| » user_interaction | string | false | A CVSS metric that captures the requirement for a user, other than the attacker, to participate in the successful compromise of the vulnerability component. |
| » scope | string¦null | false | A CVSS metric that determines if a successful attack impacts a component other than the vulnerable component. |
| » confidentiality | string | false | A CVSS metric that measures the impact to the confidentiality of the information resources managed by a software component due to a successfully exploited vulnerability. |
| » integrity | string | false | A CVSS metric that measures the impact to the integrity of a successfully exploited vulnerability. |
| » availability | string | false | A CVSS metric that measures the availability of the impacted component resulting from a successfully exploited vulnerability. |
| » created_at | string(date-time) | true | The date and time the object was created. Formatted according to ISO 8601. |
Enumerated Values
| Property | Value |
|---|---|
| type | severity |
| author_type | User |
| author_type | Team |
| attack_vector | network |
| attack_vector | adjacent |
| attack_vector | local |
| attack_vector | physical |
| attack_complexity | low |
| attack_complexity | high |
| privileges_required | none |
| privileges_required | low |
| privileges_required | high |
| user_interaction | none |
| user_interaction | required |
| scope | unchanged |
| scope | changed |
| confidentiality | none |
| confidentiality | low |
| confidentiality | high |
| integrity | none |
| integrity | low |
| integrity | high |
| availability | none |
| availability | low |
| availability | high |
severity-ratings
"none"
The qualitative rating of the severity. Provided either directly from the author or mapped from the calculated vulnerability score.
Attributes
| Name | Type | Required | Description |
|---|---|---|---|
| severity-ratings | string | false | The qualitative rating of the severity. Provided either directly from the author or mapped from the calculated vulnerability score. |
Enumerated Values
| Property | Value |
|---|---|
| severity-ratings | none |
| severity-ratings | low |
| severity-ratings | medium |
| severity-ratings | high |
| severity-ratings | critical |
structured-scope
{
"id": "57",
"type": "structured-scope",
"attributes": {
"asset_identifier": "api.example.com",
"asset_type": "URL",
"confidentiality_requirement": "high",
"integrity_requirement": "high",
"availability_requirement": "high",
"max_severity": "critical",
"created_at": "2015-02-02T04:05:06.000Z",
"updated_at": "2016-05-02T04:05:06.000Z",
"instruction": null,
"eligible_for_bounty": true,
"eligible_for_submission": true,
"reference": "H001001"
}
}
A StructuredScope object represents an asset defined by the program. The scope on a report was initially provided by the hacker, but may be reviewed and corrected by the program.
Attributes
| Name | Type | Required | Description |
|---|---|---|---|
| id | string | true | The unique ID of the scope. |
| type | string | true | none |
| attributes | object | true | none |
| » asset_identifier | string | true | The identifier of the asset. |
| » asset_type | string | true | The type of the asset. |
| » eligible_for_bounty | boolean | true | If the asset is eligible for bounty. |
| » eligible_for_submission | boolean | true | If the asset is eligible for submission. |
| » instruction | string¦null | false | The raw intruction of the asset provided by the program. Markdown is not parsed. |
| » confidentiality_requirement | any | false | A CVSS environmental modifier that reweights Confidentiality Impact of a vulnerability on this asset. |
| » integrity_requirement | any | false | A CVSS environmental modifier that reweights Integrity Impact of a vulnerability on this asset. |
| » availability_requirement | any | false | A CVSS environmental modifier that reweights Availability Impact of a vulnerability on this asset. |
| » max_severity | any | true | The qualitative rating of the maximum severity allowed on this asset. Its value is calculated from the combination of all three of the environmental requirements (CR, IR, and AR). |
| » created_at | string(date-time) | true | The date and time the object was created. Formatted according to ISO 8601. |
| » updated_at | string(date-time) | true | The date and time the object was updated. Formatted according to ISO 8601. |
| » reference | string¦null | false | The customer defined reference identifier or tag of the asset. |
Enumerated Values
| Property | Value |
|---|---|
| type | structured-scope |
| confidentiality_requirement | none |
| confidentiality_requirement | low |
| confidentiality_requirement | medium |
| confidentiality_requirement | high |
| integrity_requirement | none |
| integrity_requirement | low |
| integrity_requirement | medium |
| integrity_requirement | high |
| availability_requirement | none |
| availability_requirement | low |
| availability_requirement | medium |
| availability_requirement | high |
| max_severity | none |
| max_severity | low |
| max_severity | medium |
| max_severity | high |
| max_severity | critical |
swag
{
"id": "1337",
"type": "swag",
"attributes": {
"sent": false,
"created_at": "2016-02-02T04:05:06.000Z"
},
"relationships": {
"user": {
"data": {
"id": "1337",
"type": "user",
"attributes": {
"username": "api-example",
"name": "API Example",
"disabled": false,
"created_at": "2016-02-02T04:05:06.000Z",
"profile_picture": {
"62x62": "/assets/avatars/default.png",
"82x82": "/assets/avatars/default.png",
"110x110": "/assets/avatars/default.png",
"260x260": "/assets/avatars/default.png"
}
}
}
},
"address": {
"data": {
"id": "1337",
"type": "address",
"attributes": {
"name": "Jane Doe",
"street": "535 Mission Street",
"city": "San Francisco",
"postal_code": "94105",
"state": "CA",
"country": "United States of America",
"created_at": "2016-02-02T04:05:06.000Z",
"tshirt_size": "W_Large",
"phone_number": "+1-510-000-0000"
}
}
}
}
}
Besides a financial reward, which is called a bounty, programs can award swag. Report objects may contain multiple swag objects, one for each time swag was awarded.
Attributes
| Name | Type | Required | Description |
|---|---|---|---|
| id | string | true | The unique ID of the swag. |
| type | string | true | none |
| attributes | object | true | none |
| » sent | boolean | true | Indicates whether the swag has been marked as sent. Swag can be marked as sent through the HackerOne interface. |
| » created_at | string(data-time) | true | The date and time the object was created. Formatted according to ISO 8601. |
| relationships | object | false | none |
| » user | object | true | none |
| »» data | user | false | The user the swag was awarded to. |
| » address | object | true | none |
| »» data | address | false | The user's address to send the swag to. |
Enumerated Values
| Property | Value |
|---|---|
| type | swag |
user
{
"id": "1337",
"type": "user",
"attributes": {
"username": "api-example",
"name": "API Example",
"disabled": false,
"created_at": "2016-02-02T04:05:06.000Z",
"profile_picture": {
"62x62": "/assets/avatars/default.png",
"82x82": "/assets/avatars/default.png",
"110x110": "/assets/avatars/default.png",
"260x260": "/assets/avatars/default.png"
}
}
}
User objects represent accounts on HackerOne. These objects are mostly referenced when someone performed an action using that account. All different actors on the platform, hackers, API users, and program users, have a user account.
Attributes
| Name | Type | Required | Description |
|---|---|---|---|
| id | string | true | The unique ID of the user. |
| type | string | true | none |
| attributes | object | true | none |
| » disabled | boolean | true | Indicates if the user is disabled. |
| » username | string | true | The username of the user. Usernames are unique and scoped under the same namespace as program handles. |
| » name | string | true | The name of the user. A name may be empty and is free-format. |
| » profile_picture | object | true | An object that holds URLs to different profile picture sizes. |
| »» 62x62 | string | true | none |
| »» 82x82 | string | true | none |
| »» 110x110 | string | true | none |
| »» 260x260 | string | true | none |
| » bio | string¦null | false | The user's biography, as provided by the user. |
| » website | string¦null | false | The user's website, as provided by the user. |
| » location | string¦null | false | The user's location, as provided by the user. |
| » reputation | number¦null | false | The reputation of the user. Read more about how this number is calculated href="https://www.hackerone.com/blog/introducing-reputation">here. This attribute is only included in the reporter relationship of a report object. |
| » signal | number¦null | false | The signal of the user. This number ranges from -10 to 7. The closer to 7, the higher the average submission quality of the user. This attribute is only included in the reporter relationship of a report object. Learn more about how this number is calculated href="https://www.hackerone.com/blog/introducing-signal-and-impact">here. |
| » impact | number¦null | false | The impact of the user. This number ranges from 0 to 50. The closer to 50, the higher the average severity of the user's reports is. This attribute is only included in the reporter relationship of a report object. Learn more about how this number is calculated href="https://www.hackerone.com/blog/introducing-signal-and-impact">here. |
| » hackerone_triager | boolean¦null | false | Indicates if the user is a hackerone triager. |
| » created_at | string(date-time) | true | The date and time the object was created. Formatted according to ISO 8601. |
| relationships | object | false | none |
| » participating_programs | object | false | none |
| »» data | [object] | false | List of private programs that you manage where this user is invited to. This attribute is only included when making use of the User > Read endpoint. |
Enumerated Values
| Property | Value |
|---|---|
| type | user |
weakness
{
"id": "1337",
"type": "weakness",
"attributes": {
"name": "Cross-Site Request Forgery (CSRF)",
"description": "The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.",
"created_at": "2016-02-02T04:05:06.000Z",
"external_id": "cwe-352"
}
}
A Weakness object represents the type of weakness the hacker submitted to a program. The weakness was initially provided by the hacker, but may be reviewed and corrected by the program.
Attributes
| Name | Type | Required | Description |
|---|---|---|---|
| id | string | true | The unique ID of the weakness. |
| type | string | true | none |
| attributes | object | false | none |
| » name | string | true | The name of the weakness. |
| » description | string | true | The raw description of the weakness. Markdown is not parsed. |
| » external_id | string | true | The weakness' external reference to CWE or CAPEC. |
| » created_at | string(date-time) | true | The date and time the object was created. Formatted according to ISO 8601. |
Enumerated Values
| Property | Value |
|---|---|
| type | weakness |